Legal / Privacy
Privacy Policy
Last updated: January 2, 2026
This Privacy Policy explains how The ARC Method ("ARC," "we," "us," or "our") collects, uses, discloses, and safeguards information when you visit our website, book a call, engage us as a consulting client, or use our GoHighLevel CRM management services delivered through our agency branch, ARC Revenue Systems (a certified GoHighLevel agency partner).
By using our site or services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
1. Who We Are
The ARC Method is a business operations consultancy owned and operated by Taylor Rose. Our GoHighLevel CRM agency branch resells, configures, and administers HighLevel (GoHighLevel) sub-accounts and related automations on behalf of our clients. When we operate a HighLevel sub-account for you, we act as a data processor for the personal information flowing through your CRM, and you remain the data controller of your customers' data.
Contact: tm.socialbranding@gmail.com · arcmethod.ca
2. Information We Collect
We collect information in three ways:
a) Information you give us directly — name, email, phone number, business name, website, role, and any details you share when you book a call, submit a form, complete the Culture Audit, sign a proposal, or communicate with us over email, SMS, or Zoom.
b) Information we collect automatically — IP address, browser type and version, device identifiers, referring URLs, pages viewed, and timestamps, collected through cookies, pixels, and analytics tools (see Section 7).
c) Client CRM data (agency services) — when you engage our GoHighLevel agency, we process the contacts, leads, conversations (SMS, email, voice, chat), pipeline records, calendar bookings, payment records, call recordings, forms, surveys, membership data, and workflow logs that live inside your HighLevel sub-account. This data belongs to you.
3. How We Use Information
- Deliver, maintain, and improve our consulting and CRM services.
- Respond to inquiries, schedule and conduct calls, and issue proposals or invoices.
- Configure, automate, and optimize your GoHighLevel sub-account and integrations.
- Send service-related communications (onboarding, changes, security notices).
- Send marketing communications where you have opted in — you can unsubscribe anytime.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with our legal, tax, and regulatory obligations.
We do not sell your personal information, and we do not use client CRM data to train third-party AI models.
4. GoHighLevel CRM Agency Services
When ARC Revenue Systems provisions a HighLevel sub-account for you, HighLevel LLC is a sub-processor of your data. HighLevel's own privacy and security terms apply in addition to this policy — see gohighlevel.com/privacy-policy.
Our commitments as your agency:
- We access your sub-account only to perform the services you have engaged us for (build-out, automation, optimization, support, or ongoing management).
- Access is limited to authorized ARC team members under written confidentiality obligations, using individual named logins with strong passwords and two-factor authentication (2FA) enforced.
- We follow the principle of least privilege — team members are granted the minimum role required for their task, and access is revoked promptly when the engagement or role ends.
- We never sell, rent, or share your contacts, conversations, or pipeline data with third parties, and we do not use them for our own marketing.
- On written request, or within 30 days of the end of our engagement, we will remove our team's access and — at your option — export your data or transfer ownership of the sub-account to you.
- A written Data Processing Addendum (DPA) is available on request for clients subject to GDPR, UK GDPR, PIPEDA, CCPA/CPRA, or similar regimes.
Messaging compliance (A2P 10DLC, CAN-SPAM, CASL, TCPA): You are responsible for obtaining lawful consent from every contact you upload or message through your sub-account, honoring opt-outs (STOP, UNSUBSCRIBE), and ensuring all campaigns comply with applicable telecom, email, and anti-spam laws. We configure systems to support compliance but cannot warrant the legality of your specific campaigns or lists.
5. Service Providers and Sub-processors
We rely on vetted third parties to run our business and deliver services. Each is bound by contract to protect your information and to use it only for the purposes we authorize. Current sub-processors include:
- HighLevel LLC (GoHighLevel) — CRM, automation, messaging, calendars, payments.
- Stripe — payment processing.
- Google Workspace — email, documents, calendars.
- Zoom — video calls and, where you consent, call recording and transcription.
- Cloudflare / Lovable Cloud — website hosting, CDN, and edge security.
- Twilio, Mailgun, LeadConnector — SMS, voice, and email delivery inside HighLevel.
- OpenAI / Anthropic / Google AI — AI features you enable inside your CRM or workflows (input is not used to train the providers' foundation models under our enterprise terms).
An up-to-date list is available on request.
6. Security Safeguards
We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction:
- Encryption in transit (TLS 1.2+) for all traffic to our site, CRM, and integrations.
- Encryption at rest for data stored with our hosting and CRM sub-processors.
- Two-factor authentication (2FA) enforced on all ARC team accounts.
- Role-based access control and least-privilege permissions.
- Unique, strong, credential-manager-generated passwords; no shared logins.
- Prompt access revocation on role change or offboarding.
- Written confidentiality agreements with all contractors and employees.
- Regular review of sub-processor security posture and DPAs.
- Segregation of client sub-accounts — no cross-client data mixing.
- Secure device standards (disk encryption, screen lock, current OS).
- Documented incident response process (see Section 10).
No method of transmission or storage is 100% secure. While we work hard to protect your information, we cannot guarantee absolute security.
8. Data Retention
We retain personal information only for as long as necessary to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Prospect and marketing records are retained for up to 24 months after last contact unless you ask us to delete them sooner. Client engagement records (contracts, invoices) are retained for the period required by applicable tax and corporate law (typically 6–7 years). CRM data inside your sub-account is retained per your instructions.
9. Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Request deletion of your information (subject to legal retention obligations).
- Withdraw consent or object to certain processing.
- Request a portable copy of your information.
- Lodge a complaint with your local data protection authority.
To exercise any right, email tm.socialbranding@gmail.com. We will respond within 30 days. If you are a customer of one of our clients, please contact that business directly — we will support them in fulfilling your request.
10. Incident and Breach Notification
If we become aware of a security incident that affects your personal information or your CRM data, we will notify you without undue delay and, where required by law, within 72 hours of confirmation. Notifications will describe what happened, what data was involved, what we are doing about it, and steps you can take.
11. International Data Transfers
We are based in Canada, and our sub-processors may store or process information in the United States and other countries. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.
12. Children's Privacy
Our services are intended for business owners and are not directed to children under 16. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with a revised "Last updated" date and, where appropriate, communicated by email.
14. Contact Us
Questions about this policy or our data practices?
The ARC Method
Email: tm.socialbranding@gmail.com
Web: arcmethod.ca
