Last Updated: February 10, 2026
‍
‍This Privacy Policy explains how SampleServe, Inc. (SampleServe, we, us, our) collects, uses,
discloses, and retains personal information when you visit our website or use our products,
services, and applications (collectively, the Services).
This Policy is written to address requirements under the EU General Data Protection Regulation
(GDPR) and the EU ePrivacy Directive cookie rules, and to provide U.S. consumer privacy
disclosures and rights, including California (CCPA as amended by CPRA), Colorado Universal
Opt Out requirements, and the Virginia model state privacy rights framework. (GDPR)
‍
1. Who we are
Controller contact: Security
SampleServe, Inc.
12935 SW Bayshore Dr. Suite 200, Traverse City, MI 49684, USA
Email: privacy@sampleserve.com
Phone: +1 (231) 933-7035
EU Representative (if required under GDPR Article 27): Russell Schindler, CEO
security@sampleserve.com
Data Protection Officer (if appointed): Mike Franklin, CTO, security@sampleserve.com
(GDPR)
‍
2. Scope and our role (controller vs processor)
‍
2.1 Website and account administration
For our website, marketing, billing administration, and general account management,
SampleServe acts as a controller of personal information we collect for those purposes.
‍
2.2 Customer use of the Services
When an organization (a customer) uses the Services to collect, store, and manage sampling
and field data, that customer typically acts as the controller and SampleServe acts as a
processor/service provider/contractor for that customer. In those cases, requests about
customer controlled content should be directed to the customer administrator, unless the
customer directs you to submit the request to SampleServe.
‍
3. Personal information we collect
We collect the following categories of personal information (terms may overlap across laws):
3.1 Identifiers and contact details
Name, email address, phone number, postal address, organization name, job title, account
identifiers.3.2 Commercial and transaction information
Subscription details, invoices, payment status, billing contacts. Payment card information is
processed by our payment processor. We do not store full card numbers.
3.3 Customer content
Data and files uploaded to the Services, including field records, notes, attachments, photos,
videos, and related metadata, as configured by the customer.
3.4 Internet or network activity
IP address, device identifiers, browser type, operating system, log data, access times, pages
viewed, and interactions with the Services.
3.5 Approximate location and precise geolocation (when enabled)
Approximate location derived from IP address. Precise geolocation only when you enable
device permissions and use location features.
3.6 Support and communications
Messages to support, feedback, and related records.
3.7 Sensitive data
We avoid collecting sensitive data unless required for the Services and configured by the
customer. Precise geolocation is treated as sensitive under many U.S. state privacy laws and
is processed only with opt-in consent where required, and via device permission controls.
(Virginia Law Portal)
‍
4. Sources of personal information
We collect personal information from:
- You directly
- Your device and browser automatically when you use the Services
- Your organization or account administrator (if the Services are provided through an
organization)
- Service providers and integrations you enable (as permitted by your settings)
‍
5. How we use personal information
We use personal information for the purposes below:
5.1 Provide and operate the Services
Account creation, authentication, feature delivery, customer support, service
communications, and contract administration.
5.2 Security and fraud prevention
Monitoring, logging, auditing, misuse detection, and protecting the integrity of the Services.
5.3 Improvement and analytics
Debugging, performance monitoring, product development, and service analytics.5.4 Billing and payments
Invoices, payment processing, and recordkeeping.
5.5 Marketing (where permitted)
Sending product updates or promotional messages. Opt-out is available at any time.
‍
6. GDPR lawful bases (EEA, UK, Switzerland)
Where GDPR applies, we process personal data under the following lawful bases
(depending on context): contract necessity, legal obligation, legitimate interests, and
consent. (GDPR)
- Contract necessity: to provide the Services and support, and to administer accounts.
- Legal obligation: tax, accounting, and compliance obligations.
- Legitimate interests: to secure the Services, prevent fraud, and improve performance,
balanced against your rights.
- Consent: for non-essential cookies and similar technologies in the EU/EEA, and for
sensitive data processing where required.
You can withdraw consent at any time. Withdrawal does not affect prior lawful processing.
‍
7. Cookies, similar technologies, and preference signals
7.1 EU ePrivacy and cookie consent
For users in the EU/EEA, we use a consent banner and cookie preferences tool for non-
essential cookies and similar technologies. Strictly necessary cookies are used to provide and
secure the Services. (EUR-Lex)
7.2 U.S. opt-out preference signals
We honor opt-out preference signals where required. Colorado requires recognition of a valid
Universal Opt Out Mechanism, and the Colorado AG has recognized Global Privacy Control
(GPC) as meeting the standard. (Colorado Attorney General)
7.3 Links
We maintain the following links in the website footer:
- Cookie Preferences
- Privacy Choices (opt-out of targeted advertising where applicable)
- Do Not Sell or Share My Personal Information (see Section 10)
‍
8. How we disclose personal information
We disclose personal information to:
8.1 Service providers (processors, contractors)
Hosting, data storage, security tooling, customer support tooling, analytics providers,
payment processors, and similar vendors. They are contractually restricted to using personal
information only to provide services to SampleServe.8.2 Customer administrators and authorized users
If you use the Services through an organization, authorized users and administrators may
access information associated with the account based on the organization’s settings.
8.3 Integrations at your direction
If you enable integrations, we disclose information as needed to provide the integration.
8.4 Legal and safety disclosures
To comply with law, respond to lawful requests, and protect rights, safety, and the Services.
8.5 Business transfers
In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of
assets, subject to appropriate protections.
‍
9. International data transfers (EEA, UK, Switzerland)
We operate in the United States. If you access the Services from outside the U.S., your
information may be processed in the U.S. and other countries where we or our service
providers operate.
Where GDPR applies and we transfer personal data outside the EEA, we rely on an adequacy
decision or appropriate safeguards such as Standard Contractual Clauses, and provide a copy
upon request where required. (GDPR)
‍
10. U.S. privacy rights (nationwide approach) and state-specific notices
We provide a uniform set of privacy rights and controls to U.S. residents that is designed to
satisfy the common requirements across comprehensive U.S. state privacy laws. As of
January 15, 2026, multiple states have enacted comprehensive consumer privacy laws,
including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky,
Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode
Island, Tennessee, Texas, Utah, and Virginia.
10.1 Rights offered to U.S. residents (where applicable and subject to exceptions)
- Access: confirm processing and obtain a copy of personal data
- Deletion: delete personal data
- Correction: correct inaccurate personal data
- Portability: obtain a portable copy of personal data
- Opt out: opt out of targeted advertising, and opt out of sale of personal data (as
defined by applicable law)
- Opt in consent for sensitive data: we obtain opt-in consent for sensitive data
processing where required, including for precise geolocation
- Non-discrimination: no unlawful discrimination for exercising privacy rights
- Appeal: appeal a denial of a rights request (required under the Virginia model states)
10.2 Do we sell or share personal information
SampleServe does not sell personal information.SampleServe does not share personal information for cross-context behavioral advertising
(targeted advertising) as those terms are defined under California law.
For transparency, we provide a “Do Not Sell or Share My Personal Information” link in the
footer. If our practices change, we will update this Policy and provide the required opt-out
mechanisms.
10.3 Targeted advertising
If we engage in targeted advertising in the future, we will provide:
- A clear opt-out mechanism via the Privacy Choices link
- Recognition of applicable opt-out preference signals (including Colorado UOOM
requirements)
- Required disclosures in this Policy
10.4 Colorado Universal Opt Out Mechanism
We honor Colorado valid Universal Opt Out Mechanisms for opt-out of targeted advertising
and sale where applicable, including GPC as recognized by the Colorado AG. (Colorado
Attorney General)
10.5 Virginia model opt-out and appeal
For states using the Virginia model framework, we provide opt-out for targeted advertising,
sale, and certain profiling, and an appeal process for denied requests. (Virginia Law Portal)
10.6 Maryland and Minnesota provisions addressed in this Policy
- Maryland: we treat minors’ data with heightened protections, including restricting
targeted advertising to minors where required by applicable law. (Cooley)
- Minnesota: we provide a mechanism to question certain profiling outcomes and to
request review where required. (MN Revisor's Office)
10.7 Nevada
Nevada provides an opt-out of sale in certain contexts. Since we do not sell personal
information, this is not applicable, requests can still be submitted as described in Section 12.
11. California Privacy Notice (CCPA as amended by CPRA)
This section applies to California residents.
11.1 Notice at collection
In the last 12 months, we collected the categories listed in Section 3 for the purposes listed in
Section 5.
11.2 Categories disclosed for business purposes
In the last 12 months, we disclosed the categories listed in Section 3 to recipients listed in
Section 8 for business purposes.
11.3 Sensitive personal information
We do not use or disclose sensitive personal information for purposes that trigger aCalifornia right to limit, except as necessary to provide the Services or as otherwise
permitted by law.
11.4 California rights
Subject to exceptions, California residents have the right to:
- Know, access, and data portability
- Delete
- Correct
- Opt out of sale or sharing (we do not sell or share as stated above)
- Limit use and disclosure of sensitive personal information (if applicable)
- Non-discrimination (California Privacy Protection Agency)
‍
12. How to submit privacy requests (U.S., California, and GDPR)
12.1 Request channels
Submit a request using any of the following:
- Webform: https://sampleserve.com/privacy-request
- Email: privacy@sampleserve.com (Subject: Privacy Request)
- Phone: +1 (231) 933-7035
- Mail: Sample Serve, Inc., 12935 SW Bayshore Dr. Suite 200, Traverse City, MI
49684, Attention: Privacy (California.Public.Law)
12.2 What to include
- Full name
- Email address and/or account identifier
- State/country of residence
- Request type (access, delete, correct, portability, opt out)
- Sufficient detail to locate the relevant information
12.3 Identity verification
We verify requests using information associated with your account or relationship with the
Services. If we cannot verify, we may deny the request or request additional information as
permitted by law.
12.4 Timing
We respond within the time required by applicable law. Many U.S. state laws require
response within 45 days with a possible extension when permitted. California provides
similar timelines. (California.Public.Law)
‍
13. Authorized agents (California and other states)
You may use an authorized agent where permitted. We require proof of authorization and
may require verification of your identity directly.
‍
14. Appeals (Virginia model states)
If we deny a request that is subject to an appeal right, you may appeal by emailing
privacy@sampleserve.com with the subject “Privacy Appeal” within 60 days of the denial.We respond to appeals within the timeframe required by applicable law. (Virginia Law
Portal)
‍
15. Data retention
We retain personal information only as long as necessary for the purposes in Section 5,
including:
- Account and billing records: for the duration of the relationship plus the period required
for legal, tax, accounting, and dispute resolution
- Customer content: as directed by the customer contract and settings
- Security logs: for a limited period appropriate for security and operational needs
‍
16. Security
We use reasonable administrative, technical, and physical safeguards designed to protect
personal information. No method of transmission or storage is fully secure.
Security reporting: security@sampleserve.com
‍
17. Children
The Services are not directed to children under 13. We do not knowingly collect personal
information from children under 13. If we learn that we have collected such information, we
delete it.
‍
18. Changes to this Policy
We may update this Policy. We post the updated version and revise the Last Updated date.
February 10, 2026