Last Updated: June 2026  |  Effective for all users and clients of Full Funnel, LLC

Introduction

At Full Funnel, LLC ("FullFunnel," "we," "us," or "our"), privacy and data security are central to how we deliver our managed Go-To-Market (GTM) support and applied AI services. This Privacy Policy is designed to be transparent about the personal data we collect, how it is used and shared, and the rights available to individuals under applicable regulations — including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable U.S. state and federal privacy frameworks.

This policy applies to FullFunnel's website (fullfunnel.co), our marketing activities, and our client engagement practices. It should be read alongside any applicable Data Processing Agreement (DPA) or service agreement you have entered into with us.

1. Scope: FullFunnel as a Data Controller vs. Data Processor

It is important to understand FullFunnel's two distinct operational roles with respect to data:

FullFunnel as a Data Controller

We act as a Data Controller for personal information collected directly through our website, marketing campaigns, content downloads, event registrations, and direct sales outreach. In this role, we determine the purposes and means of processing that data.

FullFunnel as a Data Processor ("In-Environment Only")

When providing GTM engineering, RevOps, sales operations, and applied AI services to our corporate clients, we act strictly as a Data Processor. Our team interacts with our clients' prospect, lead, and customer data exclusively within the client's own controlled applications and systems (e.g., HubSpot, Salesforce, Clay, Apollo). We do not extract, copy, download, or persistently store client data on FullFunnel-owned infrastructure.

Data handling in this processor capacity is governed by a mutually executed Data Processing Agreement (DPA) with each client. To request a DPA or related documentation, please contact: compliance@fullfunnel.co.

2. Information We Collect (As a Data Controller)

Information You Provide to Us

Contact & Account Data: When you fill out forms on our site, request an audit or consultation, or contact our team, we collect your name, corporate email address, phone number, LinkedIn profile URL, job title, and company information.

Billing & Support Data: For active clients, we or our third-party payment processors collect invoicing addresses and payment metrics. We do not store raw credit card or banking information on our servers. We retain correspondence history when you contact our support team.

Information Collected Automatically

Site Metadata: When you browse our site, we automatically collect system metadata including IP addresses, browser types, referral URLs, links clicked, and features accessed. We use this to improve site performance and understand user behavior.

Cookies and Tracking Technologies: We and our third-party advertising and analytics partners (including Google Analytics and Google Tag Manager) use cookies, web beacons, pixel tags, and persistent identifiers to evaluate site efficiency, support secure authentication, and manage targeted marketing campaigns. You can manage cookie preferences through your browser settings or through the cookie consent mechanism on our site.

3. How We Use Your Information

We process personal data for the following purposes:

• To fulfill contractual obligations, manage billing, and administer client accounts.
• To respond to sales inquiries, deliver requested resources (such as guides and case studies), and provide customer support.
• To optimize website performance, run analytics, and refine our service offerings.
• To send marketing communications, industry insights, and promotional updates (which you may opt out of at any time).
• To operate and improve our AI-assisted services and automation workflows, subject to the AI governance commitments in Section 5.
• To secure our technical infrastructure and comply with legal or regulatory obligations.
• To facilitate business operations including potential mergers, acquisitions, or financing activities.

4. Legal Basis for Processing (EEA and UK Residents)

If you reside within the European Economic Area (EEA) or the United Kingdom, we process your personal data only where we have a valid legal basis under the GDPR:

• Performance of a Contract: Where processing is required to execute or fulfill our services or contractual obligations.
• Legitimate Interests: For standard business operations such as direct B2B marketing, improving our website, and securing our systems, provided these interests do not override your fundamental privacy rights.
• Consent: Where you have granted explicit permission (e.g., opting into certain tracking cookies or marketing communications).
• Legal Obligation: Where necessary to comply with applicable laws or regulatory requirements.

5. AI Governance and Zero-Retention Commitments

FullFunnel incorporates AI and large language model (LLM) capabilities into our GTM engineering and applied AI services. We enforce strict guardrails regarding how AI tools interact with data:

No Model Training

Client data, sales inputs, operational prompts, and any other information passing through AI tools we configure or deploy will never be used by FullFunnel or upstream AI providers to train, fine-tune, or develop public AI models. Where we use API-based AI services (such as the Anthropic Claude API or OpenAI API), we rely on those providers' contractual zero-retention and no-training commitments at the enterprise API tier to backstop this guarantee.

In-Transit Processing Only

For AI enablement services provisioned within client environments, data is processed ephemerally (in-transit) and is not persistently retained on external servers outside the client's own designated cloud infrastructure.

Named AI Subprocessors

The AI and automation subprocessors we may use are listed in Section 9 (Subprocessor List). Clients may request copies of relevant provider DPAs or zero-retention documentation at any time by contacting compliance@fullfunnel.co.

6. How We Share and Disclose Information

We do not sell your personal data. We do not share personal data for cross-context behavioral advertising outside of standard digital advertising platform operations (see cookie disclosures above). We only disclose personal data under the following parameters:

Third-Party Subprocessors & Service Providers

We share data with verified vendors who support our business infrastructure. These vendors are bound by data protection agreements consistent with applicable law. A full list of current subprocessors appears in Section 9.

Legal Compliance

We may disclose data if required by applicable law, court order, governmental authorities, or to protect against fraud, security threats, or harm to FullFunnel, our clients, or our team.

Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, financing, or similar transaction (including due diligence), data may be shared with the successor or acquiring entity subject to standard confidentiality agreements and, where required, this Privacy Policy.

Client Content and Collaborative Sharing

FullFunnel works in a highly collaborative manner with clients. Client teams retain control over who within their organization has access to data managed through our engagement. Contact your FullFunnel account director to adjust access or data-sharing permissions.

7. International Data Transfers

FullFunnel is headquartered in the United States. Data collected via our website or marketing channels may be transferred to and maintained on systems located outside your state, province, or country. For data transfers originating in the EU or UK to countries without an adequacy decision:

• We utilize the EU Standard Contractual Clauses (SCCs) as the primary safeguard for international transfers.
• For UK-originating transfers, we utilize the UK International Data Transfer Addendum (IDTA) where applicable.
• We assess the legal framework and supplementary measures of destination countries on a transfer-by-transfer basis as required under GDPR Chapter V.

8. Your Privacy Rights and Choices

EEA and UK Data Subject Rights

If you are located in the EU or UK, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure (Right to be Forgotten): Request deletion of your personal data, subject to legal retention requirements.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Receive your data in a structured, commonly used, machine-readable format.
• Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw Consent: Withdraw consent at any time where processing is consent-based.
• Lodge a Complaint: Contact your local Data Protection Authority (DPA) if you believe your rights have been violated.

U.S. State Privacy Rights (CCPA/CPRA, Texas, Virginia, Colorado, and Others)

If you are a resident of California or another U.S. state with a comprehensive privacy law, you have the right to:

• Know/Access: Confirm whether we are processing your data and access the specific pieces of personal data collected about you.
• Delete: Request deletion of your personal data, subject to legal exceptions.
• Correct: Request correction of inaccurate personal data.
• Opt-Out of Sale or Sharing: Opt out of the "sale" of personal data or "sharing" for cross-context behavioral advertising. FullFunnel does not monetize personal data through traditional sales. However, certain third-party advertising cookies may constitute "sharing" under applicable state law; you can adjust cookie settings via your browser or our cookie consent tool.
• Non-Discrimination: Exercise your privacy rights without receiving discriminatory service or pricing.
• Limit Sensitive Data Use: Where applicable under your state's law, request limits on the use of sensitive personal information.

How to Exercise Your Rights

We will respond to verifiable requests within 30 days (or 45 days with notice for complex requests). We may need to verify your identity before fulfilling certain requests.

Children's Data

FullFunnel does not knowingly collect personal information from individuals under 16 years of age. Our website and services are directed at business professionals. If we become aware that personal information from someone under 16 has been submitted without authorization, we will promptly delete it. Please contact compliance@fullfunnel.co if you believe such data has been provided.

Opt-Out of Marketing Communications

You may unsubscribe from FullFunnel marketing emails at any time using the unsubscribe link in any communication, or by contacting us directly. You will continue to receive transactional and account-related messages as long as you are an active client.

9. Subprocessor and Third-Party Vendor List

The following vendors may process personal data on behalf of FullFunnel in connection with our services. This list is updated periodically; material changes will be reflected in the policy effective date.

Clients requiring a complete list of subprocessors used in their specific engagement, or copies of applicable vendor DPAs, should contact compliance@fullfunnel.co.

10. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, or as required by law. Our general retention guidelines by data category are:

• Prospect and lead contact data: Up to 2 years from last interaction, or until an opt-out or deletion request is received.
• Active client data: For the duration of the engagement and up to 2 years post-termination.
• Billing and financial records: 7 years from the transaction date, consistent with IRS and legal requirements.
• Support correspondence: 3 years from the date of the interaction.
• Website analytics and usage metadata: Up to 26 months, consistent with Google Analytics default retention settings.
• Legal compliance records: Retained for the period required by the applicable law or regulation.

Upon account closure or receipt of a verified deletion request, we will delete or anonymize personal data within 30 days, except where legal retention obligations apply.

11. Security of Information

We maintain administrative, technical, and organizational security measures to protect personal data against unauthorized access, destruction, loss, disclosure, or alteration. Our protocols include:

• Multi-factor authentication (MFA) required for all personnel devices and key systems.
• Endpoint encryption on all team devices.
• Role-based access controls limiting data access to those with a legitimate business need.
• Regular security reviews and vendor assessments.
• Incident response procedures with defined notification timelines.

No internet transmission or electronic storage method can guarantee absolute security. In the event of a personal data breach that presents a risk to your rights and freedoms, we will notify affected individuals and applicable regulators in accordance with our legal obligations.

12. Cookies and Tracking Technologies

Our website uses the following categories of cookies and similar technologies:

• Strictly Necessary: Required for the website to function (authentication, security, load balancing). These cannot be disabled.
• Analytics/Performance: Measure how visitors use our site (e.g., Google Analytics, Google Tag Manager). These help us improve the user experience.
• Advertising/Targeting: Used to deliver relevant advertising and track campaign performance (e.g., LinkedIn Insight Tag, Google Ads conversion tracking, Meta Pixel).
• Functional: Enable enhanced features such as live chat and scheduling tools.

You can manage or withdraw cookie consent at any time through your browser settings. For EU/UK visitors, we obtain consent for non-essential cookies prior to setting them, consistent with the ePrivacy Directive and GDPR requirements.

13. Policy Updates

We may update this Privacy Policy periodically to reflect changes in our services, operational practices, or applicable law. The "Last Updated" date at the top of this policy indicates when the most recent revisions were made. We encourage you to review this policy periodically.

For material changes that may significantly affect your rights or how we use your data, we will provide advance notice via email or a prominent notice on our website, where required by law.

14. Contacting FullFunnel

For privacy-related inquiries, to exercise data rights, to request a DPA, or for any other questions regarding this policy:

EU/UK Representative: If you are located in the EEA or UK and wish to exercise data rights or lodge a complaint, you may contact us at the address above. We will designate an EU/UK representative as required when our processing activities in those jurisdictions trigger that obligation under GDPR Article 27.