This Privacy Policy explains how EARNS & BARNS LLC (“Earns & Barns,” “we,” “us,” or “our”) collects, uses, shares, and protects information about visitors to earnsandbarns.com (the “Site”) and clients who engage us for digital marketing and SEO services (the “Services”).
We are a small studio with a small footprint. We have done our best to keep this document short, honest, and useful. Where the law gives you specific rights — for example under the EU/UK GDPR or the California CCPA / CPRA — we say so and tell you how to use them.
1. Summary
- What we collect: contact-form submissions, basic server logs, optional analytics if you accept cookies.
- Why: to answer you, to scope and deliver client work, to keep the site secure and improve it.
- Who else sees it: a handful of named vendors (email, hosting, analytics). Listed below.
- How long: contact requests for up to 24 months unless you become a client; client records as required by tax and contract law.
- Your rights: access, correction, deletion, portability, opt-out — exercised by emailing hello@earnsandbarns.com.
2. Scope of this policy
This policy covers personal information processed by Earns & Barns acting as a controller — meaning we decide why and how it is processed. That includes:
- Information you submit through the contact form on the Site.
- Email and phone correspondence with the studio.
- Information collected automatically when you visit the Site (server logs, optional analytics).
- Information collected during a paid engagement that relates to you personally (your name as a client signatory, billing contact, account credentials we are given for delivery).
When we handle the personal data of your customers on your behalf — for example by running your CRM, analytics, or email program — we act as a processor under your instructions. Our handling in that role is governed by the Master Services Agreement and a Data Processing Addendum (DPA) we'll sign with you before any such data is in scope.
3. What we collect
3.1 Information you give us
When you use the contact form or email the studio, you may give us:
- Name and (optionally) company name
- Email address and (optionally) phone number
- Website URL
- Industry and a budget band
- The free-text message you write
We don't use account passwords, government IDs, payment card data, or health information through the Site. If a client engagement ever requires us to receive payment information, we use a PCI-DSS-compliant processor and we never store card numbers on our infrastructure.
3.2 Information collected automatically
Our hosting provider records standard request logs that may include:
- IP address (truncated to the /24 block after 30 days)
- User-agent string and referrer
- Timestamp, requested URL, and HTTP status
These logs exist to debug errors and resist abuse. They are not used to profile you for advertising. If you accept analytics cookies, we may also process the limited analytics events described in our Cookie Policy.
3.3 What we don't collect
- We do not buy personal information from data brokers.
- We do not run third-party advertising pixels (no Meta Pixel, no TikTok Pixel, no LinkedIn Insight on this Site).
- We do not fingerprint browsers or use session-replay tools (Hotjar, FullStory, etc.) on the Site.
- We do not knowingly collect information from children. See Children's privacy.
4. How we use information
| Purpose | Example | Legal basis (GDPR) |
|---|---|---|
| Reply to your inquiry | Sending you a quote or scheduling a discovery call | Legitimate interest; pre-contract steps at your request |
| Deliver Services | Running a campaign you've engaged us to run | Contract performance |
| Run the studio | Invoicing, payment, tax records | Legal obligation; contract |
| Security & abuse prevention | Rate-limiting the contact form, log review | Legitimate interest |
| Improve the Site | Aggregate analytics (only if you accept) | Consent |
| Legal compliance | Responding to lawful requests; record-keeping | Legal obligation |
5. Legal basis for processing (GDPR)
If you are in the EU, UK, or another GDPR-equivalent jurisdiction, we rely on the following legal bases:
- Article 6(1)(a) — Consent: optional analytics cookies; marketing emails (we don't currently send any).
- Article 6(1)(b) — Contract: performing the Services you've engaged us to perform.
- Article 6(1)(c) — Legal obligation: tax, anti-fraud, and other statutory records.
- Article 6(1)(f) — Legitimate interest: replying to inquiries, abuse prevention, basic server logs. We have balanced these interests against your rights and freedoms and documented the assessment in our internal records.
6. Sharing & subprocessors
We don't sell your personal information or share it for cross-context behavioral advertising. We use a small, named set of vendors (“subprocessors”) to operate the studio. Each is bound by a written agreement that meets the relevant data protection standards.
| Vendor | Purpose | Region | Safeguard |
|---|---|---|---|
| Vercel | Site hosting & serverless functions | USA / Global edge | SCCs · DPA |
| Cloudflare | DNS & abuse mitigation | USA / Global edge | SCCs · DPA |
| Google Workspace | Email, calendar, drive (studio operations) | USA / EU | SCCs · DPA |
| Postmark | Transactional email (contact-form delivery) | USA | SCCs · DPA |
| Plausible Analytics | Privacy-friendly Site analytics (cookieless by default) | EU (Germany) | GDPR-native |
| Stripe | Invoicing & payment processing for clients | USA / EU | SCCs · DPA · PCI-DSS L1 |
If we add or remove a subprocessor we'll update this list. Active clients can subscribe to subprocessor change notifications by emailing hello@earnsandbarns.com.
We may also disclose personal information when required by law (subpoena, court order, lawful government request), to protect rights or safety, or in connection with a corporate transaction (merger, acquisition, asset sale) — in which case we will require the recipient to honor this policy or notify you.
7. International data transfers
We operate from the United States. If you are in the EU/UK or another region with cross-border transfer rules, your information may be transferred to and processed in the US. We rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum with each subprocessor. We perform a transfer impact assessment before adding any vendor outside the EEA/UK.
8. Retention
| Category | Retention | Why |
|---|---|---|
| Contact-form inbound | Up to 24 months from last interaction | Future inquiry follow-up |
| Client correspondence | Term of engagement + 7 years | Tax / dispute / contract |
| Invoices & financial records | 7 years | IRS / Wyoming statute |
| Server logs (raw) | 30 days | Debugging & security |
| Aggregate analytics | 26 months | Comparing year-over-year |
| Backups | 30 days, rolling | Disaster recovery |
9. Security
We take a defense-in-depth approach proportional to the data we hold. Highlights live on the Trust & Security page. In short:
- TLS 1.2+ for all data in transit; HSTS on every public domain.
- Encrypted-at-rest data stores using AES-256 (provider-managed).
- Single sign-on with multi-factor authentication required for every studio account.
- Principle of least privilege; access reviews each quarter.
- Documented incident response with a 72-hour breach-notification SLA aligned to GDPR Art. 33.
No system is 100% secure. If you believe you've found a vulnerability, please email security@earnsandbarns.com.
10. Your rights under the GDPR
If GDPR or UK GDPR applies to you, you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify data that's inaccurate or incomplete (Art. 16).
- Erase data when the legal basis no longer applies (Art. 17, “right to be forgotten”).
- Restrict processing in certain circumstances (Art. 18).
- Port data you gave us in a machine-readable format (Art. 20).
- Object to processing based on legitimate interest, including profiling (Art. 21).
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with your local supervisory authority. A list is at edpb.europa.eu.
To exercise any of these rights, email hello@earnsandbarns.com with the subject line “Data Rights Request.” We will reply within 30 days. We may ask you to verify your identity before releasing data. There is no charge.
11. Your rights under the CCPA / CPRA (California)
If you are a California resident, you have the right to:
- Know what categories and specific pieces of personal information we've collected about you in the past 12 months.
- Delete personal information we collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
- Limit the use of sensitive personal information (we don't collect any from the Site, but the right exists).
- Not be discriminated against for exercising any of these rights.
In the prior 12 months we collected the categories listed in Section 3. We disclosed information to the subprocessors listed in Section 6 for the operational purposes described. We did not sell or share personal information as those terms are defined under CCPA / CPRA.
To make a request: email hello@earnsandbarns.com with the subject line “CCPA Request.” You may use an authorized agent; we'll ask for written proof of authorization.
12. Do Not Sell or Share My Personal Information
We also recognize the Global Privacy Control (GPC) browser signal as a valid opt-out request. If your browser sends GPC, our cookie consent module records a “reject non-essential” choice automatically.
13. Children's privacy
The Site and the Services are designed for businesses. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information through the Site, please email us and we'll delete it.
14. Cookies & tracking
See the dedicated Cookie Policy. In short: we set one strictly necessary cookie to remember your consent choice. Analytics are off until you accept.
15. Automated decision-making
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects for visitors of the Site. Our team reviews every quote, every audit, and every onboarding by hand.
16. Changes to this policy
We'll update this policy when our practices or the law change. The version date at the top reflects the most recent revision. For material changes (adding a new category of data, a new purpose, a new region of transfer) we will give at least 30 days' notice via a banner on the Site and, where we have your email, by direct message.
Past versions are archived in the public git history of this Site, so you can compare what changed.
17. Contact us
For privacy questions, requests, or complaints:
- Email: hello@earnsandbarns.com (subject line “Privacy”)
- Security disclosures: security@earnsandbarns.com
- Postal address: EARNS & BARNS LLC, 339 W Burkitt St, Sheridan, WY 82801, USA
- Phone: +1 (681) 284-1515 (Mon–Fri · 8a–6p MT)
We don't currently appoint an EU/UK representative under GDPR Art. 27 because we do not regularly process EU/UK data on a scale that requires one. If that changes, we'll list the representative here.