Privacy Policy

1. Introduction

Go Topo LLC ("Go Topo," "we," "our," or "us") protects your personal information. This policy explains what we collect, how we use it, who we share it with, and the choices you have. It covers visitors to our marketing site and organizations that engage us to design, build, or operate fulfillment systems on top of their existing stack (the "Services").

Go Topo builds tailored fulfillment systems on top of platforms our clients already use: Shopify, ShipStation, NetSuite, other OMS/WMS/IMS tools, and third-party logistics providers (3PLs). We are not a SaaS platform. Every engagement is a custom integration layered on a client's stack. When we process personal data on a client's behalf, we act as a processor under that client's instructions. See Customer data processing.

We comply with applicable data privacy laws, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and the EU/UK General Data Protection Regulation (GDPR) where it applies to interactions with us.

2. Information we collect

A. Information you provide

We collect information you give us when you:

• Submit a contact, demo, or discovery-call request through our website
• Schedule a meeting (e.g., via our Zoom Scheduler link)
• Subscribe to updates or newsletters
• Engage us to scope, build, or operate a fulfillment workflow
• Submit a support request or email us

This typically includes:

• Name, job title, and company
• Work email and (optional) phone number
• Details about your fulfillment operations, stack, and goals that you choose to share
• Billing and contract information for paid engagements

B. Information collected automatically

When you visit our website, we collect limited technical data:

• Device and browser information (type, OS, screen size)
• Log data (IP address, referrer URL, timestamps)
• Usage behavior (pages viewed, clicks, session duration)
• Approximate geographic location derived from IP address

We use these tools to collect or process this data: Google Tag Manager and Google Analytics 4 for traffic analytics, the Zoom Scheduler embed for booking calls, and our application logs (stored in Axiom) for diagnostics. See Cookies and tracking for details.

3. How we use your information

We use personal data to:

• Respond to inquiries and schedule discovery calls
• Scope, deliver, and support fulfillment-systems engagements
• Operate, secure, and improve our website and services
• Send service-related notices (e.g., changes to engagements, billing, security)
• Send marketing communications when you opt in. Opt out at any time.
• Detect and prevent fraud, abuse, and unauthorized access
• Measure the effectiveness of our marketing and reach similar audiences through advertising platforms (Google Ads, LinkedIn Ads). See section 11.
• Comply with legal obligations and enforce agreements

4. Customer data processing

Go Topo plays two distinct roles, depending on the data.

A. When we are a controller

For information about visitors to our marketing site, prospects, leads, and people who contact us directly, Go Topo is the data controller. We decide why and how that information is used, and this policy governs that use.

B. When we are a processor

When a client engages us to build or operate a fulfillment workflow, we may process personal data flowing through their connected systems (Shopify, ShipStation, NetSuite, other OMS/WMS/IMS tools, and 3PL platforms). For that data, our client is the controller and Go Topo is a processor. We process it only under the client's instructions and only for the engagement.

Categories of client-controlled data we may handle on a client's behalf:

• Order details (order ID, line items, quantities, fulfillment status)
• Recipient name, shipping and billing addresses
• Recipient contact information (email, phone) for shipping notifications and exception handling
• Inventory, lot, and warehouse metadata
• Operational metadata (work assignments, batching decisions, exception flags)

We do not store payment card numbers. Payment processing stays in the client's existing PCI-compliant systems (e.g., Shopify, Stripe). Engagement-specific terms, including the scope of processing and security commitments, are set out in a Data Processing Agreement (DPA) available on request.

5. Legal bases for processing (GDPR)

Where the GDPR applies to our processing of your personal data as a controller, we rely on one or more of the following legal bases:

• Consent, e.g., to send marketing emails
• Contract, to perform engagements you (or your organization) have entered into with us
• Legitimate interests, to operate, secure, and improve our website and services
• Legal obligation, to meet tax, accounting, and other legal requirements

When we process data as a processor on behalf of a client, the client's lawful basis governs that processing.

6. Sharing and disclosure of personal information

We do not sell your personal information for monetary consideration. We do "share" limited personal information for cross-context behavioral advertising as that term is defined under the CCPA/CPRA, specifically with Google Ads and LinkedIn for measuring and optimizing our marketing. See section 8A for how to opt out. We disclose personal information in the cases below.

A. Service providers (sub-processors)

We use vetted vendors to operate our business. Each is contractually bound to use personal data only for the services they provide to us:

• Heroku (Salesforce): application hosting
• Google Cloud Platform: analytics warehouse (BigQuery) and object storage (GCS)
• Google (Google Workspace, Google Analytics 4, Google Tag Manager): email, productivity, and website analytics
• Google Ads: ad measurement and audience features for our marketing campaigns
• LinkedIn (Marketing Solutions, Insight Tag, Conversions API): ad measurement and audience features for our marketing campaigns
• Axiom: application log management
• Zoom: scheduling and video meetings

Client engagements may involve additional sub-processors specific to the client's stack (e.g., the client's own Shopify, ShipStation, NetSuite, or 3PL accounts). The engagement's DPA governs those.

B. Legal and compliance

We disclose information when we believe in good faith it is necessary to:

• Comply with a legal obligation, court order, or lawful government request
• Enforce our agreements or protect our rights, privacy, safety, or property
• Detect, prevent, or address fraud, abuse, or security incidents

C. Business transfers

If Go Topo is involved in a merger, acquisition, financing, or sale of assets, your information may transfer as part of that transaction. We will provide notice consistent with applicable law.

7. Data retention

We retain personal information only as long as needed to fulfill the purposes described in this policy:

• The duration of an active engagement and a reasonable period after it ends
• To meet legal, accounting, or regulatory obligations
• To maintain security, audit, and operational logs

Retention periods vary by data type. For client-controlled data we process on a client's behalf, the client's instructions and the engagement's DPA govern retention.

8. Your rights and choices

A. California residents (CCPA/CPRA)

California residents have the right to:

• Know what categories of personal information we collect, the sources, the purposes, and the categories disclosed to service providers
• Access the specific pieces of personal information we hold about you
• Correct inaccurate personal information
• Delete personal information, subject to legal exceptions
• Opt out of sale or sharing of personal information for cross-context behavioral advertising. Go Topo shares limited personal information (IP address, hashed email when provided, click identifiers, and event data) with Google Ads and LinkedIn for advertising measurement and audience purposes. Three ways to opt out:
  • Click Your Privacy Choices in the footer of any page
  • Send a Global Privacy Control (GPC) signal from a supported browser (Brave, DuckDuckGo, Firefox with the setting enabled). We honor it automatically and suppress advertising tags for the rest of your session.
  • Email [email protected] with the subject "Do Not Sell or Share My Personal Information."
• Limit the use of sensitive personal information. Go Topo does not use sensitive personal information for purposes that would require this option.
• Non-discrimination: we will not discriminate against you for exercising any of these rights.

Categories of personal information we collect (per Cal. Civ. Code § 1798.140): identifiers (name, email, IP address, click identifiers), professional or employment information (job title, employer), commercial information (engagement and billing records), and internet/network activity (page views, referrer). Sources: you directly and your interactions with our website. Business purposes: operating the Services, communicating with you, billing, security, and advertising measurement. We share identifiers and internet/network activity with Google Ads and LinkedIn for advertising measurement and audience purposes; see section 11. Retention follows the periods described in Data retention.

B. EU/UK residents (GDPR)

If the GDPR applies to you, you also have the right to object to or restrict processing, withdraw consent, request data portability, and lodge a complaint with your local supervisory authority.

Go Topo is based in the United States and does not target EU/UK residents. We have not appointed an EU/UK representative. If you are based in the EU or UK and contact us, we handle your information consistent with this policy and applicable law.

C. How to exercise your rights

Email [email protected] and tell us which right you want to exercise. We respond within the timeframes required by applicable law and may need to verify your identity first. You may also use an authorized agent where the law permits.

For client-controlled data we process on a client's behalf, contact the client directly. We will support them in fulfilling your request.

9. Marketing preferences

To opt out of marketing communications:

• Click the unsubscribe link in any marketing email, or
• Email [email protected]

Opting out of marketing does not stop transactional or service-related messages (e.g., engagement updates, billing, security notices).

10. Data security

We use reasonable administrative, technical, and physical safeguards:

• Encryption in transit (TLS) and at rest for data stored on our hosting and analytics platforms
• Role-based access controls and multi-factor authentication on internal systems
• Secure software development practices and code review
• Centralized application logging and monitoring (Axiom)
• Hosting on managed platforms (Heroku, Google Cloud) that operate under industry-standard security and compliance programs

No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Cookies and tracking

We use cookies and similar technologies for three purposes:

• Strictly necessary: session and security cookies set by our application (LiveView session, CSRF protection). The site does not function correctly without these.
• Analytics: Google Analytics 4, loaded via Google Tag Manager and our server-side GTM endpoint, to understand traffic and improve the site. See Google's Privacy Policy and how Google uses data from sites that use its services.
• Advertising: tags and pixels we use to measure and optimize our Google Ads and LinkedIn Ads campaigns. Specifically:
  • Google Ads conversion tracking via our server-side GTM endpoint, including the FPID first-party cookie set by Google and the Conversion Linker that preserves the gclid click identifier.
  • LinkedIn Insight Tag: a browser pixel loaded from snap.licdn.com that sets the li_fat_id third-party cookie. We also store a first-party copy on our domain so the identifier survives third-party cookie restrictions.
  • LinkedIn Conversions API: server-to-server lead events from our sGTM endpoint to LinkedIn for conversion attribution.

How to opt out of advertising tags:

• Click Your Privacy Choices in the footer of any page
• Send a Global Privacy Control (GPC) signal from a supported browser. We detect it and suppress the advertising tags above for the rest of your session.
• Manage Google ad settings: adssettings.google.com
• Manage LinkedIn ad settings: LinkedIn ad preferences
• Install Google's Analytics Opt-Out Browser Add-on
• Block or delete cookies through your browser settings

Our audience is US-based, so we do not display a cookie consent banner. If you visit from a jurisdiction that requires consent before non-essential cookies fire, use the controls above.

12. International transfers

Go Topo is based in the United States, and our primary infrastructure providers operate in the United States. If you access the Services from outside the U.S., your information will transfer to and be processed in the U.S. or other countries where we or our service providers operate. Where required, we use appropriate safeguards such as Standard Contractual Clauses for cross-border transfers.

13. Children's privacy

Our Services are intended for businesses and their authorized employees, not for consumers, and are not directed to children. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.

14. Third-party links

Our website and engagements may include links to third-party websites or services we don't control. We are not responsible for their privacy practices. Review their policies before using them.

15. Changes to this Privacy Policy

We update this policy as needed and revise the "Last updated" date at the top. For material changes, we provide additional notice (e.g., via the website or email).

16. Contact us

Questions or requests about this policy or our data practices?