Home/Legal/Privacy Policy

Privacy.

How we collect, use, share, and protect personal data — and the rights you can exercise over it. Written to satisfy the EU GDPR, UK GDPR, California CCPA/CPRA, and the wider US state-privacy patchwork (VA, CO, CT, UT, TX, OR, MT, FL, DE, IA, NH, NJ, NE, MD, MN, IN, TN, KY, RI).

Last updated January 10, 2026Effective January 10, 2026Entity SIERRA OAK LLCJurisdiction Wyoming, USA

↳ Plain-English note

We aim to write these policies the way we operate — direct, specific, no legalese theatre. If anything here is unclear, write to desk@sierraoakaffiliate.com and we will explain it in plain language and update the document.

↳ Contents

Who we are
What we collect
How we use it
Legal bases (GDPR)
Who we share with
How long we keep it
International transfers
Security measures
Your rights (EU/UK)
Your rights (California)
Other US state rights
Children's privacy
No automated decisions
Changes to this policy
Contact & complaints

Who we are

↳ Plain English

We are SIERRA OAK LLC, a performance/affiliate marketing agency based in Wyoming, USA. We are the "controller" of personal data collected on this website.

SIERRA OAK LLC ("Sierra Oak," "we," "us," "our") operates the website at sierraoakaffiliate.com (the "Site"). For this Site, we act as the data controller within the meaning of EU/UK GDPR Article 4(7).

Where we process personal data on behalf of a client — for example, running an advertising account, an affiliate platform, or a server-side tracking endpoint — we typically act as a data processor under that client's instructions, and a separate Data Processing Agreement (DPA) governs that relationship. This Policy concerns our own controller-stage processing only.

Registered office

SIERRA OAK LLC · 347 Wyoming Ave, WY 82801, USA. Contact: desk@sierraoakaffiliate.com · +1 (854) 226-1376.

What we collect

↳ Plain English

The contact form takes your name, work email, company, and a free-text brief. The Site itself sets a tiny number of essential, first-party items only. We do not run advertising pixels, behavioural analytics, or third-party tracking on this Site at this time.

Information you give us directly

Category	Fields	Source
Contact identifiers	First and last name, work email, company name	Brief form on /contact
Commercial information	Vertical, requested practice mix, monthly media budget band, engagement model preference	Brief form on /contact
Free-text content	Anything you choose to write into the brief field	Brief form on /contact
Communications	Email replies, scheduled calls, attached documents	Direct email or phone to desk@sierraoakaffiliate.com / +1 (854) 226-1376

You can contact us without filling the form — using email or phone — and supply only what you choose to supply.

Information collected automatically

When you visit any page, the hosting platform receives standard server data: the IP address from which the request was made, a user-agent string, the URL requested, the referring URL if any, a timestamp, and an approximate HTTP status. We use this for security, fraud prevention, and to debug the Site. These logs are not used to build a behavioural profile of you.

Cookies and similar technologies

The Site does not currently set any non-essential cookies. We do not run Google Analytics, Plausible, Mixpanel, Segment, Meta Pixel, TikTok Pixel, LinkedIn Insight, Google Ads remarketing tags, Hotjar, FullStory, or any cross-site tracker. Full details are in our Cookie Policy.

Sensitive data

We do not ask for, and ask you not to send us, any "special category" data under GDPR Article 9 (health, biometrics, political opinions, etc.) or "sensitive personal information" under CPRA §1798.140(ae) through this Site. If you send such data inside a free-text brief, we will treat it as confidential and delete it on request.

How we use it

↳ Plain English

To reply to you, schedule a call, write an audit, and run the project we agree to. We also keep enough records to meet tax, accounting, and anti-money-laundering rules. We do not sell or rent your contact data.

Responding to your enquiry. Reading the brief, replying within our stated 24-hour window, and scheduling a follow-up conversation.
Preparing a proposal or audit. Analysing the context you give us, producing a one-page audit or pilot scope, and exchanging documents.
Operating an engagement. If you become a client, your contact data populates our project records, billing, and ordinary client communications.
Security and integrity of the Site. Detecting and preventing fraud, spam submissions, scraping, brute-force activity, or attempted abuse.
Legal, accounting, and tax obligations. Maintaining business records as required by US federal and Wyoming state law.
Improving our work. Aggregated, non-identifying analysis of which questions we are getting and where the Site can be clearer.

We do not serve targeted advertising based on this Site, profile visitors for marketing purposes, sell email lists, build look-alike audiences from our submissions, or run AI training on the content of your brief.

Legal bases (GDPR / UK GDPR)

↳ Plain English

For each purpose above, we have a specific legal basis under GDPR Article 6 — usually that you asked us to do something, or that we have a clear legitimate reason like security or accounting.

Purpose	GDPR Art. 6 legal basis
Replying to a brief or enquiry	Art. 6(1)(b) — pre-contractual measures at your request
Performing a signed engagement	Art. 6(1)(b) — contractual necessity
Site security, fraud / spam prevention	Art. 6(1)(f) — legitimate interests
Tax, accounting, AML record-keeping	Art. 6(1)(c) — legal obligation
Optional marketing emails (only if you opt in)	Art. 6(1)(a) — consent, freely withdrawable

We balance every "legitimate interests" use against your rights and freedoms. You can request a copy of our balancing test by emailing us.

Who we share data with

↳ Plain English

Only the service providers we need to run the business — hosting, email, accounting — and never to advertising networks or data brokers. We list every meaningful processor below and update the list when it changes.

We share personal data only with:

Processor	Purpose	Location
Vercel Inc.	Site hosting, edge delivery, server logs	United States / global edge
Email provider (Google Workspace or equivalent)	Receiving the brief, replying, calendar invites	United States / EU
Accounting and tax advisor	Statutory bookkeeping and tax filings	United States
Legal counsel	Advice on disputes and compliance	United States
Payment processor (for clients)	Invoicing and ACH / wire reconciliation	United States

We require every processor to be bound by a written Data Processing Agreement (or equivalent contract) that satisfies GDPR Article 28 and CPRA §1798.140(ag).

Disclosures we do not make

We do not "sell" your personal information for money or other valuable consideration.
We do not "share" your personal information for cross-context behavioural advertising as defined in CPRA §1798.140(ah).
We do not pass your contact data to advertising networks, data brokers, or list-resale platforms.

When we may have to disclose

We may disclose personal data if compelled by valid legal process (subpoena, court order, lawful regulator request), to protect the safety of users or the public, to investigate fraud or abuse against us, or in connection with a corporate transaction (merger, financing, acquisition, or sale of substantially all assets) — in which case the acquirer will be bound by terms at least as protective as this Policy.

How long we keep it

↳ Plain English

We keep contact-form data for two years, then delete it. Active client records run for the engagement plus seven years for tax. Email correspondence is reviewed and pruned annually.

Data	Retention	Reason
Unconverted brief submissions	24 months	Reasonable follow-up window then deletion
Client project records	Engagement + 7 years	US tax and accounting
Invoices and financial records	7 years	IRS / state tax statute of limitations
Server access logs	30 days	Security, debugging
Marketing-consent records	While consent is in force + 3 years	Proof of consent (GDPR Art. 7(1))

You can ask us to delete unconverted enquiry data sooner — see Your rights.

International data transfers

↳ Plain English

We are based in the US. If you write to us from the EU or UK, your data is transferred to the US. We rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where our vendors are certified.

SIERRA OAK LLC is established in the United States. When you contact us from the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and processed in the US.

We protect those transfers using one or more of the following safeguards under GDPR Chapter V:

The EU-US Data Privacy Framework and its UK Extension / Swiss Bridge, where our processor is self-certified.
The 2021 Standard Contractual Clauses (SCCs), Modules 2 and 3, with the UK Addendum where required.
A documented transfer impact assessment (TIA) considering US surveillance law and supplementary measures.

You can request a copy of the safeguards in place for a specific transfer by emailing us.

Security measures

↳ Plain English

The Site runs on a managed platform behind TLS. Internal access is restricted, MFA-enforced, and logged. We are honest about being a small team — we use modern, well-supported tooling rather than running our own infrastructure. See our Trust & Security page for detail.

TLS 1.2+ everywhere; HSTS enabled.
Principle of least privilege for internal systems; SSO + MFA on all administrative tooling.
Hard-drive encryption on every employee endpoint; password manager mandated.
Vendor due diligence: every processor must produce a DPA, a security overview, and (where applicable) a SOC 2 / ISO 27001 attestation.
Incident response: any confirmed personal-data breach is investigated immediately; affected EU/UK individuals and the relevant supervisory authority are notified within 72 hours where required by GDPR Article 33.

Your rights — EU, UK, and similar regimes

↳ Plain English

You can ask us what we have on you, fix it, delete it, take it elsewhere, or tell us to stop using it. Email us and we will reply within 30 days, free of charge.

If you are in the EEA, UK, or another jurisdiction with equivalent law, you have:

Right of access (GDPR Art. 15) — a copy of the personal data we hold about you.
Right to rectification (Art. 16) — to correct anything inaccurate.
Right to erasure / "right to be forgotten" (Art. 17), subject to legal-obligation exceptions.
Right to restrict processing (Art. 18).
Right to data portability (Art. 20) — a machine-readable export.
Right to object (Art. 21), including an absolute right to object to direct marketing.
Right to withdraw consent (Art. 7(3)) at any time, where consent is the basis.
Right not to be subject to solely automated decision-making with legal or similarly significant effect (Art. 22). We do not engage in such decision-making — see Section 13.
Right to lodge a complaint with a supervisory authority — your local DPA, the UK ICO, or the Irish DPC as applicable.

To exercise any of these rights, email desk@sierraoakaffiliate.com with the subject line "Data subject request". We respond within 30 days. We may need to verify your identity before disclosing data, in line with EDPB guidance.

Your rights — California (CCPA / CPRA)

↳ Plain English

If you live in California, you can ask us what we collect and why, get a copy, correct it, delete it, and tell us not to sell or share it — we do not sell or share it to begin with.

Under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), California residents have the following rights:

Right to know what categories of personal information we collect, the sources, the business purposes, the categories of third parties to which it is disclosed, and the specific pieces of personal information held about you.
Right to delete personal information we hold about you, subject to statutory exceptions.
Right to correct inaccurate personal information.
Right to opt out of "sale" or "sharing": we do not sell or share personal information for cross-context behavioural advertising and have no such opt-out to surface, but we honour Global Privacy Control (GPC) signals.
Right to limit use of sensitive personal information: we do not knowingly collect sensitive personal information.
Right to non-discrimination for exercising any of these rights.

Categories collected in the past 12 months

CPRA category	Examples	Sold?	Shared?
Identifiers (§1798.140(v)(1)(A))	Name, email, IP address	No	No
Commercial information (§1798.140(v)(1)(D))	Engagement preferences, budget band	No	No
Internet activity (§1798.140(v)(1)(F))	Pages requested, referring URL (server logs)	No	No
Inferences (§1798.140(v)(1)(K))	None drawn for profiling	No	No

To exercise these rights, email desk@sierraoakaffiliate.com with subject "California rights request." You may also designate an authorised agent in writing. We will verify your identity by matching information you submit against information already in our records.

We respond to verifiable consumer requests within 45 days, extendable by another 45 days with notice.

Other US state rights (VA / CO / CT / UT / TX / OR / MT / DE / IA / NH / NJ / NE / MD / MN / IN / TN / KY / RI / FL)

↳ Plain English

If you live in another US state with a comprehensive privacy law, you have substantially the same access, correction, deletion, and opt-out rights as Californians. Use the same email and we will handle it.

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Delaware (DPDPA), Iowa, New Hampshire, New Jersey, Nebraska, Maryland (MODPA), Minnesota (MCDPA), Indiana, Tennessee (TIPA), Kentucky, Rhode Island, and Florida (FDBR) may exercise the access, correction, deletion, portability, and opt-out rights conferred by their state statute. The contact route is the same as above. We honour the universal opt-out signals required by Colorado, Connecticut, Texas, Oregon, and Montana, including Global Privacy Control.

Children's privacy

↳ Plain English

This Site is built for businesses. We do not knowingly collect data from anyone under 16. If you are under 16, please do not send us a brief.

The Site is directed to business users. We do not knowingly collect personal information from children under 16 (or 13 for purposes of COPPA, 15 U.S.C. §6501 et seq.). If we learn we have collected personal information from a child, we will delete it. If you believe a child has provided personal information to us, please contact desk@sierraoakaffiliate.com.

No automated decisions with legal effect

↳ Plain English

We do not make automated decisions about you that have a legal or similarly significant effect, and we do not profile you for that purpose.

We do not engage in solely automated decision-making within the meaning of GDPR Article 22(1). Any decision to engage, decline, or shape a project is made by a human operator at SIERRA OAK LLC.

Changes to this Policy

↳ Plain English

If we change this Policy in a material way, we will say so at the top of the page and explain what changed. The version above is the one in force.

We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. For material changes, we will post a prominent notice on the Site and, where required, contact you directly. Continued use of the Site after a change indicates acceptance of the updated Policy.

An archive of prior versions is available on request.

Contact and complaints

↳ Plain English

Email us. We will reply.

For any privacy question, request, or complaint:

Email: desk@sierraoakaffiliate.com (subject: "Privacy")
Mail: SIERRA OAK LLC, 347 Wyoming Ave, WY 82801, USA
Phone: +1 (854) 226-1376

You may also lodge a complaint with your local data-protection authority. We will cooperate with any such authority in resolving the matter.

This Policy was last updated on January 10, 2026.

Questions about this document

desk@sierraoakaffiliate.com

Mailing address

SIERRA OAK LLC
347 WYOMING AVE
WY 82801
UNITED STATES