01 Introduction
SHAL Media LLC ("SHAL Media", "we", "us", or "our") operates shalmedia.com and provides performance marketing services. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over it.
This policy applies to (a) visitors to our website, (b) people who contact us about our services, and (c) employees and representatives of our clients. It does not govern how our clients use information they collect through campaigns we run on their behalf — that is governed by each client's own privacy policy. We act as a data processor for client campaign data, and as a data controller for our own marketing and business operations.
One thing this policy will never do: sell your personal information to a third party for their independent marketing. We don't do it for visitors, and we don't do it for our clients' end users.
This page is the working draft. We review it with privacy counsel before each material change — see the "Last updated" date above.
02 Information we collect
We collect three categories of information.
(a) Information you give us directly
- Contact information — your name, business email, phone number, and company when you submit a form, email us, or call our published phone line.
- Engagement information — industry, monthly ad budget range, and a free-text description of what you're trying to fix.
- Account information — if you become a client, billing details handled by our payment processor (we never see your full card number) and signed agreement records.
- Communications — emails, Slack messages, call notes, and meeting recordings (when both parties have consented).
(b) Information collected automatically when you visit
- Device & browser data — IP address, user agent, screen size, and referrer.
- Usage data — pages viewed, time on site, scroll depth, and clicks. Collected via Google Analytics 4 with IP anonymization enabled.
- Conversion events — when you submit a form or click a key CTA, we may pass a hashed identifier to Meta and Google to measure ad performance and build lookalike audiences for our own marketing.
(c) Information from third parties
- Enrichment — we may use B2B data providers (e.g., LinkedIn Sales Navigator, Apollo.io) to verify the company and role of business contacts who reach out to us.
- Ad platforms — Google Ads, Meta Ads, TikTok Ads, and LinkedIn Ads provide aggregate performance data for campaigns we manage.
03 How we use information
We use the information described above for the following purposes, each tied to a lawful basis under GDPR / UK GDPR where applicable:
- To respond to inquiries and book calls — basis: legitimate interest in operating our business, or your consent.
- To deliver services to clients — basis: contract performance.
- To send service updates and reports — basis: contract performance.
- To send marketing emails about new services or insights — basis: legitimate interest, with one-click unsubscribe in every email. Never to people who have only visited our site without contacting us.
- To improve our website and services — basis: legitimate interest. We measure aggregate site performance, not individual behavior.
- To comply with legal obligations — basis: legal obligation. Tax records, signed agreements, anti-fraud.
04 Sharing & third parties
We share personal information only with the following categories of recipients, and only for the purposes described:
- Service providers we rely on to operate — hosting (AWS), email (Google Workspace), CRM (HubSpot), payment processor (Stripe), scheduler (Calendly), analytics (Google Analytics 4), customer messaging (Slack). Each is contractually limited to processing data for us.
- Ad platforms, where you've consented — Google, Meta, TikTok, LinkedIn for measurement of ads we run. We use hashed identifiers (email, phone) where supported, and respect platform-level consent signals.
- Professional advisors — accountants and attorneys, only when required.
- Acquirers or successors — in the event of a merger, acquisition, or asset sale, with continued protection of your information.
- Authorities — when required by valid legal process. We will notify you unless legally prohibited.
We do not sell or rent your personal information. We do not share your personal information with third-party marketers for their own use.
05 Cookies & tracking
Our website uses cookies and similar technologies in three categories:
- Strictly necessary — session and security cookies. These cannot be disabled.
- Analytics — Google Analytics 4 with IP anonymization. You can opt out via the consent banner or browser DNT.
- Advertising — Meta Pixel, Google Ads, LinkedIn Insight Tag, and TikTok Pixel for measuring our own ad campaigns. Loaded only after you accept advertising cookies in the consent banner.
EU, UK, and California visitors see a granular consent banner on first visit. You can change your choice anytime via the "Cookie settings" link in our footer (rolling out shortly).
06 Client data we process on behalf of clients
When we run paid media or lifecycle campaigns for a client, we may process personal information of that client's end users — for example, customer lists uploaded to ad platforms for retargeting or lookalikes.
In those engagements:
- The client is the data controller; SHAL Media is the data processor.
- We process this information only on documented instructions from the client.
- We sign a Data Processing Addendum (DPA) at the start of every engagement. A copy is available on request.
- We never repurpose a client's audience data for any other client or for our own marketing.
07 Your rights
Depending on your location, you may have some or all of the following rights:
If you are in the EU, UK, or Switzerland (GDPR / UK GDPR)
- Access — request a copy of the personal information we hold about you.
- Rectification — ask us to correct inaccurate information.
- Erasure — ask us to delete your information ("right to be forgotten"), where applicable.
- Restriction — ask us to restrict processing.
- Portability — receive your information in a machine-readable format.
- Objection — object to processing based on legitimate interest, including direct marketing.
- Withdraw consent — at any time, where processing is based on consent.
- Lodge a complaint — with your local data protection authority.
If you are in California (CCPA / CPRA)
- Right to know what personal information we collect, use, and share.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of "sharing" of personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal.
- Right to non-discrimination for exercising any of the above rights.
To exercise any right, email Privacy email. We respond within 30 days for GDPR/UK GDPR requests and 45 days for CCPA requests. We may need to verify your identity before acting.
08 Data retention
We keep personal information only as long as needed for the purposes it was collected:
- Form submissions that don't become clients — 24 months, then deleted from our CRM.
- Active client records — for the duration of the engagement plus 7 years for tax and legal record-keeping.
- Marketing email lists — until you unsubscribe, then suppressed (not re-marketed) for compliance.
- Analytics data — 14 months in Google Analytics 4.
- Server logs — 90 days.
09 Security
We take reasonable technical and organizational measures to protect your information:
- TLS encryption for all web traffic.
- Encryption at rest in our hosting and CRM.
- Two-factor authentication required for every team member on every system.
- Role-based access; client data is partitioned per engagement.
- Annual third-party security review; vendor assessments before onboarding any new processor.
No system is impenetrable. If a breach affects your information, we will notify you and the relevant authorities within the timelines required by applicable law (72 hours under GDPR).
10 International transfers
SHAL Media is based in the United States. If you are located outside the US, your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Addendum, or other valid transfer mechanisms.
11 Children's privacy
Our services are directed at businesses, not consumers, and certainly not children. We do not knowingly collect personal information from anyone under 16. If we learn we have, we will delete it.
12 Changes to this policy
We update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be announced on the home page and, for active clients, by email at least 30 days before they take effect.