GoCSM - Privacy Policy

At a Glance

This Privacy Policy explains how GoCSM LLC ("GoCSM," "we," "our," or "us") collects, uses, shares, and protects personal information when you visit our website, install our application from the HighLevel Marketplace, or otherwise interact with our products and services.

Quick summary: We are a B2B SaaS company serving HighLevel agencies. When you install the GoCSM application, HighLevel transmits your name, business email, and business telephone number to us so we can provision your account and onboard you. A member of our Customer Success team may contact you by phone or email to confirm your installation and to invite you to schedule a complimentary kick-off call. These communications relate to the service you have installed and are not marketing or telemarketing. You may opt out at any time, free of charge, and you retain a full set of rights over your personal information regardless of where you live.

If you want the short version, read sections 4, 6, and 12. The remainder is for users, regulators, customers, and counsel who need the full picture.

1. Introduction

GoCSM LLC is a limited liability company organized under the laws of the State of Delaware, United States, with its principal place of business at [insert registered address]. We operate the GoCSM customer success and account health intelligence platform, available at app.gocsm.com and as an application installable from the HighLevel Marketplace (https://marketplace.gohighlevel.com).

This Privacy Policy applies to personal information that we collect and process in connection with:

• Visitors to our websites at gocsm.com, app.gocsm.com, demo.gocsm.com, docs.gocsm.com, and ideas.gocsm.com;

• Users who install or use the GoCSM application from the HighLevel Marketplace;

• Customers who subscribe to the GoCSM service, free trial users, and prospective customers;

• Individuals who contact us, attend our events, respond to our surveys, or otherwise communicate with us; and

• Sub-account end-users whose personal information is processed by us on behalf of our customers (the agencies).

This Privacy Policy does not apply to information collected by HighLevel, by our customers, or by any third party operating independently of GoCSM. Their information practices are governed by their own privacy notices.

2. Definitions

Personal information or "personal data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under applicable law.

Customer means a HighLevel agency or business that subscribes to the GoCSM service, or its authorized representatives.

Sub-account means a HighLevel sub-account (typically a client of our Customer) whose data is processed within the GoCSM platform on behalf of the Customer.

Installer means the individual who installs the GoCSM application from the HighLevel Marketplace.

HighLevel means HighLevel, LLC, the operator of the HighLevel platform and the HighLevel Marketplace.

Services means the GoCSM website, application, application programming interfaces, documentation, and related services.

3. Our Role: Controller and Processor

Under the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Lei Geral de Proteção de Dados Pessoais ("LGPD"), the Digital Personal Data Protection Act, 2023 of India ("DPDP Act"), and analogous laws, we act in two capacities depending on the data concerned.

3.1 When We Are the Controller

We act as the controller (or equivalent role, such as "business" under the California Consumer Privacy Act, "data fiduciary" under the DPDP Act, or "controlador" under the LGPD) for personal information we collect from or about:

• Visitors to our websites;

• Prospective customers and individuals attending our events or marketing activities;

• Customers and their authorized users, including Installers; and

• Job applicants and recipients of our marketing communications.

3.2 When We Are the Processor

We act as the processor (or "service provider" under the California Consumer Privacy Act, "data processor" under the DPDP Act, or "operador" under the LGPD) for personal information that our Customers cause to be processed within the GoCSM platform about their own sub-accounts and end-users. In this capacity, we process such personal information only in accordance with our Customer's documented instructions, the GoCSM Data Processing Addendum, and applicable law.

Our Data Processing Addendum is available at [insert URL — e.g., gocsm.com/dpa]. If you are an end-user of one of our Customers and wish to exercise rights over your personal information, please contact the Customer directly. We will support our Customer in fulfilling such requests.

4. Personal Information We Collect

The categories of personal information we collect, and the sources from which we collect them, are summarized in the table below. Specific items in each category may not apply to every individual.

4.1 Personal Information Collected at HighLevel Marketplace Installation

When you install the GoCSM application from the HighLevel Marketplace, HighLevel transmits the following personal information to us on your behalf and pursuant to the authorization you grant during the HighLevel OAuth installation flow:

• Your full name (first and last);

• Your business email address;

• Your business telephone number (mobile or landline, as registered with HighLevel);

• The name and HighLevel Location ID of the agency or sub-account from which the installation was performed;

• The OAuth scopes you authorize and the date, time, and version of the installation.

We receive this information solely through HighLevel's authenticated API endpoints. We do not separately scrape, purchase, or otherwise acquire this information from any other source for purposes related to your installation.

HighLevel's collection and disclosure of your information are governed by HighLevel's own privacy notice. You can review HighLevel's privacy notice on HighLevel's website.

4.2 Information We Do Not Collect

We do not knowingly collect or process "sensitive personal information" as defined under the California Privacy Rights Act of 2020 — such as Social Security numbers, driver's license numbers, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health data, or contents of communications — except where you voluntarily provide such information to us in a support context. We do not knowingly collect personal information from individuals under the age of 16.

If you transmit any sensitive personal information to us, we will treat it in accordance with applicable law and will not use it for any purpose beyond providing the service you requested, except as expressly permitted by law and by you.

5. Sources of Personal Information

In compliance with Article 14 of the GDPR and equivalent transparency requirements under the UK GDPR, the CCPA/CPRA, the VCDPA, the LGPD, the DPDP Act, and analogous laws, the table below identifies the categories of sources from which we obtain personal information about you.

6. How We Use Your Personal Information

The table below maps each purpose for which we process personal information to (i) the categories of personal information processed, (ii) the lawful basis on which we rely under the GDPR and UK GDPR (and the analogous basis under the LGPD, DPDP Act, and other equivalent regimes), and (iii) the retention period applicable to that purpose.

Where we rely on "legitimate interests," we have conducted, and continue to maintain, a Legitimate Interests Assessment documenting our balancing of those interests against the rights and freedoms of the individuals concerned. We will provide a summary of any such assessment on request.

7. Onboarding and Account Management Communications

7.1 What These Communications Are

When you install the GoCSM application from the HighLevel Marketplace, you become a user of the GoCSM service. As part of providing that service, a member of our Customer Success team may contact you by telephone, email, or SMS to:

• Confirm that your installation completed successfully and that the service is functioning correctly;

• Verify the contact details transmitted to us by HighLevel;

• Help you complete initial setup, configuration, and data sync;

• Invite you to schedule a complimentary kick-off call with our team, where one has not already been booked; and

• Respond to questions you may have about the GoCSM service.

These communications are transactional, service-related, and relational in nature. They are sent in connection with the existing business relationship that arises when you install our application. They are not telemarketing, advertising, or marketing communications, and we do not use them to solicit the purchase of additional products or services.

7.2 Frequency and Duration

We will attempt to reach you a reasonable number of times across email and telephone within the first thirty (30) days following your installation. After that window, or as soon as you book a kick-off call, complete onboarding, or opt out (whichever is sooner), we will cease onboarding outreach.

7.3 How Our Calls Are Placed

Telephone calls placed by our Customer Success team are dialed manually by a human team member. We do not use an automatic telephone dialing system, an artificial or prerecorded voice, or a pre-recorded message for onboarding outreach. We screen telephone numbers against the United States National Do Not Call Registry and our internal suppression list before placing a call where applicable law requires us to do so. We identify GoCSM as the source of the call and the purpose of the call at the outset, and we honor any request to cease contact immediately upon receipt.

7.4 Lawful Bases Across Jurisdictions

European Economic Area, United Kingdom, Switzerland. We rely on the performance of our contract with you (Article 6(1)(b) GDPR and UK GDPR) and on our legitimate interests in onboarding new users and reducing time-to-first-value (Article 6(1)(f) GDPR and UK GDPR). Electronic mail communications to corporate subscribers and to individual subscribers who have an existing customer relationship with us are made in reliance on the "soft opt-in" permitted by Regulation 22(3) of the UK Privacy and Electronic Communications Regulations and the equivalent provisions of national laws implementing Directive 2002/58/EC.

United States. These communications are placed in connection with an established business relationship between you and GoCSM. They are not "telemarketing calls" or "telephone solicitations" within the meaning of the Telephone Consumer Protection Act (47 U.S.C. § 227) or the Federal Trade Commission's Telemarketing Sales Rule (16 C.F.R. Part 310), because they do not encourage the purchase of property, goods, or services beyond the service you have already installed. Email communications comply with the CAN-SPAM Act of 2003 (15 U.S.C. § 7701 et seq.); we identify ourselves, include our physical postal address, and honor opt-out requests within ten (10) business days. Where state-level telemarketing laws apply, including the Florida Telephone Solicitation Act, the Oklahoma Telephone Solicitation Act, and the Washington Commercial Electronic Mail Act, we comply with their requirements as applicable.

Canada. Where Canada's Anti-Spam Legislation (S.C. 2010, c. 23) applies, we rely on implied consent arising from your existing business relationship with us, evidenced by your installation of the GoCSM application. Each commercial electronic message we send contains identification of GoCSM and an unsubscribe mechanism that takes effect within ten (10) business days, as required by law.

Brazil. Where the LGPD applies, we rely on the execution of a contract to which the data subject is a party (Article 7, V) and on our legitimate interests (Article 7, IX and Article 10), supported by a documented legitimate interests assessment.

India. Where the DPDP Act applies, we rely on the certain legitimate uses provision permitting processing necessary to provide a service that a data principal has requested (Section 7(a)), supplemented by the notice-and-consent framework where consent is the applicable lawful basis.

Australia. Where the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and the Do Not Call Register Act 2006 (Cth) apply, we rely on the inferred consent arising from your installation of our service. Each commercial electronic message we send identifies us and provides a functional unsubscribe facility.

7.5 Your Right to Opt Out

Regardless of the lawful basis on which we rely, you may opt out of further onboarding calls, emails, and text messages at any time, free of charge, by any of the following means:

• Replying "STOP" to any text message you receive from us;

• Clicking the unsubscribe link at the foot of any email you receive from us;

• Telling the GoCSM team member who calls you that you do not wish to be contacted further;

• Emailing us at help@gocsm.com with the subject line "Opt Out"; or

• Submitting a request through our privacy request portal at gocsm.com/privacy-request.

Once you opt out, your contact details will be added to our internal suppression list and will not be used for further onboarding outreach. We will continue to send you transactional and service-related messages that are necessary to provide the GoCSM service — such as billing notices, security alerts, and notices about material changes to our terms or this Privacy Policy — as permitted by applicable law.

8. Automated Decision-Making and Artificial Intelligence

The GoCSM service includes artificial intelligence features that score and analyze accounts based on aggregated behavioral and commercial data. These features are designed to help our Customers prioritize attention across their account portfolios.

8.1 What the AI Does

Our Account Health AI computes a numerical score (from 0 to 100) for each account a Customer tracks, based on weighted inputs across four pillars: product adoption, revenue intelligence, customer sentiment, and login activity. The score is presented to the Customer along with the underlying data, so that the Customer may decide what action, if any, to take.

8.2 What the AI Does Not Do

The Account Health AI does not produce decisions that have legal effects on, or that similarly significantly affect, any individual, within the meaning of Article 22 of the GDPR. It does not make hiring, lending, insurance, eligibility, pricing, or law-enforcement decisions. The Customer (not GoCSM) decides what action, if any, to take in response to a score, and the Customer remains responsible for any such action.

8.3 Transparency and Human Review

AI features are clearly labeled within the GoCSM interface. You may request meaningful information about the logic underlying any AI-generated output that concerns you, and you may request that a human review any output before it is acted upon, by contacting help@gocsm.com.

8.4 EU Artificial Intelligence Act

To the extent the Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the "EU AI Act") applies to our AI systems, we comply with the transparency, risk-management, and post-market monitoring obligations applicable to providers and deployers of the relevant risk classification. Our Account Health AI is not a prohibited practice and is not, in our assessment, a high-risk AI system within the meaning of Annex III of the EU AI Act.

9. How We Disclose Personal Information

We disclose personal information to the categories of recipients listed below, in each case subject to appropriate contractual safeguards and only to the extent necessary for the purposes for which the information was collected.

• Service providers and sub-processors who perform services on our behalf, such as cloud hosting, database services, email delivery, SMS delivery, telephony, analytics, customer relationship management, payment processing, and customer support;

• HighLevel, LLC, where necessary to operate the integration between the GoCSM service and the HighLevel platform;

• Our affiliates within the same corporate group, where they assist us in providing the Services;

• Professional advisors, including legal counsel, auditors, accountants, and insurers, in connection with the operation of our business;

• Government authorities, law enforcement, courts, and regulators, where required by applicable law, legal process, or to protect our rights or the rights of others;

• Acquirers, investors, and their advisors in connection with a contemplated or actual sale, merger, financing, or other corporate transaction; and

• Any other party with your consent or at your direction.

9.1 Sub-Processors

We maintain a current list of the sub-processors who process personal information on our behalf at gocsm.com/sub-processors. You may subscribe to notifications of changes to that list by following the instructions on that page. We require each sub-processor to enter into a written contract that imposes data protection obligations no less protective than those set forth in our Data Processing Addendum.

9.2 We Do Not Sell or Share Personal Information for Cross-Context Behavioral Advertising

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, within the meaning of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), or any analogous state law. We have not done so in the preceding twelve (12) months, and we do not engage in any "targeted advertising" within the meaning of the Virginia Consumer Data Protection Act or analogous laws of other states. We do not knowingly sell or share the personal information of consumers under the age of 16.

10. International Data Transfers

GoCSM is headquartered in the United States. The personal information we collect is principally processed and stored in the United States. Some of our sub-processors are located in other countries. When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we rely on one or more of the following safeguards:

• The Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914, incorporated into our contracts with the relevant data importers;

• The International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the United Kingdom Information Commissioner's Office, or the UK International Data Transfer Agreement, as applicable;

• The Swiss Federal Data Protection and Information Commissioner's standard contractual clauses, where required;

• Where applicable, certification under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework; and

• Any other safeguard permitted under applicable law, including binding corporate rules, derogations, and adequacy decisions.

Copies of the relevant safeguards, with redactions to protect commercially confidential or security-sensitive information, are available on request to help@gocsm.com.

If you access the Services from outside the United States, you understand and consent to the transfer of your personal information to, and the processing of your personal information in, the United States, where data protection laws may differ from those in your jurisdiction.

11. Data Retention

We retain personal information only for as long as necessary to fulfill the purpose for which we collected it, including for the purposes of satisfying any legal, accounting, regulatory, or reporting requirements. The principal retention periods we apply are set out in section 6 above. Once a retention period expires, the relevant personal information is deleted, anonymized in a manner that prevents re-identification, or archived under access controls until lawful deletion.

Where you exercise a right to deletion, we will honor that request in accordance with applicable law, subject to permitted exceptions (for example, where retention is required to comply with a legal obligation, to defend a legal claim, or to detect and prevent fraud or abuse).

12. Information Security

We maintain administrative, technical, organizational, and physical safeguards designed to protect personal information against unauthorized access, accidental loss, alteration, disclosure, or destruction. These safeguards include:

• Encryption of personal information in transit using Transport Layer Security version 1.2 or higher;

• Encryption of personal information at rest using industry-standard symmetric encryption (AES-256 or equivalent);

• Role-based access controls and the principle of least privilege for personnel access to personal information;

• Multi-factor authentication for all personnel access to systems that process personal information;

• Network segmentation, intrusion detection, and continuous logging and monitoring;

• Periodic third-party security testing, including penetration testing;

• Employee training on data protection and information security; and

• A documented incident response plan, including breach assessment and notification procedures.

No security measure is perfect. If we determine that a personal information breach has occurred, we will notify affected individuals and regulators in accordance with applicable law, including, where applicable, within 72 hours of becoming aware of the breach under Article 33 GDPR.

13. Your Rights Over Your Personal Information

Subject to applicable law, you have the following rights over the personal information we hold about you, regardless of your jurisdiction:

• Right to access. To obtain confirmation of whether we process personal information about you and, if so, a copy of that information.

• Right to correction. To request that we correct inaccurate or incomplete personal information about you.

• Right to deletion. To request that we delete personal information about you, subject to permitted exceptions.

• Right to data portability. To receive personal information about you in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.

• Right to opt out of marketing. To opt out of marketing communications at any time, free of charge.

• Right to withdraw consent. To withdraw any consent you have given us at any time, without affecting the lawfulness of processing carried out before the withdrawal.

• Right to object. To object, on grounds relating to your particular situation, to processing of your personal information that is based on our legitimate interests.

• Right to restriction. To request that we restrict the processing of your personal information in certain circumstances.

• Right to non-discrimination. To exercise the rights described in this Privacy Policy without suffering adverse treatment, including denial of service, differential pricing, or reduced quality of service.

• Right to lodge a complaint. To lodge a complaint with a competent supervisory authority or regulator.

13.1 How to Exercise Your Rights

You may exercise any of the rights described above by:

• Emailing us at help@gocsm.com;

• Submitting a request through our privacy request portal at gocsm.com/privacy-request; or

• Writing to us at our postal address set out in section 19.

We will respond to your request without undue delay, and in any event within 30 days (or such shorter period as applicable law requires). We may extend the response period by an additional 60 days where reasonably necessary, taking into account the complexity and number of requests; we will inform you of any such extension within 30 days of receipt of your request.

We may need to verify your identity before processing your request, in order to protect your personal information against unauthorized access. We will not charge a fee unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act on the request.

You may use an authorized agent to submit a request on your behalf, where applicable law permits, provided the agent furnishes evidence of authorization satisfactory to us.

14. Jurisdiction-Specific Rights

This section provides additional information about rights granted by specific laws. The universal rights set out in section 13 apply in addition to, and not in lieu of, the rights described in this section.

14.1 Residents of California

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the "CCPA"), grants you the following additional rights:

• Right to know what categories of personal information we have collected, the sources from which we collected it, the business purposes for which we collected it, and the categories of third parties with whom we have shared it;

• Right to request a copy of the specific pieces of personal information we have collected about you in the preceding 12 months (or for a longer period, where you so request);

• Right to request that we correct inaccurate personal information we hold about you;

• Right to request that we delete personal information we have collected from you, subject to statutory exceptions;

• Right to opt out of the sale of your personal information and of the sharing of your personal information for cross-context behavioral advertising;

• Right to limit our use and disclosure of your sensitive personal information to that which is necessary to provide the Services or as otherwise permitted by the CCPA;

• Right not to receive discriminatory treatment for exercising any of these rights; and

• Right to use an authorized agent to submit a request on your behalf.

Notice at Collection. This Privacy Policy serves as our notice at collection under California Civil Code § 1798.100(b). At or before the point of collection, we collect the categories of personal information described in section 4, for the business purposes described in section 6, and we retain such information for the periods described in section 6 and section 11.

Sale and Sharing. As stated in section 9.2, we do not sell personal information and we do not share personal information for cross-context behavioral advertising.

Sensitive Personal Information. We do not use or disclose sensitive personal information for purposes other than those permitted by California Civil Code § 1798.121.

Shine the Light. California Civil Code § 1798.83 (the "Shine the Light" law) permits California residents to request, once per year, a list of the personal information we have disclosed to third parties for those third parties' direct marketing purposes during the preceding calendar year. We do not disclose personal information to third parties for their direct marketing purposes.

14.2 Residents of Other US States

Residents of the following US states have substantially similar rights under their respective state consumer privacy laws, including the right to know, access, correct, and delete personal information, the right to opt out of targeted advertising and the sale of personal information (we do not engage in either), the right to opt out of certain profiling, the right to data portability, and the right to appeal a denial of any such request:

Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Delaware (Delaware Personal Data Privacy Act), Florida (Florida Digital Bill of Rights), Indiana (Indiana Consumer Data Protection Act), Iowa (Iowa Consumer Data Protection Act), Kentucky (Kentucky Consumer Data Protection Act), Maryland (Maryland Online Data Privacy Act), Minnesota (Minnesota Consumer Data Privacy Act), Montana (Montana Consumer Data Privacy Act), Nebraska (Nebraska Data Privacy Act), New Hampshire (New Hampshire Privacy Act), New Jersey (New Jersey Data Privacy Act), Oregon (Oregon Consumer Privacy Act), Rhode Island (Rhode Island Data Transparency and Privacy Protection Act), Tennessee (Tennessee Information Protection Act), Texas (Texas Data Privacy and Security Act), Utah (Utah Consumer Privacy Act), and Virginia (Virginia Consumer Data Protection Act).

To exercise any of these rights, follow the procedure described in section 13.1. To appeal any denial of a rights request, reply to our response email or send a new email to help@gocsm.com with the subject line "Rights Request Appeal." If your appeal is denied, you may submit a complaint to your state attorney general.

14.3 Residents of the European Economic Area, the United Kingdom, and Switzerland

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in section 13, which derive from the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection respectively. You also have the right to lodge a complaint with a supervisory authority in the member state of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk). The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

Our EU representative (within the meaning of Article 27 GDPR) and our UK representative (within the meaning of Article 27 UK GDPR), where appointed, are identified in section 19.

14.4 Residents of Brazil

If you are located in Brazil, you have the rights granted to data subjects under the LGPD (Lei nº 13.709/2018), including the right of confirmation, access, correction, anonymization or deletion, portability, information about sharing, information about consent and its consequences, and revocation of consent. You may also lodge a complaint with the Autoridade Nacional de Proteção de Dados (gov.br/anpd).

14.5 Residents of Canada

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, including in Quebec (Law 25), Alberta (PIPA), and British Columbia (PIPA). These rights include access, correction, withdrawal of consent, and the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or the relevant provincial commissioner.

14.6 Residents of India

If you are a data principal located in India, you have the rights granted under the Digital Personal Data Protection Act, 2023, including the right to access information about personal data, the right to correction and erasure, the right to grievance redressal, and the right to nominate. To exercise these rights, contact our Grievance Officer at the postal address set out in section 19. You may also escalate unresolved grievances to the Data Protection Board of India.

14.7 Residents of Australia

If you are located in Australia, you have rights under the Privacy Act 1988 (Cth), including rights of access and correction in respect of personal information we hold about you. You may also lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au).

15. Cookies and Similar Technologies

We and our service providers use cookies, pixels, software development kits, local storage, and other similar technologies (collectively, "cookies") on our websites and within our application. We use four categories of cookies:

• Strictly necessary cookies, which are required for the operation of our Services and which you cannot opt out of without losing functionality;

• Performance and analytics cookies, which help us understand how our Services are used so that we can improve them;

• Functional cookies, which remember your preferences and enable personalized features; and

• Marketing cookies, which we and our advertising partners use to measure the effectiveness of our marketing.

Where required by law, we obtain your consent to the use of non-strictly-necessary cookies through a cookie preferences banner displayed on first visit. You may manage your cookie preferences at any time by clicking "Cookie Preferences" in the footer of our website. You may also disable cookies through your browser settings, although doing so may impair the functionality of our Services.

Most browsers and some mobile operating systems include a "Do Not Track" (DNT) signal. There is no industry-standard interpretation of the DNT signal, and accordingly, we do not currently respond to DNT signals. We do, however, respond to the Global Privacy Control (GPC) signal where applicable law requires us to do so.

16. Children's Privacy

Our Services are intended for use by businesses and their authorized representatives. They are not directed at children, and we do not knowingly collect personal information from children under the age of 16. If you become aware that a child has provided us with personal information without parental or guardian consent, please contact us at help@gocsm.com, and we will take steps to delete such information promptly.

17. Third-Party Websites and Services

Our Services may contain links to third-party websites, products, or services that are not operated by us, including HighLevel's platform and websites operated by our Customers. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy notices of any third-party websites you visit.

18. Changes to This Privacy Policy

We may amend this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services or by other means before the changes take effect, such as by email or by posting a notice on our website at least 30 days in advance, where required. The date at the top of this Privacy Policy indicates when it was last updated. We encourage you to review this Privacy Policy periodically.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of personal information, please contact us:

• By email: help@gocsm.com

• By telephone: +1 (910) 600-6004

• By post: GoCSM LLC, 201 Hay St, Ste 401-C, Fayetteville, North Carolina 28301, US

19.1 Data Protection Officer / Grievance Officer

Where applicable law requires us to appoint a Data Protection Officer, Grievance Officer, or analogous representative, the relevant contact is identified below:

• Data Protection Officer (where appointed under Article 37 GDPR): [insert name or "not appointed; processing does not trigger mandatory appointment"]

• EU Representative (Article 27 GDPR): [insert name and address, where appointed]

• UK Representative (Article 27 UK GDPR): [insert name and address, where appointed]

• Grievance Officer (DPDP Act, India): [insert name and address]

19.2 Supervisory Authority Complaints

You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement, as identified in section 14.

20. Version History