Privacy Policy

Last updated: September 30, 2025

Overview

This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with your use of our products, services, APIs, applications, and websites that link to this policy (collectively, the "Services").

Waterfall ("Waterfall," "we," "us," or "our") is committed to handling personal information responsibly. We value the information you share with us and treat it with respect.

Who We Are

Waterfall provides B2B marketing intelligence that helps go-to-market teams access comprehensive datasets across company, contact, and IP address intelligence. Using our data, customers can enrich systems and build products.

Our Services help customers and partners identify potential business customers, find relevant contacts by department, role, or seniority, and personalize interactions with those companies.

Scope of This Policy

This Privacy Policy applies to information that Waterfall collects or maintains through:

- Websites that link to this policy (the "Site")

- Software and integrations (including APIs and third-party integrations)

- Other Services that reference this policy

This Privacy Policy does not apply to other companies' websites, products, or services that have their own privacy policies, or to our customers' privacy practices. In certain cases we act as a processor or service provider on behalf of our customers; in those cases, the customer's agreement with Waterfall governs processing of personal information, not this Policy. If you have concerns about a customer's privacy practices, please review their privacy policy.

This Policy may include additional notices for residents of certain jurisdictions (for example, the European Economic Area, United Kingdom, Brazil, or California). Please see "Additional Notices for Specific Jurisdictions" below for details, including how to exercise your rights where applicable.

The Information We Collect

We collect information in the following ways:

1) Information you provide directly to us

2) Information collected through our Services

3) Information collected via cookies and similar technologies

4) Information obtained from third parties

1) Information You Provide Directly to Us

When you browse the Site, contact us or use our free tools, we may collect information you voluntarily provide (e.g., via web forms or emails). This may include:

- Identifiers: name, business address, email address, and similar identifiers

- Transaction information: Services purchased or considered and related commercial details

- Professional or employment-related information: job title and/or role

- Financial information: payment card or banking details, billing name, and address (if you purchase Services)

- Support interactions: messages submitted to support, summaries or recordings of customer service interactions

- Other information you provide: feedback, comments, or other content

Where permitted by law, we may record calls, training sessions, webinars, or similar events you participate in with us.

2) Information We Obtain When Customers Use Our Services

We may receive information when customers use our analytics and data-driven solutions in B2B marketing and sales. This may include website activity data, sales data, and business contact or lead information related to interactions with our customers.

3) Information From Cookies, Web Server Logs, and Similar Technologies

We (and our service providers) may automatically collect information via cookies and similar technologies such as web server logs, pixels, and end-user website activity tags (collectively, "Tracking Technologies"). Information collected may include internet or electronic network activity, such as IP addresses, identifiers derived from email addresses for cross-device purposes, visit timestamps, pages viewed, referral links, and time spent on pages.

We may use third-party analytics services (for example, Google Analytics) to help analyze how users use the Site and to improve the Services. To learn how Google uses data, visit `https://www.google.com/policies/privacy/partners/`. You can opt out of Google Analytics by visiting `http://tools.google.com/dlpage/gaoptout`.

4) Information From Third Parties

Publicly Available Information

We and our service providers may collect publicly available information about businesses and their personnel. This may include identifiers (e.g., name, title, company), business contact information, employment history, social media data, and similar information.

Third Parties

We obtain information from third parties, including data vendors, customers, partners, and integrators. For example, some customers authorize us to collect information to develop professional profiles ("Business Profile Information") for our commercial database. Partners may gather information from data co-ops or public sources. This may include identifiers (e.g., name, title, department, company name and officers), business or mobile phone numbers, fax number, business address, email addresses, and employment/education history.

How We Use Information

We may use the information we collect to:

- Provide enriched Business Profile Information to customers and partners for permitted B2B marketing and sales purposes

- Operate our business (e.g., respond to inquiries, route requests, maintain accounts, provide customer service, fulfill orders and transactions, verify information, process payments, and perform accounting/forecasting)

- Conduct auditing, security, debugging, research and development, service quality, safety, and performance monitoring

- Maintain, improve, and enhance the Site and Services

- Communicate about your account, our Services, and changes to them

- Enforce our terms and prevent, detect, and stop fraud or abuse

- Comply with legal and regulatory obligations

- Provide Services you request and personalize your experience

- Analyze traffic sources and transactions

- Perform internal research and development

We may de-identify information so that it cannot reasonably identify you or your device. Our use and disclosure of de-identified information is not restricted by this Policy.

Disclosures and Transfers

We may disclose information in the following situations:

Customers

We disclose information to customers for internal sales and marketing use or, with our permission, for integration into their products.

We may disclose Business Profile Information we process for one customer to other customers. Customers' privacy policies describe their use of such information.

Service Providers and Similar Third Parties

We disclose information to service providers and third parties for operational and business purposes, such as hosting, analytics, payment processing, order fulfillment, IT and cloud infrastructure, customer service, email delivery, security and auditing, and similar services.

Governments, Law Enforcement, and Legal Requirements

We may disclose information if we believe it is necessary or appropriate to: (i) comply with legal processes or laws; (ii) protect rights, privacy, safety, or property (ours, yours, or others'); (iii) prevent harm or financial loss; or (iv) investigate or enforce our agreements or suspected illegal activity.

We may also disclose information in connection with a contemplated or actual merger, acquisition, reorganization, bankruptcy, or similar event. Information may be transferred to a successor or assignee as part of such a transaction.

Business Partners

We may disclose information to business partners and affiliates to fulfill contractual commitments or provide requested products or services. We may also disclose information for marketing or sales purposes (e.g., conferences or events) where permitted.

Related Companies and Affiliates

We may disclose information within our corporate group for operational and business purposes.

Your Data Rights

You may have choices about your personal information. If you have questions about our collection, use, or disclosure of personal information—or wish to exercise rights including removal from our databases—please contact us using the details provided below.

In cases where we process information as a processor or service provider on behalf of a customer, please contact that customer directly to exercise your rights.

Opt Out of Cookies and Similar Technologies

Your browser or device may allow you to control cookies or similar technologies. Some features of the Site or Services may not function properly if you disable such technologies. See our Cookie Policy for details.

Opt Out of Marketing Communications

You can opt out of marketing emails by using the "Unsubscribe" link in our marketing messages or by contacting us using the details below.

Additional Rights

Depending on your location, you may have rights such as access, correction, deletion, portability, restriction, objection, and appeal. We may request information necessary to verify your identity before responding. Certain information may be exempt under applicable law. If we deny your request, you may have the right to appeal; we will provide appeal instructions where required.

Data Privacy Framework Notice (If Applicable)

If we rely on the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF, we will adhere to the applicable Principles for personal information received under those frameworks. For more information on the DPF program, visit https://www.dataprivacyframework.gov/.

Where we disclose personal information to third parties under the DPF, we will require them to provide a level of protection consistent with the DPF Principles and remain liable for onward transfers as required by the DPF.

Individuals in the EU, UK, and Switzerland may request access, correction, or deletion of their personal information processed under the DPF and may opt out of marketing communications. To exercise these rights or submit a complaint, contact us using the details below. We will attempt to resolve DPF-related complaints within forty-five (45) days and will cooperate with applicable supervisory authorities. Binding arbitration may be available under certain circumstances, as described in Annex I of the DPF Principles. The U.S. Federal Trade Commission has enforcement authority over our compliance with the DPF.

International Transfers

Waterfall is based in the United States. Your personal information may be collected, transferred to, stored, and otherwise processed in countries where we or our service providers operate, including the United States, which may have data protection laws different from your country. Data may be accessible to law enforcement or national security authorities where permitted by law.

When transferring personal information from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards (e.g., the EU Standard Contractual Clauses, the UK Addendum, the DPF where applicable, and additional safeguards as appropriate). Contact us for more information about our transfer mechanisms.

Additional Notices for Specific Jurisdictions

You may be entitled to additional notices depending on your location.

California

For disclosures required by California law (e.g., the CCPA/CPRA), please refer to our California-specific privacy disclosures.

Nevada

If you are a Nevada resident and wish to request that we refrain from selling your covered information (as defined by Nevada law), please contact us using the details below.

Other U.S. States

Applicable state laws (e.g., Virginia, Colorado, Connecticut) may grant additional rights, such as the right to confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, or profiling with significant effects. Some information may be exempt under those laws. We will verify your identity before fulfilling requests and provide appeal instructions if a request is denied.

Outside the United States

For individuals in the EU, UK, or Switzerland, Waterfall is the controller of your personal information. Our Data Protection Officer (if applicable) can be contacted using the details below.

Legal bases for processing may include: consent, performance of a contract, compliance with legal obligations, and legitimate interests (e.g., providing Business Profile Information to customers for B2B purposes), provided your rights and freedoms are not overridden.

Your rights may include being informed, accessing, rectifying, deleting, porting, restricting, or objecting to processing. You may also withdraw consent at any time, without affecting prior lawful processing. You may lodge a complaint with your local supervisory authority; however, we encourage you to contact us first.

Protection and Retention of Information

We implement technical and organizational measures designed to protect information from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No security system is impenetrable, and we cannot guarantee absolute security.

We retain information for as long as necessary to comply with legal obligations, enforce agreements, maintain customer relationships, and for other legitimate business purposes.

Our Policy Toward Children

Our Services are intended for business users and are not directed to individuals under 18. We do not knowingly collect personal information from individuals under 18. If we learn that we have collected such information, we will delete it in accordance with applicable law. If you believe we have collected information from a minor, please contact us.

Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated as appropriate (e.g., by email or a notice on our homepage), depending on the nature of the change.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, or if you wish to exercise your rights, please contact us at:

Email: privacy@waterfall.io