Privacy Policy

At a Glance

This policy explains how Goods & Services collects, uses, shares, and protects information about visitors to goodsandservices.com. The short version:

We do not sell your personal information for monetary consideration.
We do not share your personal information for cross-context behavioral advertising as that term is defined under California law.
We use cookies and similar technologies for site operation, analytics, and limited marketing measurement. You can manage preferences through our cookie banner and through your browser settings.
You have rights to access, delete, correct, port, and limit processing of your information. Section 11 explains how to exercise them.

This summary is for orientation only and does not replace the full policy below.

1. Who We Are and Scope of This Policy

This policy is issued jointly by Goods, Inc. (a U.S. corporation, doing business as Goods & Services, LLC, headquartered in Atlanta, Georgia) and Goods & Services, S.A. de C.V. (a Mexican corporation, with offices in Puebla and Mérida). Together with their affiliates, we are referred to in this policy as “Nearshore,” “Goods, Inc.” “we,” “us,” or “our.”

This policy applies to information collected through goodsandservices.com and its subdomains (the “Website”). It does not apply to:

Information processed under our customer service agreements (governed by separate Data Processing Agreements with our enterprise clients);
Personal data of Goods & Services employees and job candidates (governed by the separate Aviso de Privacidad para Empleados and Aviso de Privacidad para Candidatos for Mexican personnel and equivalent notices for U.S. personnel);
Third-party websites that we link to but do not operate.

1.1 Data Controller / Owner

For visitors located in Mexico, the data controller is Goods & Services, S.A. de C.V., and the Mexican Aviso de Privacidad (issued under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or “LFPDPPP”) governs the relationship and is incorporated by reference. Mexican data subjects should consult that notice for ARCO rights and Mexico-specific procedures.

For visitors located outside Mexico, the data controller is Goods, Inc. For visitors located in the European Economic Area or the United Kingdom, see Section 16 for the appointed representative under Article 27 GDPR.

1.2 Contact for Privacy Matters

Privacy contact: privacy@goodsandservices.com · Mail: 1353 Riverstone Pkwy Suite 120-335 Canton GA United States 30114 USA · Phone: 1-800-735-3710

2. Information We Collect

We collect information in three ways: (a) directly from you when you provide it; (b) automatically when you use the Website; and (c) from limited third-party sources (for example, business contact databases used by our sales team).

2.1 Information You Provide

When you fill in a contact, demo-request, or careers form on the website, you provide:

Identifiers — name, work email address, telephone number, employer name, job title;
Communication content — the contents of your message, RFP, or attached documents;
Career-related information (for the careers form only) — résumé/CV, work history, location, and other professional details you choose to share.

2.2 Information Collected Automatically

When you visit the Website, the following information is collected automatically through cookies, pixels, log files, and similar technologies (see Section 4 for the full inventory):

Internet activity — IP address, browser type and version, operating system, device identifiers, referring URL, pages viewed, time spent, click activity, search terms entered into the Website, file downloads;
Approximate geolocation — derived from IP address (typically resolves to city or region, not precise location);
Inferences — limited inferences drawn by Google Analytics about audience interest categories and conversion paths.

2.3 Information from Third Parties

We obtain limited business contact information from licensed third-party providers (for example, business contact-data vendors used by our sales team) and from public sources (for example, LinkedIn profiles of professionals at companies that match our customer profile). We use this only for B2B outreach to business contacts in their professional capacity.

2.4 Categories under California Law

For California residents, the categories of personal information collected through the Website during the past 12 months map to the categories enumerated in Cal. Civ. Code §1798.140(v) as follows:

CCPA Category	Examples Collected	Collected?
(A) Identifiers	Name, email, phone, IP address, cookie IDs	Yes
(B) Customer records (Cal. Civ. Code §1798.80)	Business contact details from forms	Yes
(C) Protected classification characteristics	Race, gender, age (for legally required EEO data only, on careers form)	Limited (careers only)
(D) Commercial information	Records of services inquired about	Yes
(E) Biometric information	Not collected	No
(F) Internet activity	Browsing on our Website, interaction with our ads	Yes
(G) Geolocation (precise)	Not collected. Only city/region from IP.	No (precise)
(H) Sensory data	Not collected	No
(I) Professional information	Employer, title, professional history (career form)	Yes
(J) Education information	From résumé/CV submitted via career form	Limited (careers only)
(K) Inferences	Limited audience-interest signals from analytics	Yes (limited)
(L) Sensitive personal information	See Section 2.5	See 2.5

2.5 Sensitive Personal Information

We do not knowingly collect sensitive personal information (as defined under CCPA/CPRA) through the Website. We do not collect government-issued identifiers, financial account information, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, mail/email/text contents not directed to us, genetic data, biometric data, health data, or sexual orientation/sex life information through the Website.

If sensitive personal information is incidentally provided to us in a free-form message field, we use it only to respond to the inquiry and we do not retain it longer than necessary.

3. How We Use Information

We use information for the following purposes. The right column states the legal basis under the EU/UK GDPR. The same purposes apply to other jurisdictions, with the legal basis adapted under local law.

Purpose	GDPR Legal Basis
Operate, maintain, and secure the Website	Legitimate interests (Art. 6(1)(f))
Respond to inquiries submitted through forms or email	Performance of pre-contractual measures (Art. 6(1)(b)) or legitimate interests
Process job applications submitted through the careers form	Pre-contractual measures (Art. 6(1)(b))
Conduct B2B sales outreach in a professional capacity	Legitimate interests (Art. 6(1)(f)), subject to opt-out
Measure Website performance and audience analytics	Consent (Art. 6(1)(a)) where required by law; legitimate interests otherwise
Marketing measurement, conversion attribution	Consent (Art. 6(1)(a)) where required by law
Comply with legal obligations and respond to lawful requests	Legal obligation (Art. 6(1)(c))
Establish, exercise, or defend legal claims	Legitimate interests (Art. 6(1)(f))

4. Cookies and Tracking Technologies

This section explains the cookies and similar technologies (pixels, web beacons, local storage, server-side tags) used on the Website. We refer to all of these collectively as “cookies” for simplicity.

4.1 What Cookies Are

A cookie is a small data file stored in your browser when you visit a website. Cookies allow the website (and in some cases third parties) to recognize your browser across pages and visits. “First-party” cookies are set by us; “third-party” cookies are set by other domains we have integrated (for example, Google Analytics or LinkedIn).

4.2 Categories of Cookies We Use

We classify cookies into four categories, consistent with the IAB ePrivacy framework and most U.S. state cookie laws:

Strictly Necessary. Required for the Website to function (load balancing, security, session continuity, fraud prevention). Cannot be disabled through the cookie banner because the Website would not work without them. Used regardless of consent.
Functional. Remember your preferences and display the site in your chosen state. Set after consent except where strictly necessary for a feature you have requested.
Analytics. Help us understand how visitors use the Website in aggregate. We use Google Analytics 4 in IP-anonymized mode and with Google Consent Mode v2.
Marketing / Measurement. Used to measure the effectiveness of our advertising campaigns (for example, whether someone who clicked a LinkedIn ad later submitted a contact form). We do not use these cookies to build cross-site behavioral advertising profiles, and we do not share or “sync” cookie identifiers with programmatic ad-tech partners.

4.3 Specific Cookies and Tags in Use

The following cookies and tags are deployed on the Website. This table is maintained by IT Operations and is updated when our tag configuration changes.

Cookie / Tag	Vendor	Purpose	Category	Retention
MURA_UPC, MXP_TRACKINGID, cfid, cftoken	Goods & Services (first-party)	CMS session continuity, anonymous visitor counting	Strictly Necessary	Session – 1 year
_ga, _ga_DJD30JDSG6, _gid	Google (Analytics 4)	Distinguish unique visitors and sessions; aggregate usage analytics	Analytics	Up to 2 years
_gcl_au	Google Ads	Conversion measurement (whether ad clicks led to form submission)	Marketing	90 days
_fbp	Meta (Facebook)	Conversion measurement for Meta Ads campaigns	Marketing	90 days
bcookie, lidc, li_sugr, ar_debug	LinkedIn	LinkedIn Insight Tag — campaign measurement, audience matching for B2B retargeting	Marketing	Up to 1 year
__adroll, __ar_v4 (when set)	AdRoll (NextRoll)	Attribution pixel for retargeting campaigns	Marketing	Up to 1 year
__cf_bm, cf_clearance	Cloudflare (via Pipedrive)	Bot management on contact forms	Strictly Necessary	30 minutes – 1 year
Cookie consent state	Goods & Services (first-party)	Remember your cookie preferences	Strictly Necessary	12 months

4.4 Your Cookie Choices

You have several ways to control the cookies we use:

Cookie banner. On your first visit and at any time afterward via the “Cookie Preferences” link in the Website footer, you can accept all categories, reject all non-essential categories, or set granular preferences.
Browser controls. All major browsers allow you to block or delete cookies from settings. Most allow you to block third-party cookies entirely while keeping first-party cookies (which preserves site functionality).
Global Privacy Control (GPC). We honor the GPC browser signal as a valid opt-out of “sale” and “sharing” under California, Colorado, Connecticut, and other state laws that recognize it.
Vendor-specific opt-outs. Google Analytics: tools.google.com/dlpage/gaoptout. LinkedIn: www.linkedin.com/help/linkedin/answer/62931. Meta: facebook.com/help/568137493302217. AdRoll: nextroll.com/privacy#service-13.

5. How We Share Information

We disclose information only in the limited circumstances below. We do not sell information to data brokers and we do not share it for cross-context behavioral advertising.

5.1 Service Providers and Processors

We share information with vendors that process information on our behalf and are contractually limited to the purposes we specify. The current list of service providers receiving information from the Website is:

Service Provider	Function	Location
Amazon Web Services	Website hosting (Mura CMS, ColdFusion application)	United States
Cloudflare	Content delivery, bot management (via Pipedrive)	United States / Global
Google LLC	Analytics (GA4), Tag Manager, Google Ads conversion tracking	United States / EU
LinkedIn Corporation	B2B campaign measurement (Insight Tag)	United States
Meta Platforms, Inc.	Conversion measurement (Pixel)	United States
NextRoll, Inc. (AdRoll)	Retargeting attribution (pixel only; no cookie syncing)	United States
Pipedrive Inc.	Web-form processing, CRM lead capture	United States / EU

5.2 Affiliates

We share information between Goods, Inc. and Goods & Services, S.A. de C.V. as necessary to operate the Website and respond to inquiries. Both entities are bound by this policy and by intra-group data-transfer terms.

5.3 Legal and Compliance

We may disclose information when required to comply with applicable law, lawful court orders or governmental requests, to enforce our terms, or to protect the rights, property, or safety of Goods & Services, our customers, or others.

5.4 Business Transactions

In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our business or assets, information may be transferred to the relevant counterparty subject to confidentiality protections and continued application of the protections in this policy (or equivalent).

5.5 With Your Consent

We share information for any other purpose with your consent.

6. Sale and Sharing Disclosure

We do not sell your personal information for monetary or other valuable consideration. We do not share your personal information for cross-context behavioral advertising as that term is defined in Cal. Civ. Code §1798.140(ah). We have not sold or shared personal information of any consumer in the preceding 12 months.

We do not knowingly sell or share personal information of consumers under the age of 16. We have implemented technical controls to verify that our marketing tags do not transmit IAB sale-authorization signals.

Notwithstanding the above, you may exercise the right to opt out of “sale” and “sharing” at any time using our Do Not Sell or Share My Personal Information link, by setting the Global Privacy Control browser signal, or by contacting us using the methods in Section 15. We will treat the request as effective even though we currently do not engage in conduct that would otherwise require the link.

7. International Data Transfers

Because we operate in the United States, Mexico, and the United Kingdom, your information may be processed in any of those jurisdictions, and our service providers may process information in additional countries (typically the United States, Ireland, and Germany for our cloud and analytics vendors).

7.1 Transfers from the EU/UK

For transfers of personal data from the European Economic Area or the United Kingdom to recipients in countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor or Module 4 processor-to-controller as applicable), supplemented by the UK International Data Transfer Addendum where required, and on technical safeguards including encryption in transit and at rest.

7.2 Transfers from Mexico

Transfers from Mexico are addressed in the Aviso de Privacidad (LFPDPPP) and rely on intra-group transfer arrangements between Goods & Services, S.A. de C.V. and Goods, Inc. that bind the recipient to equivalent protections.

7.3 Transfers from Other Jurisdictions

For visitors from Canada, Brazil, Australia, Japan, South Korea, Singapore, and other jurisdictions with cross-border transfer rules, we rely on the legal mechanisms recognized by the applicable law (typically contractual safeguards equivalent to Standard Contractual Clauses).

8. Data Retention

We retain personal information only for as long as needed for the purposes described in this policy, plus a reasonable period to comply with our legal obligations, resolve disputes, and enforce our agreements.

Data Type	Retention	Rationale
Form submissions (contact, demo)	Up to 7 years	Sales-cycle and statute-of-limitations alignment
Career applications (not hired)	Up to 2 years	Future opportunities; EEO record-keeping where applicable
Server access logs	90 days	Security investigation and abuse prevention
Analytics data (GA4)	14 months	Default GA4 retention (configurable)
Marketing-measurement cookies	Up to 1 year	See cookie table in Section 4.3

9. Information Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS 1.2+), encryption of data at rest, role-based access controls, security monitoring (Cortex XDR), regular vulnerability assessments, and a documented incident-response process. We are working toward ISO/IEC 27001 certification.

No method of transmission or storage is perfectly secure. If we become aware of a personal-data breach affecting your information, we will notify you and the relevant supervisory authorities to the extent required by applicable law.

10. Children's Privacy

The Website is intended for business audiences and is not directed to children. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with information, please contact us using the methods in Section 15 and we will delete it.

11. Your Privacy Rights

Your privacy rights depend on where you live. The table below summarizes the rights we recognize across major jurisdictions. Section 11.7 explains how to exercise them.

Jurisdiction	Rights Recognized	Authority
California (US)	Know, access, delete, correct, portability, opt out of sale/sharing, limit use of sensitive PI, non-discrimination	CCPA / CPRA
Other US states	Access, delete, correct, portability, opt out of sale/targeted advertising/profiling, appeal denials	VA, CO, CT, UT, TX, TN, FL, OR, MT, IA, DE, NJ, IN, NH, MN, MD, KY, RI
EU / EEA	Access, rectification, erasure, restriction, portability, object, withdraw consent, complaint to supervisory authority	GDPR Art. 15–22
United Kingdom	Same as EU/EEA	UK GDPR / DPA 2018
Mexico	Access, rectification, cancellation, opposition (ARCO); revoke consent	LFPDPPP — see Aviso
Brazil	Confirmation, access, correction, anonymization, portability, deletion, information about sharing, revoke consent	LGPD Art. 18
Canada	Access, correction, withdrawal of consent	PIPEDA, Quebec Law 25
Other jurisdictions	Rights granted by your local law; contact us and we will respond consistent with applicable law	Various

11.1 California (CCPA/CPRA) — Specific Notes

In addition to the rights above, California residents have the right to non-discrimination for exercising any privacy right. We will not deny services, charge different prices, or provide a different level of service because you exercised a right. We do not offer financial incentives in exchange for personal information.

Authorized agents. California residents may designate an authorized agent to make requests. We will require proof of authorization (for example, a written and signed permission).

11.2 EU / UK — Specific Notes

In addition to the rights above, you have the right to lodge a complaint with the supervisory authority in your member state of residence, place of work, or place of the alleged infringement. For the United Kingdom, this is the Information Commissioner's Office (ico.org.uk).

11.3 Mexico (LFPDPPP — ARCO Rights) — Cross-Reference

Mexican data subjects exercise ARCO rights (Acceso, Rectificación, Cancelación, Oposición) and revoke consent through the procedures described in our Aviso de Privacidad, available at goodsandservices.com/privacy-policy/aviso-privacidad/. Requests should be directed to the Departamento de Recursos Humanos at the contact information provided in that notice.

11.7 How to Exercise Your Rights

You may submit a privacy request through any of the following methods:

Web form: goodsandservices.com/privacy/request
Email: privacy@goodsandservices.com
Postal mail: 1353 Riverstone Pkwy Suite 120-335 Canton GA United States 30114 USA
Toll-free phone: 1-800-735-3710

We will respond within the timeframe required by applicable law (typically 45 days for CCPA, with one 45-day extension if reasonably necessary; one month for GDPR, with up to two additional months if necessary). We may need to verify your identity, typically by matching information you provide against information we already hold. We do not require account creation to submit a privacy request.

If we deny your request in whole or in part, you have the right to appeal under several U.S. state laws (Virginia, Colorado, Connecticut, others). Appeals are submitted to the same contacts above with the subject line “Privacy Appeal.”

12. Automated Decision-Making

We do not engage in automated decision-making that produces legal effects or similarly significant effects on you based on data collected through the Website.

13. Third-Party Links and Services

The Website may contain links to third-party websites and services. This policy does not apply to those third parties. We encourage you to read their privacy notices.

14. Changes to This Policy

We will update this policy when our practices change or when required by law. Material changes will be communicated by posting a prominent notice on the Website at least 14 days before the change takes effect, and where required by law we will obtain renewed consent. The “Last Updated” date at the top of the policy will reflect the most recent change.

A history of prior versions is maintained internally and is available on request through privacy@goodsandservices.com.

15. How to Contact Us

General privacy inquiries	privacy@goodsandservices.com
Mailing address (US)	1353 Riverstone Pkwy Suite 120-335 Canton GA United States 30114 USA
Mailing address (Mexico)	Calle Tepeaca 51, Colonia La Paz, C.P. 72160, Puebla, Puebla
Phone (US)	1-800-735-3710
Mexican Aviso / ARCO requests	HRMX@goodsandservices.com · See Aviso de Privacidad
Supervisory authority (UK)	Information Commissioner's Office · ico.org.uk
Supervisory authority (Mexico)	INAI · www.inai.org.mx

16. Region-Specific Notices

16.1 California Notice at Collection

This policy serves as our “Notice at Collection” under Cal. Civ. Code §1798.100. The categories of personal information we collect are listed in Section 2.4. The purposes are described in Section 3. We do not sell or share personal information for cross-context behavioral advertising. The retention periods for each category are described in Section 8.

16.2 Mexican Aviso de Privacidad

Visitors located in Mexico should consult our separate Aviso de Privacidad, which is the controlling notice under LFPDPPP. The English-language policy on this page complements but does not replace the Aviso for Mexican data subjects.

16.3 EU/UK Specific Information

Where required, our representative under Article 27 GDPR / equivalent UK provision is identified in Section 15. The legal bases for processing are stated in Section 3. International transfer mechanisms are described in Section 7. You have the right to lodge a complaint with your local supervisory authority.

17. Definitions

Term	Definition
Personal information / personal data	Information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household (CCPA), or any information relating to an identified or identifiable natural person (GDPR/UK GDPR/LGPD).
Sale	The disclosure of personal information to a third party for monetary or other valuable consideration, as defined in Cal. Civ. Code §1798.140(ad). We do not sell.
Share	Disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, as defined in Cal. Civ. Code §1798.140(ah). We do not share.
Service provider / processor	An entity that processes personal information on behalf of a business under a written contract that limits the entity's use of the information to the business's specified purposes.
Cookie	A small data file stored in your browser when you visit a website. Includes similar technologies such as pixels, web beacons, local storage, and server-side tags.
Cross-context behavioral advertising	Targeted advertising based on personal information obtained from a consumer's activity across businesses, distinctly-branded websites, applications, or services other than the business with which the consumer intentionally interacts.
Sensitive personal information	Categories defined in Cal. Civ. Code §1798.140(ae), including government identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health data, biometric data, and genetic data.
Global Privacy Control (GPC)	A browser-level signal that communicates a consumer's choice to opt out of the sale and sharing of personal information. We honor GPC as a valid opt-out where applicable law recognizes it.

Questions? Contact privacy@goodsandservices.com.