Privacy Policy.

1. Information we collect.

We collect information you provide directly to us — including name, email address, phone number, company affiliation, role, industry vertical, and details about your current technology contracts when you submit an engagement intake form or upload a contract for benchmarking. We also collect basic analytics data about visitors to our site (pages visited, referrers, approximate location, device type) via standard web analytics tools.

We use a third-party visitor-identification service (RB2B or similar) that may identify the company a visitor is browsing from based on reverse-IP lookup of US-based visitors. This service identifies the visiting company only, not the specific individual.

2. How we use information.

Information you submit is used to provide the engagement you've requested (benchmark, shortlist, sourcing engagement), to communicate with you about our research and engagement updates, to improve The Cardinal Index, and to comply with applicable legal obligations. Information submitted through the contract benchmark intake is used only for the purpose of producing the benchmark you requested.

3. What we do not do.

We do not sell your personal information. We do not share your contract details with technology suppliers without your explicit permission. We do not provide your contact information to third-party advertisers. We do not retain uploaded contracts longer than necessary to produce the deliverable you requested.

4. Third-party services we use.

The Cardinal Source uses a small set of third-party services to operate the site and the engagement process. We disclose each below and what we use it for.

• PostHog — product analytics. We use PostHog (posthog.com) to track aggregate site usage, form submissions, and feature engagement so we can improve the site and our research. PostHog is loaded from us.i.posthog.com. When you submit a form that includes an email, that email is associated with your PostHog visitor record so we can attribute engagement to a known buyer. PostHog respects the cookie consent choice you make on this site — declining consent disables event capture. You can also opt out at the browser level via Do Not Track or by blocking the PostHog domain in your browser's privacy settings.
• LeadPipe — visitor company identification. We use LeadPipe (loaded from leadpipe.aws53.cloud) to identify the company a visitor is browsing from based on reverse-IP lookup of US-based visitors. This service identifies the visiting company only, not the specific individual. You can opt out by blocking the LeadPipe domain in your browser's privacy settings.
• Formspree — form delivery. Forms on this site (benchmark intake, contact, newsletter, engagement) submit to Formspree (formspree.io), which delivers the submission to our internal inbox. Formspree retains the submission record for delivery and abuse-prevention purposes per their privacy policy.
• Google Fonts — site typography. We load typefaces (Newsreader, Inter Tight, JetBrains Mono, Cormorant) from Google Fonts (fonts.google.com). Google may log the request IP for the purpose of serving the font file.

If you would like to use the site with all third-party services blocked, the recommended approach is a privacy-focused browser (Brave, Firefox with strict tracking protection) combined with an ad/tracker blocker. The site remains usable with these services blocked; analytics events will not fire and visitor-company identification will not run.

5. Cookies and similar technologies.

We use cookies and similar technologies for analytics, to remember your color-mode preference, and to operate the site. You can disable cookies in your browser settings; some site features may not function as expected if you do.

6. Email and newsletter.

If you subscribe to our research newsletter, your email address is stored in our email service provider's systems for the purpose of sending you monthly research updates. You can unsubscribe at any time using the unsubscribe link in any email. Unsubscribing removes you from all future marketing communications.

7. How long we retain information.

Engagement-related information is retained for the duration of the engagement plus a reasonable period thereafter (typically three years) to comply with legal and tax obligations. Marketing list subscriptions are retained until you unsubscribe. Uploaded contracts submitted via the Tier 1 benchmark are deleted after the benchmark is delivered, unless you engage us for a Tier 2 or Tier 3 engagement.

8. Your rights.

You have the right to request access to the personal information we hold about you, to request correction or deletion of that information, and to object to certain uses of it. Email our contact form with any such request. We respond to all valid requests within 30 days.

9. Changes to this policy.

We may update this policy from time to time. Material changes will be reflected in the "last updated" date above. Continued use of the site after a policy change constitutes acceptance of the revised policy.

10. Contact.

Questions about this privacy policy can be sent via our contact form.

This privacy policy is provided for informational purposes. It does not constitute legal advice. The Cardinal Source recommends consulting a qualified attorney for specific privacy or compliance questions.