Privacy Policy

1. Who we are

Thorli ("Thorli," "we," "us," "our") is the working brand of a US dental marketing agency founded by Karen Martin in 2026, providing search engine optimization (SEO), answer engine optimization (AEO), and adjacent marketing services to dental practices in the United States. Our website is thorli.com. Formal US entity registration is in progress; the registered entity will assume and be bound by this Privacy Policy once registration completes.

For questions about this policy or to exercise any of the rights described below, contact us at privacy@thorli.com.

2. What we collect

We only collect personal information you give us, or that we need to operate the site. Specifically:

2.1 Information you submit

• Audit request form: name, work email, practice name, practice website URL, city/state, and any notes you add.
• Contact form: name, work email, message contents, and (optionally) phone number.
• Newsletter signup: work email and first name.
• Discovery calls: whatever you share verbally or in writing during a scoping conversation.

2.2 Information collected automatically

• Plausible Analytics: page URL, referrer, country (not city), browser type, device type, and screen size. Plausible does not use cookies, does not collect IP addresses, and does not build cross-site profiles. Read their data policy.
• Server logs: our hosting provider records IP address, timestamp, and HTTP request data for up to 14 days, used solely for security and abuse prevention.

2.3 What we do not collect

• We do not run Google Analytics, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel, or any other third-party ad-tech tracker on thorli.com.
• We do not buy or enrich contact lists from data brokers (ZoomInfo, Apollo, Clearbit, etc.) to populate our outreach.
• We do not collect Protected Health Information through this website. If patient data ever ends up in an audit submission by accident, we redact and delete it (see Section 8).

3. How we use what we collect

We use your information for the following purposes only:

• Deliver the thing you asked for. If you requested an audit, we use your details to research your practice and send you the audit.
• One follow-up. If you do not respond to an audit, we will send one polite follow-up email. After that, we stop.
• Service the engagement. If you become a client, we use your data to do the work, send invoices, and communicate about your account.
• Internal analytics. Aggregate, de-identified site metrics so we can tell which pages help people and which do not.
• Legal and security obligations. Responding to subpoenas, preventing fraud, and protecting our systems.

We do not use your information to train AI models, sell to third parties, or target you with retargeting ads across the web.

4. Cookies and tracking

thorli.com sets a small number of strictly functional cookies (for example, to remember your dark/light mode preference). We do not set advertising or cross-site tracking cookies. Because our analytics provider (Plausible) is cookieless and our marketing stack does not include ad pixels, you will not see a cookie consent banner on most pages. If that changes, we will update this section and surface a banner.

5. Sharing and disclosure

We share personal information only with vendors that help us run the business, and only the minimum necessary:

• Hosting and infrastructure: AWS, Cloudflare.
• Email delivery: AWS Simple Email Service (SES) and Postmark.
• CRM: HubSpot Enterprise (with BAA where dental practice client data is involved).
• Payments: Stripe (for card payments) and our bank (for ACH).
• Scheduling: Cal.com or SavvyCal.

Each of these vendors is bound by a Data Processing Agreement (DPA) and uses your data only to provide their service to us. We do not sell or rent personal information, and we have not done so in the preceding 12 months.

We may disclose information when required by law (subpoena, court order, regulatory request) or to protect the rights, property, or safety of Thorli, our clients, or the public. We will notify you of a legally compelled disclosure unless prohibited from doing so.

6. Data retention

• Audit requests: 24 months from submission, then permanent deletion.
• Contact form submissions: 12 months from submission, then permanent deletion.
• Newsletter subscribers: until you unsubscribe.
• Client records: 7 years after engagement ends (tax and IP records retention).
• Server logs: 14 days.

7. Your rights

Regardless of where you live in the United States, you have the right to:

• Access the personal information we hold about you.
• Correct inaccurate information.
• Delete your information (subject to legal retention requirements).
• Port your information to another provider in a machine-readable format.
• Opt out of marketing communications at any time.
• Be free from retaliation for exercising any of these rights.

To exercise any of these rights, email privacy@thorli.com. We respond within 30 days. If we need more time, we will tell you why and when to expect a response. We verify identity before fulfilling access or deletion requests, usually by replying to the email address on file.

7.1 State-specific rights

If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), New Jersey (NJDPA), New Hampshire, or any other state with a comprehensive consumer privacy law in effect, you have the rights listed above plus any additional rights granted by your state. California residents can also designate an authorized agent and request a disclosure of categories of personal information collected, sold, or shared in the prior 12 months. (Our answer to the "sold or shared" question is always "none.")

We do not engage in "targeted advertising," "sale" of personal information, or "profiling" as those terms are defined in U.S. state privacy laws. You do not need to opt out because there is nothing to opt out of.

8. HIPAA crossover

If you are a dental practice client and your engagement involves Protected Health Information (PHI), the terms of a signed Business Associate Agreement (BAA) and our HIPAA Notice will govern that data, not this Privacy Policy. We will sign a BAA with every dental practice client before any PHI is shared; this is committed as item 8 of our Bill of Rights and will be effective from day one of formal entity registration. If an audit submission or contact form unexpectedly contains PHI (for example, a patient name or treatment detail), we redact and delete it on receipt and notify the submitter.

9. Children's privacy

Thorli's services are for adult business contacts at dental practices. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted information through our site, email privacy@thorli.com and we will delete it.

10. International users

Thorli operates from the United States and our services are designed for U.S. dental practices. Our infrastructure (hosting, CRM, email) is U.S.-based. We are not currently set up to handle EU/UK/Swiss GDPR data subject requests at scale. If you are outside the United States and submit information, you consent to its transfer to and processing in the United States.

11. Security

We use industry-standard administrative, technical, and physical safeguards: TLS encryption in transit, encryption at rest for production databases, role-based access controls, mandatory two-factor authentication on every account with system access, and quarterly access reviews. No system is perfectly secure. If we discover a breach affecting your personal information, we will notify you in accordance with applicable state breach notification laws.

12. Changes to this policy

We will update this policy when our practices change or when the law requires. If we make material changes, we will update the "Last updated" date at the top of this page and, for substantive changes, post a notice on thorli.com for at least 30 days. Continued use of our services after changes take effect constitutes acceptance.

13. Contact

Privacy questions, requests, or complaints:
Email: privacy@thorli.com
General: hello@thorli.com