Privacy policy.

How we handle information about website visitors, prospective clients, and active engagements. Written plainly, because a privacy policy that nobody reads protects nobody.

Last Updated 2026.05.11

Effective 2026.05.11

Controller Caeruli Obscuri Laboratorium

Jurisdiction Utah, United States

§01Who we are.

This policy applies to Caeruli Obscuri Laboratorium — a Utah-domiciled provider of open-source intelligence analytics and bespoke instrumentation services (“we,” “us,” or “the Laboratorium”).

Our website is caeruli-obscuri.com. For any privacy-related question, contact brayden.anthony@caeruli-obscuri.com.

Placeholder The legal entity name, registered address, and any DBA designations should be confirmed by counsel before this policy is published. Replace this callout with the formal entity registration upon completion.

§02Scope of this policy.

This policy applies to:

Visitors to caeruli-obscuri.com and any subdomain we operate
Individuals who send inquiries through the contact information on our site
Client and prospective-client representatives during the course of a business relationship
Personnel of clients whose data is processed during an active engagement

This policy does not override specific data-handling terms agreed to in a signed engagement letter or master services agreement. Where the engagement contract is more protective of client data than this policy, the engagement contract controls.

§03Website visitor data.

When you visit caeruli-obscuri.com, our hosting provider records standard server log information — IP address, user-agent string, referrer, requested URL, and timestamp. We retain these logs for operational and security purposes.

We do not use third-party advertising trackers, social media pixels, or cross-site analytics. We do not sell or transfer visitor data to data brokers under any circumstance.

We use minimal first-party analytics (page views, referrer source, approximate geography by region) to understand which content earns attention. This analytics traffic is privacy-preserving and does not build profiles of individual visitors.

Placeholder Name the specific analytics provider here (Plausible, Fathom, self-hosted Umami, etc.). If you use no analytics at all, say so explicitly — that is a competitive trust signal for this audience.

§04Inquiry & correspondence.

When you contact us — by email, by introduction through a mutual connection, or through any other channel — we receive whatever information you choose to share. Typically this includes name, organizational affiliation, contact information, and the substance of your inquiry.

We treat the substance of business inquiries as confidential by default. We do not share, post, or otherwise disclose the content of unsolicited inquiries except as required by law or with the sender's permission.

If we determine your inquiry is not a fit for our practice, we delete the correspondence within 90 days of the final reply unless you ask us to keep your information on file for future opportunities.

§05Client engagement data.

During an active engagement, we receive and process whatever information the engagement requires. This may include geographic coordinates, asset lists, internal documents, proprietary methodologies, personal data about your personnel, and other information you elect to provide.

We treat all engagement data as confidential by default. Specific handling terms — retention, deletion, return of materials, audit rights, breach notification — are negotiated in the engagement letter or accompanying data-processing addendum.

Posture Client data is pseudonymized before it crosses any model boundary where pseudonymization is feasible without degrading the analytic result. We architect for the world in which the data leaks — not the world in which it never does.

Personal data about your personnel (names, emails, phone numbers, organizational role) is processed solely to deliver the engagement. We do not enrich it with third-party data sources, build behavioral profiles, or use it for any purpose outside the engagement.

§06How we use information.

We use the information described above to:

Respond to your inquiries and conduct prospective-client conversations
Deliver engagements under signed contract
Operate, secure, and improve our website and infrastructure
Comply with legal, accounting, and regulatory obligations
Develop and refine our internal methodologies — only after de-identification of any client-specific signal

We do not sell personal data. We do not rent personal data. We do not share personal data with marketing partners, data brokers, or any third party for their own purposes.

§07Security posture.

Our security practices are designed for a firm whose competitive advantage depends on client data confidentiality. Specifically:

Encryption. Data is encrypted in transit using TLS 1.2 or higher and at rest using provider-managed encryption at all storage layers we control.
Access control. Engagement data is accessible only to assigned analysts on a least-privilege basis. All administrative accounts require hardware-backed multi-factor authentication.
Audit logging. Access to systems handling client data is logged. Logs are retained per engagement-specific terms and made available for client audit on request when contractually agreed.
Pseudonymization. Identifiable client data is pseudonymized before crossing any AI model boundary where pseudonymization is feasible and does not materially degrade the analytic result.
Incident response. Suspected unauthorized access to client data triggers a defined incident-response procedure including timely notification under engagement-specific terms.

No security posture is invulnerable. We architect, train, and contract for failure cases — not just success cases.

§08Third parties & subprocessors.

We use a limited set of third-party service providers to operate our business — hosting, email, payment processing, professional services tooling. A current list of material subprocessors is available on request to brayden.anthony@caeruli-obscuri.com.

We require contractual data-protection terms from any subprocessor who handles personal data on our behalf, including obligations no less protective than this policy and applicable law.

We do not transfer client engagement data to any subprocessor that has not been disclosed in the engagement letter or data-processing addendum without your prior written consent.

Placeholder Maintain a separate subprocessor list document. Common subprocessors at our stage typically include cloud hosting, email service, accounting software, and possibly a CRM. Counsel should review the disclosure obligations specific to your contracts and applicable state law.

§09Your rights.

Depending on where you reside, you may have specific rights with respect to personal data we hold about you, including the rights to:

Access the personal data we hold
Correct inaccurate personal data
Request deletion of personal data, subject to our legitimate retention obligations
Object to or restrict certain processing
Receive a portable copy of your data
Lodge a complaint with a supervisory authority

California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we collect and the right to delete it.

EU and UK residents have rights under the GDPR and UK GDPR respectively. Our lawful bases for processing are typically contract performance (for engagement data) and legitimate interest (for business-development correspondence).

To exercise any of these rights, contact brayden.anthony@caeruli-obscuri.com. We respond within thirty days. We do not retaliate against anyone for exercising a privacy right.

§10Retention & deletion.

We retain information only as long as needed for the purpose for which it was collected, unless a longer retention period is required or permitted by law.

Website server logs: 90 days, then aggregated and de-identified
Inquiry correspondence (non-converted): 90 days after final reply, then deleted
Inquiry correspondence (converted): retained for the duration of the engagement plus the period specified in the engagement letter
Client engagement data: retained per engagement letter terms; default 24 months after final delivery unless extended for audit or legal obligation
Financial and tax records: retained as required by applicable accounting and tax law

You may request earlier deletion of personal data we hold about you; we will accommodate where legally permitted and not in conflict with active engagement obligations.

§11International transfers.

We operate primarily in the United States. Engagement data is generally stored and processed within the United States.

If you contact us from outside the United States, your personal data will be transferred to and processed in the United States. We rely on appropriate transfer mechanisms (including Standard Contractual Clauses where applicable) for personal data originating in jurisdictions with cross-border transfer restrictions.

§12Changes to this policy.

We may update this policy from time to time. Material changes will be announced by updating the “Last Updated” date at the top of this page and, where appropriate, by direct notice to active clients.

We do not believe in burying material changes in legalistic language. If we materially change how we handle data, we will tell you plainly and tell you why.

§13Contact us.

For any question about this policy, any privacy-related request, or any concern about how we handle your data:

Email: brayden.anthony@caeruli-obscuri.com
General inquiry: brayden.anthony@caeruli-obscuri.com
Mailing address: available on request

We aim to respond to all privacy-related correspondence within ten business days and resolve formal requests within thirty days unless complexity requires an extension, in which case we will tell you so.