Privacy & Data Protection Policy — Highly Persuasive
Effective: March 2026
Replaces all prior versions
1. Who We Are
Highly Persuasive is a global brand strategy and positioning consultancy operating across the United States, Thailand, Singapore, Australia, and broader international markets. We operate through the following entities:
| Region | Role | Legal Entity | Address |
|---|---|---|---|
| United States | Data Controller | Highly Persuasive LLC | 7311 West Highway 326, Ocala, FL 34482 |
| Thailand | Joint Controller | Highly Persuasive (DBA) | 110 Vibhavadi Rangsit Rd, Din Daeng District, Bangkok 10400 |
| Singapore | Operational Presence | Highly Persuasive | Singapore (regional hub) |
Data Protection Contact: [email protected]
Subject line: Privacy / Data Request
We serve clients and website visitors worldwide. We do not deliberately target or monitor individuals in the EU/EEA or United Kingdom; however, where EU/UK residents engage with us, we apply appropriate protective standards.
2. Scope & Governing Law
This Policy governs all personal data we process through:
- HighlyPersuasive.com and all subdomains
- The DemandSignals™ content library and email subscription list
- Client inquiry and engagement processes
- Outbound business development communications
- Client project work and deliverable production
We comply with the following legal frameworks:
United States — FTC Act, CAN-SPAM Act, COPPA, and applicable state privacy statutes including CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and TDPSA (Texas).
Thailand — Personal Data Protection Act B.E. 2562 (PDPA).
Singapore — Personal Data Protection Act 2012 (PDPA SG) and applicable IMDA guidelines.
Australia — Privacy Act 1988, Australian Privacy Principles (APPs), and Spam Act 2003.
Canada — PIPEDA and Québec Law 25.
When applicable laws conflict, we apply the higher-protection standard for the individual.
3. Key Definitions
- Personal Data (PD) — information that identifies or can reasonably be linked to an individual.
- Business Contact Data — names, job titles, company names, work email addresses, and business phone numbers used in a professional context.
- Sensitive PD — race/ethnicity, biometrics, precise geolocation, children’s data, and other categories designated as sensitive under applicable law.
- Processing — any operation on personal data, including collection, storage, use, disclosure, transfer, and deletion.
- Controller — the entity that determines the purposes and means of processing.
- Processor — a third party that processes data on our behalf.
4. Data We Collect & Why
4.1 Site Visitors
| Category | Examples | Legal Basis | Purpose |
|---|---|---|---|
| Identity | Name, title, company name | Contract; Legitimate Interest | Inquiry handling, onboarding |
| Contact | Email, phone, postal address | Contract; Consent | Communication, project delivery |
| Behavioral | IP address, device ID, pages visited, session duration | Legitimate Interest | Site security, UX optimization |
| Analytics | Aggregated traffic metrics, referral sources | Legitimate Interest | Site performance measurement |
| Marketing | Cookie IDs, ad campaign tags, UTM parameters | Consent | Analytics, remarketing |
4.2 DemandSignals™ Subscribers
When you subscribe to the DemandSignals™ newsletter or download any resource, we collect your name, email address, company name (optional), and engagement behavior (opens, clicks). This data is used to deliver content, measure engagement, and — with your consent — to inform you about Highly Persuasive services. You may unsubscribe at any time.
4.3 Prospective Clients (Outbound)
As part of our business development, we may process professional contact data obtained through lawful means including LinkedIn Sales Navigator, Apollo.io, Hunter.io, public company websites, industry directories, and publicly available professional profiles.
This data is limited to business contact information (name, job title, company, work email). We do not process personal contact data (personal emails, personal phone numbers, home addresses) obtained from these sources. All outbound communications comply with CAN-SPAM, CASL, and PDPA requirements and include clear opt-out mechanisms. Individuals may request removal from our prospect database at any time by contacting [email protected].
4.4 Client Project Data
In the course of delivering consulting engagements, we may receive, process, or generate data that includes:
- Stakeholder interview notes and recordings (with consent)
- Customer research data, survey responses, and market intelligence
- Internal commercial data shared by clients under confidentiality
- Brand asset files and proprietary business information
Such data is processed solely for the purpose of the engagement, stored securely, shared only with team members directly involved in the project, and is not used for any other purpose, including marketing or training AI systems. Project data retention is governed by the applicable client agreement; default retention is 24 months post-engagement, after which it is securely deleted unless otherwise agreed.
4.5 Job Applicants
Applications submitted to Highly Persuasive are processed for recruitment purposes only. Data is retained for 12 months following a final hiring decision and deleted on request.
5. AI & Automated Tools
We use AI tools to support research, content drafting, analysis, data enrichment, and internal workflow. Current categories include:
- Content assistance — AI writing and editing tools may be used in the production of DemandSignals™ articles and client deliverables. All output is human driven and human-reviewed before publication or delivery.
- Lead scoring and enrichment — tools that help prioritize outreach based on firmographic and behavioral signals.
- Communication tools — AI-assisted email drafting used internally.
We do not use facial recognition, emotion inference, biometric analysis, or high-risk AI systems as defined under applicable law. No automated decision-making with material legal or commercial consequences is applied to individuals without human review.
Client data and personal data processed through our work are not used to train any AI model, whether operated by us or a third party.
6. Cookies & Tracking Technologies
We deploy cookies and tracking technologies in the following categories, loaded only after obtaining consent through our cookie banner:
| Category | Examples | Purpose |
|---|---|---|
| Strictly Necessary | Session cookies, consent preference cookies | Site functionality; cannot be disabled |
| Performance / Analytics | Google Analytics 4, Hotjar | Visitor behavior analysis, performance measurement |
| Functional | Chat preferences, form state | Enhanced user experience |
| Advertising / Remarketing | Google Ads tag, LinkedIn Insight Tag, Meta Pixel | Campaign attribution, retargeting |
Consent can be withdrawn at any time by revisiting cookie settings. We honor the Global Privacy Control (GPC) signal for U.S. residents. Browser “Do Not Track” (DNT) headers are not acted upon as there is no consistent industry standard.
Full cookie details including retention periods are available at highlypersuasive.com/cookies.
7. How We Use Personal Data
- Deliver consulting services and digital products you request
- Respond to inquiries and manage the client intake process
- Personalize site content and marketing communications
- Distribute DemandSignals™ and related content
- Conduct outbound business development with business contacts
- Measure and improve site performance and usability
- Detect, investigate, and prevent fraud or security incidents
- Comply with legal, tax, and audit obligations
We do not sell personal data. We do not share personal data with third parties for their direct marketing purposes without explicit consent.
8. Data Retention
| Dataset | Trigger | Retention Period |
|---|---|---|
| Client contracts and invoices | Last transaction | 7 years (tax obligation) |
| Client project files and deliverables | Engagement completion | 24 months (or per agreement) |
| Marketing contacts / DemandSignals™ subscribers | Last interaction | 26 months |
| Prospect / outbound database | Last contact or opt-out | 12 months |
| Analytics and behavioral data | Collection | 26 months (GA4 default) |
| AI-assisted processing logs | Model cycle | Up to 12 months; aggregated thereafter |
| Job applications | Final hiring decision | 12 months |
Data is securely deleted after the applicable retention period unless retention is required by law.
9. Your Rights
United States (State Privacy Laws)
Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, and other states with applicable privacy laws have the right to: access their personal data; request correction; request deletion; opt out of sale, sharing, or targeted advertising; and limit the use of sensitive personal data.
To exercise rights: email [email protected] with subject line “Privacy Request — [State].” We will respond within 45 days. We do not discriminate against individuals who exercise privacy rights.
California residents: You have the right to know the categories of personal data collected and the purposes for which it is used. We do not sell or share personal data as defined under CCPA/CPRA. You may submit a request through the contact above or through an authorized agent.
Thailand (PDPA)
You have the right to: access your data; request rectification; request erasure; restrict processing; data portability; withdraw consent at any time; and lodge a complaint with Thailand’s Personal Data Protection Committee (PDPC). We respond to requests within 30 days, with a possible 15-day extension for complex requests.
Singapore (PDPA SG)
You have the right to access and correct personal data we hold about you. Requests will be responded to within 30 days. You may withdraw consent for non-essential processing at any time.
Australia (Privacy Act / APPs)
You have the right to access and correct personal data. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC).
Canada (PIPEDA / Québec Law 25)
You have the right to access, correct, and withdraw consent for your personal data. Complaints may be lodged with the Office of the Privacy Commissioner of Canada (OPC). Québec residents have additional rights under Law 25, including the right to data portability.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- TLS 1.3 encryption in transit; HSTS enabled (12-month preload)
- AES-256 encryption at rest on applicable cloud storage systems
- Role-based access controls and multi-factor authentication for staff
- Restricted access to client project data on a need-to-know basis
- Regular security assessments and monitoring
Breach Notification:
- United States (state laws): within 30–45 days per applicable state statute
- Thailand (PDPA): notification to PDPC and affected individuals within 72 hours of discovery
- Singapore (PDPA SG): notification to PDPC within 3 calendar days for notifiable breaches
- Australia (NDB Scheme): within 30 days
- Canada (PIPEDA): as soon as feasible following discovery
11. International Data Transfers
Personal data collected in Thailand, Singapore, or Australia may be transferred to and processed in the United States (primary hosting infrastructure). We rely on contractual safeguards, including data processing agreements, encryption, and access controls, to ensure adequate protection during international transfers.
Clients and prospects engaging with our Thailand or Singapore operations acknowledge that their data may be processed in the United States in connection with service delivery.
12. Disclosure & Third-Party Sharing
We share personal data only in the following circumstances:
- With vetted sub-processors under data processing agreements (current sub-processors include cloud hosting, analytics platforms, CRM tools, and email delivery services)
- To comply with valid legal process, subpoenas, court orders, or lawful governmental requests
- In connection with a merger, acquisition, or sale of business assets, with advance notice where possible
- To prevent or respond to fraud, security incidents, or imminent harm
We do not share personal data with third parties for their direct marketing without explicit consent.
13. Email, SMS & Outbound Communications
United States: We comply with the CAN-SPAM Act. All commercial emails include a clear identifier, physical address, and unsubscribe mechanism. Opt-out requests are honored within 10 business days.
Canada: We comply with CASL. Commercial electronic messages are sent only to recipients who have provided express or implied consent under CASL. All messages include identification and unsubscribe mechanisms.
Australia: We comply with the Spam Act 2003. All commercial emails include functional unsubscribe mechanisms and are processed within 5 business days.
Thailand: All direct marketing to Thai residents is conducted with appropriate consent under PDPA. Individuals may withdraw consent at any time.
Transactional and service-related messages (engagement updates, invoices, delivery confirmations) are exempt from opt-out requirements but remain subject to our data handling standards.
14. Children’s Privacy
Our services are directed at business professionals and are not intended for individuals under 16. We do not knowingly collect personal data from children. If we discover we have inadvertently collected data from a minor, we will delete it immediately. Parents or guardians may contact [email protected] to request deletion.
15. Sub-Processors
We use vetted third-party sub-processors in the delivery of our services and operation of this site. Current categories include:
| Category | Examples |
|---|---|
| Cloud hosting & infrastructure | AWS (us-east-1, ap-southeast-1) |
| Analytics | Google Analytics 4, Hotjar |
| CRM & marketing automation | ActiveCampaign or equivalent |
| Email delivery | Google Workspace |
| Advertising | Google Ads, LinkedIn Ads, Meta |
| Payments | Stripe, PayPal |
| Contact research | LinkedIn Sales Navigator, Apollo.io |
| Project management | Notion, Slack or equivalent |
| AI writing assistance | Anthropic Claude, OpenAI |
All sub-processors are bound by appropriate data processing agreements.
16. Limitation of Liability
Except as required by law, Highly Persuasive’s total aggregate liability under this Policy shall not exceed USD $100 or the amount paid to us in the preceding 12 months, whichever is greater.
17. Changes to This Policy
We may update this Policy to reflect changes in our practices, services, or applicable law. Material changes will be indicated by updating the “Effective” date at the top of this page. Where required by law, we will provide advance notice of material changes by email.
18. Questions, Requests & Complaints
For any privacy-related inquiry, data access request, or complaint:
Email: [email protected]
Subject line: Privacy Request
Web: highlypersuasive.com/contact-us
You also have the right to lodge a complaint with your applicable data protection authority:
- United States: Your state Attorney General’s office
- Thailand: Personal Data Protection Committee (PDPC)
- Singapore: Personal Data Protection Commission (PDPC SG)
- Australia: Office of the Australian Information Commissioner (OAIC)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
