TOOLFORA

Privacy Policy

Effective 21 May 2026

1.Who we are

HereNow Labs, Inc. operates Toolfora at 1007 N Orange St Fl 4, Wilmington, DE 19801, USA. Privacy contact: team@herenowlabs.com.

2.Scope

This policy applies to toolfora.com, all *.toolfora.com subdomains, and any form embedded on a Toolfora page.

3.Categories of personal data we collect

  • Contact data you submit — name, email, company, role, and any free-text you choose to add.
  • Technical data — a salted hash of your IP address, user-agent, referer, and request timestamps via our hosting provider's server logs.
  • Behavioral data — which subdomain you visited; which A/B variant you were bucketed into via the cp_v cookie on certain pages; whether you arrived via a Google ad.
  • Marketing-attribution data — Google Ads conversion cookies (such as _gcl_*) may be set on pages where the conversion tag is active; UTM parameters present in the URL.

4.Sources of personal data

Directly from you (forms); automatically from your browser (logs, cookies); from Google Ads (click identifiers when you arrive from one of our ads).

5.Purposes and legal bases (GDPR Art. 6)

  • Respond to your inquiry — contract performance / pre-contract steps.
  • Operate the site and prevent abuse — legitimate interest.
  • Measure ad effectiveness — consent (where required) or legitimate interest (elsewhere).
  • Comply with legal obligations — legal obligation.

6.Recipients and processors

  • Supabase, Inc. — database hosting (US).
  • Vercel, Inc. — site hosting and CDN (US).
  • Google LLC / Google Ireland — ads delivery and conversion measurement.
  • Anthropic, PBC — AI provider for our internal writing tools. Anthropic does not receive your submitted form data.

Each processor is bound by a data-processing agreement that requires confidentiality, security measures appropriate to the data, and prohibits use of the data outside the documented purposes. Where a processor's services involve EEA/UK personal data, the agreement incorporates Standard Contractual Clauses.

7.International transfers

Data may be stored or processed in the United States. Where EEA/UK data is transferred, we rely on Standard Contractual Clauses with the processors above.

8.Retention

Form submissions are retained until the earlier of: (a) you request deletion; (b) closure and archival of the page that collected them; or (c) 24 months from collection. Salted IP hashes are retained for 90 days.

9.Data minimization

We collect only what is reasonably necessary to operate the site, respond to your inquiry, and measure the effectiveness of advertising that brought you here. We do not retain form data after the purpose for which it was collected has been fulfilled and any applicable retention period in §8 has elapsed.

10.Sensitive personal information

We do not collect "Sensitive Personal Information" as defined under the California Privacy Rights Act (CPRA) — for example, government identifiers, financial-account numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail/email/text messages not directed to us, genetic data, biometric identifiers used to identify you, health information, or information about your sex life or sexual orientation. If you include sensitive information in a free-text field, we will treat it with the same protections as other personal data and will not use it for any purpose beyond responding to you.

11.Marketing communications and your choices

Where you submit a form, we may follow up with you about the topic of the page you submitted or about related research we publish. Every marketing email we send includes a clearly visible unsubscribe link. To stop all marketing emails immediately, click the unsubscribe link in any email or write to team@herenowlabs.com with "UNSUBSCRIBE" in the subject line. Transactional emails (for example, responses to a question you asked) are not subject to opt-out.

12.Your rights under GDPR / UK GDPR

Access, rectification, erasure, restriction, portability, objection, withdrawal of consent at any time, and the right to lodge a complaint with a supervisory authority.

13.California rights (CCPA / CPRA)

The right to know, delete, correct, opt out of "sale" or "sharing", and non-discrimination. We do not sell personal information. "Sharing" for cross-context behavioral advertising is limited to the Google Ads conversion tag described above; to opt out, email team@herenowlabs.com.

Verifiable consumer requests. To protect against fraud, we may require you to verify your identity before completing an access, deletion, correction, or portability request — typically by replying from the email address associated with the data we hold, or by providing details that only the legitimate user would know.

Authorized agents. California residents may designate an authorized agent to submit requests on their behalf. We will require the agent to provide written proof of authorization and may verify your identity directly before processing the request.

Global Privacy Control and Do Not Track. We honor the Global Privacy Control (GPC) signal as an opt-out request under the CCPA for users in California. Our site does not separately respond to traditional "Do Not Track" browser signals, because there is no industry consensus on their interpretation; GPC and the rights mechanisms elsewhere in this policy provide equivalent or stronger protection.

14.Other US state privacy laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, or any other US state with a comprehensive consumer-privacy law, you have rights substantially similar to those described under California above. To exercise them, contact us using the methods in §20.

15.Children’s privacy

Toolfora is directed at people doing B2B operational work, not children. We do not knowingly collect personal information from anyone under 13; if you believe we have, please email us and we will delete it. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as soon as practicable.

16.Security

TLS in transit; salted IP hashing; least-privilege service-role keys; we do not log PII. No system is perfectly secure; in the event of a personal-data breach affecting you, we will notify you and any relevant supervisory authority where required (for example, within 72 hours under GDPR Art. 33).

17.Automated decision-making

We do not make decisions producing legal or similarly significant effects about you using automated processing alone.

18.Business transfers and successors

If HereNow Labs, Inc. or Toolfora is involved in a merger, acquisition, investor diligence, financing, reorganization, bankruptcy, dissolution, or sale of assets, your personal information may be transferred as part of that transaction. We will provide notice by posting to this page or by email to the address you provided before personal information becomes subject to a materially different privacy policy.

19.Third-party services and links

The site may link to third-party services or be linked to from third parties. We are not responsible for the privacy practices or content of any third-party site, even one referenced from our pages. Their handling of your personal information is governed by their own policies, not this one.

20.How to exercise rights and make complaints

Email team@herenowlabs.com. We respond within 30 days (GDPR) / 45 days (CCPA), and will tell you if we need an extension.

If we cannot resolve your concern, you may lodge a complaint with the Delaware Attorney General (Consumer Protection Unit, 820 N. French St., Wilmington, DE 19801) or with the data-protection supervisory authority in your jurisdiction.

21.Changes to this policy

Material changes will be posted at this URL with an updated effective date. Continued use of the site after the effective date constitutes acceptance of the updated policy.

22.Severability

If any provision of this policy is held invalid or unenforceable, the remaining provisions continue in full force. The invalid provision will be enforced to the maximum extent permitted by law.

23.Effective date

2026-05-21