Privacy Policy
This Privacy Policy describes how AeolusGTM LLC, a Colorado limited liability company (“AeolusGTM,” “we,” “us,” or “our”), collects, uses, discloses, protects, and retains Personal Data. It applies to app.aeolusgtm.com, the AeolusGTM client platform, and the AeolusGTM products and services identified below (collectively, the “Services”).
1. Scope and defined terms
The Services are business-to-business offerings for our clients (“Clients”) and their authorized users. They are not directed to consumers for personal, family, or household use.
- Authorized User means an individual permitted by a Client to access or administer the Services.
- Client Data means information submitted by or for a Client, or accessed from a system connected at a Client’s direction.
- Personal Data means information that identifies, relates to, describes, or can reasonably be linked to an individual, as defined by applicable law.
A signed services agreement, statement of work, data processing addendum, or product order may impose additional privacy and security obligations. If a product-specific provision in Section 6 conflicts with a general provision of this Policy, the product-specific provision controls for that product.
2. Our role
For account, business-contact, website, security, and direct Client-relationship data, AeolusGTM generally determines the purposes and means of processing. In those circumstances, AeolusGTM acts as a controller, business, or similar regulated entity.
For Client Data processed to provide the Services at a Client’s direction, the Client determines the purposes and means of processing, and AeolusGTM acts as a processor, service provider, or contractor. The Client is responsible for the lawfulness of the Client Data and for providing any required notices or obtaining any required rights, permissions, or consents. If your Personal Data appears in a Client’s connected system, submit your request to that Client. We will assist the Client as required by applicable law and our agreement with the Client.
3. Sources and categories of Personal Data
We collect Personal Data from the following sources:
- directly from Clients, Authorized Users, and other business contacts;
- from systems a Client or Authorized User chooses to connect;
- from files, records, and instructions submitted in connection with an engagement;
- automatically from the browser or device used to access the Services; and
- from service providers that support authentication, hosting, and connected features.
The categories we collect depend on the Services used and may include:
- Account and identity data. Name, business email address, profile information, company, role, authentication identifiers, and account status.
- Engagement and support data. Company information, goals, stakeholders, configurations, documents, communications, requests, and support records.
- Connected-system data. The limited fields, records, associations, and settings described for each product in Section 6.
- Google user data. The data described in Section 7 when a user or Client connects a Google service.
- Device and usage data. Internet Protocol address, browser and device information, authentication events, request and error logs, and security audit records.
The Services are not designed to collect sensitive personal data such as government identification numbers, payment card numbers, precise geolocation, biometric identifiers, health information, or information about children. Clients must not submit such data unless AeolusGTM has agreed in writing to process it.
4. Purposes of processing
We process Personal Data to:
- provide, configure, support, and administer the Services;
- authenticate users and maintain account and access controls;
- perform the product-specific functions described in Section 6;
- communicate about accounts, engagements, support, security, and service changes;
- monitor reliability, prevent misuse, investigate incidents, and maintain audit records;
- improve the Services using operational feedback and aggregated or de-identified information;
- comply with law and enforce our agreements; and
- establish, exercise, or defend legal claims.
We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising or process it for targeted advertising. We do not use Client Data to train a general-purpose model owned by AeolusGTM.
5. Legal bases where applicable
Where a law requires a legal basis for processing, AeolusGTM relies on one or more of the following: performance of a contract or steps requested before entering a contract; compliance with a legal obligation; consent, where requested; and legitimate interests in providing and securing a business service, managing Client relationships, preventing misuse, and improving operations. We balance those interests against the rights and interests of affected individuals. A person may withdraw consent at any time where consent is the basis for processing. Withdrawal does not affect processing completed before the withdrawal.
When AeolusGTM acts as a processor or service provider, the Client determines the legal basis for processing Client Data.
6. Product-specific processing
6.1 AeolusGTM Revenue Data Health Diagnostic
Access and use. The Diagnostic uses a separate, read-only connection to an authorized CRM. Its provider interface has no method to create, update, merge, or delete CRM records. The Diagnostic uses Client Data only to evaluate revenue-data quality, produce findings and scores, support remediation worklists, and prepare reports for Client review. Its CRM checks are deterministic and rules-based. CRM data connected for the Diagnostic is not sent to a third-party artificial intelligence service.
Data collected. The Diagnostic stores a minimized, field-limited snapshot. Depending on the connected CRM, this may include record identifiers; company and contact names; normalized business email addresses and domains; phone numbers; job titles; industry, lifecycle stage, annual revenue, employee count, country, and state or region; deal pipeline, stage, amount, and close date; an owner-assigned indicator; and relevant created, modified, and activity dates. It does not request note bodies, email or message bodies, call recordings, attachments, street addresses, or full custom-field exports for the Diagnostic.
Retention and disconnection. Detailed snapshot records are scheduled for deletion approximately 30 days after the connection’s last successful sync. An active connection may refresh those records on a recurring basis, so the 30-day period begins again after each successful sync. Disconnecting the Diagnostic deletes the stored connection credential and detailed snapshot records. Diagnostic runs, findings, scores, audit history, and bounded finding samples may remain as part of the engagement record. A verified full-erasure request deletes the engagement’s CRM Diagnostic data, except for a limited erasure receipt and information that must be retained by law.
6.2 AeolusGTM Territories
Access and use. Territories uses a separate HubSpot application and connection from the Diagnostic. It analyzes account and ownership data to model territories, generate proposed assignments, display previews, and, only after an authorized publish action, apply approved changes in HubSpot.
Data collected. Territories may read Company record identifiers, names, domains, city, state or province, country, revenue, employee count, industry, lifecycle stage, parent-company relationship, current owner, and configured legacy territory fields. It may also read Deal identifiers, names, amounts, stage, pipeline, open or closed status, owner, last-modified date, and primary Company association. Owner-directory data may include name, business email address, HubSpot owner and user identifiers, and active or archived status. AeolusGTM also stores territory rules, geographic definitions, owner mappings, assignment previews, publish results, and audit records.
Preview and write behavior. Preview and pilot modes do not change HubSpot Company records. An authorized setup action may create approved custom Company property definitions. When an authorized user approves a publish action, Territories may update only the Company property or ownership values shown in the publish review. Contact access and Contact assignment are not part of the current Territories connection. If those capabilities are enabled later, AeolusGTM will update the applicable disclosures and request the required permissions before using them.
Disconnection and HubSpot data. Disconnecting Territories stops future synchronization and publishing. AeolusGTM will delete the stored connection credential and the synchronized HubSpot records held for the Territories workspace, subject to limited security, billing, and audit records retained as required by law or the applicable agreement. Disconnection does not reverse assignments already published to HubSpot and does not delete custom properties or other configuration already created in the Client’s HubSpot account. The Client retains control of those items in HubSpot and may modify or remove them there.
6.3 AeolusGTM Advisory Services
Advisory Services use the information supplied by the Client and the data sources identified in the applicable engagement agreement or statement of work. This may include business records, documents, interview notes, operating plans, analyses, and deliverables. Retention follows the applicable agreement and our legal and business recordkeeping needs.
AeolusGTM may use automated tools to support an engagement only as permitted by the applicable agreement, Client instructions, and this Policy. Uploaded documents eligible for optical character recognition may be sent to Mistral AI to convert the document into machine-readable text. The document, and not a connected CRM dataset, is sent for that OCR operation. AeolusGTM makes a deletion request for the temporary Mistral file after the OCR operation, including after a processing failure when the request can be completed. Any broader use of a third-party artificial intelligence service with Client Data must be disclosed in the applicable engagement terms or otherwise authorized by the Client.
6.4 Marketing Event & Campaign Attribution
Marketing Event & Campaign Attribution is not presently enabled as a Client-connected product in the Platform. Before enabling it, AeolusGTM will publish a product-specific notice that identifies its data sources, record categories, attribution uses, write behavior, recipients, and retention period. Until that notice is effective, AeolusGTM will process information for this offering only under a written Client agreement that states those terms.
7. Google user data and connected Google services
Google sign-in provides basic identity information, such as name, email address, and account identifier. If an authorized user separately connects a Google service, the Platform requests the scopes shown on Google’s consent screen. Depending on the feature enabled, those scopes may permit the Platform to:
- read calendars and create or update calendar events;
- send email and process selected Gmail metadata and message content for CRM activity sync;
- access Google Drive files selected for an authorized workflow;
- read Google Search Console properties and search-performance data; or
- read Google Analytics properties and page-level performance metrics.
We use Google user data only to provide and secure the connected feature selected by the user or Client. We do not sell Google user data, use it for advertising, or use it to train a general-purpose artificial intelligence model. Human access is limited to support, security, legal compliance, or the user-authorized purpose for which the data was connected.
AeolusGTM’s use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
8. Cookies and similar technologies
The Platform uses authentication and session cookies required to sign users in, maintain a secure session, and protect the Services. The current Platform does not use advertising cookies, third-party advertising networks, or cross-site behavioral tracking. If we add non-essential analytics or similar technologies, we will update this Policy and provide any notice or choice required by law.
9. Disclosures and service providers
We disclose Personal Data only as described below:
- Supabase. Database, authentication, and file storage services.
- Cloudflare. Application hosting, network, security, and edge-delivery services.
- Google. Authentication and the Google-connected services selected by a user or Client.
- Mistral AI. Optical character recognition for eligible documents submitted to the Platform.
- Professional advisers and authorities. Advisers, regulators, courts, law enforcement, or other recipients where disclosure is required by law or reasonably necessary to protect rights, safety, and security.
- Transaction recipients. A buyer, successor, or other participant in a proposed or completed financing, merger, acquisition, reorganization, or sale of assets, subject to appropriate confidentiality protections.
HubSpot, Salesforce, Google-connected services, GitHub, and other systems selected by a Client remain separate systems controlled by the Client or the applicable account holder. Data exchanged with those systems is limited to the connected feature and authorized permissions.
10. Security and incident response
We maintain administrative, technical, and organizational safeguards designed for the nature of the Personal Data we process. These safeguards include encrypted connection credentials, transport encryption, database access controls, tenant isolation, restricted administrative access, authentication controls, and security logging. No security measure can eliminate all risk, and we cannot guarantee absolute security.
If we confirm a security incident affecting Personal Data or Client Data, we will investigate, take reasonable containment and remediation measures, and notify affected Clients or individuals as required by applicable law and contract.
11. Retention, deletion, and de-identification
We retain Personal Data only for as long as reasonably necessary for the purposes stated in this Policy, the applicable product terms in Section 6, the Client engagement, and our legal, accounting, security, and dispute-resolution obligations. Retention periods depend on the data category, product lifecycle, account status, contractual requirements, and applicable law.
When deletion is required, we delete or de-identify the applicable data from active systems and allow protected backups to expire under their ordinary lifecycle, unless law requires continued retention. De-identified information will not be used to attempt to re-identify an individual.
12. Privacy rights and choices
Depending on applicable law and subject to available exceptions, an individual may have the right to request access to, correction of, deletion of, or a portable copy of Personal Data; obtain information about processing and disclosures; withdraw consent; object to or restrict certain processing; and appeal a decision on a privacy request.
Submit a request to legal@aeolusgtm.com. State “Privacy Request” in the subject line. To appeal a decision, state “Privacy Appeal” in the subject line. We may verify identity and authority before acting. We will not discriminate against an individual for exercising an applicable privacy right.
Requests concerning Client Data that we process for a Client should be directed to that Client. If we receive such a request directly, we may refer it to the Client and assist the Client in responding.
13. International processing
AeolusGTM operates from the United States. Personal Data may be processed in the United States and in other countries where our service providers operate. Those countries may have privacy laws different from the laws where the individual resides. Where applicable law requires a transfer mechanism or additional safeguards for an international transfer, AeolusGTM will use an authorized mechanism and applicable contractual, technical, or organizational safeguards.
14. Children
The Services are business offerings and are not directed to children under 18. We do not knowingly collect Personal Data from children through the Services. If you believe a child has submitted Personal Data, contact us so that we can investigate and take appropriate action.
15. Changes to this Policy
We may update this Policy to reflect changes in the Services, law, or our data practices. We will post the revised Policy with a new version and effective date. We will provide additional notice to affected Clients when a change is material or when applicable law or contract requires notice or consent. We will not apply a materially broader use of previously collected Personal Data retroactively unless permitted by law and, where required, after notice or consent.
16. Contact
Privacy questions and requests may be sent to legal@aeolusgtm.com. Legal process and postal correspondence may be directed to AeolusGTM LLC through its registered agent on file with the Colorado Secretary of State.