Privacy Policy
Last updated: July 15, 2026
Plain-language policy — under formal legal review. This policy is written in plain language and reflects exactly how we operate today. It is undergoing formal legal review; if anything here concerns you, write to support@cmtechsoftware.io and we'll respond directly.
Summary
We're a small, veteran-owned software company in Reno-Sparks, Nevada. We collect what we need to run a working website, respond to product inquiries, operate our subscription products, and understand how our site is being used. Everything we collect lives on a server we own and operate. We don't sell anyone's data, share it with advertisers, or hand it off to third-party analytics vendors. Anyone can ask for their data to be deleted at any time.
Your payment and financial details are never stored by us. We do not keep credit or debit card numbers, bank-account details, or billing/postal addresses in our database (PostgreSQL) or anywhere on this website. All of that is collected and maintained by our payment processor, Stripe, Inc., the third party we use to accept electronic payments. And your account password is never stored in readable form — we keep only a salted, one-way hash that cannot be reversed, so no one (including us) can see your actual password.
1. Who we are
CM Tech Software LLC is a Nevada limited liability company (a veteran-owned software company) operated by Chris Martinez, based in Reno-Sparks, Nevada (United States). We're the data controller for everything described below. Contact: support@cmtechsoftware.io · (775) 229-2579.
2. What we collect
2.1 When you visit any public page on cmtechsoftware.io
Always, to run and protect the site: our web server writes standard access logs for every request — your IP address, the URL you requested, your browser's User-Agent string, the page you came from, and the timestamp — kept about 30 days. These are essential to operate the site, debug problems, and detect abuse, so they're recorded regardless of your cookie choice (we rely on legitimate interest for them, not consent).
Only if you accept analytics in our cookie banner, we additionally capture behavioral analytics to understand how the site is used. If you decline, none of the behavioral tracking below runs and the cm_vid cookie is not set — only the essential cookies that keep the site working (your session and CSRF token) are used. You can change your choice any time via Cookie settings in the footer. When you've consented, we collect:
- First-party visitor cookie (
cm_vid, 2-year expiry): a random UUID that lets us recognize that the same browser returned, without tying it to your real identity. The cookie is set by our server and read back by our own JavaScript. It is not shared with any third party. - Per-page-load session ID (in your browser's memory, not stored on your machine): a random UUID that groups the events on a single page load together.
- Click positions and element identifiers: when you click somewhere on a page we record the click's x/y coordinates, the CSS selector + visible text of what you clicked, your viewport size, the device class (mobile / tablet / desktop), the URL, and the visitor + session identifiers.
- Mouse-movement samples: throttled to roughly five samples per second and only when the pointer has actually moved more than 20 pixels, we record the position and a millisecond offset from page load. This is used to render mouse-trail heatmaps so we can see where attention concentrates.
- Scroll depth: the deepest percentage of the page you scrolled to during a visit.
- Page-visit duration: how many seconds you spent on each page before leaving.
- Self-hosted analytics events (via Umami, running on our own server): the URL of each page view, anonymized referrer, country (derived from IP without storing the IP), device/browser/OS class, and a small set of custom events we track (form submissions, button clicks, phone-link clicks, file downloads, outbound-link clicks, time-on-page buckets, scroll-depth thresholds).
2.2 When you submit a form
We collect whatever you put in the form. Depending on which form:
- Product demo / interest request: name, company, email, product interest, and your message. We use this to respond to you and track the conversation in our internal CRM.
- Customer account sign-up: name, email, phone (optional), company (optional), and a password (stored salted and hashed, never in plain text).
- Newsletter: email and optionally name. Double opt-in — you'll get a confirmation email and we don't add you to the list until you click it. Once confirmed, you receive our general newsletter: an educational content series sent on a schedule. Every email has a one-click unsubscribe link, and section 2.6 explains how we measure engagement.
- Resource downloads (e.g. the IT Operations Audit Checklist): name (optional), email, company (optional). We email you the file and add an entry to our CRM.
2.3 When you're a paying customer
If you subscribe to one of our products we also collect what's needed to run your subscription and the payment:
- Billing information: handled entirely by Stripe. We never see, store, or have access to your card or debit number, bank-account details, or billing/postal address — none of it is written to our database or kept on this website. Stripe collects and maintains all of it and gives us back only a Charge identifier, the last four digits, the card brand, and the amount. See Stripe's privacy notice for what they collect.
- Subscription and usage records: your plan, invoices, the data you enter into the product, support messages, and status changes — kept while your subscription is active and for our internal records afterwards.
- Email log: a copy of every transactional email we send to you (subject, body, slug, timestamp, success/failure) so we can prove what was sent in case of dispute.
- Product emails: while you're subscribed to (or trialing) a product, we send onboarding and educational emails about that product. Which product emails you receive depends on which products you're actively subscribed to; they stop automatically when a subscription ends, and every email has a one-click unsubscribe link. Engagement is measured as described in section 2.6.
2.4 What we don't collect or store
- Payment card / debit numbers, bank-account details, and billing/postal addresses — never stored in our database (PostgreSQL) or anywhere on this website. Our payment processor, Stripe, collects and maintains all of it; we only ever see a charge reference and the last four digits.
- Your password in readable form — we store only a salted, one-way hash that cannot be reversed, so no one (including us) can recover your actual password.
- We don't use third-party tracking pixels (no Facebook Pixel, no Google Analytics, no LinkedIn Insight, no advertising cookies). Our own newsletter and product emails do include first-party, self-hosted open- and click-tracking so we can measure engagement — this is described in section 2.6, stays on our own servers, and is never shared.
- We don't use third-party fonts that report back (we self-host fonts).
- We don't sell, rent, or share personal data with advertising networks, data brokers, or any external mailing-list service.
- We don't load videos or chat widgets from third-party providers.
- We don't collect biometric data, health data, precise geolocation, or anything from minors under 13.
2.5 When you use the AI assistant (Soft-Con Tracker, Growth and higher plans)
Customers on Soft-Con Tracker's Growth and higher plans can use an in-app AI assistant (insights, suggestions, and questions about the contracts, licenses, and vendors you track). When you use it we capture and store:
- Your questions and the AI's answers, the insights you generate, and usage metrics (which feature, token counts, and cost) — saved to your account.
- The records used to answer are your existing data in Soft-Con Tracker (your tracked contracts, licenses, vendors, and related notes). We don't gather anything new for this — we assemble what's already on your account.
Who can see it: you can see your own insights and question history in the app, and CM Tech Software staff and administrators can view them to support you and maintain quality and safety. We do not send our internal staff-only notes to the AI, and we never send payment-card, bank-account, or password data to it.
How it's processed: the assistant runs on Anthropic's Claude API (see "Who we share it with"). Output is AI-generated and may be imperfect — treat any product, cost, or lead-time figures as estimates to verify, not guarantees.
2.6 Email engagement (our newsletters and product emails)
Our marketing emails — the general newsletter and the product onboarding/education series — include lightweight, first-party engagement tracking so we can tell whether our emails are useful and improve them:
- Opens: a small, invisible image (a "tracking pixel") served from our own server. When your email app loads images, it tells us that message was opened, and when.
- Clicks: links in these emails route through our own server before forwarding you to the destination, so we can count which links were clicked.
This tracking is first-party and self-hosted — it runs on our servers, is tied only to your subscription record, and is never sent to or shared with any third party or ad network. It applies to marketing emails, not to transactional emails (receipts, password resets, and the like). You can avoid it by keeping images turned off in your email app, and you can stop the emails entirely with the one-click unsubscribe link in every message. Engagement records follow our behavioral-data retention window (see section 4).
3. Why we collect it (lawful basis)
- To run the website (server logs, session cookies, CSRF tokens): legitimate interest in keeping the site working and secure.
- To respond to your inquiries and operate our products (form data, account data, subscription records): performance of a contract (or steps before one).
- To understand how the site is used (visitor cookie, click + scroll + mouse-trail tracking, self-hosted analytics): your consent, given through our cookie banner and withdrawable at any time via "Cookie settings" in the footer. None of this runs until you accept, and your data is never transmitted to anyone else.
- To send transactional email (signup confirmation, password reset, payment receipt): performance of a contract.
- To send the general newsletter: your consent (which you give by confirming the double opt-in). You can unsubscribe at any time using the link in every email.
- To send product onboarding and education emails to customers about a product they're subscribed to: our legitimate interest in helping you get value from what you're paying for. You receive only the emails for products you're actively subscribed to, and you can unsubscribe at any time.
- To measure email engagement (opens and clicks on our marketing emails, section 2.6): our legitimate interest in improving those emails. It's first-party, self-hosted, never shared, and you can opt out by unsubscribing.
- To meet legal obligations (tax records, audit logs): legal obligation under U.S. law.
4. How long we keep it
- Server logs: ~30 days.
- Behavioral data (clicks, mouse-movement, scroll): 12 months, then automatically purged.
- Newsletter list: until you unsubscribe.
- Customer account + subscription records: as long as the account is active, plus 7 years for tax/audit reasons after closure (you can request earlier deletion of records that aren't tied to a financial transaction).
- Support messages and our transactional email log: kept while your account is active so we can help you and resolve any dispute over what was sent (entries tied to a payment are kept up to 7 years for tax reasons); otherwise deletable on request.
- Stripe payment records: per Stripe's own retention; we keep the Charge identifier plus our own subscription and billing notes for at least 7 years for tax purposes.
- The
cm_vidcookie: 2 years from your last visit (rolling). - Self-hosted analytics events (page visits): 24 months, then automatically purged.
- AI assistant records (your questions, the AI's answers, and generated summaries): kept with your account while it is active; deletable on request, like other account records.
5. Who we share it with
The short version: as few third parties as we can possibly use. The longer version:
- Stripe, Inc. — payment processor. They see your card number and billing address; we don't.
- Hostinger — our VPS hosting provider. The server runs on their infrastructure.
- Anthropic PBC — provides the Claude AI model behind our AI assistant (Soft-Con Tracker, Growth and higher plans only). When you use that feature, your question and the relevant account records are sent to Anthropic's API to generate a response, under Anthropic's commercial terms. Anthropic does not use business/API inputs to train its models. We never send card, bank, or password data.
- A successor business — if CM Tech Software is ever acquired, merged, or sold, customer and subscriber data may transfer to the successor as part of that transaction. The successor will be bound by this privacy policy (or one at least as protective), and if you're a customer or subscriber we'll notify you before the transfer takes effect.
- The U.S. government and any other lawful authority — only if compelled by a valid legal request (subpoena, warrant, court order). We will resist overbroad requests and notify you unless legally prohibited.
That's it. No advertising networks, no analytics aggregators, no CRM SaaS vendors, no email-marketing platforms, no chat tools, no surveillance vendors. If we ever add a vendor that processes personal data, this list will be updated and (if you're a customer or subscriber) you'll be notified before the change takes effect.
6. Your rights
Regardless of where you live, you can ask us to do any of the following by emailing support@cmtechsoftware.io:
- Access the personal data we hold about you, in a portable format.
- Correct anything that's inaccurate.
- Delete what we hold (subject to records we're legally required to keep, like tax records of past payments).
- Stop processing for a specific purpose (e.g. opt out of behavioral tracking but keep your customer account).
- Opt out of the newsletter using the one-click link in every email.
- Take your data elsewhere (data portability).
We aim to acknowledge within 5 business days and complete within 30 days. If we say no to any request, we'll explain why.
6.1 If you're a California resident (CCPA / CPRA)
You have the rights listed above, plus the right to opt out of any sale or share of your personal data (we don't do either — but the right is reserved). You can also designate an authorized agent to act on your behalf. We don't discriminate against anyone who exercises these rights.
6.2 If you're in the EU/UK/EEA (GDPR)
You have the rights listed above, plus the right to lodge a complaint with your local data-protection authority. We're a U.S. business and don't actively target the EU, but if you reach out and we engage with you, we'll honor GDPR-equivalent rights.
7. Security
HTTPS site-wide (TLS 1.2+). Passwords stored salted + hashed. Stripe handles all card data. Customer accounts can enable two-factor authentication, and it's mandatory for staff. For your protection, signed-in sessions are automatically signed out after one hour of inactivity (with an on-screen warning shortly before). Our server uses standard hardening: rate-limiting, CSRF protection, honeypot fields on public forms, signed-cookie sessions, content-type and frame-ancestor headers, and per-user permission separation. No system is unbreakable. If we have a breach that affects you, we'll notify you without undue delay and within the timeframes required by applicable law, by email if we have one on file.
8. Children
This site is not directed at children under 13, and we don't knowingly collect data from them. If you believe a child has submitted information to us, contact us and we'll delete it.
9. International transfers
Our server and Stripe are in the United States. If you submit personal data from outside the U.S., you're consenting to that data being transferred to and processed in the U.S.
10. Changes to this policy
If we change anything material (what we collect, how we use it, who we share it with, retention periods), we will update the "Last updated" date above and notify newsletter subscribers and active customer accounts. Continued use of the site after the change indicates acceptance.
11. Contact
For any privacy question, request, or complaint:
support@cmtechsoftware.io · (775) 229-2579 · CM Tech Software LLC, Reno-Sparks, Nevada, USA.