Privacy Policy

1. Introduction

Hellhorse Performance LLC d/b/a Gray Reserve ("Gray Reserve," "we," "us," or "our") operates the website grayreserve.com (the "Site") and the Gray Reserve platform (the "Platform"). This Privacy Policy describes how we collect, use, disclose, and protect the personal information of visitors, users, and clients of the Site and Platform. We are committed to protecting your privacy and handling your data with transparency and care.

This Privacy Policy applies to information we collect through the Site, the Platform, via email, SMS, or other electronic communications, and through any of our online services. By using the Site or Platform, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

(a) Information You Provide

We collect information that you voluntarily provide to us, including:

• Contact form submissions (name, email address, company, phone number, message)
• Audit and consultation requests
• Account registration information through our authentication provider, Clerk (name, email, profile data, organization membership)
• Platform usage data: campaign configurations, uploaded assets, analytics settings, and client collaboration data
• Billing information processed through our payment provider, Stripe (we do not store full payment card numbers)
• Contract and engagement data processed through our document signing provider, DocuSeal
• Newsletter or mailing list sign-ups
• Responses to surveys or feedback requests
• SMS opt-in consent (see our SMS Terms)
• Any other information you choose to provide through the Site or Platform

(b) Automatically Collected Information

When you visit the Site, we automatically collect certain information, including:

• Usage data via Google Analytics 4 (GA4), including pages visited, time on page, bounce rate, and user flow
• Device information (browser type, operating system, screen resolution, device type)
• IP address and approximate geographic location
• Referring URL and search terms that led you to the Site
• Cookies and similar tracking technologies (see Section 6)
• Google Ads conversion tracking data for visitors who arrive through our advertising

3. How We Use Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Site and our services
• To communicate with you, including responding to inquiries and providing requested information
• To send marketing communications about our services (with your consent where required)
• To analyze Site usage patterns and optimize the user experience
• To measure the effectiveness of our marketing campaigns and advertising
• To detect, prevent, and address technical issues and security vulnerabilities
• To comply with legal obligations and enforce our Terms of Use
• To create aggregated, anonymized data for business analysis and reporting

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Consent: Where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter or submitting a contact form
• Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract
• Legitimate interest: Where processing is necessary for our legitimate business interests, such as improving our Site, marketing our services, and ensuring security, provided these interests are not overridden by your rights
• Legal obligation: Where processing is necessary to comply with a legal obligation to which we are subject

5. Information Sharing & Subprocessors

We do not sell your personal information. We may share your information in the following circumstances:

• Service providers (subprocessors): We share data with trusted third-party service providers who assist us in operating the Site, Platform, and delivering services. See the subprocessor list below.
• Professional advisors: We may share information with our attorneys, accountants, and other professional advisors as necessary for business operations
• Legal requirements: We may disclose your information if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
• Business transfers: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information

Subprocessor List

The following third-party service providers process personal data on our behalf:

We maintain contractual agreements with each subprocessor to ensure they handle your data in accordance with applicable privacy laws. We will update this list when we add or remove subprocessors. Material changes to the subprocessor list will be communicated to Platform users with reasonable notice.

6. Cookies & Tracking

The Site uses the following tracking technologies:

• Google Analytics 4 (G-7BMTRR1QVF): Collects anonymized usage data to help us understand how visitors interact with the Site and improve its performance
• Google Ads (AW-17970584223): Tracks conversions from our advertising campaigns to measure their effectiveness
• Essential cookies: Strictly necessary for the Site to function, including session management, authentication state, and security tokens
• Optional cookies: Performance and analytics cookies that help us understand site usage patterns. You may opt out of these through your browser settings

Most web browsers allow you to control cookies through their settings. You can typically set your browser to refuse cookies or to alert you when a cookie is being placed. Please note that disabling cookies may affect the functionality of certain features on the Site.

7. Your Privacy Rights

CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

• Right to know: You can request that we disclose what personal information we collect, use, share, and sell about you
• Right to delete: You can request that we delete any personal information we have collected about you, subject to certain exceptions
• Right to opt-out: You can opt out of the sale of your personal information. Gray Reserve does not sell personal information
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights

GDPR Rights (EEA and UK Residents)

If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation:

• Right of access: You can request a copy of the personal data we hold about you
• Right to rectification: You can request that we correct any inaccurate or incomplete personal data
• Right to erasure: You can request that we delete your personal data under certain circumstances
• Right to restrict processing: You can request that we restrict the processing of your personal data under certain circumstances
• Right to data portability: You can request a copy of your personal data in a structured, machine-readable format
• Right to object: You can object to our processing of your personal data based on legitimate interests or for direct marketing purposes

Exercising Your Rights

To exercise any of these rights, please contact us at access@grayreserve.com or use the contact information in Section 13 below. We will respond to your request within the timeframe required by applicable law. We may need to verify your identity before processing your request.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and applicable legal requirements.

Specific retention periods:

• Platform data (client accounts): Retained for the duration of your account. Upon account termination or cancellation, you have 60 days to export your data, after which it is permanently deleted from our systems and backups.
• Contact form submissions: Retained for up to 24 months from date of submission, unless you become a client (in which case MSA retention terms apply).
• Analytics data: Anonymized usage data collected via GA4 is retained per Google's default retention settings (14 months).
• Email communications: Marketing email engagement data is retained for 36 months. Transactional emails are retained as part of your account record.
• Legal and compliance records: Retained as required by applicable law, typically 7 years for financial records.

Upon request, we will delete or anonymize your personal information unless retention is required by law. Deletion requests are processed within 30 days.

9. Security

We implement commercially reasonable technical and organizational security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit via TLS/SSL, secure authentication through Clerk, access controls, and regular security assessments. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

10. Children's Privacy

The Site is not directed at individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verification of parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at access@grayreserve.com.

11. International Data Transfers

Gray Reserve is based in the United States, and your information is processed and stored on servers located in the United States. If you access the Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country of residence. By using the Site, you consent to the transfer of your information to the United States and the processing of your information in accordance with this Privacy Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated policy on the Site with a new effective date. We encourage you to review this Privacy Policy periodically. Your continued use of the Site after any changes indicates your acceptance of the updated policy.

13. Contact

If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise any of your privacy rights, please contact us:

14. Effective Date

This Privacy Policy is effective as of April 12, 2026.