Privacy Policy
Last updated: September 19, 2025
This Privacy Policy explains how [Nimbl Inc.] (“TrustNimbl,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you visit trustnimbl.com and any site pages, forms, or tools that link to this Policy (the “Services”).
If you use TrustNimbl through an organization account, your organization may be the data controller (or “business” under U.S. law). In that case, we process certain data as a processor/service provider under our agreement with your organization.
If you do not agree with this Policy, please do not access or use the Services.
1) Who we are & how to contact us
- Controller: NIMBL LLC,
- Privacy contact: [[email protected]]
2) Scope
This Policy covers personal information we process about:
- Visitors to trustnimbl.com (WordPress CMS served via Cloudflare)
- Prospective customers and partners who engage with HubSpot forms, chat, landing pages, or emails
- Individuals who contact us for demos, trials, or support
It does not apply to third‑party sites or services linked from our site.
3) Notice at Collection (what we collect, from where, and why)
A. Information you provide (via WordPress/HubSpot forms or email)
- Identifiers & contact: name, email, phone, company, role/title
Purposes: demos, sales follow‑up, support, service communications
Legal bases (EEA/UK/CH): contract; legitimate interests; consent (marketing)
- Account/demo details (if applicable): preferences, notes, meeting info
Purposes: provide requested Services, onboarding, support
Bases: contract; legitimate interests
- Marketing preferences (opt‑in/opt‑out captured in HubSpot)
Purposes: honor your choices; send only permitted communications
Bases: consent; legal obligations
Payments: If any payments occur, they are processed by a third‑party payment provider (not HubSpot core, not WordPress). We do not store full card numbers on our servers.
B. Information collected automatically (primarily by Cloudflare & WordPress)
- Technical & usage data: IP address, approximate location (from IP), device and browser type, referral URL/UTM, pages viewed, timestamps, error and firewall events, and general clickstream.
Purposes: deliver the site at the edge, performance/caching, DDoS and bot defense, logging/forensics, reliability and improvement.
Bases: legitimate interests; consent where required for non‑essential cookies.
C. Information from third parties
- B2B lead enrichment & attribution (through HubSpot and connected integrations you authorize)
Purposes: sales pipeline and marketing analytics (B2B context)
Bases: legitimate interests; consent where required
We do not intentionally collect sensitive personal information (e.g., government IDs, precise geolocation) via the marketing site. Please avoid submitting sensitive data in free‑text fields.
4) How we use personal information
We use personal information to:
- Provide, operate, secure, and maintain the Services (Cloudflare edge delivery/WAF; WordPress CMS)
- Respond to requests (demos, contact forms, email replies) and provide support
- Operate HubSpot CRM for pipeline management, marketing lists, and communications, consistent with your permissions
- Analyze traffic and usage to improve performance, content relevance, and reliability
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Comply with legal obligations and enforce agreements
We do not engage in automated decision‑making that produces legal or similarly significant effects without human involvement.
5) Legal bases (EEA/UK/Swiss users)
Depending on the context, we rely on: contract, legitimate interests (e.g., site security, service improvement, B2B marketing), consent (e.g., non‑essential cookies, marketing emails), and legal obligations (e.g., compliance and recordkeeping).
You can withdraw consent at any time where consent is the basis.
6) How we share information (and with whom)
We share personal information with:
- Cloudflare, Inc. – hosting/CDN, DNS, WAF, DDoS protection, edge caching and load balancing. Cloudflare processes IP addresses and other technical data to secure and deliver the site.
- HubSpot, Inc. – CRM, marketing automation, landing pages and forms, email delivery, analytics related to those features (e.g., email opens/clicks if you consent to marketing).
- WordPress (self‑hosted CMS) – WordPress core software runs on our infrastructure; it sets functional cookies for login/session and preferences. If we use Automattic/Jetpack/Akismet or other plugins, they may act as additional processors (see Subprocessors).
- Professional advisors – legal, accounting, and security consultants under confidentiality.
- Authorities or third parties – where required by law or necessary to protect rights, safety, and the integrity of the Services.
- Corporate transactions – in a merger, acquisition, financing, or sale of assets, in line with this Policy.
We do not “sell” personal information and we do not “share” it for cross‑context behavioral advertising as defined under California law. If this changes, we will update this Policy and provide the required opt‑out mechanisms.
7) Cookies & similar technologies (Cloudflare • WordPress • HubSpot)
We use cookies and similar technologies for functionality, security, and analytics related to our stack. You can manage preferences via our cookie banner (where available) and your browser settings. See our full Cookies Settings for trustnimbl.com.
8) International transfers
We may transfer, store, and process information outside your country (including the U.S.), where Cloudflare and HubSpot operate globally distributed infrastructure. Where legally required, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures. Details are available on request.
9) Data retention
We retain personal information only as long as necessary for the purposes described and to comply with legal requirements, resolve disputes, and enforce agreements. Illustrative windows:
- HubSpot CRM contacts & engagement data: retained while there is an active business relationship or legitimate interest in B2B communications, and deleted or de‑identified thereafter per policy and legal obligations.
- Cloudflare logs and security telemetry: retained for operational troubleshooting and security windows.
- WordPress application logs/content: retained for site operations and backups.
Upon expiration, we delete or de‑identify data unless the law requires longer retention.
10) Security
We implement administrative, technical, and physical safeguards appropriate to the risk, including Cloudflare WAF/DDoS protection and TLS, least‑privilege access, and logging/monitoring. No method is 100% secure; if we learn of a breach affecting your rights, we will notify you as required by law.
11) Your privacy rights
Depending on your location and law, and subject to verification, you may be able to:
- Access the personal information we hold about you
- Correct inaccurate information
- Delete your information
- Port your information in a usable format
- Restrict or object to certain processing (EEA/UK)
- Withdraw consent where processing is based on consent
- Opt out of marketing communications at any time
How to exercise: Email [[email protected]] with your request and enough information to verify your identity. If you’re in the EEA/UK/CH, you may also contact your local data protection authority.
Appeals (certain U.S. states): If we decline your request, reply to our decision email with “Appeal” in the subject. If denied again, you may contact your state Attorney General.
Authorized agents (CA): You may designate an agent with written authorization and direct verification.
Non‑discrimination: We will not discriminate against you for exercising your rights.
12) Marketing communications (HubSpot)
If you opt in, we may send you newsletters or product updates using HubSpot. You can opt out of these emails by using the unsubscribe link or by contacting [[email protected]]. We may still send non‑marketing service notices (e.g., security or transactional messages).
13) Children’s privacy
The Services are not directed to children and we do not knowingly collect personal information from individuals under 16 (or the age required by local law). If you believe a child has provided information, contact us to request deletion.
14) Third‑party links and embeds
Our site may link to or embed third‑party content (e.g., videos, social posts). We do not control those sites and are not responsible for their privacy practices. Review their policies before providing data.
15) AI/product‑specific disclosures (if applicable)
If TrustNimbl offers AI features:
- Customer content: processed to provide the feature and maintain security.
- Model training: We [do not] use your content to train foundation models [unless you opt in].
- Third‑party models: If used, they operate under contract and security commitments. We will disclose details within the feature UI or docs.
(Adjust this section to reflect your actual capabilities.)
16) Changes to this Policy
We may update this Policy from time to time. The “Last updated” date shows the latest version. If changes materially affect your rights, we will provide additional notice (e.g., on‑site notice or email to account holders) as required.
17) How to contact us
[Company Legal Name]
Attn: Privacy
Address: [street, city, region, postal code, country]
Email: [[email protected]]
Regional supplements
A) California (CPRA/CCPA)
Categories collected (last 12 months): identifiers (e.g., name, email, IP), internet/network activity (e.g., browsing, usage), commercial information (e.g., demo interest), geolocation (approximate from IP), and inferences (if created in HubSpot to segment B2B interests).
Sources: you; your device/browser (via Cloudflare/WordPress); HubSpot forms and email interactions.
Purposes & disclosures: as described above (security, delivery, analytics via Cloudflare; CRM and marketing operations via HubSpot; CMS functionality via WordPress).
Selling/Sharing: We do not “sell” personal information and do not “share” it for cross‑context behavioral advertising. If this changes, we will add a “Do Not Sell or Share My Personal Information” link and honor applicable opt‑out signals (e.g., GPC).
Sensitive personal information: Not collected via the marketing site.
Retention: See §9.
Your CPRA rights: know/access, correct, delete, portability, limit SPI (if applicable), and opt out of sale/sharing/targeted ads (if applicable). Exercise rights per §11.
Non‑discrimination: We do not discriminate for rights exercises.
Financial incentives: We do not offer programs involving sale/sharing of PI. If introduced, we will disclose terms and obtain consent.
B) Virginia / Colorado / Connecticut / Utah & other U.S. state laws
Where applicable, you may access, correct, delete, obtain a copy of your data, and opt out of targeted advertising, sale, and certain profiling. Exercise rights per §11; an appeals process is available (see §11).
C) EEA/UK/Switzerland
- Controller: [Company Legal Name] (see §1)
- Transfers: safeguarded via SCCs and other measures (see §8)
- Your rights: access, rectification, erasure, restriction, portability, objection, and consent withdrawal (see §11).
- Complaints: You may lodge a complaint with your local supervisory authority.
Subprocessors & infrastructure (stack‑specific)
We maintain an up‑to‑date list at /subprocessors. As of the “Last updated” date, the core stack is:
- Cloudflare, Inc. (Global) – DNS, CDN/edge hosting, WAF/DDoS, load balancing, caching, log delivery; processes IPs, request metadata, and security telemetry to secure and deliver the site.
- HubSpot, Inc. (U.S./Global) – CRM, marketing automation, forms, landing pages, chat, and email delivery; processes contact and engagement data under our instructions.
- WordPress (self‑hosted CMS) – Application software running on our infrastructure. Note: If we enable additional Automattic services or plugins that process personal data (e.g., Jetpack, Akismet), they will appear on /subprocessors.
Cookie summary (stack‑specific examples)
| Type | Provider | What it does | Typical duration |
| --- | --- | --- | --- |
| Strictly necessary | Cloudflare (__cf_bm, __cfruid, cf_clearance, _cflb) | Security challenges, bot mitigation, and load balancing | Session–30 days |
| Functional | WordPress (wordpress_logged_in_, wordpress_sec_, wp-settings-, wp-settings-time-, wp_lang, wordpress_test_cookie) | Auth/session and preference cookies for CMS | Session–1 year |
| Analytics/ops | HubSpot (hubspotutk, __hstc, __hssc, __hssrc) | Visit tracking tied to HubSpot pages/forms; campaign attribution | Session–6 months |