Privacy Policy

Last updated: May 2026

This page is the single canonical Privacy Policy for Cursive across both meetcursive.com (marketing site) and leads.meetcursive.com (the Cursive application, including installs from the Shopify and GoHighLevel marketplaces).

At Cursive (“we,” “us,” or “our”), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you visit our websites, use our platform, install our app via our marketplace partners, or interact with our services.

1. Scope and Applicable Laws

This Privacy Policy is designed to comply with, and is interpreted in accordance with, the following frameworks:

• EU General Data Protection Regulation (GDPR) and UK GDPR
• California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information)
• Other U.S. state privacy laws (CO, CT, VA, UT, TX, OR, MT, IA, DE)
• CAN-SPAM Act, TCPA, and applicable telecommunications law for outbound communications
• California Invasion of Privacy Act (CIPA) and analogous federal/state wiretap and electronic-communications statutes

Where these frameworks conflict, the stricter requirement governs for residents of the applicable jurisdiction. We monitor case law developments — including the Camplisson line of pixel-tracking decisions and the 2025 volume of CIPA filings — and update our consent, disclosure, and opt-out implementation accordingly (see §13).

2. Information We Collect

2.1 Information You Provide

• Name, email address, and contact information
• Company name, job title, and business details
• Payment and billing information (processed securely via Stripe)
• Communications with our team, including chat and email
• Account preferences and targeting criteria

2.2 Information Collected Automatically

• Device & browser information: IP address, browser type and version, operating system, device type, and screen resolution
• Usage data: Pages visited, time spent on pages, click patterns, referring URLs, and navigation paths
• Location data: Approximate geographic location derived from your IP address
• Privacy signals: Global Privacy Control (GPC) header (Sec-GPC: 1) and Do Not Track header (see §7)

2.3 Visitor Identification Data (via Cursive Pixel)

The Cursive pixel deployed on customer websites collects:

• Anonymous visitor identifiers (browser cookie IDs, hashed identifiers)
• Page URLs visited and referrer URLs
• Event timestamps (page view, product view, cart, checkout events)
• IP-derived approximate location
• Resolved identity attributes when matched against the Cursive identity graph: name, email address, phone number, mailing address, employer, job title

We do not collect the content of communications, capture keystrokes, or record session replays. We do not cross-track across third-party advertising networks. The Cursive pixel sets only a first-party cookie (_cursive_cid) on the installing site.

2.4 Marketplace Integration Data

Shopify: when a customer installs the Cursive Shopify app we receive shop information, customer email addresses (for matching to resolved visitors), and order events (used to suppress customers from acquisition retargeting).

GoHighLevel: when an agency installs the Cursive app on a GHL location we receive location metadata, custom values, and contact data necessary to write back identified visitors as GHL contacts with intent tags.

3. Identity Graph Sources and Provenance

Cursive's identity resolution layer matches anonymous visitors to verified business and consumer profiles. The underlying identity graph is sourced from:

• Publicly available business information — corporate registries, professional profiles, company websites, regulatory filings
• Opted-in consumer panels — first-party data contributed by panel participants who provided informed consent and may withdraw at any time
• Public records — including the National Change of Address (NCOA) registry for address validation
• Licensed third-party identity graphs — data providers under written license, each contractually required to represent that records were lawfully sourced and that downstream use is permitted under applicable privacy law
• Customer first-party data — data our customers authorize us to ingest, scoped to that customer's workspace

Records undergo regular verification (305M+ records re-verified monthly). Skip-traced data is flagged in the record. Do-Not-Contact (DNC) flags returned from the upstream identity layer are persisted to every record and enforced before any outbound action by Cursive or its customers.

De-listing. Any individual may request removal from the Cursive identity graph by emailing privacy@meetcursive.com. De-listing is honored within 30 days, propagates platform-wide (see §8), and is stored as a persistent suppression so the individual is not re-resolved if their data reappears in a future graph refresh.

4. Consent Management

4.1 Our Approach

Cursive uses a Consent Management Tool (CMT) on our websites to inform visitors about data collection and obtain clear, documented consent before activating non-essential tracking technologies. When you first visit, you will be presented with a cookie consent notice describing the categories of data we collect and giving you a choice to accept or decline.

4.2 What Happens When You Accept

If you click “Accept,” we activate analytics, visitor identification, and marketing technologies as described in this policy. Your consent is recorded with a timestamp and stored in your browser so you are not asked again on subsequent visits for a period of 12 months.

4.3 What Happens When You Decline

If you click “Decline,” we limit data collection to essential, functional cookies only. Non-essential cookies, analytics scripts, and visitor identification pixels are not activated. Your decline preference is stored and honored on subsequent visits.

4.4 Consent Records

We maintain records of consent decisions including date, time, IP, and consent-notice version. These records are retained for audit and compliance purposes. You may withdraw your consent at any time by clearing your browser's local storage or contacting privacy@meetcursive.com.

4.5 Consent Architecture on Customer Sites

Shopify installs. The Cursive pixel installed via the Shopify Web Pixels API gates resolution calls behind the visitor's consent state, as reported by Shopify's native consent banner. Resolution calls fire only after consent is granted for analytics + marketing purposes. EU and CCPA-region visitors see the native consent banner before any resolution occurs. Post-purchase conversion events fire regardless of consent state but are used solely for suppression (so existing customers stop seeing acquisition ads) — never for new identity resolution.

GoHighLevel and direct installs. The Cursive pixel relies on the merchant's consent management. Merchants are required (under §15 below and our Terms of Service) to ensure their consent capture complies with applicable law (GDPR, CCPA/CPRA, Quebec Law 25).

5. Global Privacy Control (GPC) and Do Not Track

GPC handling. Cursive recognizes the Global Privacy Control specification. When a request to a Cursive-controlled endpoint (meetcursive.com, leads.meetcursive.com, or the Cursive pixel ingestion endpoint) carries the Sec-GPC: 1 header, we treat that signal as:

• An opt-out of sale and sharing under CCPA/CPRA and analogous U.S. state laws
• A withdrawal of consent for non-essential cookies and analytics under GDPR and Quebec Law 25
• A request to suppress the originating browser/identity from future Cursive identity resolution

The GPC signal is processed server-side at the pixel ingestion endpoint and persisted as a suppression tied to the visitor's first-party cookie. Where Cursive operates downstream of a customer's Consent Management Platform (e.g. Shopify Web Pixels API), the upstream CMP's recognition of GPC governs whether the pixel fires at all; Cursive's server-side GPC handling provides a second layer of enforcement.

Do Not Track (DNT). We honor the DNT browser header on Cursive-owned properties on the same terms as GPC. We treat DNT as advisory on customer-installed pixels because the DNT specification was never finalized and behavior across browsers is inconsistent; the dominant signal for downstream installs is the upstream CMP decision plus GPC.

6. Opt-Out Propagation Across Sessions, Devices, and the Platform

A consumer opt-out reaches Cursive through any of the following channels:

• Declining our cookie consent banner
• Sending a Sec-GPC: 1 signal (see §5)
• Emailing privacy@meetcursive.com
• A Shopify customers/redact, shop/redact, or customers/data_request webhook
• Any state-mandated opt-out portal request

Once received, the opt-out is propagated as follows:

• Cross-session, same browser: The decline / opt-out preference is written to the first-party _cursive_cid cookie and to a server-side suppression list. The pixel will not re-resolve the visitor on subsequent visits even if the cookie is cleared, because the suppression list is keyed by the visitor's resolved identity (hashed email, where known).
• Cross-device: Where the consumer is identified by hashed email (HEM), the suppression applies across all devices and browsers that resolve to that identity.
• Platform-wide: Opt-out is enforced at the Cursive platform layer, not per-customer. A consumer who opts out is suppressed across every Cursive customer workspace going forward.
• Workspace isolation: Visitor data does not cross between customer workspaces. Workspace isolation is enforced at the database layer via Row-Level Security policies, not by application logic alone.
• SLA: Opt-out, deletion, and de-listing requests are honored within 30 days.

7. Cookies and Tracking Technologies

7.1 What We Use

• Essential cookies: Required for basic site functionality, authentication, and security
• Analytics cookies: Google Analytics to understand site usage patterns and improve our services
• Visitor identification pixels: First-party pixels to identify website visitors for B2B lead generation purposes
• Chat functionality: Crisp chat widget for customer support
• Marketing cookies: To measure advertising effectiveness and deliver relevant content

The Cursive pixel uses a first-party cookie (_cursive_cid) on installed sites for visitor consistency across sessions. We do not use third-party advertising cookies.

7.2 Managing Cookies

You can manage your cookie preferences through the cookie consent banner displayed on our website. Clicking “Decline” will prevent non-essential cookies and tracking technologies from loading. You can also configure your browser to refuse all cookies or alert you when cookies are being sent. Note that disabling essential cookies may affect site functionality.

8. How We Use Your Information

• To provide, maintain, and improve our lead generation platform
• To identify website visitors and deliver leads to your dashboard and your connected CRMs (GoHighLevel, Klaviyo, Meta, and others you explicitly authorize)
• To process payments and manage your subscription
• To send transactional emails (install confirmation, sync alerts, account notifications)
• To improve the Service via aggregate, de-identified analytics
• To detect, investigate, and prevent fraud and security incidents
• To comply with legal obligations and protect against fraud

9. Data Sharing — and Our CCPA “Sharing” Posture

We do not sell personal information. “Sale” is defined under CCPA/CPRA as exchanging personal information for monetary or other valuable consideration. We do not engage in such exchanges.

We do not “share” personal information for cross-context behavioral advertising as that term is defined under CPRA. The CPRA-specific definition of “sharing” covers the disclosure of personal information to a third party for cross-context behavioral advertising. Cursive does not engage in cross-context behavioral advertising, does not pass identifiers to ad networks for retargeting on third-party properties, and does not participate in real-time bidding ecosystems.

Delivery of lead data to the Cursive customer whose pixel resolved the visitor is the service the consumer's data is processed for; it is a disclosure to a service-related party rather than cross-context behavioral advertising.

We share information only with:

• Sub-processors we use to operate the Service (see §10)
• Destinations the customer connects in the Cursive portal — Meta (Custom Audiences), Klaviyo (email lists), GoHighLevel (contacts), Google Sheets, and others the customer explicitly authorizes. We send only the fields the customer configures
• Marketplace platforms (Shopify, GoHighLevel) for the limited data flows described in the integration documentation
• Professional advisors — lawyers, accountants, auditors
• Authorities when legally compelled (subpoena, court order, regulatory request)
• Business transfers in connection with a merger, acquisition, or sale of assets — where the recipient is bound by terms no less protective than this Policy

10. Sub-Processors

The following sub-processors process personal data on Cursive's behalf:

• Supabase Inc. — database hosting and authentication. Supabase Privacy
• Vercel Inc. — web hosting and edge compute. Vercel Privacy
• Inngest Inc. — background job orchestration
• Stripe Inc. — payment processing. Stripe Privacy
• Google LLC (Google Analytics) — web analytics. Google Privacy
• Crisp IM SAS — live chat. Crisp Privacy
• Identity-resolution provider — the upstream identity graph and pixel resolution layer described in §3. Operates under written contract; their privacy policy is provided as part of the DPA disclosure (see §14)
• Email-delivery providers — transactional email delivery (Resend, Postmark, or equivalents)

We maintain a current sub-processor list and provide 30 days' notice of material changes to enterprise customers under DPA. Request the current list at privacy@meetcursive.com.

11. Legal Basis for Processing (GDPR)

For individuals in the EEA / UK, we process personal data on the following legal bases:

• Consent (Art. 6(1)(a)): analytics cookies, visitor identification pixels, and marketing technologies — activated only after the user clicks “Accept” on our consent banner
• Contract (Art. 6(1)(b)): processing necessary to fulfill your subscription, deliver leads, and manage your account
• Legitimate Interests (Art. 6(1)(f)): B2B marketing and lead generation using publicly available professional data; fraud prevention; platform security and improvement. Our legitimate interests are balanced against individuals' rights — business-professional contact information used for relevant B2B outreach does not unduly override their privacy interests
• Legal Obligation (Art. 6(1)(c)): tax records, compliance reporting, and responding to lawful government requests

You may request a copy of our Legitimate Interests Assessment (LIA) by contacting privacy@meetcursive.com.

12. Your Rights — by Jurisdiction

12.1 All Users

• Access and receive a copy of your personal data
• Rectify inaccurate personal data
• Request deletion of your personal data
• Object to or restrict processing of your data
• Data portability (receive your data in a structured format)
• Withdraw consent at any time (where processing is based on consent)

12.2 California Residents (CCPA / CPRA)

California residents have the additional rights to know what personal information is collected, to delete, to correct, to opt out of sale or sharing of personal information, to limit the use of sensitive personal information, and to non-discrimination for exercising these rights. Cursive does not engage in sale or sharing as defined under CPRA (see §9). GPC is honored as a valid opt-out signal (see §5).

12.3 European Residents (GDPR)

EEA / UK residents may exercise the rights listed in 12.1 and may lodge a complaint with their local data protection authority. Our legal bases are described in §11.

12.4 Quebec Residents (Law 25)

Quebec residents have the rights listed in 12.1, plus additional rights under Law 25, including:

• The right to be informed when personal information is used to render a decision based exclusively on automated processing
• The right to data portability beginning under Law 25's phased portability provisions
• The right to request that personal information be de-indexed or ceased from dissemination where it causes serious injury
• The right to receive privacy disclosures in French upon request

Privacy officer. Cursive's designated person in charge of the protection of personal information (privacy officer) for Law 25 purposes is reachable at privacy@meetcursive.com.

Automated decision-making. Cursive does not use solely automated decision-making to render decisions that produce legal or similarly significant effects on individuals. Lead scoring is advisory; final decisions about outreach are made by the customer.

Cross-border transfers. Cursive operates in the United States. Transfers of Quebec residents' personal information outside Quebec are subject to a Privacy Impact Assessment (PIA) and contractual safeguards. See §17.

12.5 Other U.S. State Residents

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, and Delaware have rights under their respective state laws that parallel CCPA / CPRA. We honor these rights on the same SLA and through the same channels.

12.6 How to Exercise Your Rights

Email privacy@meetcursive.com. We respond within 30 days (extendable to 45 where law permits, with notice). We will not discriminate against you for exercising your rights.

13. Data Processing Agreements (DPA)

Cursive operates as a data processor when handling personal information on behalf of our customers, and as a data controller for our own platform and marketing. A Data Processing Agreement is available for execution by:

• All Pipeline-tier and Enterprise customers
• Any customer on request, regardless of tier, at privacy@meetcursive.com

The Cursive DPA includes:

• Standard contractual clauses (EU SCCs and UK Addendum) for international transfers
• The sub-processor list at §10 (and a 30-day notice mechanism for material changes)
• Security commitments (TLS in transit, encryption at rest, RBAC, audit logging, regular security review)
• Breach notification within 72 hours of awareness
• Audit rights consistent with Article 28 GDPR
• Quebec Law 25 cross-border transfer commitments and PIA cooperation
• Data return / deletion within 30 days of contract termination

14. Camplisson, CIPA, and Wiretap-Statute Posture

We are aware of the Camplisson line of California pixel-tracking decisions and the substantial increase in CIPA (Cal. Penal Code §§ 631, 632.7) filings in 2025 targeting third-party pixels and session-replay technologies. Our implementation is designed to avoid the conduct those cases address:

• No session replay or keystroke capture. The Cursive pixel does not record session video, capture form-field contents pre-submission, or stream the content of communications. It records event metadata only (URL, timestamp, event type).
• No third-party advertising cookies. The Cursive pixel sets only a first-party cookie on the installing site.
• Consent gating before resolution. On Shopify installs the pixel runs through the Web Pixels API, which gates execution behind the visitor's consent state under Shopify's native consent banner. On other installs the merchant's CMP gates execution. Resolution calls fire only after consent is granted.
• Server-side GPC honoring. Cursive's ingestion endpoint independently honors Sec-GPC: 1 (see §5).
• No interception of consumer-to-merchant communications. Cursive does not read, transmit, or store the content of consumer chats, emails, or messages exchanged with our customers' sites.
• Two-party consent jurisdictions. In states with two-party consent requirements (California, Florida, others), the pixel is gated by the merchant's explicit consent flow as described above.

Customers remain responsible for their own consent capture on their own properties (see §15). Cursive's implementation provides controller-side mitigations; it does not eliminate the customer's controller-side obligations.

15. Requirements for Customers Installing the Cursive Pixel

If you are a Cursive customer who installs our pixel on your website, you are required under our Terms of Service and applicable law to:

• Disclose use of visitor identification technology in your own website's privacy policy
• Display a cookie consent or tracking notice before the pixel activates
• Use a Consent Management Platform (CMP) or Consent Management Tool (CMT) to log consent decisions, including GPC where applicable
• Honor opt-outs and consent withdrawals from your visitors
• Establish a lawful basis (legitimate interests or explicit consent) for visitor identification data processing
• Comply with Camplisson / CIPA mitigations on your own property (no pre-consent firing, no session replay layered on top of Cursive, etc.)

Cursive is not responsible for our customers' consent management practices on their own websites. The Cursive DPA includes customer obligations in this regard.

16. Data Security

We implement industry-standard security: TLS encryption in transit, encryption at rest, role-based access controls, audit logging, and regular security review. Access to production systems is restricted to a small set of authorized engineers and is logged. Multi-tenant isolation is enforced at the database layer via Row-Level Security policies, not by application logic alone.

17. Data Retention

We retain account data while your account is active. Visitor lead data is retained for the duration of your subscription plus 30 days after cancellation, after which it is permanently deleted. Consent records are retained for audit purposes for the period required by applicable law.

Upon receipt of a Shopify customers/redact, shop/redact, or customers/data_request webhook, we comply within 30 days. Upon any other deletion request received at privacy@meetcursive.com we honor it within 30 days.

18. International Data Transfers

Cursive operates in the United States. By using the Service you acknowledge that your information may be transferred to and processed in the United States, where data protection laws may differ from your jurisdiction. For EEA / UK transfers, we rely on Standard Contractual Clauses (and the UK Addendum) as described in our DPA. For Quebec transfers, we conduct a Privacy Impact Assessment as required by Law 25 §17.

19. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Policy on this page, updating the “Last updated” date, and notifying active customers via email.

21. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

• Privacy & data rights: privacy@meetcursive.com
• General inquiries: hey@meetcursive.com
• Quebec privacy officer: privacy@meetcursive.com