Enduro Consulting — Privacy Policy

Who we are

Enduro Consulting (“Enduro,” “we,” “us,” or “our”) is a U.S.-based consultancy that partners with leaders and organizations to launch and scale high-impact ventures.

Scope

This policy explains how we collect, use, share, and safeguard personal information when you:

• Visit our websites, landing pages, or forms (the “Sites”);
• Use services we host or operate (client portals, dashboards, prototypes we run);
• Receive our emails or marketing;
• Work with us on consulting or build engagements.

Client properties we build (e.g., a site/app we create and hand off) are governed by the client’s privacy policy. When we operate a system on a client’s behalf, we act as their processor (see below).

Our role (Controller vs. Processor)

• Controller / “business”: For prospects, clients, website visitors, vendors, and community contacts whose data we collect for our own purposes (marketing, sales, hiring, support, account management).
• Processor / “service provider/contractor”: For personal information we process on a client’s instructions—including CRM records, website/app event data, support communications, advertising audiences, and third-party platform data ingested through integrations (ad platforms, analytics, scheduling, payments, messaging, etc.). This processing is governed by a Data Processing Addendum (DPA) and the client’s privacy policy. A DPA is available upon request.

Data we collect

You give us

• Contact details (name, email, phone, company, role)
• Account details (workspace, credentials, preferences)
• Communications (messages, tickets, interviews/research notes; optional call recordings/voicemails)
• Billing info (billing address; payment tokens handled by our processor)
• Project materials (briefs, content, creative assets, datasets, authorized credentials, product feedback)
• Recruiting info (CVs, references) if you apply to work with us

We collect automatically (Sites, hosted services, prototypes)

• Device/usage data (IP, browser/OS, pages viewed, referring URLs, events, session duration)
• Cookies/SDKs/pixels (see Cookies & tracking)
• Approximate geolocation inferred from IP

We receive from third parties (when you connect or consent)

• Integrations you authorize (e.g., Google/Microsoft, Slack, ClickUp, Notion, GitHub, Figma, calendars, ad platforms, analytics, payment and messaging providers, CRM tools including—but not limited to—HighLevel)
• Advertising/analytics partners (traffic, performance, attribution)
• Public sources (professional profiles, company sites)

Sensitive information

We don’t seek sensitive data (e.g., precise geolocation, health, religious beliefs). If a project requires it (e.g., usability testing with optional demographics), we process only as necessary and allowed by law and will obtain required consent. Avoid putting sensitive data in free-text fields unless required and authorized.

How we use data (controller context)

• Provide, secure, and improve our Sites and services
• Set up and manage accounts/workspaces; provide support
• Conduct research and discovery for client work (interviews, surveys) with consent
• Send service/transactional emails; send B2B marketing where permitted
• Analyze usage and performance; develop new features
• Detect, prevent, and investigate security/fraud
• Comply with laws; enforce terms; protect rights

Legal bases (EEA/UK): contract, legitimate interests (service improvement, network security, B2B marketing), consent (where required), and legal obligations.

AI transparency

• Some offerings use third-party AI/ML (summarization, classification, drafting, analytics insights, agentic automations).
• We do not use your data to train our internal or vendor models without your separate, explicit consent.
• If AI features use your data, we’ll state the purpose, obtain required consent, and provide an easy way to withdraw.
• Vendors operate under contracts with confidentiality, data-use limits, and security obligations.

Optional integrations (examples)

• Advertising & analytics: Google Ads/Analytics, LinkedIn, Meta, Plausible, Segment
• Productivity & design: Google Workspace/Microsoft 365, Slack, ClickUp, Notion, Figma, Adobe CC
• Engineering & hosting: GitHub, Vercel/Netlify, Cloudflare, AWS/GCP/Azure
• Messaging & comms: Twilio, Mailgun/SendGrid, WhatsApp Business providers
• Scheduling & forms: Calendly/Cal.com, Typeform/Formsort
• Payments & accounting: Stripe, QuickBooks/Xero
• Wearables/fitness (opt-in): Garmin Connect

When you connect an integration, we receive data only for the scopes you approve, via the provider’s authorization flow. You can disconnect at any time (see Your choices).

Garmin Connect (only if you opt in)

If you connect Garmin, Enduro receives Garmin-sourced data via OAuth for the categories you approve (e.g., activity/wellness metrics, device/timestamp metadata). We never request your Garmin password.

• Purpose: Provide the features you request (analytics/insights/reporting) and improve those features.
• Consent & notice: Before transfer, we present a clear notice with categories/purpose and a link to Garmin’s privacy statement; we obtain your express consent. See Garmin Privacy Statement.
• Disconnect & deletion: Disconnect anytime in your account or by contacting us. We revoke tokens immediately and delete Garmin-sourced data within 30 days, unless law requires longer or you request earlier deletion.
• No sale / no cross-context ads: We do not sell Garmin-sourced personal data or share it for cross-context behavioral advertising.

Sharing and disclosures

• Service providers/processors: hosting; productivity; design; analytics/attribution; ad platforms; scheduling; messaging; payments/accounting; security; and similar vendors. Access is limited to performing services under contract.
• Integration partners you voluntarily connect.
• Professional advisors (legal, accounting) under confidentiality.
• Authorities/others where required by law or to protect rights, safety, and security.
• Corporate transactions (merger, acquisition) consistent with this policy.

No sale / no cross-context ads: We do not sell personal information and we do not share it for cross-context behavioral advertising as defined by CPRA. If that changes, we’ll update this policy and provide required choices.

Cookies & tracking

We use cookies and similar technologies to operate and improve the Sites and hosted services.

• Types: strictly necessary; functional; analytics; advertising (off by default unless you consent).
• Manage cookies in your browser; in regulated regions, we show a consent banner. Some features may not work without certain cookies.

Retention

• Account/CRM & project records: while active + 24 months after last interaction
• Research/interview materials: 12–24 months (or as contractually agreed)
• Support tickets/communications: 24 months
• Billing/tax records: 7 years (or as required)

We may anonymize/aggregate data for statistics.

Security

We use administrative, technical, and physical safeguards (role-based access, least privilege, encryption in transit, logging/monitoring, periodic reviews). No method is 100% secure.

International transfers

We may transfer data to the United States and other countries with different laws. Where required, we use appropriate safeguards (e.g., EU/UK Standard Contractual Clauses and supplementary measures).

Your rights

U.S. state privacy laws (e.g., TX/TDPSA; CA/CPRA; CO, CT, UT, VA)

Subject to exceptions, you may request to access, correct, delete, or export your data, and to opt out of targeted advertising, sale, or profiling with legal/similar effects. We do not sell or share for cross-context ads. You can appeal a decision if we deny a request.

EEA/UK (GDPR)

You may have rights to access, rectify, erase, restrict, object, and data portability. Where processing relies on consent, you may withdraw it anytime. You can also lodge a complaint with a supervisory authority.

How to exercise rights: Email [email protected] with subject “Privacy Request.” We’ll verify identity and respond within legal timelines. Authorized agents may submit requests with proof of authority. We won’t discriminate against you for exercising rights.

Your choices

• Marketing: Unsubscribe via the link in our emails or email us.
• Cookies: Use the banner (where shown) or browser settings.
• Integrations: Enable/disable in your account or contact support.
• Garmin (if connected): Disconnect at any time; we’ll revoke tokens immediately and delete stored Garmin data within 30 days.

Children’s privacy

Our services target adults. We don’t knowingly collect data from children under 13 (or the applicable minimum age). If you believe a child provided data, contact us.

Do Not Track

We don’t respond to DNT signals at this time.

Changes

We’ll update this policy as needed. The Effective date shows the latest revision. For material changes, we’ll post notices on the Sites and, where required, notify you directly.

Sub-processors (processor context)

When acting as a processor, we may engage sub-processors for hosting, security, communications, analytics, ads, scheduling, design, engineering, and accounting. Typical examples include: Google Workspace/Cloud, Microsoft 365, Slack, ClickUp, Notion, Figma, Adobe CC, GitHub, Vercel/Netlify, Cloudflare, AWS/GCP/Azure, Stripe, QuickBooks/Xero, Twilio, Mailgun/SendGrid, Calendly/Cal.com, Typeform/Formsort, analytics/ad platforms (Google, LinkedIn, Meta, Plausible), and CRM tools including—but not limited to—HighLevel. We maintain contracts imposing confidentiality and security obligations. A current list is available upon request at [email protected].

This policy is for general informational purposes and doesn’t constitute legal advice. Consult counsel to tailor it to your jurisdictions and use cases.