Privacy Policy

Who We Are

Undercurrent Holdings LLC (“Undercurrent,” “we,” “us,” or “our”) operates the public marketing website at https://undercurrentholdings.com (the “Site”). Undercurrent Holdings LLC is a limited liability company formed in Wyoming, with a registered presence in Sheridan, Wyoming, and an operating presence in Texas.

For the data described in this policy, Undercurrent Holdings LLC is the data controller. You can reach our privacy team at privacy@undercurrentholdings.com.

What This Policy Covers (and What It Does Not)

This policy applies only to the public marketing website at undercurrentholdings.com. The marketing Site is a static, informational brochure: it has no user accounts, no login or authentication, no payments or checkout, and no investments, securities offerings, or fund subscriptions.

Our other web properties are separate products governed by their own, separate terms and privacy policies — not by this one. If you use any of them, please read the policy posted there:

• Investor portal (investors.undercurrentholdings.com) — has its own terms and privacy policy.
• Customer / developer portal (portal.undercurrentholdings.com) — has its own terms and privacy policy.
• Our products AEGIS (AI governance), AFA (autonomous code evolution), and LIBERTAS (autonomous CI/CD, in beta) are described on this Site for information only. Signing up for or using any product is governed by that product’s own terms and privacy policy, not this one.

Information We Collect

Because this is a brochure site, we collect very little. There are four kinds of data involved, and each is described below.

• Cookieless analytics (Plausible). We use Plausible Analytics, a privacy-focused, EU-hosted analytics service, to understand overall traffic trends — for example, which pages are popular and where visitors arrive from. Plausible does not use cookies, does not store your IP address, does not create a persistent identifier for you, and does not track you across other websites or devices. The data we see is aggregate and does not identify you as an individual.
• Server and content-delivery logs (Vercel). The Site is hosted on Vercel. Like virtually all web hosts, Vercel automatically records standard request logs that include your IP address, browser user-agent, the page requested, and a timestamp. We use these logs to operate the Site, keep it available, and protect it against abuse and attacks.
• Contact details you choose to send us. The Site does not require you to give us any personal information to browse it. If you contact us — through a contact form on the Site or by emailing an address such as ops@undercurrentholdings.com (general questions) or security@undercurrentholdings.com (vulnerability reports) — we receive the email address, name, and message content you choose to include. Contact-form submissions are sent to a backend endpoint operated for us on Convex and routed to the relevant inbox, and a copy of your submission is emailed to our team through our email-delivery provider (Resend) so we see it promptly. We use this information only to read and respond to your message.
• Security telemetry. To keep the Site secure and catch errors quickly, your browser may automatically send two kinds of technical reports to a backend endpoint operated for us on Convex: (1) Content Security Policy (CSP) violation reports, generated by your browser when something tries to load content our security rules disallow; and (2) error beacons, which report client-side script or resource-loading failures (page path, error message, and a short-lived random session identifier). These reports are used only to detect attacks and fix bugs. Where they include technical identifiers such as IP address or user-agent, those values are encrypted on our side, and the reported page address is reduced to the path only (query strings and fragments are stripped) so it does not carry data you typed.

Why We Collect It, and Our Legal Basis

We use the information above for a small, fixed set of purposes: to operate and secure the Site, to understand aggregate usage so we can improve it, and to respond to you when you reach out. We do not use any of this information for behavioral advertising, profiling, or building a marketing profile of you.

For visitors in the European Economic Area, the United Kingdom, and Switzerland, where the GDPR, UK GDPR, or analogous Swiss data-protection requirements apply, our legal bases (or, for Switzerland, equivalent justifications) are as follows:

• Cookieless analytics — our legitimate interest (Article 6(1)(f)) in understanding aggregate Site usage. Because Plausible is cookieless and stores nothing on your device, no cookie consent is required.
• Server logs and security telemetry — our legitimate interest (Article 6(1)(f)) in keeping the Site available, secure, and free from abuse, and in diagnosing errors. Recital 49 of the GDPR expressly recognizes network and information security as a legitimate interest.
• Responding to your message — our legitimate interest in answering enquiries, or, where your message concerns a potential engagement, steps taken at your request before entering into a contract (Article 6(1)(b)).
• You have the right to object to processing based on legitimate interests; see “Your Privacy Rights” below.

Cookies and Tracking

This Site sets no advertising or tracking cookies. Our analytics provider, Plausible, is cookieless and stores nothing on your device. Because we do not store information on, or read information from, your device for tracking purposes, no cookie consent banner is required, and there is nothing here for you to opt out of.

We do not use tracking pixels, cross-site or cross-device tracking, fingerprinting, or behavioral advertising technologies anywhere on this Site.

The Site does use a small amount of functional browser storage on your device — for example, to remember interface state you have triggered (such as discovering a hidden page) and a short-lived random session identifier used only for the security telemetry described above. None of it is used for advertising, profiling, or cross-site or cross-device tracking, so no consent banner is required.

How We Share Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only with the service providers that help us run the Site, and only as needed for them to provide their service to us:

• Vercel — website hosting and content delivery (and the standard server logs described above).
• Plausible — cookieless, aggregate analytics.
• Convex — the backend that receives our contact-form submissions and our security telemetry (CSP reports and error beacons).
• Resend — our email-delivery provider, which sends us a notification email containing your contact-form submission so we can respond.
• Email providers — the services that deliver mail sent to our privacy@, legal@, ops@, and security@ addresses.

Service Providers and Disclosure for Legal Reasons

Each service provider listed above acts as our processor under a data processing agreement and is permitted to use the information only to provide its service to us.

We may also disclose information if required to do so by law, or if we reasonably believe disclosure is necessary to comply with legal process, to enforce our Terms of Service, or to protect the rights, safety, or property of Undercurrent, our visitors, or the public. If Undercurrent is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction, subject to this policy.

International Data Transfers

Undercurrent is based in the United States, and our hosting, backend, and email-delivery providers (Vercel, Convex, and Resend) process data in the United States. Plausible Analytics is hosted in the European Union.

Where personal data is transferred out of the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards in our agreements with our providers — including the European Commission’s Standard Contractual Clauses (with the UK International Data Transfer Addendum or the Swiss equivalent where applicable) and, where a provider is certified for the relevant framework, the EU-U.S. Data Privacy Framework, its UK Extension, or the Swiss-U.S. Data Privacy Framework. You may request more information about these safeguards by emailing privacy@undercurrentholdings.com.

Data Retention

We keep information only for as long as we need it for the purposes described in this policy, and we do not retain it indefinitely.

• Aggregate analytics (Plausible) — retained in aggregate form; contains no data that identifies you.
• Server and CDN logs / security telemetry — retained only for a limited operational and security period, then deleted or anonymized.
• Contact emails and correspondence — retained for as long as needed to respond and keep a reasonable record of the exchange, then deleted.

Your Privacy Rights

Depending on where you live, you have rights over your personal information. We honor these rights to the extent the information is something we actually hold.

If you are in the EEA, UK, or Switzerland, you may have the right to access, correct, delete, restrict, or port your personal data; to object to processing based on our legitimate interests; and to withdraw any consent you have given. You also have the right to lodge a complaint with your local data protection supervisory authority.

If you are a resident of California, Texas, or another U.S. state with a comprehensive privacy law, you may have the right to know what personal information we collect, to access, delete, and correct it, and, where applicable, to opt out of the “sale” or “sharing” of personal information and of targeted advertising — and to appeal a denied request. We do not sell or share your personal information and do not use it for targeted advertising, so there is nothing to opt out of. Where applicable, we honor browser-based opt-out signals such as Global Privacy Control.

To exercise any of these rights, email privacy@undercurrentholdings.com with a description of your request. We may need to verify your identity before we act. We aim to respond within the timeframe required by applicable law (generally about 30 days under the GDPR and within 45 days under California law), and we will not discriminate against you for exercising your rights.

Children’s Privacy

This Site is a general-audience website intended for businesses and developers. It is not directed to children, and we do not knowingly collect personal information from children under 13 (or under 16 where a higher age applies under local law). If you believe a child has provided us with personal information, please contact privacy@undercurrentholdings.com and we will delete it.

Security

We use reasonable technical and organizational measures appropriate to a static marketing site — including encryption in transit (HTTPS/TLS), strict content-security and access controls, and encryption of technical identifiers in our security telemetry. No method of transmitting or storing data is completely secure, so we cannot guarantee absolute security.

If you discover a security vulnerability in this Site or any of our products, we want to hear about it. Please report it to security@undercurrentholdings.com.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will post the updated policy on this page and revise the “Effective Date” at the top. Your continued use of the Site after an update takes effect means you accept the revised policy.

Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please reach out:

• Privacy questions and rights requests: privacy@undercurrentholdings.com
• Legal notices: legal@undercurrentholdings.com
• General enquiries: ops@undercurrentholdings.com
• Security and vulnerability disclosure: security@undercurrentholdings.com
• Mailing entity: Undercurrent Holdings LLC, Sheridan, Wyoming, United States