About This Policy (and an Important Disclaimer)
This Privacy Policy explains what information Kairos Salt Holdings LLC and its subsidiary Neustac LLC (together, "Neustac," "we," "us," or "our") collect when you visit neustac.com (the "Site"), why we collect it, who we share it with, and the choices you have.
Neustac is an AI consulting firm based in Wyoming and operated remotely; the Neustac brand is operated by Kairos Salt Holdings LLC through its subsidiary, Neustac LLC. We do not operate a physical storefront.
Scope. This policy covers your use of the public Site and the inquiry, booking, and contact information we receive when you reach out to us through it (including through the linked scheduling page). It does NOT govern the information we handle when you become a paying client. Our work for clients is governed by the separate written agreements we sign with them (for example, a Master Services Agreement and Statement of Work, and any related data processing terms). Where those signed agreements address how we handle a client's data, those agreements control over this policy. Our AI Notice describes how we use artificial intelligence in connection with the Site.
What This Site Does and Does Not Collect Today
We believe in describing what is actually true of this Site, not generic boilerplate.
What the Site does today:
- The Site is a static marketing site. Today it runs no analytics and sets no advertising cookies (the advertising tools described below are not yet live). The only thing the Site stores in your browser is a small record of your own privacy choices — for example, whether you have opted out of advertising or dismissed a notice — kept in your browser's local storage so we can honor those choices on your next visit.
- The Site's display fonts are self-hosted and served directly from neustac.com, so rendering them does not send your IP address or any other information to Google or any third-party font service.
- The Site is hosted on Cloudflare Pages, which keeps standard server logs (see below).
- The main call to action on the Site is a button that links you OUT to a separate scheduling page (get.neustac.com) run on the GoHighLevel / LeadConnector platform, where you can book a discovery call. If you book, you provide your name, email, phone number, and scheduling details on that page.
What is planned and forward-looking (and clearly labeled as such throughout this policy):
- Advertising and conversion tracking using the Google Ads tag (gtag) and the Meta (Facebook/Instagram) Pixel. These are expected to be added shortly after this policy goes live.
- Website analytics using Google Analytics 4 (GA4), to understand how visitors find and use the Site. This is also planned and not yet live; when added, it will run behind the same opt-out and Global Privacy Control controls described below.
- A contact form that, if and when it is published on the Site, would let you send us your name, email, company, and message, delivered to us by email through a service called Resend.
Where this policy describes the pixels or the contact form, it is describing how we will handle that information once those features are live.
Information We Collect
Information you give us directly:
- Booking a discovery call. When you click through to our scheduling page and book a call, you provide your name, email address, phone number, and your selected date and time. (This is collected on the GoHighLevel scheduling page, not on neustac.com itself.)
- Emailing us. If you email [email protected], we receive your email address, your name if you provide it, and whatever you choose to write.
- Contact form (if and when published). If we publish a contact form and you submit it, we collect your name, email address, company (optional), and your message.
Information collected automatically:
- Technical and log data. Our host, Cloudflare, automatically records standard server information such as your IP address, browser type and user-agent, the pages you request, referring URLs, and timestamps. This is normal web-server logging used to deliver and secure the Site.
- Font files. The Site's fonts are self-hosted and served from neustac.com, so no font-loading data is shared with Google or any third-party font service.
- Advertising and analytics identifiers (forward-looking). Once the Google Ads tag, Meta Pixel, and Google Analytics are live, they will set cookies and collect identifiers and activity data as described in the "Cookies and Tracking Technologies" section below.
We do not ask for, and we do not want, sensitive or privileged information through this public Site. Because we work with law firms and other professionals, please do not send confidential client matters, privileged communications, or sensitive personal data through the booking page, the contact form, or email. Use the secure channels we set up with you under a signed engagement for anything like that.
How We Use Your Information
We use the information above to:
- Respond to your inquiry, schedule and hold a discovery call, and follow up about whether and how we can help.
- Operate, secure, maintain, and improve the Site.
- Send you transactional messages, such as confirming a call you booked.
- Send marketing or follow-up emails where you have asked to hear from us or where otherwise permitted by law. Every such marketing email will include a working unsubscribe link.
- Measure and improve our advertising and understand which ads and pages lead people to contact us (once advertising tracking is live).
- Comply with our legal obligations and enforce our terms.
We do not use the Site to knowingly collect any of the special categories of sensitive personal data (such as precise geolocation, health, biometric, or similar information), and we configure our advertising tools so they are not fed those categories. See "Sensitive Data" below.
Third Parties We Rely On
We use a small number of service providers. Each receives only the information it needs to perform its function. We do not authorize our hosting, email, and scheduling providers to use the information we send them for their own unrelated purposes. Our advertising partners, Google and Meta, are different: as described below, they also process advertising data under their own terms as independent businesses, not solely as our service providers.
Cloudflare (hosting and security) — Cloudflare Pages hosts the Site and processes server log data (including IP address and request metadata) to deliver and protect it. Cloudflare acts as our processor and states that it does not sell or share the personal data it processes on our behalf. See cloudflare.com/privacypolicy.
Fonts (self-hosted) — The Site's display fonts are self-hosted and served directly from neustac.com using Fontsource. We do not load fonts from Google's font CDN, so no IP address or request data is shared with Google to render the Site's typography.
Resend (transactional email delivery — forward-looking) — If and when we publish a contact form, Resend Inc. would deliver your submission to us by email. Resend would receive the name, email, company, and message you submit. Resend acts as our processor for that delivery. See resend.com/legal/privacy-policy.
GoHighLevel / LeadConnector (scheduling) — Our booking buttons (for example, "Book an AI Readiness Audit") send you to a scheduling page operated on the HighLevel platform (HighLevel Inc.). When you book, HighLevel collects your name, email, phone number, and scheduling details on our behalf and makes them available to us so we can prepare for and hold the call. HighLevel acts as our processor for the booking data we receive. The scheduling page is also governed by HighLevel's own terms and privacy practices. See gohighlevel.com/privacy-policy.
Google Ads (advertising and conversion tracking — forward-looking) — Once live, the Google Ads tag (gtag) will use cookies and similar identifiers to measure ad performance, attribute conversions, and show you Neustac ads on Google and partner properties based on your visit. This involves sharing data with Google for advertising. See policies.google.com/technologies/ads.
Meta Pixel (advertising and conversion tracking — forward-looking) — Once live, the Meta Pixel will use cookies and similar identifiers to measure and target ads on Facebook and Instagram based on your visit. This involves sharing data with Meta for advertising. See facebook.com/privacy/policy.
Google Analytics (analytics — forward-looking) — Once live, Google Analytics 4 (GA4) will use cookies and similar identifiers (such as the _ga and _gid cookies) to measure how visitors find and use the Site. Google processes this analytics data under its terms, and we will run GA4 behind the same opt-out and GPC controls as the advertising tags. See policies.google.com/privacy and the Google Analytics opt-out add-on at tools.google.com/dlpage/gaoptout.
Cookies and Tracking Technologies
Today, the Site sets no cookies and uses no tracking technologies of its own. Once advertising is live, the Site will use the cookies and similar technologies described in the table below.
You can control cookies through your browser settings, through the opt-out tools listed below, and through the controls described in the "Targeted Advertising, and How to Opt Out" section.
The table below reflects the trackers that will be present once advertising is enabled:
- Provider: Google Ads (gtag). Type: Advertising / conversion. Purpose: Measure ad performance, attribute conversions, and serve Neustac ads based on your visit (remarketing). Data involved: Cookie/device identifiers, IP address, pages viewed, ad-interaction data. Status: Forward-looking (planned). Opt out: Your Google ad settings (myadcenter.google.com) and the opt-out tools listed below.
- Provider: Meta Pixel (fbq). Type: Advertising / conversion. Purpose: Measure ad performance and serve Neustac ads on Facebook and Instagram based on your visit. Data involved: Cookie/device identifiers, IP address, pages viewed, ad-interaction data. Status: Forward-looking (planned). Opt out: Your Facebook/Instagram ad settings and the industry opt-out tools listed below.
- Provider: Google Analytics 4 (gtag). Type: Analytics / measurement. Purpose: Measure how visitors find and use the Site (traffic, pages, referrals). Data involved: _ga / _gid cookie identifiers, IP address, pages viewed. Status: Forward-looking (planned). Opt out: The "Your Privacy Choices" control on the Site and GPC, plus the Google Analytics opt-out add-on (tools.google.com/dlpage/gaoptout) and your browser's cookie controls.
- Provider: Cloudflare (hosting). Type: Strictly necessary / security. Purpose: Deliver and secure the Site; server logging. Data involved: IP address, request metadata. Status: Live. Opt out: Not applicable (required to operate the Site).
- Provider: Self-hosted fonts (Fontsource). Type: Functional (font delivery). Purpose: Render the Site's typefaces. Data involved: None beyond standard server logs. Status: Live. Opt out: Not applicable (no cookie set; fonts are served from neustac.com).
Industry opt-out tools. Once advertising is live, you can opt out of interest-based advertising from many companies, including Google and Meta, through:
- Network Advertising Initiative: optout.networkadvertising.org
- Digital Advertising Alliance: optout.aboutads.info
- Google: your ad settings at myadcenter.google.com, plus your browser's cookie controls
Targeted Advertising, and How to Opt Out ("Do Not Sell or Share My Personal Information")
Once the Google Ads tag and Meta Pixel are live, your visit data will be shared with Google and Meta so they can measure our ads and show you Neustac ads elsewhere. Under several US state privacy laws, this kind of advertising-driven data sharing can be treated as a "sale" of personal information, a "share," or "targeted advertising" / "cross-context behavioral advertising," even though no money changes hands for your data.
We do not sell your personal information for money, and we never sell sensitive personal information. But to be transparent and to give you a clear choice, we will offer an opt-out.
How to opt out:
- Use the "Do Not Sell or Share My Personal Information" / "Your Privacy Choices" control on the Site.
- Use the industry opt-out tools listed in the "Cookies" section above.
- Turn on a Global Privacy Control (GPC) signal in a supported browser or extension. We treat a GPC signal as your request to opt out of advertising-related sharing for that browser.
Our on-site opt-out and GPC honoring apply per browser and device, and they are cleared if you clear your site data or browser storage. To opt out everywhere, turn on GPC in each browser you use and use the industry and Google/Meta account controls listed above.
Why we offer this even though we are likely not legally required to. Based on our size, we likely do not meet the thresholds that would make the major comprehensive state privacy laws (such as California's CCPA/CPRA) mandatory for us, and we likely qualify as a small business that is largely exempt under the Texas Data Privacy and Security Act. We provide the opt-out and GPC honoring anyway because (1) Google's and Meta's advertiser terms require us to provide the advertising disclosures and an opt-out path, (2) it is the right baseline practice, and (3) it positions us to remain compliant if our advertising scale grows or if a state law such as Connecticut's (see below) reaches us.
Texas Residents (Texas Data Privacy and Security Act)
We may serve Texas residents, so we include this section. (The TDPSA can apply to a business that offers products or services to Texas residents, regardless of where the business itself is based.)
The Texas Data Privacy and Security Act (TDPSA) does not have a revenue or data-volume threshold, but it exempts businesses that qualify as "small businesses" under the applicable U.S. Small Business Administration (SBA) size standard. That SBA standard is set per industry by NAICS code and, for the consulting and computer-systems-design work Neustac does, it is measured by average annual revenue, not simply by a head-count of employees. We believe Neustac qualifies as an SBA small business by a wide margin and is therefore exempt from substantially all TDPSA controller obligations.
One TDPSA obligation can apply even to an exempt small business: under Texas Business & Commerce Code Sec. 541.107, a small business may not SELL a consumer's sensitive personal data without first obtaining the consumer's consent. Neustac's policy is simple: we do not sell sensitive personal data, and we keep sensitive categories out of our advertising tools. Because we do not sell sensitive personal data, the verbatim TDPSA "NOTICE: We may sell your sensitive personal data" statement (which Sec. 541.102 requires only of businesses that actually do so) does not appear in this policy. We collect no biometric data, so no biometric-sale notice applies either.
California Residents
CalOPPA. California's Online Privacy Protection Act applies to any commercial website that collects personal information from California residents, regardless of the operator's size. This policy is intended to satisfy CalOPPA, including its Do-Not-Track disclosure (see "Do Not Track" below), its disclosure of third-party cross-site tracking (see "Cookies" and "Targeted Advertising" above), the categories of personal information we collect and the third parties we share with (above), how you can review or request changes to your information (see "Your Choices and Requests"), how we notify you of changes (see "Changes to This Policy"), and the effective date (at the top of this policy).
CCPA/CPRA. The California Consumer Privacy Act, as amended by the CPRA, imposes substantive obligations only on a "business" that meets at least one statutory threshold (broadly: roughly $26.625 million or more in annual gross revenue for 2026; buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year; or deriving 50% or more of revenue from selling or sharing personal information). We do not believe Neustac currently meets any of these thresholds, so CCPA/CPRA likely does not apply to us. We nonetheless offer the "Do Not Sell or Share My Personal Information" opt-out and honor Global Privacy Control as a voluntary best practice and to satisfy our advertising partners' requirements.
Shine the Light (Cal. Civ. Code 1798.83). We do not share your personal information with third parties for those third parties' own direct marketing purposes.
Voluntary rights. As a matter of practice, and not as a concession that any of these laws binds us, we will try to honor reasonable requests from California (and other) residents to know what personal information we hold about them, to correct it, or to delete it. See "Your Choices and Requests."
Other US State Privacy Laws (Including Connecticut)
A growing number of US states have comprehensive privacy laws. Most of them apply only to businesses that process the personal data of large numbers of state residents (for example, 100,000 consumers in many states; 25,000 consumers in Montana since October 1, 2025, lower if a large share of revenue comes from data sales; and 35,000 consumers in states such as Connecticut, Rhode Island, Delaware, and New Hampshire). We do not expect Neustac to reach those volumes, so we do not believe these laws apply to us today.
Connecticut is a deliberate exception we want to flag. As amended by SB 1295 (enacted June 24, 2025, effective July 1, 2026), the Connecticut Data Privacy Act will apply to a business that targets Connecticut residents if it either (a) controls or processes the personal data of 35,000 or more Connecticut consumers in a year (excluding data processed solely to complete a payment), (b) processes sensitive data, or (c) offers personal data "for sale" — and for prongs (b) and (c) there is NO minimum number-of-consumers threshold. Connecticut defines a "sale" broadly as an exchange for monetary or other valuable consideration, and it is genuinely unsettled whether that definition reaches advertising tools like the Meta Pixel and Google Ads tag (commentators disagree, and the question has not been tested in court). Because Neustac will run those advertising tools and could reach Connecticut residents, we do not claim a blanket exemption from Connecticut's law. Our mitigations are the same controls described throughout this policy: we do not sell sensitive data, we keep sensitive categories out of our advertising tools, and we offer the voluntary opt-out and Global Privacy Control honoring.
Your Choices and Requests
You can:
- Opt out of advertising-related sharing using the controls in "Targeted Advertising" above and by turning on Global Privacy Control in your browser.
- Manage cookies through your browser settings.
- Ask us to access, correct, or delete the personal information we hold about you by emailing [email protected]. We will respond within a reasonable time and, where a specific state law applies and sets a deadline, within the period that law requires.
- Unsubscribe from marketing email using the unsubscribe link in any such message.
We will not discriminate against you for exercising any of these choices. To protect your information, we may need to verify your identity before acting on a request.
Do Not Track
Some browsers send a "Do Not Track" (DNT) signal. There is no industry-standard agreement on how to interpret DNT signals. The Site does not currently respond to browser DNT signals. We do, however, honor Global Privacy Control (GPC) signals: when your browser sends a GPC signal, we treat it as an opt-out of advertising-related sharing, and our advertising tags will not load for that browser. Because no advertising tags are live yet, there is currently nothing to suppress; once they are live, GPC keeps them off.
Sensitive Data and Clients in Confidential Professions
Many of our clients are law firms and other professionals who handle confidential and privileged information. The public Site is not built to receive that kind of information, and we ask you not to send it here.
We configure our advertising tools so that they do not capture form-field contents, message text, or any sensitive categories of personal data (such as precise geolocation, health, or biometric information). We do not sell sensitive personal data.
Children's Privacy
The Site is a business-to-business site intended for businesses and professionals. It is not directed to children, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact [email protected] and we will delete it. (We include this section as a prudent practice; the federal Children's Online Privacy Protection Act does not impose operational obligations on a site like ours.)
International Visitors
Neustac is a US-based business, and this Site and our services are intended for users in the United States. If you access the Site from outside the United States, you understand that your information will be processed in the United States, where privacy laws may differ from those in your location. We do not currently target the European Economic Area, the United Kingdom, or Switzerland, and this policy is not written to satisfy the GDPR or UK GDPR.
Data Retention and Security
We keep personal information only for as long as we need it for the purposes described in this policy, or as required by law, and then delete or de-identify it. As a general guide: we keep discovery-call bookings, contact-form submissions, and inquiry emails for up to 24 months after our last communication with you, then delete or de-identify them, unless you become a client (in which case your signed engagement agreement governs that data) or we need to keep the information longer to meet a legal obligation or resolve a dispute. Cloudflare server logs are retained only for a short period (generally up to 30 days) for security and diagnostics. Advertising cookies and identifiers expire on schedules set and controlled by Google and Meta under their own policies and your account settings (commonly a matter of months); we do not retain raw pixel event data ourselves beyond what those platforms make available in their dashboards.
We use reasonable administrative and technical safeguards to protect your information, including relying on reputable service providers (such as Cloudflare) for hosting and security. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
Changes to This Policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top and post the updated policy on this page. If we make material changes, we will take reasonable steps to provide additional notice, such as a notice on the Site. The updated policy applies from the date it is posted.
Contact Us
Questions or requests about this policy or your information:
Email: [email protected]
Kairos Salt Holdings LLC
1309 Coffeen Avenue, STE 1200, Sheridan, WY 82801
State of operation: Wyoming