Privacy Policy
Last updated:
Important: This Privacy Policy describes our practices in plain language. It is not personal legal advice. Capitalized terms not defined here have the meanings given to them in our Terms of Service or in any applicable order form or master subscription agreement entered into with us.
Masthead CMS currently provides services to United States–based customers. This policy is written primarily for visitors and customers in the United States.
Contents
- At a glance
- Who we are
- Scope of this policy
- Our role: controller and processor
- Information we collect
- Sources of information
- How we use information
- Cookies and similar technologies
- How we disclose information
- “Sale,” “sharing,” and targeted advertising
- Service providers and subprocessors
- International data transfers
- Retention
- Security
- Your privacy rights
- United States — state-specific notices
- California residents
- Children
- Automated decision-making
- Third-party links and services
- Changes to this policy
- Contact us
At a glance
This summary highlights key points; it does not replace the full policy.
- We operate Masthead CMS, a publishing platform for news organizations and similar customers.
- We act as a controller for data about our website visitors, prospects, and customer-account contacts; we typically act as a processor for data inside our customers’ Masthead instances (their articles, subscriber lists, comments, analytics, and similar).
- We do not sell personal information for monetary consideration. We describe our use of advertising and analytics technologies, and your choices, below.
- We use cookies and similar technologies for functionality, security, analytics, and marketing.
- You can exercise privacy rights by emailing privacy@mastheadcms.com. If you are an end user of a publisher that uses Masthead, please contact that publisher first; they typically control your data.
Who we are
Masthead CMS is a publishing platform and related product offering operated by HarborByte (“HarborByte,” “we,” “us,” or “our”). Our public website is available at mastheadcms.com.
Mailing address:
HarborByte
2501 Chatham Rd Ste R
Springfield, IL 62704
United States
Phone: (312) 870-0177
For privacy requests and questions about this policy, contact privacy@mastheadcms.com. For general product support, contact support@mastheadcms.com. To report suspected abuse of our services, contact abuse@mastheadcms.com.
Scope of this policy
This Privacy Policy describes how we collect, use, disclose, and otherwise process personal information in connection with:
- Marketing website. Visitors to mastheadcms.com and related promotional pages.
- Sales and inquiries. Information you submit through contact forms, demo requests, email correspondence, events, or similar channels.
- Customer dashboard and authentication. Accounts and sessions for Masthead-hosted portal experiences (for example, tenant-specific dashboard URLs on masthead.cloud subdomains).
- Masthead CMS services. Cloud-hosted or composed Masthead CMS implementations we operate for customers, including editorial tooling, APIs, webhooks, content delivery infrastructure, digital asset management, and related support.
This policy does not govern the practices of our customers (for example, news publishers using Masthead to operate their own websites). When you read an article, subscribe to a newsletter, or post a comment on a publisher’s site that runs on Masthead, that publisher’s privacy notice — not ours — usually applies to your personal information. Please contact the relevant publisher directly to exercise rights with respect to their content and audience data.
Our role: controller and processor
We process personal information in two distinct roles, depending on context:
- As a controller (or “business” under California law). We determine the purposes and means of processing for: visitors to our marketing website; prospects and customer-account contacts; users of our customer dashboard; recipients of our marketing communications; and personnel who access our internal systems. This Privacy Policy primarily addresses processing in this controller capacity.
- As a processor (or “service provider” / “contractor” under California law). Our customers may upload or generate articles, images, video, audio, asset metadata, subscriber lists, comments, audience analytics, and other materials through Masthead CMS (“Customer Content”). When we process Customer Content to provide services on a customer’s instructions, we act as a processor on that customer’s behalf, and the customer’s own privacy notice generally governs personal information inside Customer Content.
Where we act as a processor, our processing is governed by our agreement with the relevant customer. Determinations about controller versus processor roles can be fact-specific; your agreement with us may further describe roles, instructions, sub-processing, security measures, breach notification, and assistance with privacy requests.
If you are an individual whose personal information appears within Customer Content (for example, you are a subscriber, commenter, or reader of a publisher who uses Masthead), and you wish to exercise privacy rights regarding that information, please contact the publisher directly. We will refer your request to them, or, where required by law, assist them in responding.
Information we collect
The categories below are illustrative. Not every category applies to every visitor or customer.
- Identifiers and contact details. Name, email address, phone number, job title, organization name, mailing address (if provided), and similar contact fields.
- Account and authentication data. Login identifiers, credentials or password hashes as implemented by our authentication layer, multi-factor authentication tokens or recovery codes, session tokens, security logs, audit logs, and tenant or organization identifiers.
- Commercial information. Purchase history, order details, subscription status, plan tier, billing-related records, and limited payment metadata. Full payment-card details are handled by our payment processors and are not stored by us in the ordinary course.
- Internet and technical data. IP address, approximate location derived from IP, user agent, device type, operating system, browser type, language preferences, referring URLs, pages viewed, search queries within our site, timestamps, request and response metadata, error and diagnostic data, and similar telemetry from websites or APIs.
- Audio, electronic, visual, or similar information. For example, screenshots or session recordings collected by analytics tools where enabled, attachments included in support tickets, profile images, and any voice or video content you submit through support or sales channels.
- Professional or employment information. Information about your role, employer, and professional interests submitted through forms, on calls, or at events.
- Marketing and communications data. Email open and click events, campaign engagement, event attendance, content downloads, communication preferences, and unsubscribe status.
- Inferences. Limited inferences drawn from usage or interactions for security, fraud prevention, product improvement, customer success, and marketing segmentation.
We do not intentionally collect categories of personal information considered “sensitive” under applicable law (such as government-issued identifiers, precise geolocation, account credentials for non-Masthead accounts, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic or biometric data, health data, or data concerning a person’s sex life or sexual orientation) through our marketing website or sales operations in the ordinary course. If such information is submitted voluntarily — for example, in a free-text message — we use it only as described in this policy and applicable law, and do not use or disclose it for purposes other than those permitted under California Civil Code §1798.121 and equivalent state law.
Where we act as a processor of Customer Content, the categories of personal information processed are determined by our customers and may be broader. Those categories are described in the relevant customer agreement.
Sources of information
- Directly from you when you fill out forms, create an account, communicate with us, attend events, or use our services.
- Automatically through cookies, pixels, server logs, software development kits, and similar technologies when you use our sites or software.
- From integrations such as CRM, marketing automation, advertising, or analytics providers when you interact with our campaigns or our partners.
- From customers or their authorized users when they configure tenants, invite users, upload Customer Content, or integrate third-party systems.
- From vendors or partners in limited circumstances (for example, conference lead lists where permitted, business-information providers, and fraud-prevention services).
- From publicly available sources such as professional networking sites, company websites, and public registries, in connection with sales prospecting where permitted by law.
How we use information
We use personal information for the purposes below, subject to applicable law:
- Provide, operate, maintain, secure, debug, and improve Masthead CMS, our APIs, and related websites.
- Create and administer accounts; authenticate users; manage entitlements; detect and prevent fraud, abuse, and security incidents.
- Process transactions; invoice and collect fees; manage taxes; maintain financial records; handle disputes and chargebacks.
- Provide customer support, account management, onboarding, and respond to inquiries.
- Send service-related communications (such as security alerts, billing notices, policy updates, and operational notifications).
- Send marketing communications where permitted (you may opt out at any time as described in any message footer or by contacting us).
- Measure traffic, campaigns, and product engagement using analytics tools; conduct research and development to improve our offerings.
- Personalize content where appropriate; remember your preferences across sessions.
- Comply with legal obligations and respond to lawful requests from public authorities; enforce our terms; pursue or defend legal claims.
- Protect rights, privacy, safety, and property of HarborByte, our customers, and the public.
- Carry out corporate transactions such as financing, audit, due diligence, merger, acquisition, reorganization, or asset sale.
- Aggregate or de-identify personal information so that it can no longer reasonably be associated with a specific individual, and use such aggregated or de-identified data for any lawful purpose, consistent with applicable law.
We will not use personal information for materially different, unrelated, or incompatible purposes without first providing notice or, where required, obtaining your consent.
Cookies and similar technologies
We and our service providers use cookies, local storage, pixels, software development kits, server logs, and similar technologies (collectively, “cookies”) on our websites and within parts of our services. Cookies generally fall into the following categories:
- Strictly necessary — required to operate our sites and services, authenticate users, maintain sessions, balance load, and protect against abuse. These cannot be turned off through cookie controls.
- Functional / preferences — remember settings such as language, region, or accessibility options.
- Performance / analytics — measure how visitors and users interact with our sites and services so we can improve them. Examples include Google Analytics (GA4 / gtag.js), Microsoft Clarity (session analytics and heatmaps), and PostHog (product analytics, where configured).
- Marketing / targeting — track engagement with our campaigns and help us tailor advertising. Examples include HubSpot tracking (marketing automation, forms, and related tracking) and similar tools where enabled.
Where required by law, we will obtain your consent before setting non-essential cookies through a cookie banner or equivalent mechanism. You can withdraw consent or change your preferences at any time using our cookie settings (where displayed) or your browser controls.
Browser signals. Where applicable law requires, we honor recognized opt-out preference signals such as the Global Privacy Control (GPC) for visitors to our marketing website, treating them as a request to opt out of “sale” or “sharing” of personal information for cross-context behavioral advertising. On mastheadcms.com we respond both to the JavaScript property navigator.globalPrivacyControl and to the Sec-GPC HTTP request header when present on applicable page loads, and we avoid loading optional analytics and marketing tags such as Google Analytics (gtag.js), Microsoft Clarity, PostHog, and HubSpot while that signal is honored. Because there is currently no industry-standard response to “Do Not Track” (DNT) signals, we do not respond to DNT signals separately.
Disabling cookies may affect site functionality. Most browsers also allow you to delete or block cookies through their settings. For more about cookies, see allaboutcookies.org.
How we disclose information
We disclose personal information in the following circumstances:
- Service providers and subprocessors that assist us with hosting, content delivery, storage, analytics, communications, customer support, authentication, security, payments, billing, accounting, advertising, and similar functions, subject to written contracts with appropriate confidentiality, security, and use-restriction obligations.
- Customers, where you use Masthead CMS as an authorized user of an organization; disclosures within or between authorized users are an expected feature of multi-user collaboration tools.
- Professional advisers such as lawyers, auditors, accountants, insurers, bankers, and similar advisers under confidentiality obligations.
- Corporate transactions such as a financing, merger, acquisition, reorganization, bankruptcy, receivership, or asset sale, subject to appropriate protections; we will provide notice as required by law.
- Authorities and others when we believe in good faith that disclosure is necessary to (i) comply with applicable law, regulation, legal process, subpoena, or governmental request; (ii) enforce our agreements, including investigation of potential violations; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; or (iv) protect against harm to the rights, property, or safety of HarborByte, our users, our customers, or the public.
- With your direction or consent, including when you ask us to share information with a third party.
We do not disclose personal information for purposes that are materially incompatible with the purposes for which it was originally collected or otherwise authorized by you.
“Sale,” “sharing,” and targeted advertising
Different US state laws define “sale,” “share,” and “targeted advertising” in different ways. We do not sell personal information for monetary consideration, and we do not knowingly process personal information of consumers we know to be under 16 for the purpose of selling or sharing.
Some advertising and analytics technologies on our marketing website (for example, Google Analytics, the HubSpot tracking script, and similar tools) may, depending on configuration and your jurisdiction, qualify as a “sale,” “share,” or use of personal information for “targeted advertising” or “cross-context behavioral advertising” under California, Colorado, Connecticut, or other US state privacy laws. To the extent any such activities occur, you may opt out as described in United States — state-specific notices and the Cookies and similar technologies section, including by submitting a Global Privacy Control signal where supported.
Service providers and subprocessors
We rely on a range of service providers and subprocessors to help us operate our websites and services. The table below identifies the key vendors whose technologies are most likely to be visible to website visitors or to handle significant volumes of personal information. It is not a complete list of every vendor we use.
| Provider | Role | Privacy / trust center |
|---|---|---|
| Cloudflare | Hosting, CDN, security, edge compute, DNS, object storage | Cloudflare privacy policy |
| Amazon Web Services (AWS) | Cloud infrastructure, storage, and related services (including transactional email delivery) | AWS privacy notice |
| Stripe | Payment processing where applicable | Stripe privacy center |
| Google (Analytics) | Website measurement and analytics (GA4 / Google tag / gtag.js) on mastheadcms.com where enabled | Google Privacy Policy |
| HubSpot | CRM, forms, marketing automation, customer communications | HubSpot privacy policy |
| Microsoft (Clarity) | Session analytics on mastheadcms.com where enabled | Microsoft privacy statement |
| PostHog | Product analytics on mastheadcms.com where configured | PostHog privacy |
In addition to the vendors above, we use other service providers for categories of activity such as authentication, transactional email, application performance monitoring and observability, error reporting, file and object storage, backup, and similar back-end functions. These vendors are bound by written contracts that limit their use of personal information to the services they provide to us.
Customers can request a current list of the subprocessors that handle their Customer Content by contacting privacy@mastheadcms.com. We may add, remove, or change subprocessors as our operations evolve and will update this policy and notify customers as required by contract or applicable law.
International data transfers
HarborByte is headquartered in the United States, and personal information collected through our websites and services is generally processed in the United States. Some of our service providers operate global infrastructure (for example, content delivery networks with edge nodes in multiple countries), so personal information may be routed through, or temporarily processed in, jurisdictions outside the United States. We take reasonable steps designed to protect personal information consistent with this policy and applicable law regardless of where it is processed.
Retention
We retain personal information only for as long as is reasonably necessary to fulfill the purposes for which it was collected — including providing our services, complying with our legal, accounting, or reporting obligations, resolving disputes, and enforcing our agreements — and otherwise consistent with applicable law. The criteria we use to determine retention periods include:
- The duration of our relationship with you or your organization, including any active subscription, account, or trial;
- Whether there is a legal obligation to retain the information (for example, tax, accounting, or e-commerce record-keeping);
- Whether retention is advisable in light of our legal position (for example, statutes of limitations, ongoing or anticipated litigation, regulatory investigations, or governmental requests); and
- The nature and sensitivity of the information and the potential risks of unauthorized use or disclosure.
The following table reflects our typical retention practices for the controller-side processing described in this policy. Customer-instructed retention of Customer Content is governed by the customer agreement and may differ.
| Category | Typical retention |
|---|---|
| Account, authentication, and tenant data | For the duration of the account, plus a reasonable wind-down period after termination (typically up to 90 days for active data and up to 12 months for backups), then deletion or de-identification, subject to legal-hold requirements. |
| Billing, invoicing, and tax records | Generally up to 7 years from the date of the relevant transaction, or longer where required by tax or accounting law. |
| Sales, prospect, and CRM records | For as long as there is an active or reasonably anticipated business relationship, plus a limited residual retention period; suppression lists for marketing opt-outs are retained indefinitely as required to honor your choice. |
| Marketing engagement and communications data | For as long as you remain subscribed, plus a limited period for analytics and compliance. |
| Support communications and tickets | Generally up to 3 years from closure of the ticket, or longer where required for ongoing matters or legal obligations. |
| Server, security, and audit logs | Operational logs are typically retained for up to 90 days; security and audit logs may be retained for up to 24 months for fraud prevention, incident response, and compliance. |
| Cookies and similar technologies | Per the duration disclosed in our cookie settings (where displayed) or your browser, typically ranging from session-length to 24 months. |
| Customer Content (when we act as processor) | As specified in the customer agreement. After termination, we will delete or return Customer Content within the time period specified, subject to backup-rotation schedules and legal obligations. |
When we no longer need personal information, we delete it, anonymize it, or take steps to put it beyond use, in each case in accordance with applicable law.
Security
We maintain administrative, technical, and organizational measures designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include, as applicable: encryption of data in transit and at rest using industry-standard protocols; role-based access controls and the principle of least privilege; multi-factor authentication for administrative access; logging and monitoring; vulnerability and patch management; secure software development practices; vendor security reviews; and incident response procedures.
No method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorized access. To report a suspected security issue, contact abuse@mastheadcms.com. Where required by applicable law or contract, we will notify affected individuals or customers of a data breach within the timelines required.
Your privacy rights
Depending on where you live and the nature of our relationship with you, you may have rights under applicable privacy law to:
- Confirm whether we process personal information about you, and access a copy of that information;
- Correct inaccurate or incomplete personal information;
- Delete personal information we hold about you;
- Receive personal information you provided to us in a portable, structured, and machine-readable format;
- Opt out of the sale or sharing of personal information, targeted advertising, and certain profiling activities;
- Limit the use or disclosure of sensitive personal information to specified purposes;
- Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing;
- Designate an authorized agent to submit requests on your behalf, where permitted; and
- Appeal a denial of a privacy request, where applicable law provides such a right.
How to exercise rights. Email privacy@mastheadcms.com. To protect your information, we may need to verify your identity before responding, which may require us to request additional information sufficient to confirm your identity to a reasonable degree. We will respond within the timeframes required by applicable law (generally, 45 days under California law, with one possible 45-day extension where reasonably necessary).
Authorized agents. You may authorize another person to submit a request on your behalf. We may require the agent to provide written authorization signed by you and may require you to verify your identity directly with us, except as otherwise required by law.
No retaliation. We will not discriminate or retaliate against you for exercising your privacy rights. We may decline a request, or charge a reasonable fee, where permitted by law (for example, where a request is manifestly unfounded, excessive, or repetitive).
Appeals. If we deny your request and applicable law provides a right to appeal, our response will explain how to appeal. You may also have the right to contact your state attorney general or another regulator.
End users of customers. If you are an individual whose personal information appears in Customer Content (for example, you are a subscriber of a publisher that uses Masthead), please direct privacy requests to that publisher. If you contact us, we will refer your request to the relevant customer or assist them in responding.
United States — state-specific notices
Several US states have enacted comprehensive consumer privacy laws, including (without limitation) California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island, and (to a more limited extent) Florida. If you are a resident of a state with a comprehensive privacy law, you may have rights described in Your privacy rights, subject to that state’s thresholds, exceptions, and definitions. Specific requirements vary, but generally include rights to access, correct, delete, obtain a portable copy of, and opt out of the sale or sharing of personal data, targeted advertising, and (in some states) certain forms of profiling.
How to opt out of targeted advertising or “sale”/“sharing.” You may submit a request by emailing privacy@mastheadcms.com, by using any opt-out controls offered in our cookie settings (where displayed), or by sending a Global Privacy Control (GPC) or other recognized universal opt-out signal from your browser. We will treat valid universal opt-out signals as a request to opt out of sale or sharing for the browser or device transmitting the signal, where required by law.
Sensitive data. We do not process “sensitive data” (as defined under applicable state laws) for purposes that would require opt-in consent in the ordinary course of operating our marketing website and customer-facing systems. Where consent is required, we will obtain it before processing.
Appeals. Several state laws (including those of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and others) require that we provide an appeal process if we decline a privacy request. If we decline a request you submit, our response will describe how to appeal. If you are dissatisfied with the result of an appeal, you may contact your state attorney general or other regulatory authority.
Nevada residents. Nevada law (Chapter 603A) provides Nevada residents with a right to opt out of the sale of certain covered personal information. We do not currently sell covered personal information as defined under Nevada law. To submit a request relating to Nevada law, contact privacy@mastheadcms.com.
California residents
This section provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”).
Categories of personal information we collect, sources, purposes, and disclosures. In the preceding 12 months, we have collected the following categories of personal information identified in Cal. Civ. Code §1798.140, sourced and used as described in Sources of information and How we use information, and disclosed for business purposes to the categories of recipients identified in How we disclose information and Service providers and subprocessors:
- Identifiers (such as name, email address, IP address, and account identifiers).
- Customer records information described in Cal. Civ. Code §1798.80(e) (such as contact and billing information).
- Commercial information (such as products or services purchased and transaction history).
- Internet or other electronic network activity information (such as browsing and interaction data).
- Geolocation data (approximate location derived from IP address).
- Audio, electronic, visual, or similar information (such as session recordings and support attachments where applicable).
- Professional or employment-related information.
- Inferences drawn from the categories above.
We do not collect or use “sensitive personal information” as defined by the CCPA for purposes other than those permitted under Cal. Civ. Code §1798.121 (including, for example, providing the services requested, security, fraud prevention, and resisting malicious or deceptive actions).
“Sale” and “sharing.” We do not sell personal information for monetary consideration. As described in “Sale,” “sharing,” and targeted advertising, certain advertising and analytics technologies on our marketing website may, depending on configuration, qualify as a “sale” or “share” of personal information under the CCPA. You may opt out by emailing privacy@mastheadcms.com, by using opt-out controls in our cookie settings (where displayed), or by sending a Global Privacy Control signal. We do not knowingly sell or share personal information of California residents under the age of 16.
Retention. The retention criteria and typical retention periods for each category of personal information are described in Retention.
Your CCPA rights. Subject to verification and exceptions, California residents may request to:
- Know the categories and specific pieces of personal information we have collected, the categories of sources, the purposes for collection, the categories of recipients, and the categories of personal information sold or shared (the “right to know”);
- Delete personal information we have collected from you;
- Correct inaccurate personal information we maintain about you;
- Opt out of the sale or sharing of personal information;
- Limit the use and disclosure of sensitive personal information to those uses permitted by law; and
- Not be subject to retaliation for exercising your CCPA rights.
You may submit requests by emailing privacy@mastheadcms.com. We may need to verify your identity before responding, generally by matching information you provide with information we already maintain. You may also designate an authorized agent in writing to submit a request on your behalf; we may require the agent to provide proof of authorization and may require you to verify your identity directly with us where permitted by law. We will respond as required by the CCPA, generally within 45 days, with one possible 45-day extension.
“Shine the Light.” California Civil Code §1798.83 permits California residents to request information regarding our disclosures of personal information to third parties for those third parties’ direct marketing purposes. We do not currently disclose personal information to third parties for their direct marketing purposes; if this changes, we will update this policy.
Notice of financial incentive. We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.
Children
Masthead CMS is intended for businesses and adult professionals. Our services are not directed to children. We do not knowingly collect personal information from children under the age of 13 in violation of the US Children’s Online Privacy Protection Act (“COPPA”), and we do not knowingly sell or share the personal information of consumers under the age of 16 as those terms are used under the CCPA. If you are a parent or guardian and believe we have collected personal information from a child without appropriate consent, please contact privacy@mastheadcms.com and we will take reasonable steps to delete it.
Automated decision-making
We do not use solely automated decision-making — including profiling — that produces legal or similarly significant effects concerning individuals in the ordinary operation of our marketing website or customer-account systems. Where we introduce features that involve such processing, we will provide additional notice, and where required by law, an opportunity to opt out, obtain human review, or otherwise exercise your rights.
Third-party links and services
Our websites and services may contain links to third-party websites, plug-ins, applications, or services that we do not operate or control. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy notices of any third-party site or service you visit before providing personal information.
Changes to this policy
We may update this Privacy Policy from time to time. When we make changes, we will revise the “Last updated” date at the top of this page and, if the changes are material, take additional steps required by applicable law or contract — for example, providing notice through our website, by email, or in-product, and (where required) obtaining consent before applying the changes to your personal information.
Contact us
- Privacy inquiries & rights: privacy@mastheadcms.com
- Product support: support@mastheadcms.com
- Suspected abuse or security issues: abuse@mastheadcms.com
- Mail: HarborByte, 2501 Chatham Rd Ste R, Springfield, IL 62704, United States