// privacy

Privacy Policy

Last updated: May 14, 2026

Prometheus Consulting, LLC ("Prometheus Consulting," "we," "us") takes your privacy seriously. This policy explains what we collect when you interact with prometheusconsulting.ai and how we use it. It is written in plain English; if anything is unclear, email us at josh@prometheusconsulting.ai.

1. Who we are

Prometheus Consulting, LLC is a Service Disabled Veteran-Owned consulting practice providing AI consulting, custom software development, workflow automation, and revenue services to businesses globally. Josh Hohenstein is the founder and data controller. Our registered address appears at the bottom of this policy under "Contact."

2. What we collect

We collect the minimum information necessary to respond to your inquiry, schedule a conversation, and do the work you hire us to do. Specifically:

2.1 When you submit the contact form at /lets-talk

  • Your name
  • Your email address
  • Your company name (optional)
  • The type of engagement you're interested in
  • The message you write to us

2.2 When you book a call via Cal.com

We use Cal.com (operated by Cal.com, Inc.) for scheduling. Cal.com receives your name, email, the meeting time you choose, and any additional information you provide on the booking form. Cal.com has its own privacy policy at cal.com/privacy.

2.3 Server logs (operational only)

Our hosting provider (Vercel) records standard request metadata — IP address, user-agent, timestamp, URL requested, response status — for operational and security purposes. Vercel retains these logs for up to 30 days. We do not link these logs to individual visitors and do not use them for marketing or profiling.

3. What we do NOT collect

We do not use cookies on this site. We do not run Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, or any other third-party analytics or behavioral-tracking script. There is no cross-site tracking and no advertising profile.

4. How we use your information

We use the information you submit only to:

  • Respond to your inquiry
  • Schedule a call with you
  • Provide the consulting services you engage us for
  • Send you operational emails related to your engagement (e.g. meeting confirmations, deliverables, invoices)
  • Comply with our legal obligations (tax records, accounting)

We do not send marketing email unless you explicitly subscribe. We do not sell, rent, or trade your information. We do not build advertising audiences from your data.

If you are in the European Union, the United Kingdom, or another jurisdiction that requires us to identify a legal basis for processing personal data under the GDPR or equivalent, we rely on:

  • Legitimate interest — responding to your inquiry and providing the services you ask us to provide
  • Contract — performing under any service agreement we enter into with you or your business
  • Legal obligation — retaining records as required by tax, accounting, and corporate law

6. Sub-processors and third parties

We use the following service providers to operate the site and respond to inquiries. Each is bound by its own privacy policy and security commitments:

  • Vercel, Inc. — site hosting and serverless functions. vercel.com/legal/privacy-policy
  • Fastmail Pty Ltd — receiving and storing the email generated by /lets-talk submissions. fastmail.com/about/privacy
  • Cal.com, Inc. — scheduling. cal.com/privacy
  • Upstash, Inc. (when active) — rate-limiting state for the contact endpoint. Stores only IP-prefixed counter keys; no PII.
  • Sentry (Functional Software, Inc.) (when active) — application error tracking. We configure Sentry to scrub IP addresses and PII from error payloads.

We do not share your data with anyone other than the sub-processors above (and our own employees and contractors who need it to deliver services). We do not sell your data, ever.

7. How long we keep your information

  • Inquiry emails: retained in Josh's inbox indefinitely unless you ask us to delete them. If we have not engaged with you within 12 months, we will archive or delete the thread.
  • Engagement records: retained for 7 years from the end of the engagement, as required by applicable business and tax law.
  • Server logs: 30 days (Vercel).
  • Rate-limit counters: rolling one-hour window (Upstash), then auto-expired.

8. International data transfers

Our business operates from the United States. If you submit data from outside the United States, you understand that your data will be transferred to and processed in the U.S. Our sub-processors operate primarily in the U.S. and EU and implement the European Commission's Standard Contractual Clauses where applicable.

9. Your rights

9.1 GDPR (EU/UK residents)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request erasure of your data (subject to legal retention obligations)
  • Restrict or object to processing
  • Request portability of your data
  • Withdraw any consent you have given (without affecting the lawfulness of prior processing)
  • Lodge a complaint with your local data protection authority

9.2 CCPA / CPRA (California residents)

You have the right to:

  • Know what personal information we collect and how we use it (this policy)
  • Request deletion of your personal information
  • Opt out of the sale or sharing of your personal information — we do not sell or share your information, so there is nothing to opt out of
  • Be free from discrimination for exercising your privacy rights

9.3 How to exercise your rights

Email josh@prometheusconsulting.ai with the subject line "Privacy Request." We will respond within 30 days. We may verify your identity to prevent fraudulent requests.

10. Children

prometheusconsulting.ai is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it.

11. Security

We implement industry-standard security measures including TLS 1.2+ on every connection, HSTS preload, Content-Security-Policy, X-Frame-Options, server-side input validation, rate limiting on the contact endpoint, no client-side storage of personal data, and no third-party cookies. We are a Service Disabled Veteran-Owned Business and maintain operational security practices consistent with that designation.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authorities as required by law within the applicable statutory window (typically 72 hours under the GDPR).

12. Changes to this policy

We may update this policy as our business or the law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via the same email address you provided, if any.

13. How to contact us

For any privacy question, request, or concern, email josh@prometheusconsulting.ai.

Registered service-of-process address: Prometheus Consulting, LLC, 777 N Jefferson St, Ste 408 #832, Milwaukee, WI 53202, United States.