Privacy policy

Effective date: June 14, 2026 · Last updated: June 14, 2026

This Privacy Policy explains how Prima Vera Consulting, doing business as "Vera Pools" ("we," "us," or "our"), collects, uses, discloses, and protects personal information in connection with verapools.com, including our marketing pages (Home, Marketing, Design, About) and our personalized per-lead landing pages at verapools.com/l/<campaign>/<parcel> (together, the "Site"), and the related direct-mail services we provide to pool contractors.

We are a small business based in California (Los Angeles County). We serve two groups of people: (1) pool contractors who visit the Site and submit our forms (business leads), and (2) California homeowners (consumers) whose property information we obtain from public sources, to whom we mail personalized postcards, and who may book a consultation through one of our personalized landing pages.

Important — not legal advice

This document is provided for general informational purposes only and is not legal advice. It is a working draft based on our understanding of the facts described above. Privacy law in California and the United States changes frequently. Before publishing or relying on this policy, have it reviewed by a licensed California privacy attorney, including the cookie/consent banner copy, the session-replay consent design, and every factual statement about how data is collected and shared.

This policy describes a consent banner and related controls. The consent banner, off-by-default analytics and session replay, and Global Privacy Control handling described in Section 6 are now deployed on the live Site. A small number of items remain in progress and are clearly marked [NOT YET IMPLEMENTED] — specifically explicit input-level masking configuration verified in a test replay, and a formal consent-log audit trail. Do not publish those specific statements as current fact until they are implemented and verified.

Table of contents

  1. Scope — who this policy covers
  2. Categories of personal information we collect
  3. Sensitive personal information
  4. Categories of sources
  5. Business and commercial purposes for collection and use
  6. Cookies, analytics, heatmaps, and session replay (important)
  7. How we disclose information — third parties and service providers
  8. Sale and sharing of personal information
  9. Do-Not-Track and opt-out preference signals (GPC)
  10. Homeowner / indirectly-collected data and the public-records exemption
  11. Data retention
  12. Your California privacy rights
  13. How to exercise your rights
  14. Notice at collection
  15. Data security
  16. If there is a data breach
  17. Processing locations and transfers
  18. California "Shine the Light"
  19. Children's and minors' privacy
  20. Automated and AI processing
  21. Communications — email, calls, and text messages
  22. Future accounts and changes to this policy
  23. Contact us

1. Scope — who this policy covers

This policy applies to two categories of people:

  • (a) Contractor visitors and leads. Pool contractors who browse the Site and/or submit our contractor lead form or brand-kit intake form. Although California's privacy law once exempted business-to-business contacts, that exemption expired on January 1, 2023, so pool contractors who are California residents have the same privacy rights described below.
  • (b) California homeowners. California residents (i) whose property information we obtain from public sources (described in Section 4) and who receive a personalized postcard and/or visit a personalized /l/ landing page showing an AI-generated render of a pool on their property, and (ii) who may also submit their contact information directly to us through the "book a consult" form on a /l/ landing page. For the public-records portion, homeowners did not submit information to us directly; we collected it indirectly from public records and combined or derived new information from it (see Section 10). For the consult form, the homeowner provides the information directly. California privacy rights — including the right to know and the right to delete — apply to both.

If you are not a California resident, we still apply the core protections in this policy to you as a matter of practice, but some rights described are specific to California law.

2. Categories of personal information we collect

The table below lists the categories of personal information we collect and have collected in the preceding 12 months, and the categories we currently intend to collect, using the category labels from the California Consumer Privacy Act (CCPA), as amended by the CPRA. For each category we show the source(s), the purpose(s) (keyed to Section 5), and how long we keep it (keyed to Section 11).

| Statutory category | Examples we collect | From whom (source) | Purpose (see §5) | Retention (see §11) |
|---|---|---|---|---|
| Identifiers | Contractor name, company name, phone number, service territory / city / ZIP; homeowner name, phone number, email address, and property/street address (consult form); parcel identifier (Assessor's Parcel Number / Assessor Identification Number, "APN/AIN"); IP address; device/online identifiers | Contractors (forms); homeowners (consult form + public records); all visitors (analytics) | Operate lead service; deliver mail campaigns; run/measure Site; secure Site; communicate | Contractor form data up to 24 mo; homeowner consult data per campaign + 6–12 mo wind-down; analytics IDs 12 mo |
| Commercial information | Pools-built-per-year, booking link, business/service interest; homeowner pool-style interest | Contractors (forms); homeowners (consult form) | Operate lead service; deliver mail campaigns | Same as the form it was collected on |
| Internet or other electronic network activity | Pages viewed, clicks, navigation paths, scrolling, mouse movement, heatmap interactions, session-replay recordings, page URLs (including /l/ campaign+parcel codes), referring URLs, functional/security cookies | All visitors (PostHog, Cloudflare) — see Section 6 | Run, measure, and improve the Site; secure the Site | Analytics events 12 mo; session replays 30 days |
| Geolocation data (approximate) | Approximate location derived from IP address; service territory; property/parcel location (from public assessor records) | All visitors; homeowners (public records) | Run/measure Site; deliver mail campaigns | IP-derived location with analytics (12 mo); parcel location with campaign data (campaign + 6–12 mo) |
| Professional or employment-related information | Pools-built-per-year; brand kit (business name, brand colors, booking link); uploaded business logo; CSLB (California Contractors State License Board) license number, where collected | Contractors (forms) | Operate lead service; produce branded campaigns | Engagement + 12 mo; logo/license deleted on request or at engagement end |
| Visual information | Uploaded contractor logo image; aerial imagery of a homeowner property; AI-generated pool render | Contractors (forms); homeowners (public sources + our processing) | Produce branded campaigns; deliver mail campaigns | Logo: engagement + 12 mo; renders: campaign + 6–12 mo wind-down |
| Inferences / derived data | AI-generated render of a pool keyed to a specific parcel; selection of a property as a mailing target; basic lead qualification notes about a contractor | Generated by us from the above | Deliver mail campaigns; operate lead service | Renders/parcel linkage: campaign + 6–12 mo; contractor notes up to 24 mo |

We do not collect government ID numbers (other than a publicly-issued CSLB contractor license, where provided), financial-account or payment-card numbers, precise GPS device geolocation, biometric data, health information, or the contents of private messages or communications through the Site.

Note on the contractor lead form: the contractor lead form on the marketing site collects name, company, phone, territory/city, and pools-built-per-year. It does not collect a contractor email address. The brand-kit intake collects a territory ID, an uploaded logo, and an optional confirmation phone number (and, where requested as part of brand setup, a CSLB license number). An email address is collected only from homeowners on the consult form (see Section 4).

Where a specific period is impractical, we retain each category no longer than reasonably necessary for the disclosed purpose, then delete or de-identify it.

3. Sensitive personal information

Under the CPRA, "sensitive personal information" includes things like government IDs (for example, Social Security number or driver's license), financial-account login details, precise geolocation, race or religion, health or sex-life information, and the contents of your mail, email, or text messages where you are not the intended recipient.

We do not intentionally collect or use sensitive personal information to infer characteristics about you. Two points are worth addressing directly:

  • Parcel-level property location. Our homeowner pipeline ties data to a specific property parcel, which is more precise than a roughly 1,850-foot radius. We do not treat this as CPRA "precise geolocation," because it is publicly available property data drawn from government assessor records — it identifies a parcel, not the real-time location of a person's device. [FLAG FOR COUNSEL: confirm this parcel-vs-precise-geolocation position before relying on the "no Limit link" conclusion below.]
  • Session replay and message contents. Session replay (Section 6) is configured to mask form input fields and is not intended to capture the contents of private communications. We do not record private mail, email, or text-message contents. [NOT YET IMPLEMENTED: input masking must still be explicitly configured and verified in a test replay before this statement is published as current fact — see Section 6.2.]

A CSLB contractor license number, where collected, is a publicly issued professional license, not a government identity document, and we use it only to verify and brand a contractor's campaign / brand profile. Because we do not use sensitive personal information beyond the limited purposes permitted by law, the CPRA "Right to Limit the Use of Sensitive Personal Information" produces no action today, and we do not post a "Limit the Use of My Sensitive Personal Information" link. If this ever changes, we will update this policy and add that link.

4. Categories of sources

We obtain personal information from the following sources:

  1. Directly from contractors — when you complete our contractor lead form (name, company, phone, territory/city, pools-per-year) or brand-kit intake (territory ID, logo, optional confirmation phone, and CSLB license number where requested). These forms are processed by Web3Forms, a third-party form backend, which receives and forwards the information you submit to us.
  2. Directly from homeowners — consult booking form — when a homeowner uses the "book a consult" form on a personalized /l/ landing page, they provide their first/last name, phone number, email address (optional), property address, and pool-style interest, which are processed by Web3Forms and routed to the relevant contractor.
  3. Automatically from your device — when you use the Site, through PostHog (analytics, heatmaps, and session replay) and Cloudflare (hosting, content delivery, and security). See Section 6.
  4. Public and indirect sources (for homeowners) — we obtain homeowner property information from:
    • the Los Angeles County Assessor parcel roll (public records);
    • USDA NAIP aerial imagery (public domain, U.S. federal government work); and
    • Microsoft Building Footprints (open data).
  5. Generated by us — information we create from the above, including the AI-generated pool render tied to a specific parcel and the decision to select a property for a mailing.

5. Business and commercial purposes for collection and use

We collect and use personal information for these purposes:

  • To operate the contractor lead service — respond to contractor inquiries, qualify leads, set up and brand a contractor's campaign / brand profile, and follow up about our services.
  • To produce and deliver direct-mail campaigns — select eligible no-pool single-family homes from public records, generate an AI render of a pool on the property, print a personalized postcard, mail it, and route the homeowner to a personalized /l/ landing page showing the render.
  • To handle consult bookings — receive a homeowner's consult-form submission and route it to the relevant contractor.
  • To run, measure, and improve the Site — understand how visitors use the Site, diagnose drop-off, fix problems, and improve design and content (analytics, heatmaps, and session replay).
  • To secure the Site — detect, prevent, and respond to fraud, abuse, security incidents, and technical problems.
  • To communicate with contractors — send service-related (transactional) and, where permitted, marketing messages, and route "book a consult" requests to the contractor's own booking provider.
  • To comply with law — meet legal obligations and exercise or defend legal claims.

We do not use your personal information for purposes that are incompatible with those described here without giving you notice.

6. Cookies, analytics, heatmaps, and session replay (important)

This section describes the tracking technologies we use. Please read the session-replay disclosure (Section 6.2) carefully. It describes how the Site behaves under the deployed consent design.

6.1 What we use

  • Cloudflare (functional / security cookies). Cloudflare hosts and protects the Site. Depending on which Cloudflare features are active, it may set strictly-necessary cookies such as __cf_bm, cf_clearance, or _cfuvid (exact names depend on the security features enabled) to deliver content securely and block malicious traffic. These are essential to the Site's operation.
  • PostHog (analytics, heatmaps, and session replay). We use PostHog Cloud (data sent to us.i.posthog.com) for product analytics, heatmaps, and session recording / session replay. PostHog may store cookies or browser-storage values (such as ph_<token>_posthog and a distinct_id) to recognize a returning device and tie events to a session.

To the best of our knowledge, we do not set third-party advertising or cross-context behavioral-advertising cookies on the Site (that is, we do not use cookies that track you across other companies' sites to target ads).

6.2 Session replay — what it records and your consent

We use session-replay technology provided by PostHog, Inc. When session replay is active, it creates a recording of your interactions with the page and transmits that recording to PostHog. A session-replay recording can capture: mouse movement, clicks and taps, scrolling, the pages you navigate to and the order you view them, the content displayed on the page during your visit, and the web address (URL) of the pages you view — which on a personalized /l/ page includes a code identifying the campaign and the property (parcel). This applies to pages across verapools.com, including the personalized /l/ landing pages.

Plain-language summary first: Session replay records what happens on the page during your visit. A consent banner is shown so that, before any recording starts, you can choose "Accept" or "Reject" with equal ease — and if you reject, nothing is recorded. We do not condition viewing your personalized render on accepting tracking.

Our service-provider position. We engage PostHog strictly as our service provider — a tool that records on our behalf, under contract, and is prohibited from using your interactions for its own purposes. We nonetheless obtain your prior consent before any recording begins, both to respect your privacy and because California law is currently unsettled on whether a contractually-restricted recording vendor is a "third party" for wiretap purposes.

Why we ask for consent (legal background). California's wiretap and eavesdropping law — the California Invasion of Privacy Act, Cal. Penal Code §§ 631 and 632 — is widely read to require the consent of all parties before such a recording begins. In plain terms, everyone involved must agree before the recording starts. Court decisions including Javier v. Assurance IQ (9th Cir. 2022), Mikulsky v. Bloomingdale's (9th Cir. 2025), and Thomas v. Papa John's (9th Cir. 2025) treat routing a visitor's page interactions to a session-replay provider as conduct that requires prior, affirmative consent — a privacy policy a person reads afterward is not enough, and consent inferred from continued use is not enough.

Current state of the Site. As of the Last Updated date, the Site loads PostHog with session recording disabled at initialization. Session replay starts only after you click "Accept" on the consent banner; if you reject, dismiss, or ignore the banner, no replay is recorded. You can also limit collection by blocking cookies/scripts in your browser, by sending a Global Privacy Control signal (which we auto-honor as a decline — see Section 9), or by contacting us at privacy@verapools.com to request that we suppress your data.

Consent design. The following is deployed on the live Site:

  • Off by default, on after Accept. When you first arrive, you see a consent banner. Until you click "Accept," session recording stays disabled and we do not record sessions before you consent.
  • Clicking "Accept" means you consent in advance to the recording, interception, and transmission of your Site interactions to our analytics and session-replay provider (PostHog) for the purposes described in this policy.
  • Equal, honest choice. "Reject" is presented with equal prominence and is as easy to choose as "Accept." No option is pre-selected. If you dismiss, close, scroll past, or ignore the banner without choosing, we treat that as a rejection and do not start replay. We remember your choice (stored locally as your consent preference) so you are not re-prompted unnecessarily.
  • Proof of consent. Session replay is enabled only for sessions where you have affirmatively accepted (a post-consent flag is checked before recording begins). [NOT YET IMPLEMENTED: a formal, server-side consent-log audit trail recording the selection, date/time, and banner version per session is not yet in place; today consent is enforced client-side via the stored preference, and we cannot yet produce a centralized audit log of each choice.]
  • Where the banner runs today. The consent banner and the off-by-default session-replay gate are deployed on our marketing pages (Home, Marketing, Design, About, and this Privacy page). The personalized /l/ landing pages reached from a postcard are a separate system: extending the same consent banner and off-by-default session-replay gate to the /l/ pages is in progress and not yet deployed. Until that ships, if you do not want your activity on a /l/ page recorded, send a Global Privacy Control signal from your browser or email us at privacy@verapools.com and we will suppress replay for you.
  • Form fields are masked. [NOT YET IMPLEMENTED: explicit PostHog input masking and class-based masking selectors on elements echoing submitted data or homeowner PII (name, phone, email, CSLB number, address) must still be configured and verified in a test replay before this statement is published as current fact.] We intend to keep PostHog input masking on, which masks the characters you type into standard form input fields, and to apply class-based masking (for example, PostHog's ph-no-capture / mask-text selectors) to any element that echoes submitted data or displays personal information.

Bridging note: although replay can capture on-screen content generally, our masking is intended so that what you type (name, phone, email, license number, ZIP, address) is not recorded. The masking is only effective once configured and verified as described above.

We retain session-replay recordings for a short, defined window (see Section 11) and do not use them for advertising.

6.3 Device and connection information

PostHog's analytics and heatmaps also collect technical "addressing" information, that is, the technical connection details of your visit, such as your device type, browser, IP address, referring/landing URL, and similar identifiers. Under the deployed consent design, we collect this only after you accept, and we treat your prior consent as authorizing this collection. The application of California's pen-register / trap-and-trace statute (Cal. Penal Code § 638.51) to website analytics is unsettled, and it is one of the items we have flagged for attorney review. The real protection is the prior-consent gate, not a claim that a specific statutory exception clearly applies.

6.4 Managing cookies and your choices

You can control cookies through your browser settings (block or delete cookies). Blocking strictly-necessary Cloudflare cookies may break parts of the Site. You can change your analytics/replay choice at any time by clearing your stored consent preference (or your browser's site data for verapools.com), which re-prompts the consent banner. You can also opt out by blocking cookies/scripts, sending a Global Privacy Control signal, or contacting us at privacy@verapools.com.

7. How we disclose information — third parties and service providers

We do not sell your personal information (see Section 8). We disclose personal information to the following recipients, each of which processes data on our behalf under a contract that makes it a "service provider" under the CCPA (the CCPA also uses the word "contractor" for this legal role — that is different from the pool contractors this Site serves), except where noted:

| Recipient | What they receive | Role |
|---|---|---|
| PostHog Cloud (us.i.posthog.com) | Site analytics events, heatmap data, and session-replay recordings | Service provider — analytics & session replay |
| Web3Forms | Contractor lead-form data (name, company, phone, territory, pools-per-year), contractor brand-intake data (territory ID, logo, optional phone, CSLB number where provided), and homeowner consult-form data (name, phone, email, property address, pool-style interest) | Service provider — form backend |
| Cloudflare | Network/security data, functional cookies; AI renders and assets stored on Cloudflare R2 (renders.verapools.com) | Service provider — hosting, content delivery network (CDN), security, storage |
| AI image provider(s) — see note below | Aerial imagery of a property to generate the pool render | Service provider — render generation |
| Print / mail vendor [PLANNED / CONFIRM] | Mailing name/address and the postcard render | Service provider — printing and mailing |
| The pool contractor's own booking provider | When a homeowner clicks "book a consult," they are handed off to the contractor's independent third-party booking link | Independent third party with its own privacy policy |

AI image providers. We generate renders using third-party AI image API(s). The provider(s) actually in the live render path may be one of OpenAI (gpt-image-1.5), Google (Gemini), or fal.ai (Flux Kontext). [CONFIRM: list only the provider(s) actually invoked in the deployed render pipeline; name fallbacks as "or" alternatives only if they can actually receive data.]

Print / mail vendor. Printing and mailing are part of how the service works. [CONFIRM whether a print/mail vendor is engaged today; if not yet, treat this row as a description of how the service works rather than a current service-provider relationship.]

We may also disclose information to comply with law, respond to lawful requests, protect our rights and safety, or in connection with a business transfer (for example, a merger or sale), with appropriate safeguards.

The pool contractor's booking provider is an independent third party we do not control. Once you leave the Site to book a consult, that provider's own privacy policy governs your information there.

Service-provider status depends on signed agreements. Our "service provider" characterization — and the conclusion that we do not "sell" or "share" personal information — depends on having executed, CCPA-compliant data processing agreements with PostHog, Web3Forms, Cloudflare, and the AI image provider(s) that contain the required restrictions (no sale; no retention, use, or disclosure outside the business purpose; no combining of data). [FLAG FOR COUNSEL: verify each such agreement exists and contains the required Civ. Code §§ 1798.100(d) / 1798.140 service-provider terms before relying on the no-sale/no-share conclusion.]

8. Sale and sharing of personal information

The CCPA defines "sale" broadly, and defines "sharing" to mean disclosing personal information for cross-context behavioral advertising (tracking you across other companies' sites to target ads).

Categories collected, disclosed, sold, and shared (preceding 12 months):

  • Categories collected: Identifiers; Commercial information; Internet/electronic network activity; Geolocation (approximate); Professional or employment-related information; Visual information; and Inferences (see Section 2).
  • Categories disclosed for a business purpose: Identifiers; Commercial information; Internet/electronic network activity; Geolocation (approximate); Professional or employment-related information; Visual information; and Inferences — disclosed to the following categories of third parties: analytics/session-replay providers, form-processing providers, hosting/CDN/security/storage providers, AI image-generation providers, and (where engaged) print/mail vendors.
  • Categories sold: NONE.
  • Categories shared (for cross-context behavioral advertising): NONE.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We do not use third-party advertising cookies or advertising pixels on the Site, and we do not disclose personal information to third parties for their own advertising purposes. Our analytics provider (PostHog) is engaged as a service provider that processes data on our behalf and is contractually restricted from using it for its own purposes (subject to the agreement caveat in Section 7).

We also have no actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Although we do not sell or share personal information, we nonetheless honor opt-out requests and Global Privacy Control (GPC) signals as a direction to stop any disclosure that could be deemed a sale or share, and we provide a "Do Not Sell or Share My Personal Information" path. See Section 9.

Do Not Sell or Share My Personal Information: send a Global Privacy Control signal from your browser (auto-honored as a decline), contact us at privacy@verapools.com, or decline tracking via the consent banner.

9. Do-Not-Track and opt-out preference signals (GPC)

  • Legacy "Do Not Track" (DNT). Web browsers can send a "Do Not Track" signal. There is no industry-standard way to respond to legacy DNT signals, and we do not respond to legacy DNT signals. We disclose this so you are not misled (as required by California's CalOPPA, Cal. Bus. & Prof. Code § 22575(b)(5)).
  • Global Privacy Control (GPC). When your browser sends a GPC signal, we auto-honor it as a decline: we do not start session replay, heatmaps, or non-essential analytics at all for that visit — the signal is honored before any capture begins, and we do not require you to interact with the banner. We also treat GPC as a valid request to opt out of any sale or sharing of your personal information. We process opt-out preference signals within 15 business days of receipt, as required by 11 CCR § 7025. Where feasible we will indicate that an opt-out preference signal has been recognized.

The GPC effect described here (opt out of sale/share and suppress non-essential analytics/session-replay before capture) is the single, authoritative description; Section 8's reference to GPC cross-refers to this section.

10. Homeowner / indirectly-collected data and the public-records exemption

Some information we process about California homeowners is collected indirectly from public sources rather than from the homeowner: the LA County Assessor parcel roll, USDA NAIP aerial imagery, and Microsoft Building Footprints. Homeowners did not opt in to our use of this public-records information. (Separately, a homeowner who fills out the consult form on a /l/ page provides their contact information to us directly — see Sections 1, 2, and 4.)

We want to be transparent about the limits of the "publicly available information" exemption:

  • Public records. Information lawfully made available from government records — such as the existence of a parcel and its assessor data — can fall within the CCPA's "publicly available information" exemption.
  • Derived and combined information is different. When we combine public data and generate new information from it — for example, by selecting a specific property for a mailing and creating an AI render of a pool keyed to that parcel — that derived information is not the same as the original public record, and we do not treat it as exempt. We treat the parcel-to-render linkage and the personalized landing page as personal information subject to your rights.

Notice timing for indirectly-collected data. Because the public-records portion is collected indirectly (at the moment we ingest assessor and imagery data), notice "at or before collection" at that exact moment is not feasible. Our mitigation is that the postcard and the /l/ landing page provide notice at the earliest point of contact with the homeowner, and a homeowner may exercise know/delete/correct rights immediately. [FLAG FOR COUNSEL: confirm that the public-records exemption plus this first-contact notice is sufficient given the derived, non-exempt render.]

Homeowners have the right to know, delete, and correct the information we hold about them — including the derived render and the parcel-to-render linkage and any consult-form data — subject to the verification process in Section 13. Renders and the parcel-to-render linkage are also deleted on the schedule in Section 11 (active campaign plus a 6–12 month wind-down). To make a request, contact us at privacy@verapools.com or [Mailing address available on request]. Because we collected the public-records portion indirectly, you may need to give us enough detail (such as the property address, parcel number, or the URL of the /l/ landing page on your postcard) for us to locate your records.

11. Data retention

We keep personal information only as long as needed for the purposes described in this policy, then delete or de-identify it (that is, remove details that tie it to you). Our retention practices are:

| Category / data | Retention |
|---|---|
| Contractor lead-form submissions (name, company, phone, territory, pools-per-year) | For the active relationship, then up to 24 months after last contact, then deleted |
| Contractor brand-kit intake (territory ID, logo, brand colors, booking link, CSLB # where provided) | For the engagement plus 12 months; logo/license deleted on request or at engagement end |
| Homeowner consult-form submissions (name, phone, email, property address, pool-style interest) | For the active campaign plus a 6–12 month wind-down, then deleted |
| Web3Forms processed submissions | Same as the underlying form; processed submissions purged at the periods above |
| PostHog analytics events (incl. IP-derived approximate location, device identifiers) | 12 months (rolling) |
| PostHog session recordings / replays | 30 days |
| Cloudflare strictly-necessary cookies and security logs | Cookies expire per their stated lifetimes (typically minutes to ~30 days). Security logs are retained only as long as needed for security, fraud-prevention, and network operations (typically up to 90 days); we contractually require deletion when no longer needed |
| Homeowner public-records-derived data and AI renders (Cloudflare R2) | For the active campaign plus a 6–12 month wind-down, then renders and the parcel-to-render linkage are deleted |

Where a specific period is not listed, we retain information only as long as reasonably necessary for the purpose for which it was collected. We may retain limited information longer where required to comply with law, resolve disputes, or enforce agreements.

[CONFIRM each retention period against actual configuration]: PostHog project data-retention setting (free-tier default is 1 year; replay retention is plan-dependent and 30 days may not be the configured value), Cloudflare/R2 lifecycle rules, the 90-day value for security-log retention, and how Web3Forms submissions are actually stored and purged. Adjust the figures above to match configured reality before publishing.

12. Your California privacy rights

If you are a California resident — whether a pool contractor or a homeowner — you have the following rights, subject to legal exceptions and verification. Some rights listed are statutory rights that may produce no action today because of how we operate (we note where this is the case):

  • Right to know / access — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties to whom we disclosed it.
  • Right to delete — request deletion of personal information we collected from or about you.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale/sharing — we do not sell or share personal information; nonetheless we honor opt-out requests and GPC signals as a direction to stop any disclosure that could be deemed a sale or share (see Sections 8–9).
  • Right to limit use of sensitive personal information — California gives residents this right when a business uses sensitive personal information beyond limited permitted purposes. We do not, so there is nothing to limit today; if that changes, we will add a "Limit" control (see Section 3).
  • Right to non-discrimination — we will not discriminate or retaliate against you for exercising your rights. You will receive the same service and price.
  • Right to use an authorized agent — you may designate an authorized agent to make a request on your behalf.

We do not engage in financial-incentive programs that would require additional notice.

13. How to exercise your rights

You can submit a privacy request using either of these methods:

  1. Email: privacy@verapools.com
  2. Mail: Prima Vera Consulting, [Mailing address available on request]

We operate online and have a direct relationship with the pool contractors who use the Site; for them, an email address is a sufficient request method under California regulations. For homeowners — whom we first contact offline by postcard — we offer both email and mail.

Verification. To protect your information, we will verify your identity before fulfilling a request to know, delete, or correct. We may ask you to confirm details we already have, or — for homeowner records collected indirectly — to provide the property address, parcel number, or the /l/ landing-page URL printed on your postcard, so we can match your request to our records. We will not use information you provide for verification for any other purpose.

Authorized agents. An authorized agent may submit a request on your behalf with written permission; we may still ask you to verify your identity directly or confirm the agent's authority.

Timing. We will acknowledge a request within 10 business days and respond within 45 calendar days. If we need more time, we may extend by another 45 days and will tell you why.

Cost. Requests are free unless they are excessive, repetitive, or manifestly unfounded, in which case we may charge a reasonable fee or decline, and will explain why.

We are not required to publish the consumer-request metrics that apply only to businesses handling the personal information of 10 million or more consumers, because we do not meet that threshold.

14. Notice at collection

We provide a notice at collection at or before the point where we collect personal information:

  • On each form (contractor lead form, brand-kit intake, and homeowner consult form), a short notice tells you the categories of information collected, the purpose, whether it is sold or shared (it is not), and links to this policy.
  • For passive collection (PostHog analytics/heatmaps/session replay and Cloudflare cookies), the consent banner described in Section 6 serves as just-in-time notice. Session replay and heatmaps are off until you click "Accept," and are suppressed entirely on a decline or a Global Privacy Control signal. Basic, non-identifying product-analytics events may run under this disclosure so the Site stays measurable; declining or sending GPC opts you out of those as well.
  • For homeowners, this policy and the information printed on your postcard and shown on your /l/ landing page serve as notice of the categories, sources, and purposes described in Sections 2, 4, 5, and 10, at the earliest point of contact (see Section 10).

15. Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information in a manner appropriate to its sensitivity, including HTTPS/TLS (encryption) in transit, access controls, data minimization, and the use of reputable processors (Cloudflare, PostHog, Web3Forms, and our AI render provider(s)). No method of transmission or storage is 100% secure, however, and we cannot guarantee absolute security. You share information with us at your own risk.

16. If there is a data breach

If we discover a security breach affecting California residents' personal information, we will notify affected residents without unreasonable delay, consistent with California Civil Code § 1798.82 (which, as amended effective January 1, 2026, requires notification within 30 calendar days of discovery, subject to permitted delays — for example, a legitimate law-enforcement request, or the time reasonably necessary to determine scope and restore the integrity of the system). Where more than 500 California residents are affected, we will submit a sample notice to the California Attorney General within 15 days of notifying residents. We will provide the information required by law (the nature of the incident, the categories of information involved, and steps you can take). [CONFIRM internal breach-response SLA matches a real, documented incident-response process.]

17. Processing locations and transfers

We and our service providers process personal information in the United States. Our processors (Cloudflare, PostHog, Web3Forms, and AI render provider(s)) may process data in U.S. data centers. By using the Site or providing information to us, you understand that your information will be processed in the United States.

18. California "Shine the Light"

California's "Shine the Light" law (Cal. Civ. Code § 1798.83) lets California residents request information about personal information shared with third parties for those third parties' own direct-marketing purposes. By its terms, it applies only to businesses with 20 or more employees.

As a small business with fewer than 20 employees, we are exempt from Shine the Light. [CONFIRM: verify the under-20-employee headcount before relying on this exemption.] Separately, we also do not disclose your personal information to third parties for their own direct-marketing purposes. If either fact ever changes, we will provide a designated address for these requests and respond within 30 days. You may direct any Shine the Light inquiry to privacy@verapools.com.

19. Children's and minors' privacy

The Site is intended for a general and business audience and is not directed to children. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us at privacy@verapools.com and we will delete it. Consistent with California law, we do not knowingly sell or share the personal information of consumers under 16 without the required opt-in consent.

California minors (Bus. & Prof. Code § 22581). The Site does not currently offer registered user accounts and is not directed to minors. If we introduce contractor accounts in the future (see Section 22) and a registered user is a California minor (under 18), that user may request removal of content or information they posted, and we will honor such requests as required by law. Note that removal may not be complete or comprehensive, and we are not required to remove content where another law requires us to retain it.

20. Automated and AI processing

We use automated processing and third-party AI image service(s) (see the AI-provider note in Section 7) to generate the personalized pool render on a homeowner's property from public aerial imagery. This processing produces a marketing render; it does not make legal, financial, employment, credit, housing, or similar decisions about any person. California is phasing in new rules governing automated decision-making technology (ADMT) over the coming years, and we will update this section and our practices as those rules take effect.

21. Communications — email, calls, and text messages

We describe below the communications we actually send, plus standard protections that would apply only if we launch a calling or texting program.

  • Email (contractors). We may send service-related (transactional) and, where permitted, marketing emails to pool contractors who contact us. Any marketing email includes a working unsubscribe mechanism, accurate sender and subject lines, and our physical mailing address ([Mailing address available on request]), consistent with the CAN-SPAM Act. You can opt out of marketing emails using the unsubscribe link in any such email — that is all that is required, at no cost. You do not have to give us any other information or take any other step; we honor opt-out requests within 10 business days. You may also contact us at privacy@verapools.com as an additional (not required) path.
  • Calls and texts — [ONLY IF a calling/texting program is launched]. We do not currently operate an SMS, autodialed, prerecorded, or AI-voice marketing program. If we ever do, we will not place autodialed, prerecorded, AI-voice, or text-message marketing communications without the prior express written consent required by the Telephone Consumer Protection Act (TCPA) and California law, and such consent will never be a condition of receiving our services. In that case we would honor "STOP"/opt-out and revocation requests, maintain an internal Do-Not-Call list, honor the National Do-Not-Call Registry, disclose any prerecorded or AI-generated voice at the start of the call, restrict marketing calls to between 9 a.m. and 9 p.m. in the recipient's local time zone, and provide caller-ID and callback information, consistent with California rules (including AB 2905).
  • Book a consult. When you click "book a consult," you are routed to the pool contractor's own third-party booking provider. Any communications you arrange there are governed by that provider's terms and privacy policy.

To opt out of our communications, use the unsubscribe link in any marketing email, reply "STOP" to any text (if we operate a texting program), or contact us at privacy@verapools.com.

22. Future accounts and changes to this policy

We do not currently offer user accounts or logins on the Site. We may introduce pool-contractor accounts (a dashboard) in the future; if we do, we will update this policy to describe any new data practices, and the minors' provisions in Section 19 (Bus. & Prof. Code § 22581) would apply to any registered California minor.

We may update this Privacy Policy from time to time, and we review and update it at least once every 12 months, as required by California law. When we make changes, we will revise the "Last updated" date at the top and, where appropriate, provide additional notice.

Your continued use of the Site after an update means you accept the revised policy with respect to non-tracking practices. We do NOT rely on continued use as consent for session replay, heatmaps, or non-essential analytics — those begin only after you affirmatively click "Accept" on the consent banner, and a material change to our session-replay practices will re-prompt you for fresh consent through the banner.

23. Contact us

If you have questions about this policy or want to exercise your privacy rights, contact us:

Prima Vera Consulting (d/b/a "Vera Pools")
[Mailing address available on request]
privacy@verapools.com


This Privacy Policy is provided for general informational purposes only and is not legal advice. Have a licensed California privacy attorney review it — including the session-replay consent design and banner copy, and every statement marked [NOT YET IMPLEMENTED], [CONFIRM], or [FLAG FOR COUNSEL] — before publishing or relying on it.