R&D Binder
Effective date: 2026-05-09 Last updated: 2026-05-24 Related: Terms of Service

Use of the Site and Services is also governed by the Terms of Service. The two documents are intended to be read together; the Terms of Service control on non-privacy matters and incorporate this Privacy Policy by reference (Terms §10).

Who we are

R&D Binder is the trade name of Aliso LLC, a California limited liability company with a principal place of business in Orange County, California. For the purposes of applicable U.S. state privacy laws, Aliso LLC is the "business" responsible for processing personal data described in this Privacy Policy. Where the EU or UK General Data Protection Regulation applies, Aliso LLC is the "controller" of personal data described in this Privacy Policy unless an executed Data Processing Agreement provides otherwise.

The short version

  • No tracking cookies. R&D Binder sets zero first-party or third-party tracking cookies.
  • Cookieless aggregate analytics on the marketing site only. We use Plausible to count aggregate pageviews and a small number of named conversion events on rdbinder.com (for example, /estimate clicks, /sample views, /contact submissions). Plausible does not set cookies, does not retain Internet Protocol (IP) addresses, does not enable cross-site or cross-device tracking, and does not share data with advertising networks. No Google Analytics, no Fathom, no behavioral profiling. The contact-form payload, the binder-rendering pipeline, and Customer Content (commit metadata, payroll register, narrative drafts) are not instrumented with Plausible. Separately, R&D Binder may generate aggregated, de-identified operational metrics about the Services (Terms §8.4); those are service-level statistics, not visitor analytics.
  • No advertising or fingerprinting scripts. The only third-party script that loads on this site is the Plausible analytics beacon (above). No ad networks, no chat widgets, no embedded video, no marketing pixels, no fingerprinting libraries.
  • One use of local storage, only to remember that you dismissed the on-site privacy notice if we add one. It never leaves your browser.
  • If you email us or submit the contact form, we have what you sent us, nothing more. See the sections below for exactly where that data goes and for how long.

What we do not collect

R&D Binder does not retain your Internet Protocol (IP) address, does not set tracking cookies, and does not profile or fingerprint visitors. The public marketing site loads Plausible for cookieless aggregate analytics (see Third parties below); Plausible derives country-level geographic detail from a daily-rotating hash and does not retain the IP address itself. We make no requests to advertising networks, behavioral-profiling services, or fingerprinting libraries. Outside of the Plausible beacon, the Site does not load third-party analytics, advertising, tracking, or embedded-content scripts in visitors' browsers. Browsers may make routine background requests (such as OCSP certificate-validity checks or safe-browsing lookups) that R&D Binder neither initiates nor controls.

Our hosting and content-delivery providers (described in Hosting below) may process IP addresses and request metadata at the network level for security, abuse prevention, and content delivery; that processing is governed by the providers' own privacy policies. R&D Binder does not routinely access, analyze, or use those infrastructure logs for analytics, profiling, or marketing purposes.

Local storage

If we ever add an on-site privacy notice (the bar that appears at the bottom of the screen on first visit), it will need to remember you dismissed it so it does not reappear on every page. To do that we would set a single key in your browser's local storage:

  • rdb-notice-dismissed-v1, value "1", set when you click "Got it".

Local storage is first-party and is never transmitted to any server, including ours. You can clear it any time via your browser's site-data controls. As of the effective date above, no notice has been deployed and no key is set.

If you submit the contact form or email us

The contact form at /contact sends the fields you fill in (first and last name, work email, optional company, subject, and message) to a same-origin Cloudflare Pages Function. From there, your submission is forwarded to our customer relationship management (CRM) system as a contact record and to our email-delivery service so a human can reply. "Contact" links elsewhere on the site open a standard mailto: in your email client, which transmits your email address to our inbox directly.

We use anything you send us solely to reply, to scope the engagement, and (if you become a customer) to deliver the binder. We do not add you to a marketing list. We do not share, sell, or transfer your information to any third party beyond the service providers listed in the "Third parties" section below. If you ask us to delete your record and any associated data, we will follow the process and timelines described in "Your rights" below.

If you become a customer

To deliver an R&D credit binder for your business, R&D Binder needs read-only access to (a) the source-control repositories where your engineering work happens (typically GitHub), (b) summaries of your engineering payroll register (W-2 wages and contractor invoices for the tax year covered), and (c) any project narratives, architecture documents, or design records you choose to share. We use this data only to (i) cluster commits into Section 41 business components, (ii) score each component against the four-part test, (iii) compute Qualified Research Expense (QRE) allocations, (iv) draft the binder narrative, and (v) deliver the binder to you. Your raw source code and payroll detail are not redistributed. The binder PDF and accompanying workpaper are yours; we keep an archive copy for our own audit-trail and dispute-resolution purposes.

How long we keep your data

The retention periods below apply by default. You can request deletion at any time (see Your rights); a deletion request shortens the retention window for personal-data records to the timelines described there.

  • Contact-form data and CRM record (your contact details, company, subject, message): retained while the relationship is active and for as long as we may reasonably need it for follow-up engagements, dispute resolution, and operational records, unless you request deletion. Retained until no longer reasonably necessary for these purposes and reviewed periodically for deletion; deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
  • Email correspondence: retained in our email-delivery service's logs and in our mail provider's archive while the relationship is active, unless you request deletion. Retained until no longer reasonably necessary for these purposes and reviewed periodically for deletion; deleted within 30 business days of a deletion request, subject to the legal-records carve-out below.
  • Customer Content for an engaged binder (commit metadata, payroll register summary, narrative drafts): retained for the duration of the engagement plus 24 months after delivery to support audit-defense conversations with your CPA. Deleted within 30 business days of a deletion request, except where audit-defense or dispute-resolution holds apply.
  • Delivered binder PDF and workpaper: archived by R&D Binder for 7 years to support potential IRS examinations, mirroring the standard records-retention period under U.S. tax law. The customer's own copy is unrestricted.
  • Paid invoices and tax records: 7 years, retained by our payment processor and by R&D Binder as required by tax and accounting law. We can remove your name and company from any draft, unpaid, or voided invoice on request, but cannot delete paid-invoice records during the retention period.

Legal-records carve-out: R&D Binder may retain certain records longer than the periods above where required by law (for example, tax and accounting records under U.S. and California law; records under legal hold or active dispute resolution; records relevant to an ongoing IRS examination of a customer's tax year for which we produced documentation). The carve-out is narrow and applies only to the specific records covered.

Security incidents and breach notification

R&D Binder implements commercially reasonable administrative, technical, and organizational safeguards to protect personal data and Customer Content (see Terms of Service §9.2). In the event of a security incident affecting your personal information, R&D Binder will notify affected individuals and any required authorities consistent with applicable law, including California Civil Code §1798.82. For customers under an executed Data Processing Agreement, R&D Binder commits to notify the customer of a confirmed Personal Data Breach without undue delay and, where practicable, within seventy-two (72) hours of becoming aware of the breach (DPA §11). No security measure is perfect; R&D Binder does not guarantee that personal data or Customer Content cannot be accessed by an unauthorized party as a result of an event outside R&D Binder's reasonable control.

Why we are allowed to process your data

R&D Binder is designed primarily for U.S.-based businesses and does not intentionally target individuals in the EU or UK. R&D Binder's ordinary-course processing is scoped to applicable U.S. state privacy laws, including California's Consumer Privacy Act and California Privacy Rights Act. Where the EU or UK General Data Protection Regulation applies, R&D Binder processes personal data under the legal bases described below and pursuant to any executed Data Processing Agreement. The legal bases below describe the framework under which we process personal data:

  • Performance of a contract: to provide the documentation Services you have engaged us to perform (intake, scope, payment, binder construction, delivery, follow-up).
  • Legitimate interests: to respond to inbound inquiries, to operate and secure the Site and contact API, to maintain audit-trail integrity, to prevent abuse, and to develop anonymized and aggregated analytics about the Services in line with Terms of Service §8.4. These interests are balanced against your rights and freedoms; if you object, contact us at the address in Your rights.
  • Legal obligation: to retain tax, accounting, and dispute-resolution records, to respond to lawful requests from public authorities, and to comply with applicable law.
  • Consent: where you provide it explicitly for specific processing activities beyond the legal bases above.

Hosting

This site is a static collection of HTML, CSS, JavaScript, and images served by Cloudflare Pages, which delivers content through Cloudflare's global edge network. Cloudflare may retain access logs (including IP addresses and request headers) at the infrastructure level for security and content delivery, as described in Cloudflare's privacy policy. DNS for rdbinder.com is provided by GoDaddy at the time of writing and may process DNS query metadata under GoDaddy's privacy policy; this may change to Cloudflare DNS in the future without affecting this Privacy Policy. The contact form posts to a Cloudflare Pages Function at the same origin; future paid-customer intake at api.rdbinder.com will run on Cloudflare's edge-compute platform (Cloudflare Workers) and may retain its own access logs at the infrastructure level. R&D Binder does not routinely access, analyze, or use these providers' infrastructure logs for analytics, profiling, or marketing purposes.

Third parties

When you submit the contact form or become a customer, your data flows through a short list of service providers we need to actually deliver the documentation. The list below mirrors Terms of Service §6.7 (Third-party providers) and is grouped by what each provider handles. The canonical, regularly updated subprocessor list (with regions and roles) is published at /subprocessors.

Personal-data processors (handle your contact details, your company information, and your payment information):

  • Cloudflare: hosts the marketing site (Cloudflare Pages), handles the contact form (Cloudflare Pages Functions), and (for paid customers) runs the future intake API at api.rdbinder.com (Cloudflare Workers).
  • HubSpot: customer relationship management (CRM) system holding your contact record and deal record.
  • Resend: email-delivery service for contact replies, scope, kickoff, and follow-up emails.
  • Stripe: payment processor for invoices and the hosted checkout you are redirected to. R&D Binder never sees your card data.
  • Migadu: inbound email mailbox provider (hosts the hello@rdbinder.com inbox where your replies and direct emails are received).

Documentation backends (process your Customer Content, meaning the commit metadata, payroll-register summary, and project narratives you submit; not intended to receive customer contact records, although Customer Content may incidentally contain personal information submitted by the customer, such as employee names in payroll data or contributor identities in commit metadata):

  • Anthropic: large language model (LLM) backend for narrative drafting and four-part-test reasoning.
  • GitHub: source-control platform R&D Binder reads (read-only) under the access you grant.
  • Railway: container hosting for the binder-rendering pipeline service that ingests, clusters, and renders your Customer Content.

AI processing, retention, and model training. Customer Content sent to Anthropic for analysis is processed under Anthropic's commercial API terms, which provide that customer inputs and outputs are not used to train Anthropic's models. R&D Binder does not use Customer Content to train, fine-tune, or otherwise develop AI models, and does not authorize any subprocessor to do so. R&D Binder configures available retention controls on subprocessor APIs, including zero-retention or limited-retention modes where supported and appropriate. Aggregated operational metrics derived from engagements (Terms §8.4) are de-identified and do not include Customer Content.

Marketing-site analytics (touches only the public marketing site at rdbinder.com; never the contact-form payload, the binder-rendering pipeline, or Customer Content):

  • Plausible: aggregate website analytics on the public marketing site only (cookieless; no Internet Protocol address retention; country-level geographic detail derived from a daily-rotating hash; no Customer Content; no contact details; no payroll or commit data). Plausible Insights OÜ is incorporated in Estonia and processes data on infrastructure operated by European companies within the European Union. Privacy and data processing addendum at plausible.io/data-policy and plausible.io/dpa. Plausible is not a subprocessor of Customer Content under an executed Data Processing Agreement; the thirty-day pre-notification commitment in DPA §6 therefore does not apply to its addition.

Each provider acts as a data processor under our instructions and is governed by its own privacy policy and our data-processing agreement with it. We do not share, sell, or transfer your information to any third party beyond this list. For links to each provider's current privacy statement, use the contact form.

Subprocessor change notice. For customers under an executed Data Processing Agreement, R&D Binder will give at least thirty (30) days' advance notice (where practicable) before engaging a new subprocessor that will process personal information, allowing the customer to raise reasonable objection on data-protection grounds (DPA §6). For non-DPA contacts (website visitors and inbound inquiries), R&D Binder will update this Privacy Policy and the /subprocessors page before adding a new subprocessor that materially affects personal-data processing.

International transfers. Personal data may be processed in the United States and other jurisdictions where our subprocessors operate, subject to applicable contractual and legal safeguards. Customers requiring specific transfer mechanisms (such as EU Standard Contractual Clauses or the UK International Data Transfer Addendum) may address those terms through an executed Data Processing Agreement.

Outside of that pipeline and the cookieless Plausible analytics beacon on the public marketing site, this site uses no advertising networks, chat widgets, embedded video, marketing pixels, or fingerprinting libraries. We use the system font stack rather than a third-party font service. We do not embed YouTube, Vimeo, X/Twitter, Calendly, Intercom, or any other widget. Outside of form submission and the Plausible beacon, the only outbound network call you will make from any page on this site is to follow a link you click yourself.

Publicity

Per Terms of Service §11, R&D Binder will not use your name, logo, or engagement details in marketing materials, case studies, or public references without your prior written consent. If you are willing to be identified as a customer, you may indicate so in writing via the contact form. Any consented use will be limited to factual descriptions of the engagement and will not disclose Confidential Information.

Children

This site is intended for an adult business audience. We do not knowingly collect any information from anyone under the age of 18, consistent with Terms of Service §1.

Your rights

R&D Binder itself generally does not maintain visitor-identifiable records for users who only browse the Site without submitting information; in that case, rights like access, rectification, deletion, and portability have nothing for R&D Binder to act on. If you have submitted the form or emailed us, you can exercise those rights through the contact form. We will acknowledge within 5 business days and complete the action within 30 business days, across each of the systems involved: our CRM, the email-delivery service's message logs, the contact-form operational storage, and our email threads. Invoices already paid are retained by our payment processor for the period required by tax law (generally 7 years); we can remove your name and company from any draft, unpaid, or voided invoice, but cannot delete paid-invoice records.

Identity verification. To protect you against fraudulent requests, R&D Binder may, at its discretion, take reasonable steps to verify your identity before fulfilling a request involving access, deletion, or portability of personal data (for example, by requesting that you confirm the request from the email address on file with us, or by asking you to provide information that only the data subject would reasonably know). R&D Binder will not require more verification than is reasonably necessary in light of the sensitivity of the requested action and the data involved, and will not deny a verified request without a documented reason permitted by applicable law.

The rights listed above (access, rectification, deletion, portability, and objection to processing) are intended to satisfy applicable obligations under California law (the California Consumer Privacy Act and California Privacy Rights Act) and EU and UK law (the General Data Protection Regulation and UK GDPR), where each applies. Residents of those jurisdictions have any additional rights granted by local law; we will honor any such rights on the same request mechanism. You also have the right to lodge a complaint with your local data-protection authority (in California, the California Privacy Protection Agency; in the EU, your member-state supervisory authority; in the UK, the Information Commissioner's Office).

California consumers. R&D Binder does not sell or share personal information as those terms are defined under the California Consumer Privacy Act and California Privacy Rights Act. R&D Binder does not use or disclose sensitive personal information for purposes other than those permitted under Cal. Civ. Code §1798.121(a). R&D Binder will not discriminate against you for exercising any right granted by California law, including by denying Services, charging different prices, or providing a different level or quality of Services.

Changes to this policy

If we materially change how we process personal information on this site - for example, by introducing tracking cookies, behavioral profiling, an advertising network, or a new service provider that processes personal data - we will update this page and change the "Last updated" date at the top. Material changes will be reflected before, not after, the change goes live.

Contact

Questions about this policy or about R&D Binder's data practices can be sent directly to hello@rdbinder.com or via the contact form. Privacy rights requests may be submitted by either method.

Aliso LLC
d/b/a R&D Binder
A California limited liability company
Orange County, California