ERSO LLC ("ERSO," "we," "our," or "us") provides a business-to-business sales intelligence platform ("Platform") that assists HVAC sales professionals in identifying commercial facilities, surfacing professional contact information, and organizing prospect data. This Privacy Policy describes how ERSO collects, uses, stores, discloses, and protects information in connection with your use of our Platform, website located at ersoai.com, and related services (collectively, the "Services").
This Policy applies to (a) business users who subscribe to and access the Platform; (b) visitors to the ERSO website; and (c) professional contact data processed through the Platform in connection with B2B sales activities. This Policy does not govern personal information processed by third-party services you may access through links on our website.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you should discontinue use of the Services.
When you create an account or request a demonstration of the Platform, we collect information you provide directly, which may include your name, business email address, company name, job title, telephone number, and billing information. We use this information to provision access to the Platform, process payments, communicate with you, and fulfill our contractual obligations.
When you use the Platform, we automatically collect certain technical information, including: IP address, browser type and version, operating system, pages viewed, features accessed, search queries submitted within the Platform, time and date of access, referring URLs, and session duration. This information is collected via server logs, cookies, and similar tracking technologies.
The Platform processes publicly available professional information about commercial facility personnel, including names, business titles, business email addresses, business telephone numbers, employer names, and facility addresses. This information is sourced from publicly accessible professional directories, government databases, industry registries, and third-party data enrichment providers. ERSO processes this data exclusively in the context of legitimate B2B commercial sales activities directed at professionals acting in their business capacities.
If you contact ERSO for support, submit feedback, or communicate with us via email or our website contact form, we retain those communications and any information you include, to the extent necessary to respond to your inquiry and improve our Services.
ERSO uses session cookies, persistent cookies, and similar technologies to authenticate users, maintain session state, analyze usage patterns, and improve the Platform. You may configure your browser to refuse cookies; however, doing so may impair certain functionality. We do not use cookies to deliver third-party advertising or to track you across unaffiliated websites.
ERSO uses the information we collect for the following purposes:
ERSO does not sell personal information. We do not share personal information with third parties for their own marketing purposes. We may disclose information in the following limited circumstances:
We engage vetted third-party service providers to assist in operating the Platform, including cloud hosting and infrastructure providers, payment processors, email delivery services, and analytics platforms. These providers are permitted to process your information only as necessary to perform services on our behalf and are bound by contractual obligations consistent with this Policy.
The Platform integrates with third-party B2B data enrichment providers to source professional contact information. These integrations are governed by data processing agreements. Domain and facility identifiers are transmitted to such providers solely to retrieve associated professional contact records.
We may disclose information if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation or respond to a valid legal process such as a subpoena, court order, or government request; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security incidents, or technical issues; or (d) protect the rights, property, or safety of ERSO, our users, or the public.
In connection with a merger, acquisition, reorganization, sale of assets, or other corporate transaction, information we hold may be transferred to a successor entity, subject to that entity's agreement to honor the commitments in this Policy or to provide you with notice and a reasonable opportunity to object.
We may share information for any other purpose with your express consent.
ERSO implements administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS), access controls limiting data access to authorized personnel on a need-to-know basis, regular security assessments, and secure credential storage practices.
No method of data transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that creates a risk of harm, we will notify affected users as required by applicable law.
You may review, update, or correct your account information by logging into your account settings or contacting us at privacy@ersoai.com. Upon termination of your account, we will delete or anonymize your account information in accordance with our Data Retention Policy, except to the extent we are required to retain it by law.
You may opt out of receiving marketing or promotional communications from ERSO at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at privacy@ersoai.com. Transactional and operational communications related to your account are not subject to opt-out.
You may manage cookie preferences through your browser settings. Note that disabling certain cookies may affect the functionality of the Platform.
Some browsers transmit "Do Not Track" signals. ERSO does not currently respond to Do Not Track signals, as there is no industry-wide standard for such signals. We will reassess this position as standards develop.
ERSO operates as a B2B platform processing professional contact information. Many U.S. state privacy laws include explicit exemptions for personal information processed in a business-to-business commercial context or information pertaining to employees and business contacts acting in their professional capacities. To the extent applicable law requires, we honor the rights described below. Residents of the states listed below may submit requests by contacting privacy@ersoai.com.
The following state laws are acknowledged and addressed by our privacy practices:
| State | Statute | Key Rights / Notes |
|---|---|---|
| California | CCPA/CPRA — Cal. Civ. Code §§ 1798.100–1798.199 | Right to know, delete, correct, opt-out of sale/sharing, limit sensitive data use. B2B exemption applies to professional contact data. |
| Virginia | VCDPA — Va. Code §§ 59.1-571–59.1-585 | Right to access, correct, delete, portability, opt-out of targeted advertising and profiling. |
| Colorado | CPA — Colo. Rev. Stat. §§ 6-1-1301–6-1-1313 | Right to opt-out, access, correction, deletion, portability. Universal opt-out honored. |
| Connecticut | CTDPA — Conn. Gen. Stat. §§ 42-515–42-525 | Right to access, correct, delete, portability, opt-out of sale and profiling. |
| Utah | UCPA — Utah Code §§ 13-61-101–13-61-404 | Right to access, delete, portability, opt-out of targeted advertising and sale. |
| Texas | TDPSA — Tex. Bus. & Com. Code §§ 541.001–541.205 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Florida | FDBR — Fla. Stat. §§ 501.701–501.721 | Applies to large controllers. Right to access, correct, delete, portability, opt-out of sale. |
| Montana | MCDPA — Mont. Code Ann. §§ 30-14-3201–30-14-3215 | Right to access, correct, delete, portability, opt-out of sale and profiling. |
| Oregon | OCPA — Or. Rev. Stat. §§ 646A.570–646A.590 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Iowa | ICDPA — Iowa Code §§ 715D.1–715D.9 | Right to access, delete, portability, opt-out of sale and targeted advertising. |
| Indiana | INCDPA — Ind. Code §§ 24-15-1-1–24-15-8-1 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Tennessee | TIPA — Tenn. Code Ann. §§ 47-18-3201–47-18-3213 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| New Hampshire | NHDPA — N.H. Rev. Stat. Ann. §§ 507-H:1–507-H:12 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| New Jersey | NJDPA — N.J. Stat. Ann. §§ 56:8-166.1 et seq. | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Delaware | DPDPA — Del. Code tit. 6, §§ 12D-101–12D-120 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Minnesota | MNDPA — Minn. Stat. §§ 325O.01–325O.14 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Maryland | MODPA — Md. Code Ann., Com. Law §§ 14-4601–14-4626 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
| Kentucky | KCDPA — Ky. Rev. Stat. Ann. §§ 367.385–367.387 | Right to access, correct, delete, portability, opt-out of sale, targeted advertising, and profiling. |
ERSO's practices are also informed by applicable federal statutes, including: the CAN-SPAM Act (15 U.S.C. §§ 7701–7713), governing commercial email communications; the Telephone Consumer Protection Act (TCPA) (47 U.S.C. § 227), governing telephone and text message communications; the Children's Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501–6506), which is inapplicable as the Services are not directed at children under 13; and the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030), relevant to prohibitions on unauthorized access to systems.
To exercise any applicable state privacy right, please submit a verified request to privacy@ersoai.com. We will respond within the timeframe required by applicable law, typically 45 days, with the possibility of a 45-day extension where permitted.
To the extent ERSO processes personal data of individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national implementing legislation may apply.
We rely on the following lawful bases: (a) performance of a contract (Art. 6(1)(b)) for processing necessary to provide the Services; (b) legitimate interests (Art. 6(1)(f)) for processing B2B professional contact data in connection with commercial sales activities, analytics, security, and fraud prevention, where such interests are not overridden by data subjects' rights; (c) compliance with a legal obligation (Art. 6(1)(c)) where required by applicable law; and (d) consent (Art. 6(1)(a)) where we have obtained your explicit consent for a specific processing activity.
Individuals whose personal data we process have the following rights under GDPR, subject to applicable limitations and exemptions:
Where required by Article 37 GDPR, ERSO has designated a data protection contact reachable at privacy@ersoai.com.
ERSO is based in the United States. If we transfer personal data from the EEA, UK, or Switzerland to the U.S. or other jurisdictions, we do so using appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognized transfer mechanisms.
If you believe our processing of your personal data violates applicable law, you have the right to lodge a complaint with the supervisory authority in your Member State of residence or the authority in the Member State where the alleged infringement occurred.
Where ERSO acts as a data processor on behalf of a customer who is a data controller under GDPR, the parties' rights and obligations are governed by the Data Processing Agreement incorporated herein by reference. Where required by Article 28 GDPR, such agreement governs the processing of personal data on behalf of the controller.
ERSO retains personal information for as long as necessary to fulfill the purposes for which it was collected, maintain your account, provide Services, comply with legal obligations, resolve disputes, and enforce agreements. Account information is generally retained for the duration of the active subscription and for a reasonable period thereafter. Detailed retention schedules are set forth in our Data Retention Policy, accessible via the tab above.
When personal data is no longer needed, we will securely delete or anonymize it in a manner that renders it non-recoverable. Anonymized and aggregated data from which individual identity cannot reasonably be reconstructed is not subject to this Policy and may be retained indefinitely.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
ERSO LLC
Privacy Inquiries
Email: privacy@ersoai.com
ERSO reserves the right to update or modify this Privacy Policy at any time. When we make material changes, we will update the "Last Revised" date at the top of this page and, where feasible, provide notice through the Platform or by email. Your continued use of the Services following any such modification constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.
This Data Retention Policy ("Policy") establishes the standards and procedures by which ERSO LLC ("ERSO") retains, archives, and disposes of data processed in connection with the ERSO sales intelligence platform and associated services. This Policy applies to all data categories processed by ERSO, including personal information of business users, B2B professional contact data, system logs, financial records, and communications.
The objective of this Policy is to ensure that data is retained for no longer than is necessary for the identified purpose, to fulfill legal and contractual obligations, and to enable timely and secure disposal of data that no longer serves a legitimate business purpose. All personnel with access to ERSO systems are expected to comply with this Policy.
ERSO's retention practices are governed by the following principles, consistent with applicable U.S. and international data protection law:
User account information, including name, business email, company affiliation, and credentials, is retained for the duration of the active subscription and for a period of three (3) years following account termination, to facilitate account recovery, resolve billing disputes, and comply with financial recordkeeping requirements. Following expiration of the retention period, such data shall be securely deleted or irreversibly anonymized.
Payment transaction records, invoices, and billing history are retained for a minimum of seven (7) years from the date of the transaction, in accordance with U.S. federal tax recordkeeping requirements under the Internal Revenue Code and applicable state tax statutes. Credit card numbers and full payment instrument details are not stored by ERSO; payment processing is performed by PCI-DSS-compliant third-party processors.
System access logs, application logs, search query records, and event logs are retained for a period of twelve (12) months from the date of generation. Aggregated and anonymized usage analytics, from which individual users cannot be identified, may be retained indefinitely for product improvement purposes.
Professional contact records processed through the Platform — including business names, titles, email addresses, and telephone numbers sourced from public or third-party sources — are retained within the Platform for the duration of the user's active subscription. Upon account termination, user-generated contact lists and enrichment records are deleted within ninety (90) days. ERSO's source-level cache of enrichment data obtained from third-party providers is subject to the data license terms of those providers and is refreshed or deleted in accordance with those terms, but in no event retained beyond twenty-four (24) months without re-verification.
Inbound support requests, emails, and chat communications are retained for three (3) years from the date of the last communication in the thread. Communications subject to a legal hold are retained for the duration of that hold. After expiration, such records are securely purged.
Records of user consent to receive marketing communications, including opt-in timestamp, IP address, and consent method, are retained for four (4) years following the withdrawal of consent or the end of the relationship, whichever is later. This retention is necessary to demonstrate compliance with the CAN-SPAM Act and TCPA.
Executed agreements, terms of service acceptances, data processing agreements, and related legal records are retained for a minimum of seven (7) years following expiration or termination of the agreement. Certain records may be retained longer as required by applicable law or as necessary to defend legal claims.
Records pertaining to security incidents, including incident reports, investigation notes, and remediation documentation, are retained for five (5) years from the date of resolution or regulatory closure, whichever is later.
Notwithstanding the retention schedules set forth herein, if ERSO reasonably anticipates litigation, receives a legal hold notice, or is subject to a regulatory inquiry or government request, it shall suspend the scheduled disposal of data potentially relevant to such matter. A legal hold supersedes this Policy's standard retention periods. Legal holds remain in effect until expressly released by legal counsel or the relevant authority.
Personnel who become aware of circumstances that may necessitate a legal hold should immediately notify the appropriate management contact. Unauthorized disposal of data subject to a legal hold may constitute spoliation of evidence and may expose ERSO and individuals to civil or criminal liability.
At the conclusion of the applicable retention period, data shall be disposed of using methods appropriate to the sensitivity of the data and the medium on which it is stored. For electronic data stored on ERSO's managed infrastructure:
Disposal actions shall be logged to create an auditable record of compliance. Physical media, to the extent used, shall be disposed of in accordance with NIST SP 800-88 or equivalent standards.
Data obtained through third-party B2B enrichment providers is subject to the license and retention terms of the applicable provider agreements. ERSO will not retain such data beyond the scope or duration authorized by those agreements. Upon expiration or termination of a provider agreement, ERSO shall promptly dispose of any licensed data that is no longer authorized for retention, in accordance with the provider's contractual requirements and this Policy.
ERSO management is responsible for implementing and maintaining this Policy, ensuring adequate technical controls are in place to enforce retention schedules, and training relevant personnel. All individuals with access to ERSO systems are responsible for handling data in accordance with this Policy and for reporting any actual or suspected non-compliance to privacy@ersoai.com.
This Policy shall be reviewed annually or upon any material change in applicable law, business operations, or data processing practices. ERSO reserves the right to amend this Policy at any time. Material changes will be communicated to users via the Platform or by email. Questions regarding this Policy should be directed to privacy@ersoai.com.
This Data Processing Agreement ("DPA") is entered into between ERSO LLC ("Processor") and the Customer identified in the applicable subscription or service agreement ("Controller"), and is incorporated by reference into that agreement. This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the ERSO sales intelligence platform and related services ("Services").
To the extent ERSO processes personal data of individuals located in the European Economic Area, United Kingdom, or Switzerland on the Controller's behalf, this DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national data protection legislation.
For purposes of this DPA, the following definitions apply:
The Processor shall process Personal Data only as described herein and as instructed by the Controller in connection with the Services. The subject matter, nature, purpose, and duration of processing, together with the categories of Personal Data and data subjects, are as follows:
The Controller represents, warrants, and agrees that: (a) it has a lawful basis under applicable data protection law for processing the Personal Data that it directs the Processor to process; (b) it will comply with all applicable data protection laws in its use of the Services; (c) it will provide notice to data subjects as required by law; (d) it will not direct the Processor to process Personal Data in a manner that would violate applicable law; and (e) it accepts responsibility for providing any required authorizations, consents, or legal bases prior to uploading or directing the processing of Personal Data.
The Processor agrees to the following obligations with respect to Personal Data processed on behalf of the Controller:
The Controller provides general authorization for the Processor to engage Sub-Processors for the provision of the Services, subject to the conditions set forth herein. The Processor shall: (a) enter into a written agreement with each Sub-Processor imposing data protection obligations no less protective than those in this DPA; (b) remain liable to the Controller for the Sub-Processor's performance of its data protection obligations; and (c) provide the Controller with reasonable advance notice before engaging new Sub-Processors or materially changing existing Sub-Processor arrangements involving Personal Data. The Controller may object to a new or replacement Sub-Processor on reasonable data protection grounds by providing written notice. Sub-Processors currently engaged include cloud infrastructure and hosting providers, payment processors, and email delivery services.
Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller's obligations to respond to requests by data subjects exercising rights under applicable data protection law, including rights of access, rectification, erasure, restriction of processing, data portability, and objection. The Processor shall promptly notify the Controller if it receives a data subject request that appears to pertain to Personal Data processed on behalf of the Controller, and shall not respond to such request directly except on documented instructions from the Controller or as required by law.
The Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures include, without limitation:
The Processor shall review and update these measures periodically to account for changes in the risk environment, available technology, and applicable legal requirements.
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a personal data breach affecting Personal Data processed under this DPA. Such notification shall include, to the extent then known: (a) a description of the nature of the breach, including categories and approximate number of data subjects affected; (b) contact details for the Processor's data protection point of contact; (c) the likely consequences of the breach; and (d) measures taken or proposed to address the breach and mitigate its effects. The Processor may provide the notification in phases where full information is not available within the initial notice period.
Where the Processor transfers Personal Data of data subjects in the EEA, United Kingdom, or Switzerland to countries not recognized as providing an adequate level of protection, such transfers shall be made subject to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office, or other legally recognized transfer mechanisms. The Processor shall maintain and make available upon request records of international data transfer mechanisms applicable to its processing activities.
Upon reasonable written notice and no more than once per calendar year (or more frequently if required by a supervisory authority), the Processor shall make available to the Controller such information as is reasonably necessary to demonstrate compliance with this DPA. Audits shall be conducted at the Controller's expense and shall not unreasonably disrupt the Processor's operations. The Processor may require that such audits be conducted by an independent third-party auditor subject to a confidentiality agreement satisfactory to the Processor. The Processor may satisfy audit obligations in part by providing certifications, third-party audit reports, or other documentation evidencing its security and privacy practices.
Upon the expiration or termination of the applicable subscription agreement, or upon the written request of the Controller, the Processor shall, at the Controller's election, return to the Controller all Personal Data in a commonly used machine-readable format or securely delete Personal Data, within ninety (90) days of such request or termination. The Processor shall certify in writing upon request that deletion has been completed. This obligation does not apply to the extent the Processor is required to retain Personal Data under applicable law, in which case the Processor shall isolate and protect such data from further processing except as required by law.
Each party's liability under this DPA is subject to the limitations and exclusions set forth in the applicable subscription or service agreement. To the extent permitted by applicable law, the Processor's total liability arising out of or related to this DPA shall not exceed the aggregate fees paid by the Controller to the Processor in the twelve (12) months preceding the event giving rise to the claim. Nothing in this DPA shall limit either party's liability for fraud, willful misconduct, or as otherwise required by applicable law. Each party shall indemnify the other against third-party claims arising from its own breach of this DPA.
This DPA shall remain in effect for the duration of the applicable subscription or service agreement and shall automatically terminate upon the expiration or termination of that agreement, subject to the survival of obligations relating to data deletion, confidentiality, and any claims arising during the term. In the event of a conflict between the terms of this DPA and the applicable subscription agreement with respect to the processing of Personal Data, the terms of this DPA shall control. This DPA may be amended only by written agreement signed by authorized representatives of both parties.