Privacy Policy
Effective date: TBD (publish date) Last updated: 2026-05-03
Main Street IQ LLC ("Main Street IQ," "MSIQ," "we," "our," or "us") respects your privacy. This policy explains what information we collect, why we collect it, how we use it, who we share it with, and the choices you have. It applies to mainstreetiq.com and any service we provide under the Main Street IQ name, including practice-specific brands such as CCIQ (Central Coast Intelligence) for our wine practice.
If you have questions, email us at privacy@mainstreetiq.com.
1. Who we are
Main Street IQ LLC is a California limited liability company that provides fractional CFO services and a portfolio of subscription-based business intelligence products under the Main Street IQ brand and the CCIQ practice brand. We are the controller of personal information collected through our website and during our engagements.
2. Information we collect
Information you give us directly
- Contact details when you fill out a form, book a meeting, or email us: name, email, phone, company, role
- Strategic brief and intake responses when you become a client: business goals, market context, current operations, account credentials you choose to share for tools you authorize us to access
- Billing details when you pay for a service: billing name, address, last four digits of payment method, tax ID where applicable. Full payment card numbers and bank account credentials are processed by Stripe and never reach us.
- Communications you send us: emails, Slack messages on shared channels, notes from calls
Information we collect automatically
- Usage and device data when you visit
mainstreetiq.com: IP address (anonymized in analytics), browser type, pages viewed, referring URL, approximate geographic region - Cookies and similar technologies: see our Cookie Policy
Information we collect from third parties
- Public web data about a prospect or client's company: search-engine visibility, social presence, review profiles, news mentions
- Authorized client data: when a client explicitly grants us access to their Google Search Console, Google Analytics, Stripe, QuickBooks, Commerce7, vinSUITE, VineSpring, or similar account, we read data from those systems on their behalf
- Enrichment data from publicly available sources used to draft pre-call briefs and prospect dossiers
3. How we use the information
We use the information described above to:
- Respond to inquiries and book meetings
- Provide, deliver, and improve our services
- Generate audits, dashboards, deliverables, and recommendations for clients
- Bill clients and collect payment
- Communicate about service updates, new features, and renewal events
- Send marketing emails (if you have opted in or are a current client) — you can opt out anytime
- Comply with law, enforce our agreements, and protect our rights
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
4. Legal bases (EU / UK visitors)
If you are in the European Economic Area or the United Kingdom, our legal bases for processing your personal information are:
- Contract — to deliver the service you are paying for or to take pre-contract steps you requested
- Legitimate interests — to operate, secure, and improve the business; to send relevant business communications; to enforce our terms
- Consent — for cookies that are not strictly necessary, and for marketing email where required by law
- Legal obligation — for tax, accounting, and compliance recordkeeping
You can withdraw consent at any time without affecting processing already done on the basis of consent.
5. Who we share information with
We share personal information with the categories of recipients listed below. Our complete and current sub-processor list is maintained in MSIQ/legal/operational/sub-processor-list.md and is available on request.
| Category | Examples | Why |
|---|---|---|
| Infrastructure and hosting | GitHub Pages, Cloudflare | Run the website |
| CRM and lead capture | Zoho CRM, Zoho Forms, Calendly | Manage prospect and client records |
| Communications | Google Workspace, Slack, Notion | Email, calendar, document collaboration |
| Payments and billing | Stripe, QuickBooks Online | Process subscriptions and invoices, accounting |
| AI tooling for service delivery | Anthropic (Claude), OpenAI, Google Gemini, Perplexity | Audit synthesis, content drafting, AI visibility checks. API tiers; prompts are not used to train models. |
| Web intelligence | Ahrefs, Apify, Yelp Fusion, Google Search Console, Google Analytics | Research, audits, monitoring |
| Wine practice (CCIQ only) | Commerce7, vinSUITE, VineSpring | Read-only access when a winery client authorizes it |
| Professional advisors | Attorney, accountant, bookkeeper | Operate the business |
| Government and regulators | Tax authorities, law enforcement when legally required | Compliance |
| Successors | Acquirer, merger partner | If the business is sold or merged. We will notify you and honor this policy. |
We require each sub-processor to use the information only as instructed and to apply reasonable safeguards.
6. AI and automated processing
We use AI tools (Claude, GPT-4, Gemini, Perplexity, and similar) to draft, synthesize, and analyze content during audits, research, and deliverable preparation. See our AI Use Disclosure for what this means in practice.
We do not make solely automated decisions that produce legal or similarly significant effects on you. A human (typically Scott Hess) reviews recommendations before they are delivered.
7. Data retention
We retain personal information for as long as we need it for the purposes described in this policy:
- Lead records: 7 years after last contact
- Active client records: the duration of the engagement plus 7 years after termination
- Audit deliverables and financial records: 7 years (consistent with professional and tax standards)
- Server and analytics logs: 90 days
- Marketing email contacts: until you unsubscribe, then we keep a suppression record so we do not email you again
You can request earlier deletion under the rights described below.
8. Your rights
California residents (CCPA / CPRA)
You have the right to: - Know what personal information we collect, use, disclose, and how - Request a copy of the personal information we hold about you - Request that we delete personal information we hold about you - Request that we correct inaccurate personal information - Limit our use and disclosure of sensitive personal information (we collect very little; see Section 2) - Opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell or share for cross-context behavioral advertising. - Be free from retaliation for exercising any of these rights
You can exercise these rights by emailing privacy@mainstreetiq.com. We will verify your request and respond within 45 days. You can authorize an agent to make a request on your behalf; we will verify the authorization.
EU / UK residents (GDPR)
You have the right to access, correct, delete, restrict processing, object to processing, and portability of your personal information. You can exercise these rights by emailing privacy@mainstreetiq.com. You also have the right to lodge a complaint with your local data protection authority.
"Shine the Light" (California Civil Code §1798.83)
We do not share personal information with third parties for their direct marketing purposes.
9. International transfers
Main Street IQ is based in the United States. Some sub-processors operate outside the US. When personal information is transferred from the EU/UK to the US, we rely on Standard Contractual Clauses with the relevant sub-processor and on each sub-processor's additional safeguards.
10. Children
Our services are intended for businesses, not individual consumers under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please email privacy@mainstreetiq.com and we will delete it.
11. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information. These include encrypted-in-transit connections, access controls, secrets management, and least-privilege defaults across the toolchain. No system is perfectly secure; if you believe your account or data has been compromised, email security@mainstreetiq.com.
12. Changes to this policy
We may update this policy. When we make a material change, we will update the effective date at the top of the policy and, if you are a current client, send you notice by email at least 30 days before the change takes effect.
13. Contact
Main Street IQ LLC Attn: Privacy San Luis Obispo, California Email: privacy@mainstreetiq.com