Privacy Policy & Cookie Policy

1. Introduction & Scope

Welcome to Outline Partners, accessible at outline.partners. This Privacy Policy describes how Outline Technologies ("we," "us," or "our") collects, uses, processes, stores, discloses, and protects personal information from individuals who visit our website, submit an application to join our partner program, or otherwise interact with us.

Outline Partners is a business-to-business (B2B) white-label partner program. We enable marketing agencies, web design firms, digital consultants, and related professionals to resell our SEO, Answer Engine Optimization (AEO), Generative Engine Optimization (GEO), and AI Citation services under their own brand. The personal information we collect therefore relates primarily to business professionals acting in their professional capacity, not to consumers purchasing products for personal use.

This policy applies to all personal data collected through:

• Our website at outline.partners
• Our partner application form
• Email communications to [email protected] or [email protected]
• Any other channel where this policy is referenced or posted

This policy does not apply to data processed by Outline Technologies on behalf of its clients under separate data processing agreements — that processing is governed by the relevant client contracts and the client's own privacy policies.

We are committed to complying with applicable data protection laws globally, including the General Data Protection Regulation (GDPR) for individuals in the European Union and the United Kingdom (UK GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and applicable US state privacy laws. By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We collect information in two ways: information you provide to us directly, and information collected automatically as you interact with our website. Our data collection is intentionally minimal — we collect only what is necessary to evaluate your application and deliver our services.

2.1 Data You Provide to Us

When you complete and submit a partner application form, you will be asked to provide the following information:

• Full Name: The name of the individual applying on behalf of the agency, used for direct communication and to identify the primary contact for the partnership.
• Business Email: Your professional email address, which serves as the primary channel for all application-related communications, partnership updates, and operational correspondence.
• Agency Name: The legal or trading name of your marketing agency, essential for identifying the entity seeking partnership and for any formal agreements.
• Agency Website URL: The web address of your agency, which allows us to understand your business, verify your online presence, and assess your suitability for the program.
• Approximate Active Client Count (Range Dropdown): An indication of your agency's scale, provided as a selected range (e.g., 1–10, 11–50, 51–100, 100+), helping us tailor our support resources and partnership structure to your needs.
• Services Interested In (Checkboxes): Your specific areas of interest within our white-label offerings — for example, SEO, AEO, GEO, or AI Citation tracking — enabling us to provide relevant information and customize our partnership proposal.
• Referral Source (Dropdown): How you heard about Outline Partners (e.g., search engine, social media, industry event, referral from an existing partner), which helps us measure the effectiveness of our outreach and attribute program growth.
• Optional Notes: Any additional information or comments you voluntarily choose to include, providing further context to your application, specific requirements, or questions.

Certain fields (full name, business email, agency name) are required for us to process your application. Optional fields such as the notes field can be left blank without affecting your submission. All information you provide is used solely for the purposes outlined in this policy.

2.2 Data We Collect Automatically

When you visit outline.partners, certain technical information is automatically collected through our web infrastructure and third-party security services. This data is collected to maintain site security, ensure functionality, and gather anonymized usage analytics. The automatically collected data includes:

• IP Address: Your Internet Protocol address, used for security purposes (identifying and blocking malicious traffic, DDoS protection), approximate geographic location (country or region level only), and basic access logging. We do not use IP addresses to build individual user profiles.
• Browser Type and Version: Information about the web browser you are using (e.g., Chrome 124, Firefox 125, Safari 17), which helps us ensure website compatibility and optimal display across different browsers.
• Referring URL: The URL of the webpage you visited immediately before navigating to outline.partners, providing insight into how visitors discover our site.
• Pages Visited: A record of the specific pages you access on our website, providing aggregated insights into content engagement and user navigation patterns. This data is processed in anonymized, aggregated form.
• Time on Site: The approximate duration of your visit and time spent on individual pages, used to assess engagement and identify areas of the site that may need improvement. Processed in aggregated form only.

This automatic data collection is primarily facilitated through Cloudflare's infrastructure (our CDN and security provider). Cloudflare Web Analytics, which we use for site usage insights, is designed to be privacy-preserving: it does not use client-side tracking cookies, does not log IP addresses for analytics purposes, and does not track individuals across websites. All analytics data is processed in anonymized, aggregated form. We do not use this automatically collected data for advertising or to build individual user profiles.

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR) and the UK GDPR, we must have a valid legal basis before processing personal data. The legal bases we rely on, mapped to the relevant data types, are as follows:

Application Form Data (Name, Email, Agency Details, etc.)

• Performance of a contract or steps prior to entering a contract (Article 6(1)(b) GDPR): When you submit an application, processing your full name, business email, agency name, website URL, client count range, services of interest, and optional notes is necessary for us to evaluate your application (pre-contractual steps at your request) and, if approved, to establish and manage our partnership agreement. Without this data, we cannot process your application or fulfill our obligations under a partnership agreement.
• Legitimate interests (Article 6(1)(f) GDPR): We may also process certain application data — particularly your agency website URL and referral source — on the basis of our legitimate interests in improving our application process, verifying information provided, understanding our market reach, and preventing fraudulent applications. We have conducted a balancing test and are satisfied that these interests are not overridden by your fundamental rights and freedoms, given that the data is professional in nature, is not sensitive, and the processing is limited in scope.
• Compliance with legal obligations (Article 6(1)(c) GDPR): In certain circumstances, we may be required by law to process or retain your information, for example to comply with tax regulations, accounting requirements, or a lawful request from a public authority.

Automatically Collected Technical Data (IP Address, Browser, etc.)

• Legitimate interests (Article 6(1)(f) GDPR): Processing IP addresses and technical browsing data for website security, DDoS protection, fraud prevention, and website performance analysis is based on our legitimate interests in maintaining a secure, functional, and optimized website. These interests are proportionate and do not override your rights, particularly as: (a) the data is processed in anonymized, aggregated form for analytics; (b) no profiling or advertising activities are conducted; and (c) security processing is fundamental to any online service.

For individuals located outside the EEA/UK, where applicable privacy laws may reference different legal frameworks, our processing activities remain governed by the principles of purpose limitation, data minimization, transparency, and security described throughout this policy.

4. How We Use Your Information

We use the information we collect for specific, legitimate business purposes. We are committed to using your data only for the purposes stated here and will not repurpose it in ways that are incompatible with your original expectations.

Application and Partnership Data

• To process and evaluate your application: Your full name, business email, agency name, website URL, client count, and services of interest are used to assess whether your agency is a good fit for the Outline Partners program, including reviewing your online presence and understanding your service needs.
• To communicate with you about your application: We use your name and email to keep you informed of your application status, request any additional information needed, and answer queries you submit during the application process.
• To onboard and manage approved partners: If your application is approved, your information is used to set up your partner account, provide access to partner resources, introduce you to your dedicated account manager, and administer the ongoing partnership relationship.
• To deliver white-label services: Partner information enables us to deliver SEO, AEO, GEO, and AI Citation services tailored to your agency's profile, including providing branded report templates, briefing systems, and performance dashboards.
• For internal record-keeping and administration: We maintain records of partners and applications for program management, compliance, and quality assurance purposes.
• To comply with legal and regulatory obligations: We may use and retain your information where required by law, including tax obligations, anti-money laundering requirements, or lawful requests from authorities.
• To protect our legal rights: We may use information to investigate, detect, or defend against fraud, abuse, or legal claims.

Automatically Collected Technical Data

• Website security and DDoS protection: IP addresses and access patterns are processed by Cloudflare to identify and block malicious traffic, unauthorized access attempts, and denial-of-service attacks.
• Website performance analysis: Aggregated, anonymized data about pages visited, browser types, and time on site helps us understand how our website is used, identify popular content, and improve navigation and design.
• Troubleshooting technical issues: Technical data helps us diagnose and resolve errors or performance problems that may affect the user experience.
• Internal reporting: Anonymized website usage data informs our strategic decisions about content and website development.

5. How We Share Your Information

We do not sell, rent, or trade your personal data to any third parties for their own marketing or commercial purposes. Sharing of your information occurs only in limited, defined circumstances with trusted service providers, or where legally required. All third-party service providers with whom we share data are bound by contractual obligations to protect your information and process it only under our instructions.

Current Third-Party Processors

• Cloudflare, Inc. (USA): We use Cloudflare for content delivery network (CDN) services, DDoS protection, web application firewall (WAF), and privacy-preserving website analytics (Cloudflare Web Analytics). When you access our website, your traffic is routed through Cloudflare's global network. Cloudflare processes technical data including IP addresses to filter malicious traffic, accelerate content delivery, and provide us with aggregated site usage data. Cloudflare acts as a data processor under our instructions. Their processing is covered by a Data Processing Addendum, and Cloudflare is certified under the EU-US Data Privacy Framework. For details, see Cloudflare's Privacy Policy at cloudflare.com/privacypolicy.
• Email service provider (potential future use): Should we implement a partner communications or newsletter service for operational updates, we may engage a reputable email service provider (such as Mailchimp or SendGrid) and share partner email addresses solely for the purpose of sending those communications. We will update this policy if and when such a provider is engaged. Any such provider would be required to comply with applicable data protection laws and would not be permitted to use your data for their own purposes.

Other Disclosure Circumstances

• Legal requirements: We may disclose personal data where required by law, court order, subpoena, governmental request, or regulatory authority, or where we believe disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud, or ensure the safety of our users or the public.
• Business transfers: In the event of a merger, acquisition, asset sale, or corporate restructuring involving Outline Technologies, your personal data may be transferred to the acquiring entity or successor as part of that transaction. We will notify you of any material change in ownership or control and ensure that the recipient is bound by privacy obligations no less protective than those in this policy.
• Professional advisors: We may share information with our legal, financial, or technical advisors where strictly necessary for them to provide professional services to us, subject to obligations of confidentiality.

6. International Data Transfers

Outline Partners serves a global audience, and our primary third-party processor, Cloudflare, Inc., is headquartered in the United States. Consequently, personal data collected from visitors in the European Economic Area (EEA), United Kingdom, Switzerland, and other jurisdictions may be transferred to and processed in the United States or other countries that may not have data protection laws equivalent to those in your home jurisdiction.

Where personal data is transferred from the EEA or UK to the United States, we rely on the following legal safeguards:

• EU-US Data Privacy Framework (DPF): Cloudflare, Inc. is certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US DPF. These frameworks, established following the Schrems II ruling, provide a mechanism for lawful transfer of personal data from the EU, UK, and Switzerland to certified US companies. Certification requires adherence to a set of privacy principles that ensure adequate protection for personal data. We verify the DPF certification of our US-based processors.
• Standard Contractual Clauses (SCCs): Where the DPF is not applicable, or as an additional safeguard, we rely on the European Commission's Standard Contractual Clauses (SCCs) — pre-approved contractual terms that impose binding data protection obligations on both the exporter and importer of personal data. For UK-originating transfers, we use the UK International Data Transfer Addendum (IDTA) as supplemented by the Information Commissioner's Office.
• Adequacy decisions: For transfers to countries that have been granted adequacy status by the European Commission or UK government (including countries such as Canada, Australia, Japan, and others), we rely on those adequacy decisions as the transfer mechanism.

We conduct appropriate due diligence on international data transfer mechanisms and, where required, undertake Transfer Impact Assessments (TIAs) to evaluate whether additional technical or organizational safeguards are needed. We are committed to ensuring that your personal data receives equivalent protection regardless of where it is processed. By using our website, you understand that your data may be processed in countries outside your own, including the United States, subject to the safeguards described above.

For partners and applicants based in the UAE and Australia: while these countries have their own data protection frameworks (the UAE's Federal Decree-Law No. 45 of 2021 on Personal Data Protection, and Australia's Privacy Act 1988 as amended), your data processed by Cloudflare is covered by the DPF or SCCs as described above. We are committed to honoring privacy requests from residents of all jurisdictions we serve.

7. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, including to satisfy applicable legal, accounting, reporting, or contractual requirements. Our retention practices are designed to comply with the principle of storage limitation under GDPR and equivalent data protection laws: we do not hold data longer than needed.

Application Data Retention

• Unsuccessful or withdrawn applications: If your application to the Outline Partners program is not approved, or if you withdraw your application before approval, we will retain your application data (full name, email, agency details, services interest, referral source, and any notes) for a period of three (3) years from the date of application submission. This period allows us to maintain records for internal review, respond to follow-up inquiries, prevent re-submission of previously declined applicants without new circumstances, and comply with any legal obligations related to application records. After this period, your data will be securely deleted or irreversibly anonymized.
• Approved partners — active partnership: During an active partnership, we retain all relevant partner data for the duration of the partnership relationship.
• Approved partners — post-partnership: Following the termination or conclusion of a partnership with Outline Partners, we will retain partner data for an additional period of seven (7) years from the date the partnership ends. This extended period is necessary to comply with legal obligations (including VAT and tax record-keeping requirements in relevant jurisdictions), audit requirements, and to enable us to defend or pursue legal claims that may arise after the relationship concludes. After this seven-year period, data will be securely deleted or anonymized.

Automatically Collected Data Retention

• Raw technical data (IP addresses, access logs): Raw technical access logs are retained for a limited period — typically between 30 days and 12 months — depending on the specific data type and security requirements, after which they are deleted.
• Anonymized and aggregated analytics: Once website usage data has been anonymized and aggregated (meaning it can no longer be linked to any identifiable individual), it is no longer considered personal data under GDPR. Such anonymized analytics data may be retained indefinitely for historical trend analysis, website improvement, and long-term reporting, as it poses no privacy risk to individuals.

Legal Holds and Extended Retention

In some circumstances, we may be legally required to retain certain data beyond the periods described above — for example, in connection with ongoing legal proceedings, regulatory investigations, or statutory requirements under applicable tax or financial laws. In such cases, we will retain the relevant data until the legal obligation or proceeding is resolved, after which normal deletion procedures will apply.

When the applicable retention period expires, we will securely delete or irreversibly anonymize your personal information using technically appropriate methods to ensure it cannot be recovered or reconstructed.

8. Your Rights Under GDPR

If you are located in the European Union, the European Economic Area, or the United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) grants you comprehensive rights regarding your personal data. Outline Partners is committed to upholding these rights and making it straightforward for you to exercise them.

To exercise any of the rights below, contact us at [email protected]. We will respond to your request within 30 calendar days. In complex or high-volume cases, this may be extended by up to 60 additional days (maximum 90 days total), with prior notification and explanation of the reason for delay. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

1. The Right to Be Informed (Articles 13 & 14): You have the right to be informed about how we collect and use your personal data. This Privacy Policy fulfills that right. If we obtain data about you from a source other than directly from you, we will provide you with the required information within a reasonable timeframe.
2. The Right of Access (Article 15): You have the right to request confirmation of whether we process personal data about you, and to receive a copy of that data along with supplementary information about how it is processed (purposes, categories, recipients, retention periods, etc.). We will provide this in a clear, accessible format, typically via email.
3. The Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data we hold about you, or completion of incomplete data, without undue delay. If you believe any information in our records is incorrect, please contact us with the correct information and we will update our records promptly.
4. The Right to Erasure — "Right to Be Forgotten" (Article 17): You have the right to request deletion of your personal data where: the data is no longer necessary for the purpose for which it was collected; you withdraw consent and no other legal basis exists; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or deletion is required by a legal obligation. Note that this right is not absolute — we may need to retain certain data to comply with legal obligations, defend legal claims, or for other permitted purposes described in this policy.
5. The Right to Restriction of Processing (Article 18): You have the right to request that we restrict the further processing of your personal data in certain circumstances — for example, if you contest the accuracy of the data (restriction applies while we verify accuracy), if the processing is unlawful but you prefer restriction over deletion, or if we no longer need the data but you require it for legal claims. During restriction, we will store the data but not otherwise use it.
6. The Right to Data Portability (Article 20): Where processing is based on consent or on a contract, and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit that data to another controller. This right applies to data you have provided to us directly — for example, your application data.
7. The Right to Object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims. You have an absolute right to object to processing for direct marketing purposes — upon such objection, we will immediately cease marketing communications.
8. Rights Related to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning you. Outline Partners does not engage in automated decision-making or profiling that produces such effects. Application decisions involve human review.

When you submit a request to exercise your rights, we may ask you to provide information sufficient to verify your identity, to ensure we do not disclose data to unauthorized individuals. This is a security measure, not a barrier, and we will process verification quickly.

9. Your Rights Under CCPA/CPRA

This section applies to residents of California. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents specific rights regarding their Personal Information. While our primary business model is B2B, we extend these protections to the extent applicable to personal information collected in connection with our operations.

To exercise any of the rights below, contact us at [email protected]. We will respond within 45 calendar days, extendable by an additional 45 days in complex cases (maximum 90 days), with prior written notification. We will not charge a fee for processing verifiable requests, up to twice per 12-month period.

• Right to Know: You have the right to request disclosure of: the categories of Personal Information we have collected about you; the categories of sources from which it was collected; the business or commercial purposes for collecting it; the categories of third parties to whom we disclose it; and the specific pieces of Personal Information we have collected about you.
• Right to Delete: You have the right to request deletion of Personal Information we have collected from you, subject to exceptions including where retention is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or enable other lawful internal uses compatible with the context in which you provided the information.
• Right to Correct Inaccurate Personal Information: You have the right to request correction of inaccurate Personal Information we hold about you, taking into account the nature of the information and our processing purposes. We will use commercially reasonable efforts to correct inaccurate information upon receipt of a verifiable request.
• Right to Opt-Out of Sale or Sharing: The CCPA/CPRA provides the right to opt out of the "sale" of Personal Information (exchange for valuable consideration) and the "sharing" of Personal Information for cross-context behavioral advertising. Outline Partners does not sell Personal Information and does not share it for cross-context behavioral advertising. We have no advertising relationships that would constitute a "sale" or "sharing" under CCPA/CPRA. There is therefore no opt-out mechanism needed for this right.
• Right to Limit the Use and Disclosure of Sensitive Personal Information (SPI): The CPRA introduced rights regarding Sensitive Personal Information. Outline Partners does not collect Sensitive Personal Information as defined by the CPRA (such as racial or ethnic origin, precise geolocation, health data, biometric data, or financial account credentials) from our partners or website visitors. Business email addresses, professional information, and agency details provided in the application form are not classified as Sensitive Personal Information under CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different quality of service because you exercised your privacy rights.
• Right to Appeal: If we deny your request to exercise any of the rights above, you may appeal that decision by contacting us at [email protected], clearly indicating you are submitting an appeal. We will review your appeal and provide a written response within 45 days. If we deny your appeal, we will provide information about how to submit a complaint to the California Privacy Protection Agency (CPPA).

Identity Verification

To protect your privacy, we will verify your identity before fulfilling any request. This typically involves matching identifying information you provide (such as your name, email address, and agency name) against our records. For requests for specific pieces of Personal Information, we may require a higher level of verification. Authorized agents submitting requests on your behalf must provide written proof of authorization.

10. Your Rights Under Other US State Laws

In addition to California, numerous US states have enacted comprehensive consumer data privacy laws that may grant residents rights with respect to their personal data. The laws listed below are primarily designed to protect individuals acting as consumers, and many of them explicitly exclude data collected in the context of B2B transactions. However, because our website collects data from website visitors and applicants in these states, and because we believe in honoring privacy rights regardless of technical exemptions, we commit to processing privacy requests from residents of these states to the extent reasonably practicable.

Rights Available Under Most of These Laws

• Right to Access/Know: Confirm whether we process your personal data and access a copy of it, along with information about the categories, purposes, and recipients.
• Right to Delete: Request deletion of personal data we have collected from you, subject to similar exceptions as described for CCPA.
• Right to Correct: Request correction of inaccurate personal data we hold about you.
• Right to Opt-Out of Sale: Opt out of any sale of your personal data. As stated above, Outline Partners does not sell personal data.
• Right to Opt-Out of Targeted Advertising: Opt out of processing of your personal data for targeted advertising. Outline Partners does not engage in targeted advertising — this right is therefore not relevant to our current practices.
• Right to Opt-Out of Profiling: Opt out of profiling in furtherance of decisions with legal or significant effects. Outline Partners does not engage in such profiling.
• Right to Non-Discrimination: Not be discriminated against for exercising your rights.
• Right to Appeal: Appeal a denial of your rights request.

State-Specific Summary

• Delaware (Delaware Personal Data Privacy Act — DPDPA, effective January 1, 2025): Grants rights to access, deletion, correction, and opt-out of sale, targeted advertising, and profiling. Controller and processor obligations apply.
• Iowa (Iowa Act Relating to Consumer Data Protection — IACDP, effective January 1, 2025): Provides rights to access, deletion, and opt-out of sale. Narrower in scope than some other states.
• New Hampshire (New Hampshire Privacy Act — NHPA, effective January 1, 2025): Comprehensive rights framework including access, deletion, correction, and opt-out of sale, targeted advertising, and profiling.
• New Jersey (New Jersey Data Privacy Act — NJDPA, effective January 15, 2025): Broad applicability; rights to access, deletion, correction, and opt-out of sale, targeted advertising, and profiling. Includes specific provisions for sensitive data.
• Tennessee (Tennessee Information Protection Act — TIPA, effective July 1, 2025): Rights to access, deletion, correction, and opt-out of sale, targeted advertising, and profiling.
• Minnesota (Minnesota Consumer Data Privacy Act — MCDPA, effective January 1, 2025): Strong consumer rights including access, deletion, correction, and opt-out of targeted advertising and profiling. Particular focus on data minimization.
• Maryland (Maryland Online Data Privacy Act — MODPA, effective October 1, 2025): Rights to access, deletion, correction, and opt-out of sale, targeted advertising, and profiling. Notable for lower thresholds and stricter treatment of sensitive data categories.
• Kentucky (Kentucky Consumer Data Protection Act — KCDPA, effective January 1, 2026): Rights to access, deletion, correction, and opt-out of sale, targeted advertising, and profiling.
• Texas (Texas Data Privacy and Security Act — TDPSA, effective July 1, 2024): Rights to access, deletion, correction, and opt-out of sale and targeted advertising. Applies to businesses not classified as small businesses under the US SBA definition.
• Florida (Florida Digital Bill of Rights — FDBR, effective July 1, 2024): Rights to access, deletion, correction, and opt-out of sale and targeted advertising. Specific thresholds on annual revenue apply.

To submit a privacy request under any of these state laws, contact us at [email protected]. We will verify your identity and respond within the applicable statutory timeframe (typically 45 days, with possible extension). If your request is denied, we will provide a written explanation and information about your right to appeal.

11. Cookie Policy

This section explains in detail how Outline Partners uses cookies and similar technologies on outline.partners. Our approach to cookies is minimalist by design: we use only what is essential for website function and security, plus privacy-preserving analytics that involve no tracking cookies whatsoever.

What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They allow websites to recognize your device, remember preferences, maintain security, and gather usage statistics. Cookies can be "session cookies" (deleted when you close your browser) or "persistent cookies" (remaining on your device for a defined period or until you delete them manually).

Cookies We Use

• Strictly Necessary Session Cookies: These cookies are essential for our website to function correctly. They maintain your session state as you navigate the site, enable security functionality, and support basic site operations. Without these cookies, certain features of the website would not work. Examples include session identifiers and security tokens. These are session cookies — they are deleted automatically when you close your browser. No consent is required for strictly necessary cookies under the ePrivacy Directive and GDPR, as they are essential for the service you have requested.
• Cloudflare Security Cookies (__cf_bm, __cf_clearance): Cloudflare, our CDN and security provider, sets these cookies to help identify individual clients behind shared IP addresses, apply security rules on a per-client basis, and distinguish legitimate users from automated bots. The __cf_bm cookie has a 30-minute duration. The __cf_clearance cookie is set only when a user passes a Cloudflare security challenge and expires after 30 minutes to 24 hours depending on configuration. These cookies are classified as strictly necessary for website security and do not require explicit consent.

Analytics — No Tracking Cookies

We use Cloudflare Web Analytics to understand how our website is used. Unlike traditional analytics platforms such as Google Analytics, Cloudflare Web Analytics is specifically designed to be privacy-preserving:

• It does not use client-side tracking cookies.
• It does not log or store individual IP addresses for analytics purposes.
• It does not track users across different websites.
• It does not collect any personally identifiable information (PII).
• All data is aggregated and anonymized at the point of collection — individual users cannot be identified from this data.
• It relies on server-side analysis and does not involve placing tracking cookies on your device.

Because Cloudflare Web Analytics places no tracking cookies and collects no personal data, no cookie consent is required for this analytics method.

What We Explicitly Do NOT Use

To be unambiguous, Outline Partners does not use any of the following on outline.partners:

• Advertising cookies — we do not serve advertising or participate in advertising networks
• Remarketing or retargeting pixels — we do not track visitors to show them ads elsewhere on the internet
• Google Analytics or any Google advertising/tracking technologies
• Meta Pixel (Facebook Pixel) or any other Meta/Facebook tracking tools
• LinkedIn Insight Tag or similar professional network tracking
• Third-party tracking pixels from data brokers, audience platforms, or ad networks
• A/B testing cookies or session recording tools that capture individual user behaviour
• Fingerprinting or other tracking technologies designed to identify individual users

Cookie Consent

Because we only use strictly necessary cookies (which do not require consent under the ePrivacy Directive) and analytics that involve no cookies at all, we have determined that a cookie consent banner or cookie preference management tool is not required on outline.partners under current applicable regulations. Our website is designed to respect your privacy by default.

How to Control Cookies via Your Browser

You can control and delete cookies through your browser settings at any time. Most browsers allow you to view which cookies are set, delete individual cookies, block cookies from specific sites, block all third-party cookies, or delete all cookies when you close your browser. Please be aware that blocking strictly necessary cookies may prevent parts of our website from functioning correctly. For guidance, visit your browser's help documentation:

• Chrome: Settings > Privacy and security > Cookies and other site data
• Firefox: Options > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Manage Website Data
• Edge: Settings > Cookies and site permissions

12. Children's Privacy

Outline Partners' website and partner program are designed exclusively for business professionals and entities — specifically marketing agencies, web design firms, digital consultants, and related business professionals. Our services are not intended for, directed at, or designed to appeal to individuals under the age of 16.

We do not knowingly collect, process, or solicit personal information from anyone under the age of 16. The nature of our B2B service — which requires providing a business email, agency name, agency website, and professional details — means that individuals applying to our program are necessarily business professionals of adult age. Our application form is not designed to be completed by, or on behalf of, minors.

If we become aware, through any means, that we have inadvertently collected personal information from a child under the age of 16 without verifiable parental or guardian consent, we will take immediate action to:

• Delete all personal information relating to that individual from our active databases;
• Remove any communications or records associated with that individual;
• Confirm deletion to the parent or guardian upon request.

If you are a parent or guardian and you believe your child under the age of 16 may have submitted personal information to us through our website or application form, please contact us immediately at [email protected] with sufficient detail for us to identify and remove the information. We will investigate and respond promptly.

We are committed to complying with applicable laws protecting children's online privacy, including the Children's Online Privacy Protection Act (COPPA) in the US and Article 8 of the GDPR regarding children's data.

13. Security Measures

Protecting the security and integrity of your personal information is a core responsibility we take seriously. We implement a range of technical, organizational, and administrative security measures designed to protect against unauthorized access, accidental loss, alteration, disclosure, or destruction of your data. While no online system can guarantee absolute security, we apply industry-standard practices and continuously review our security posture.

Technical Security Measures

• Encryption in Transit (TLS/SSL): All data transmitted between your browser and our website is encrypted using Transport Layer Security (TLS 1.2 or higher). This protects data from interception during transmission. Our website enforces HTTPS and employs HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks.
• Cloudflare DDoS Protection and Web Application Firewall (WAF): We leverage Cloudflare's enterprise-grade security infrastructure, including Distributed Denial of Service (DDoS) mitigation — filtering malicious traffic before it reaches our servers — and a Web Application Firewall that identifies and blocks common web attack patterns including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities.
• Access Controls and Least Privilege Principle: Access to systems and data containing personal information is strictly limited to authorized personnel who require that access to perform their specific job functions. We implement role-based access controls (RBAC) and the principle of least privilege — granting only the minimum level of access necessary for each role.
• Secure Infrastructure: Our hosting infrastructure is designed with security in mind, including network segmentation, firewall rules, and regular security patching of all systems and dependencies.

Organizational Security Measures

• Data Minimization: We apply data minimization principles throughout our systems, collecting and retaining only the personal data that is genuinely necessary for the purposes described in this policy, reducing the potential impact of any security incident.
• Vendor Security Assessments: Before engaging third-party processors, we evaluate their security practices and data protection standards. We enter into Data Processing Agreements with all processors, requiring them to implement appropriate security measures and notify us of any security incidents affecting our data.
• Employee Training and Awareness: All personnel with access to personal data receive training on data privacy principles, secure data handling practices, and their obligations under applicable data protection laws. We maintain internal data protection policies and procedures.
• Regular Security Reviews: We conduct periodic reviews of our security practices, including vulnerability assessments and reviews of access logs, to identify and remediate potential weaknesses.

Incident Response and Breach Notification

We maintain documented procedures for detecting, containing, assessing, and reporting data security incidents. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:

• For GDPR purposes: we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible), and notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
• For CCPA/CPRA purposes: we will provide notification to affected California residents in accordance with California law requirements and timeframes.
• For other jurisdictions: we will comply with all applicable breach notification requirements.

Limitations

Despite our best efforts, no method of data transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your personal information. You also play an important role in protecting your data — please use strong, unique passwords for any accounts, do not share login credentials, and notify us promptly if you suspect unauthorized access to your account or personal information.

14. Third-Party Links

Our website may contain links to third-party websites, services, or resources that are not owned or operated by Outline Partners or Outline Technologies. These links may appear in our content, blog posts, resource sections, or as references to partner tools and external platforms. Such links are provided solely for your convenience and informational purposes.

Outline Partners has no control over, and assumes no responsibility for, the content, privacy policies, data practices, security measures, or terms of service of any third-party websites or services. The fact that we link to a third-party website does not imply endorsement, recommendation, or approval of that website or its practices.

When you click a link that directs you away from outline.partners to a third-party website, this Privacy Policy no longer applies. Your interactions with that third-party website are governed exclusively by that website's own privacy policy, terms of service, and cookie policy. We strongly encourage you to review the privacy policies of any external websites you visit before providing any personal information to them.

Common third-party links on our site may include: links to outline.ad (our main website, which has its own privacy policy), links to Cloudflare's website, links to industry publications or regulatory bodies, and links to professional networks. In all cases, please review those sites' privacy policies independently before engaging with them.

15. Changes to This Policy

Outline Partners reserves the right to update or modify this Privacy Policy at any time to reflect changes in our data practices, the services we offer, applicable legal requirements, or our operational processes. Privacy law and best practices evolve rapidly, and we are committed to keeping this policy current and accurate.

When we make changes to this policy, we will:

• Revise the "Effective Date" and "Last Updated" date at the top of this page to indicate when the revision occurred.
• Post the updated policy at the same URL (outline.partners/privacy).
• For material changes — those that significantly alter the categories of data we collect, the purposes for which we use it, the third parties with whom we share it, or the rights available to you — provide more prominent notice, which may include a banner notification on our website and, for active partners, an email notification to the email address associated with your partner account.

We define "material changes" as changes that fundamentally affect: how we collect or use your personal data; the types of data we collect; who we share data with; your rights under this policy; or how you can exercise those rights. Minor, non-material changes — such as typographical corrections, clarifications that do not alter the substance of our commitments, or updated contact details — may be made without specific advance notice beyond the effective date update.

Your continued use of outline.partners following the posting of any updated version of this Privacy Policy constitutes your acknowledgment of the changes. If you disagree with any changes to this policy, you should discontinue your use of our website and, if you are an active partner, contact us at [email protected] to discuss the implications for your partnership.

We encourage you to review this policy periodically to stay informed about how we protect your information. If you have questions about any version of this policy or the changes made, please contact us at [email protected].

16. How to Contact Us & Exercise Your Rights

We are committed to addressing your privacy concerns transparently, thoroughly, and promptly. Whether you wish to exercise a data subject right, ask a question about our data practices, report a concern, or simply understand more about how your information is used, we welcome your contact.

Privacy Contact

How to Submit a Rights Request

To exercise any of your privacy rights — including access, deletion, correction, restriction, portability, or objection rights under GDPR, CCPA/CPRA, or applicable US state laws — please email [email protected] with the following information:

1. Your full name as it appears in our records.
2. Your email address associated with your application or partnership.
3. Your relationship with Outline Partners (e.g., current partner, former partner, website visitor, applicant).
4. The specific right you wish to exercise (e.g., "I am requesting a copy of my personal data" or "I am requesting deletion of my personal data").
5. Any additional details that help us locate your information and process your request efficiently.

Identity Verification

To protect your privacy and the security of your data, we will verify your identity before processing any request. We will typically ask you to provide at least two pieces of identifying information that we can match against our existing records (e.g., your name plus your business email plus your agency name). For requests involving particularly sensitive information, we may require additional verification. This step is a security measure, not a barrier — we aim to complete verification quickly.

If you are submitting a request as an authorized agent on behalf of another individual, you must provide written proof of your authorization to act on their behalf, and we may also contact the individual directly to verify the request.

Response Timelines

• GDPR (EU/UK residents): We will respond within 30 calendar days of receipt. In complex cases, this may be extended by up to 60 additional days (maximum 90 days total), with written notification within the initial 30-day period explaining the reason for the extension.
• CCPA/CPRA (California residents): We will respond within 45 calendar days of receipt. This may be extended by an additional 45 days in complex cases (maximum 90 days total), with prior written notice and explanation.
• Other US state laws: We will comply with the specific response deadlines required by the applicable state law, which is typically 45 days with possible extension.
• All other requests: We aim to respond to all privacy-related enquiries within 30 days of receipt, regardless of jurisdiction.

All verifiable requests will be processed free of charge. However, if a request is manifestly unfounded, repetitive, or excessive, we reserve the right to charge a reasonable fee or refuse to act, provided we give you written explanation of our decision and inform you of your right to complain to a supervisory authority.

If we deny your request in whole or in part, we will provide a written response explaining our reasons, the legal basis for our decision, and information about your right to appeal or to lodge a complaint with the relevant supervisory authority.

17. Supervisory Authority

If you are located in a jurisdiction with a data protection supervisory authority, you have the right to lodge a complaint with that authority if you believe that Outline Partners has not complied with applicable data protection law or your privacy rights. We always encourage you to contact us first at [email protected] — in our experience, most concerns can be resolved directly, and we are committed to addressing issues quickly and fairly. However, your right to contact a supervisory authority at any time is unconditional and cannot be waived.

European Union

EU residents can lodge a complaint with the data protection authority (DPA) in the EU member state where they reside or work, or in the member state where the alleged breach occurred. Examples of national DPAs include:

• France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
• Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de (or the relevant state-level Datenschutzbehörde)
• Ireland: Data Protection Commission (DPC) — dataprotection.ie
• Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
• Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
• Italy: Garante per la protezione dei dati personali — gpdp.it

A complete list of EU data protection authorities is available on the European Data Protection Board (EDPB) website at edpb.europa.eu.

United Kingdom

UK residents can lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk — Telephone: 0303 123 1113. The ICO is the UK's independent regulator for data protection and information rights.

Australia

Australian residents can lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au. The OAIC handles complaints about interferences with privacy under the Privacy Act 1988 (Cth).

United Arab Emirates

The UAE enacted Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), with implementing regulations progressively coming into force. Supervisory mechanisms under UAE law are still being established. UAE-based individuals who have concerns about our data practices are warmly encouraged to contact us directly at [email protected], and we will endeavour to address any concern comprehensively.

United States

While the US does not have a single federal data protection authority equivalent to the ICO or EDPB, California residents may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov for complaints relating to CCPA/CPRA rights. Residents of other states may contact the relevant state attorney general's office if they believe a business has violated applicable state privacy law.