Compliance & Privacy

Built for compliance.
Not bolted on after.

Kopimore is designed from the ground up to work within US privacy law. We help you identify and reach potential customers while respecting every consumer's rights.

CCPA Compliant
CAN-SPAM Aligned
TCPA Safe Harbor
GDPR Aware
Consumer Opt-Out Available

The data flow, explained

Every step of how visitor identity data is collected, matched, and delivered — and where your obligations apply.

Visitor arrives

A user visits your website. Our pixel fires and collects standard browser signals — no personal data yet.

Identity match

Signals are matched against our licensed first-party data graph of opted-in US consumers.

Lead delivered

Matched records — name, email, phone — are delivered to your dashboard or CRM in real time.

You reach out

You contact the lead using your own platform. CAN-SPAM and TCPA obligations now rest with you as the sender.

What the law says — and how we comply

CCPA — California Consumer Privacy Act

Governs how personal information of California residents may be collected, used, and shared.

Compliant

What CCPA requires

  • Consumers have the right to know what personal data is collected about them
  • Consumers may request deletion of their data
  • Consumers may opt out of the "sale" of their personal information
  • Businesses must disclose data practices in a Privacy Policy

How Kopimore complies

  • We honor opt-out requests within 15 business days
  • Our data graph is sourced from opt-in consumer interactions
  • We maintain a publicly accessible Do Not Sell/Share request form
  • Clients receive a Data Processing Addendum (DPA) on request

Your responsibilities as a Kopimore client

When you use Kopimore to identify website visitors, you become a "business" under CCPA. You must update your Privacy Policy to disclose your use of visitor identification technology, provide a clear "Do Not Sell or Share My Personal Information" link, and honor any consumer requests for access or deletion that are forwarded to you. We make this easy — our platform includes template disclosures and a forwarding mechanism for consumer requests.

CAN-SPAM Act

Establishes requirements for commercial email and gives recipients the right to opt out.

Aligned

Key requirements

  • No false or misleading header information
  • No deceptive subject lines
  • Must identify the message as an advertisement
  • Must include a valid physical postal address
  • Must honor opt-out requests within 10 business days

How this applies to Kopimore leads

  • Kopimore provides contact data — you are the sender of record
  • All outreach emails you send must include an unsubscribe mechanism
  • You must include your physical address in every commercial email
  • We recommend a warm, relevant first email rather than mass blasts

TCPA — Telephone Consumer Protection Act

Restricts telemarketing calls, auto-dialed calls, and text messages sent to mobile phones.

Safe Harbor Guidance

TCPA basics

  • Prior express written consent required for auto-dialed or prerecorded calls to mobile phones
  • Do-Not-Call registry must be honored
  • Violations can result in $500–$1,500 per call or text
  • Consent must be obtained before sending marketing SMS

Our guidance for clients

  • Use identified leads for manual outreach — not autodialers
  • Always check numbers against the National Do Not Call Registry
  • If sending SMS, obtain explicit prior written consent first
  • We provide TCPA compliance documentation on request

Important TCPA note

Kopimore identifies leads — it does not create TCPA consent on your behalf. Phone numbers delivered through our platform should be used for manual outreach only unless you have independently obtained proper written consent. We strongly recommend consulting legal counsel before running any automated SMS or robocall campaigns.

GDPR — General Data Protection Regulation

EU regulation governing the processing of personal data of EU/EEA residents.

EU-Scoped

Kopimore's scope

Kopimore's identity resolution service is built exclusively on US-sourced data and is intended for identifying US-based website visitors. Our data graph does not include EU/EEA resident records. If your website receives significant EU traffic, you should implement geo-based pixel suppression for EU visitors.

If you have EU visitors

  • Configure your Kopimore pixel to fire only for US traffic
  • Use IP-geolocation to suppress tracking for EU/EEA users
  • Consult your DPO before deploying in EU-heavy contexts
  • We can provide technical suppression guidance on request

How we handle your data

Encryption at rest & in transit

All data is encrypted with AES-256 at rest and transmitted over TLS 1.3. We never store raw match signals longer than necessary for delivery.

Data retention limits

Lead records in your dashboard are retained for 12 months by default. You can adjust this in Settings, or request full deletion of your account data at any time.

No selling your data

The leads we identify for you belong to your account. We do not resell, share, or repurpose your identified visitor data to any third party.

Sub-processor transparency

We maintain an up-to-date list of sub-processors (cloud providers, data infrastructure). Enterprise clients receive a full sub-processor addendum.

Data Processing Addendum

Enterprise and Pro clients can request a signed DPA at any time. Our standard DPA is based on the IAPP Model Data Processing Agreement.

Audit logs

All access to identified lead records is logged with timestamp, user, and IP address. Audit logs are available to account admins in Settings → Security.

Your rights in our data ecosystem

If you're a consumer and believe your information may be in our data graph, you have clear rights — and we make them easy to exercise.

1. Right to Know

You can request a summary of personal information we hold about you, including the categories of data and the sources it was collected from.

2. Right to Delete

You can request deletion of your personal information from our data graph. We will process your request within 15 business days and confirm deletion in writing.

3. Right to Opt Out

You can opt out of the sale or sharing of your personal information at any time using the form below. Your opt-out is permanent and honored globally across our platform.

4. Right to Non-Discrimination

Exercising any privacy right will never affect your ability to use products or services. We do not discriminate against consumers who exercise their rights.

Do Not Sell or Share My Information

Enter your email address below and we will remove you from our data graph and suppress your information from all future identity matches. Your request will be processed within 15 business days.

You may also email us directly at privacy@kopimore.com with the subject line "Opt-Out Request".

Common compliance questions

Where does your data come from?

Our identity graph is built from first-party opt-in data — loyalty programs, registrations, sweepstakes entries, and other consumer-facing touchpoints where individuals have provided their information and consented to marketing use. We do not scrape social media, purchase hacked credentials, or use data obtained without consumer knowledge.

Is it legal to email someone who visited my website but didn't fill out a form?

Under CAN-SPAM, commercial email to identified visitors is generally permissible provided you follow the law's requirements (accurate headers, physical address, clear opt-out mechanism). You are not required to have prior consent for email under CAN-SPAM — unlike SMS under TCPA. That said, we always recommend best-practice outreach: relevant, personalized emails with a clear value proposition and an easy way to unsubscribe. Consult your own legal counsel for guidance specific to your industry and jurisdiction.

Can I use Kopimore if I have EU visitors?

Yes, but you should suppress the pixel for EU/EEA visitors. Our data graph is US-only, so EU visitors won't match — but the pixel firing itself could implicate GDPR. We recommend using IP-based geolocation to only fire the Kopimore pixel for US traffic. We can provide technical documentation to help your developer implement this correctly.

Do I need to update my Privacy Policy?

Yes. You should update your Privacy Policy to disclose that you use third-party visitor identification technology, the categories of data collected, how it's used, and how consumers can exercise their rights. We provide a sample Privacy Policy addendum that your legal team can customize. CCPA-regulated businesses must also add a "Do Not Sell or Share My Personal Information" link to their homepage.

Can I use Kopimore leads for SMS marketing?

No — not without independently obtaining prior express written consent. TCPA requires explicit opt-in consent before sending marketing text messages to mobile numbers. The fact that someone visited your website does not constitute TCPA consent. Kopimore data is best used for manual phone outreach or email campaigns where you follow CAN-SPAM requirements.

How do I request a Data Processing Addendum (DPA)?

Email us at legal@kopimore.com with your company name and plan tier. DPAs are available to Pro and Enterprise clients. We typically return a signed DPA within 3 business days. If you need modifications to the standard DPA, our legal team is available to negotiate on a case-by-case basis for Enterprise accounts.

What happens when a consumer opts out?

When we receive an opt-out request, we remove the consumer's records from our active data graph within 15 business days and add them to our permanent suppression list. This means they will never appear in future identity matches across any Kopimore client account. We send a confirmation email to the consumer when suppression is complete.

Get in touch with our privacy team

General Privacy Inquiries

privacy@kopimore.com

Response within 2 business days

Legal & DPA Requests

legal@kopimore.com

DPAs returned within 3 business days

Opt-Out & Consumer Requests

privacy@kopimore.com

Processed within 15 business days

Legal Disclaimer: The information on this page is provided for general informational purposes and does not constitute legal advice. Privacy law is complex and jurisdiction-specific. We strongly recommend consulting qualified legal counsel before deploying any outreach campaign using identified visitor data. Kopimore's compliance posture reflects our own practices and does not guarantee that your specific use case will be legally compliant in every jurisdiction.