01
Scope and how to read this policy
This policy covers picxm.com, The Picspective newsletter, the contact and subscription forms PICXM operates, the studio podcast and video properties under the PICXM identity, and the data handling that supports each. The policy does not cover client engagements governed by separate written agreements, nor third party sites linked from picxm.com.
Each section is written plain English first. Where a regulatory regime requires technical disclosures, those follow inline. We avoid linking out for the things you need to read in one place.
02
Who is responsible for your data
PICXM (Policy Impact Communications) is the data controller for information collected through picxm.com. The legal entity is Policy Impact Communications, headquartered at 1156 15th Street NW, Washington, D.C. 20005, United States. For EU and UK readers, this means PICXM determines the purposes and means of processing your personal data under Article 4 of the GDPR and the UK GDPR.
For California, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, and Montana readers, PICXM is the business under the respective state consumer privacy statutes. Questions and rights requests reach the privacy desk at contact@picxm.com.
03
The information we collect
Four categories, organized by how the data reaches us.
Information you give us directly
Your name, organization, email address, role, phone number when shared, and the contents of messages you send through forms or by email. For event RSVPs and The Picspective subscriptions, the same fields plus preferences you select. When you engage PICXM commercially, the engagement letter and supporting documents become the data record.
Information your browser sends automatically
Your IP address, browser type and version, operating system, device type, screen resolution, pages viewed, referring URL, exit URL, session duration, and timestamps. Webflow, our hosting platform, logs this data on our behalf for site delivery and aggregated analytics. We do not link this data to a personal identity unless you also provide one.
Information from cookies and similar technologies
Strictly necessary cookies that make the site work. Analytics cookies that measure traffic in aggregate. The full breakdown lives in section 8 below. We do not use third party advertising cookies, retargeting pixels, or social media trackers on picxm.com.
Information from third parties
When you subscribe to The Picspective through a referral partner, the partner shares your email and consent record with us. When public information is added to an engagement file, the source is documented. We do not buy marketing lists.
04
How we use your information
Seven purposes, no surprises.
- To respond when you reach out. We use your contact details and message to answer the question, route the inquiry to the right principal, and follow up.
- To deliver The Picspective. We use your email and preferences to send the weekly editorial newsletter you subscribed to and to manage your preferences.
- To run engagements. When PICXM is retained, we use the data the engagement requires to deliver the work covered by the engagement letter.
- To improve the site. Aggregated analytics tell us which content readers value so we publish more of it.
- To prevent abuse. Server logs and rate-limit data help us identify and block bots, scrapers, and bad actors.
- To meet legal obligations. Tax records, regulatory disclosure obligations under FARA when applicable, and lawful requests from authorities.
- To defend legal claims. Preserved records the engagement or any dispute may require.
05
Legal bases under GDPR and UK GDPR
EU and UK readers, the lawful bases we rely on under Article 6.
- Consent (Art. 6(1)(a)). For The Picspective subscriptions, marketing communications, and any non-essential cookies. You can withdraw consent at any time.
- Contract (Art. 6(1)(b)). For data we need to deliver a client engagement, answer your direct inquiry, or perform the steps you have asked us to take.
- Legal obligation (Art. 6(1)(c)). For tax records, FARA filings, regulatory disclosure, and lawful requests.
- Legitimate interests (Art. 6(1)(f)). For site security, fraud prevention, aggregated analytics, and the protection of our claims and the claims of our clients. Our legitimate-interest assessment is available on request.
We do not rely on automated decision-making or profiling under Article 22 to make decisions about you.
06
When and with whom we share data
Six categories of recipients, all bound by contract.
- Service providers we engage to operate the site. Webflow (hosting and CDN), Google Workspace (email and document collaboration), Mailchimp (The Picspective delivery), Cloudflare (DDoS protection and CDN edge), and the analytics tooling that supports each. Every provider operates under a written data processing agreement.
- Professional advisors. Counsel, accountants, and auditors bound by confidentiality.
- Government authorities. When required by law, including a lawful subpoena, court order, or regulatory inquiry. We notify you when permitted.
- Successor entities. In the unlikely event of a merger, acquisition, or sale of substantially all PICXM assets, your data may transfer to the successor under the same protections.
- With your direction. When you ask us to share data with a third party, for example a referral or co-engagement partner, we share what you direct.
- What we do not do. We do not sell personal data. We do not share it with advertisers. We do not use it to retarget you across the open web. We do not trade it.
07
AI tools, AI search, and your data
PICXM is AI-native by design. The use of AI inside the firm is held to the same principal-direct standard the rest of the work is held to.
What we do with AI
We use enterprise AI tools (ChatGPT Team, Claude for Work, Perplexity Pro, and others) under data processing agreements that prohibit training on our inputs. We use AI for research, drafting, monitoring, translation, and aggregated analytics inside engagements. Every output is reviewed by a principal before it leaves the firm.
What we do not do with your data
We do not feed your personal data into consumer-tier AI tools that train on user inputs. We do not use AI to make decisions about you. We do not share your data with AI search engines or generative answer engines for model training. We do not use your data to generate look-alike personas, behavioral profiles, or targeted communications outside an engagement you have approved.
AI-cited content from picxm.com
The Picspective, PICXM essays, and analysis published at picxm.com may be cited by ChatGPT, Claude, Perplexity, Google AI Overviews, and other answer engines. We publish to be cited. The content was authored for public reading and AI citation; quoting and citation are welcome. Training commercial AI models on substantial portions of the site requires written permission under our terms.
08
Cookies and similar technologies
Three categories of cookies on picxm.com, each named and explained.
Strictly necessary
Session cookies set by Webflow that make the site load, remember your locale, and protect against cross-site request forgery. These cannot be disabled because the site does not function without them.
Analytics
Aggregated analytics cookies that measure traffic patterns, pages viewed, and session duration in aggregate. The data is reported to us in summary form. No advertising network has access to these signals. The analytics provider is configured to honor Do Not Track and Global Privacy Control signals.
Subscription preference
A first-party cookie set when you subscribe to The Picspective so the subscription confirmation displays correctly. Removed thirty days after subscription.
How to control cookies
Your browser controls cookies. Modern browsers let you block, delete, or restrict cookies per site. Blocking strictly necessary cookies will break parts of the site. Blocking analytics cookies will not change your experience.
09
International data transfers
PICXM is headquartered in the United States. The data we collect is processed primarily in the United States and, for hosting redundancy, may be processed in the European Union, the United Kingdom, and Canada by our service providers.
For transfers of personal data out of the European Economic Area, the United Kingdom, or Switzerland to the United States or other jurisdictions without an adequacy decision, we rely on the European Commission Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and the Swiss DPA equivalents. A copy of the SCCs in force for our processing chain is available on request at contact@picxm.com.
For our United Kingdom operations PICXM London (the office, not a separate controller) processes data on behalf of PICXM US under an intra-group data transfer agreement.
10
How long we keep your data
Retention is purpose-driven. Each data category has a documented retention period.
| Data category | Retention period |
|---|
| Contact form messages | Three years from the last engagement, then deleted |
| The Picspective subscriber list | Until you unsubscribe, plus thirty days for confirmation |
| Web server logs and aggregated analytics | Thirteen months |
| Engagement records and client files | Seven years from engagement close, then archived per retention policy |
| Tax and accounting records | Seven years per United States federal tax requirements |
| FARA records (where applicable) | Per FARA requirements, three years from filing close |
| Cookies (strictly necessary) | Session only |
| Cookies (analytics) | Thirteen months |
Records subject to a legal hold, active litigation, or regulatory inquiry are retained until the hold or inquiry concludes.
11
How we secure your data
The security standard is the standard a Washington-based team should hold. Six layers.
- Encryption in transit. TLS 1.3 across picxm.com, all subdomains, and every service provider connection. HSTS preload submitted.
- Encryption at rest. Provider-managed encryption on every storage layer (Webflow, Google Workspace, Mailchimp, Cloudflare).
- Access controls. Single sign on with hardware security keys for principal access. Role-based access for every system. Quarterly access review.
- Monitoring. Authentication logs, anomaly detection, and rate-limiting across every public endpoint. Incident response runbook reviewed annually.
- Vendor diligence. Every service provider reviewed against a security questionnaire before engagement and re-reviewed annually.
- Breach response. If a personal data breach occurs, we notify affected individuals and regulators per the law that applies (within seventy-two hours under GDPR, per state breach notification laws in the US). The notification standard is the standard we would want as a recipient.
12
Your privacy rights
The rights below apply universally to readers of picxm.com regardless of jurisdiction. Section 13 adds the specific rights United States state law gives California, Virginia, Colorado, Connecticut, and Utah residents.
- Access. Request a copy of the personal data we hold on you.
- Correction. Ask us to correct inaccurate or incomplete data.
- Deletion. Ask us to delete your data, subject to retention obligations we explain in section 10.
- Restriction. Ask us to restrict processing while a dispute is resolved.
- Portability. Receive a machine-readable export of the personal data you provided to us.
- Objection. Object to processing based on legitimate interest, including for direct marketing.
- Withdrawal of consent. Withdraw consent for any processing that relies on consent. Withdrawal does not affect prior lawful processing.
- Complaint. Lodge a complaint with your supervisory authority (section 17).
To exercise a right, email contact@picxm.com. We respond within thirty days. We may request information to verify your identity before acting. The first request in any twelve-month period is free; additional requests may incur a reasonable fee for excessive requests, with notice.
13
State law rights for California, Virginia, Colorado, Connecticut, and Utah
Residents of these states have additional rights under their consumer privacy laws. The rights overlap with section 12; the items below name the rights with state-statute precision.
California (CCPA / CPRA)
Right to know the categories of personal information collected, the categories of sources, the business purpose, and the categories of third parties to which the information is disclosed. Right to delete, right to correct, right to opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising), right to limit use and disclosure of sensitive personal information, and right to non-discrimination for exercising any right.
California Shine the Light. We do not disclose personal information to third parties for their direct marketing purposes.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)
Right to confirm processing, right to access, right to correct (Virginia, Colorado, Connecticut), right to delete, right to data portability, and right to opt out of targeted advertising and the sale of personal data. PICXM does not engage in targeted advertising or sale of personal data, so there is nothing to opt out of, but the right exists nonetheless.
Right of appeal
If PICXM declines to act on a request, you may appeal the decision by replying to the response with the word Appeal and a brief statement. We will respond to the appeal within sixty days. Virginia, Colorado, and Connecticut residents may then contact the state Attorney General if not satisfied.
How to exercise these rights
Email contact@picxm.com. We respond to verifiable consumer requests within forty-five days, with one forty-five-day extension when permitted. You may designate an authorized agent. Identity verification is required before action.
14
Children and youth
picxm.com is built for purpose-driven founders, executives, communicators, and policy operators. The site is not directed to children. We do not knowingly collect personal information from anyone under sixteen years of age, the COPPA threshold of thirteen for United States children, or the GDPR threshold that applies in the reader EU member state.
If you believe a child has provided personal data, email contact@picxm.com and we will delete the data on confirmation. Parents and legal guardians may also use the rights above on behalf of a minor in their care.
15
Do Not Track and Global Privacy Control
picxm.com honors the Global Privacy Control (GPC) signal as an opt-out signal under the CCPA, the VCDPA, the CPA, and the CTDPA. When GPC is detected, we treat the request as a right-to-opt-out request and configure analytics accordingly.
Do Not Track (DNT) signals are honored on a best-effort basis. The DNT standard is not uniformly enforced; GPC is the more reliable signal and is the one we treat as authoritative.
16
Changes to this policy
We update this policy when our practices change, when new regulations require it, or when we add a service or feature that warrants disclosure. The current version always lives at picxm.com/privacy with the Effective date and Last updated noted in the hero above. We retain prior versions of this policy for at least five years and provide a copy on request.
When the change is material, we notify Picspective subscribers and existing engagement contacts by email at least thirty days before the change takes effect. For non-material changes (clarifications, typo corrections, link updates), we update the page and note the change in the version log.
17
Contact and supervisory authorities
One desk handles every question, complaint, and rights request.
Supervisory authorities
EU readers may lodge a complaint with the supervisory authority of their habitual residence, place of work, or place of alleged infringement. UK readers may complain to the Information Commissioner (ICO) at ico.org.uk. Swiss readers may contact the Federal Data Protection and Information Commissioner (FDPIC). California residents may contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
We would rather resolve your concern directly. Reach contact@picxm.com first; we answer within thirty days, usually sooner.
Document control
Privacy Policy, version 3.0, effective 1 June 2026.
PICXM · Policy Impact Communications · 1156 15th Street NW, Washington, D.C. 20005 · United States.