Privacy Policy
Effective date: May 17, 2026 · Last updated: May 17, 2026
This Privacy Policy explains how Member Solutions ("we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our website, contact us through web forms, request information about our services, or otherwise interact with us. It is written to comply, in good faith, with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the seventeen other US state consumer privacy laws currently in force, the EU and UK General Data Protection Regulation (GDPR), and the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.
1. Scope of This Policy
Member Solutions provides billing services, payment processing, and member management software to businesses with recurring revenue. This policy covers personal information collected through our public-facing website at https://membersolutions.com, through web forms (contact, billing assessment, demo requests, lead-magnet downloads), through telephone and email correspondence with our sales and support teams, and through automated tools such as cookies and server logs.
This policy does not cover personal information collected from end-customers of our business clients (for example, members of a fitness studio that uses our software to bill their members). Where we act as a service provider or processor on behalf of a business client, that client's own privacy policy governs the personal information processed in their account. Our role and obligations in that context are described in the data processing agreement (DPA) we sign with each client.
2. Information We Collect
We collect personal information that falls into the following CCPA/CPRA categories. Each category lists the specific data elements involved and whether collection is direct (you provide it) or automatic (collected by our systems).
A. Identifiers
- Full name
- Business email address
- Business telephone number
- Mailing or business address (when provided for a quote or contract)
- Internet Protocol (IP) address of the device you use to interact with our site
- Online identifiers, including our first-party cookies (described in Section 13) and a server-issued client identifier used to deduplicate analytics events
B. Commercial Information
- Records of services you have inquired about or purchased from us
- Pricing proposals, signed agreements, and invoice records (where applicable)
- Communication history with our sales, billing, and support teams
C. Internet or Other Electronic Network Activity
- Pages viewed on our website, time and duration of each visit, and click and scroll patterns
- Referring URL (the page or search engine that linked you to us)
- UTM parameters and other campaign attribution tokens present in your URL when you arrive
- Device type, operating system, browser type and version, screen resolution, and timezone
- HTTP request headers, including User-Agent string and Accept-Language
D. Geolocation Information (Inferred, Not Precise)
We infer approximate city, region, and country from your IP address using a third-party IP geolocation service (currently ip-api.com). This inference is at the city level only. We do not collect precise GPS coordinates, and we do not request location permissions from your browser or device.
E. Professional or Employment-Related Information
- Business name, industry vertical, and approximate company size (when you provide them on a form)
- Job title or role (when relevant to qualifying a sales inquiry)
- Approximate monthly billing volume or recurring revenue (when you choose to share it on the free billing assessment form)
F. Technical Submission Metadata
When you submit a form, our server records a set of technical signals that help us combat fraud and spam, debug delivery issues, and reconcile analytics. These signals are captured automatically and are not extracted from your form fields:
- IP address and inferred city/region (as described above)
- User-Agent string, browser name, browser version, operating system
- Screen resolution and color depth
- Browser-reported timezone
- Referring page and the page the form was submitted from
- Server-side timestamp of the submission
- A request fingerprint used to detect duplicate or scripted submissions
We do not collect Social Security numbers, driver's license numbers, financial account numbers, payment card numbers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric data, health information, or sex-life or sexual-orientation information through our public website. If you provide any such information voluntarily in a free-text field, we treat it as if it were any other inquiry record and store it under the same protections.
3. Sources of Information
We obtain personal information from three sources:
- Directly from you. When you fill out a contact form, request a free billing assessment, sign up for a webinar, download a lead magnet, call our phone number, email us, or chat with us through the chat widget on our site.
- Automatically from your device. When you visit our site, our web server, analytics shim, and CDN log standard technical signals — IP address, request headers, page-view events, and timing data — as described in Section 2.
- From third parties (rare). We do not currently purchase contact lists or buy prospect data from data brokers. We may, occasionally, receive a referral introduction from an existing client or partner — in which case the referrer provides your name and a way to contact you with your permission.
4. How We Use Your Information
We use the personal information we collect for the following business and commercial purposes:
- Service delivery and inquiry response. Responding to your contact form, billing assessment request, or sales inquiry; preparing pricing proposals; onboarding you as a client if you decide to proceed.
- Marketing communications. Sending you, with your consent or under our legitimate interest where permitted, follow-up emails relevant to the inquiry you started, occasional educational content (operator playbooks, retention guides, billing benchmarks), and product announcements. Every marketing email contains a one-click unsubscribe link.
- Analytics and product improvement. Understanding which pages and content perform well, where users encounter friction, and how our marketing campaigns convert — so we can improve the site and our messaging.
- Fraud prevention and security. Detecting and blocking spam form submissions, scripted abuse, brute-force attempts, and other malicious traffic. Our CDN and WAF provider applies its own fraud and bot detection on traffic before it reaches our origin server.
- Legal compliance and recordkeeping. Retaining records required by law, responding to lawful requests from courts or regulators, and exercising or defending legal claims.
- Operational and debugging. Reproducing and diagnosing technical issues reported by users, monitoring uptime and error rates, and ensuring forms reliably deliver to our internal systems.
5. Who Receives Your Information
We share personal information with a small number of third-party service providers (sometimes called "processors" or "sub-processors") who help us operate our website, communicate with prospects and clients, and analyze traffic. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising (see Section 7).
The processors we currently use:
- HubSpot, Inc. — Customer relationship management (CRM) and marketing automation. Form submissions, contact records, and email communications are stored in HubSpot. HubSpot Privacy Policy · HubSpot DPA.
- Resend, Inc. — Transactional email delivery (form confirmations, lead-magnet delivery, internal notifications to our team). Resend Privacy Policy · Resend DPA.
- Cloudflare, Inc. and Imperva, Inc. — Content delivery network (CDN), web application firewall (WAF), and distributed-denial-of-service (DDoS) protection. Network-level traffic, including IP addresses and request headers, transits these providers before reaching our origin. Cloudflare Privacy Policy · Imperva Privacy Policy.
- Google LLC (Google Analytics 4) — Aggregate website traffic analytics. Events are sent server-side via the GA4 Measurement Protocol on most pages, and via the standard gtag.js client-side library on a limited allowlist of conversion-critical pages. Google Privacy Policy.
- ip-api.com (Linkkit Networks Ltd.) — IP-to-city geolocation lookup used for spam detection and lead context. We pass only the IP address; we receive back inferred city and region. ip-api.com Legal.
We may also disclose personal information to (a) our professional advisors (lawyers, accountants, auditors) under duties of confidentiality; (b) a successor entity in connection with a merger, acquisition, or sale of assets; and (c) government authorities or other parties when required by law, court order, or to protect our rights, property, or safety.
We require every processor that handles personal information on our behalf to do so under a written contract (typically a DPA) that limits their use of the information to the services they provide to us, requires appropriate security safeguards, and prohibits onward sale.
6. Categories of Information Disclosed in the Past 12 Months
In the 12 months preceding the effective date of this policy, we have disclosed the following CCPA/CPRA categories of personal information for a business purpose:
- Identifiers — disclosed to HubSpot, Resend, Cloudflare, Imperva, Google Analytics, ip-api.com
- Commercial information — disclosed to HubSpot
- Internet or network activity — disclosed to Cloudflare, Imperva, Google Analytics, HubSpot
- Geolocation (inferred, city-level only) — disclosed to ip-api.com (origin) and HubSpot (storage)
- Professional or employment-related information — disclosed to HubSpot
7. "Sale" and "Sharing" Disclosure
We do not sell personal information as that term is defined in the CCPA/CPRA or any other US state consumer privacy law. We do not share personal information for cross-context behavioral advertising (sometimes called "targeted advertising"). We do not run third-party advertising trackers on our site. We do not allow advertising networks, social media platforms, or data brokers to read our cookies or attach pixels to our pages.
We have not sold or shared personal information in the 12 months preceding the effective date of this policy, and we have no plans to do so. If this changes, we will update this policy and provide a right-to-opt-out mechanism in advance, as required by law.
8. Data Retention
We retain personal information only as long as needed for the purposes described in this policy, or as required by law. The following retention periods apply:
- Contact and inquiry records (HubSpot). Retained while you remain an active prospect or client and for a reasonable follow-up period thereafter. Inactive prospect records may be retained indefinitely for sales-intelligence and re-engagement purposes; we are reviewing a defined retention schedule and will update this section when it is in place.
- Server-side form submission archive. A copy of each contact-form submission is also written to our origin server's internal records for delivery-failure recovery and dispute resolution. These records are currently retained indefinitely; pruning automation is an open follow-up.
- Analytics events (Google Analytics 4). Retained according to the GA4 data retention setting on our property, currently set to 14 months for event-level data. Aggregate reports persist longer.
- Server logs (origin and CDN). Retained typically for 30 to 90 days for security and operational purposes, with longer retention for security incidents under investigation.
- Marketing email engagement records (opens, clicks). Retained while you are a subscriber and for a reasonable period after unsubscribe to honor the unsubscribe and prevent re-add.
- Cookies. Per their stated lifetimes (see Section 13).
You may request deletion of your personal information at any time, subject to limited exceptions described in Section 9 (for example, where we must retain a record to comply with a legal obligation or to defend a legal claim).
9. California Residents — CCPA/CPRA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know. The right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we have shared it, over the past 12 months (or, since January 1, 2022, on request).
- Right to delete. The right to request that we delete personal information we have collected from you, subject to legal exceptions.
- Right to correct. The right to request that we correct inaccurate personal information we maintain about you.
- Right to opt out of sale and sharing. The right to direct us not to sell your personal information or share it for cross-context behavioral advertising. As noted in Section 7, we do not currently sell or share, so this right is honored automatically.
- Right to limit use of sensitive personal information. The right to limit our use of sensitive personal information to the specific purposes permitted by CCPA/CPRA. We do not collect or use sensitive personal information for any purpose beyond what CCPA/CPRA permits without an opt-out.
- Right to non-discrimination. We will not discriminate against you for exercising any of these rights — your service, pricing, or quality of treatment will not change.
- Right to data portability. A subset of the right to know; on request we will provide a copy of your personal information in a structured, commonly used, machine-readable format.
How to exercise these rights. Email us at info@membersolutions.com with the subject line "Privacy Rights Request" and tell us which right you wish to exercise. We will respond within 45 days (extendable by an additional 45 days where reasonably necessary, with notice to you). To protect your privacy, we will verify your identity by asking you to confirm two or more pieces of identifying information already in our records (typically your name, the email address used to contact us, and the approximate date or topic of your inquiry).
Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide written, signed permission from you, and we may still require you to verify your own identity directly.
"Shine the Light" (California Civil Code § 1798.83). California residents may also request, once per calendar year, a list of personal information disclosed to third parties for those third parties' direct-marketing purposes during the prior calendar year. We do not disclose personal information for third-party direct marketing, so the response to such a request will be that no such disclosures occurred.
10. Other US State Privacy Rights
Residents of the following US states have consumer privacy rights under their respective state laws. We honor these rights on the same terms set out below, regardless of which state's law strictly applies, in order to maintain a consistent practice. The applicable laws are:
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Montana Consumer Data Privacy Act (MCDPA)
- Iowa Consumer Data Protection Act (ICDPA)
- Tennessee Information Protection Act (TIPA)
- Indiana Consumer Data Protection Act (INCDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Kentucky Consumer Data Protection Act (KCDPA)
- Maryland Online Data Privacy Act (MODPA)
- Minnesota Consumer Data Privacy Act (MCDPA-MN)
- Nebraska Data Privacy Act (NDPA)
- New Hampshire Data Privacy Act (NHDPA)
- New Jersey Data Privacy Act (NJDPA)
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)
If you are a resident of any of these states, you have the right to:
- Access the personal information we hold about you.
- Correct inaccuracies in your personal information.
- Delete personal information we have collected from you (subject to legal exceptions).
- Portability — obtain a copy of your personal information in a portable, machine-readable format.
- Opt out of targeted advertising — we do not engage in targeted advertising, so this right is honored automatically.
- Opt out of the sale of personal information — we do not sell personal information, so this right is honored automatically.
- Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in such profiling.
Texas residents. Under the Texas Data Privacy and Security Act, controllers that sell sensitive personal data or biometric personal data must post specific notices on their site. We do not sell either category of data and therefore no such notice is required. If you are a Texas resident, you have all the rights listed above and may exercise them as described in Section 16.
Appeals. If you disagree with our response to a privacy rights request, several state laws (including Virginia, Colorado, Connecticut, Texas, and others) give you the right to appeal. To appeal, reply to the response email or send a new email to info@membersolutions.com with the subject "Privacy Rights Appeal." We will respond within 60 days. If your appeal is denied, you may contact your state Attorney General's office.
11. European Union, United Kingdom, and Other GDPR-Equivalent Jurisdictions
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction whose data protection law mirrors the General Data Protection Regulation (collectively, "GDPR jurisdictions"), the rights and disclosures in this section apply to you in addition to anything stated above.
Controller. For personal information collected through our public website and forms, Member Solutions is the data controller. Contact details are in Section 18.
Legal bases for processing. We process personal information under one or more of the following GDPR Article 6 legal bases:
- Consent (Article 6(1)(a)). Where you have given clear consent — for example, by submitting a form, ticking a marketing opt-in box, or accepting non-essential cookies (when our cookie consent mechanism is in place).
- Performance of a contract (Article 6(1)(b)). Where processing is necessary to deliver a service or product you have requested, including pre-contract steps like preparing a proposal.
- Legitimate interests (Article 6(1)(f)). Where processing supports our legitimate interest in operating our business — for example, security and fraud prevention, follow-up on a sales inquiry, basic website analytics, and product improvement — provided that our interests are not overridden by your fundamental rights and freedoms. We have documented these balancing tests internally and can share an overview on request.
- Legal obligation (Article 6(1)(c)). Where we must retain or disclose information to comply with applicable law.
Your rights. Under GDPR, you have the rights to:
- Access your personal information and obtain a copy.
- Rectification — correct inaccurate or incomplete personal information.
- Erasure ("right to be forgotten") — request deletion of your personal information, subject to GDPR's limited exceptions.
- Restriction of processing in certain circumstances.
- Data portability — receive your personal information in a structured, commonly used, machine-readable format.
- Object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu; UK residents may contact the Information Commissioner's Office at ico.org.uk.
Automated decision-making. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling.
Cookie consent. We are working toward implementing an explicit cookie consent mechanism for EU/UK visitors that meets the standards of the ePrivacy Directive and GDPR. Until that mechanism is live, we limit cookies to those that are strictly necessary or analytics-only (no advertising or cross-context behavioral tracking).
12. Canadian Residents — PIPEDA
If you are a resident of Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and the substantially similar provincial laws of Quebec (Law 25), British Columbia (PIPA), and Alberta (PIPA), apply to our collection and use of your personal information.
You have the right to:
- Access the personal information we hold about you.
- Correct personal information that is inaccurate, incomplete, or out of date.
- Withdraw consent to our continued collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice.
- File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca, or with the privacy regulator in your province.
Our Privacy Officer for purposes of PIPEDA can be reached at info@membersolutions.com with the subject line "PIPEDA Inquiry."
13. Cookies and Tracking Technologies
A cookie is a small text file stored by your browser when you visit a website. We use a small number of first-party cookies and one third-party analytics cookie. We do not use third-party advertising cookies, social-media tracking pixels, or any cookie that supports cross-context behavioral advertising.
The cookies we set:
- msi_first_touch — First-party cookie that stores the first marketing source, medium, and campaign (UTM parameters) that brought you to our site, plus a timestamp. Used for attribution. Lifetime: 30 days.
- msi_session_n — First-party cookie that increments to count the number of distinct sessions you have had with us. Used to distinguish first-visit from returning-visitor analytics. Lifetime: 2 years.
- msi_client_id — First-party identifier set by our origin server on first contact, used to join events between the browser and server-side analytics destinations. Lifetime: 2 years.
- _ga — Standard Google Analytics 4 cookie that distinguishes unique visitors. Set only on the limited allowlist of pages where the gtag.js client-side library loads. Lifetime: 2 years.
- Strictly necessary cookies. Our CDN/WAF provider may set short-lived cookies for bot detection and security challenges. These cannot be disabled without breaking the site's basic security posture.
How to control cookies. Most browsers let you block or delete cookies through their settings. If you block analytics cookies, our site will continue to work, but our analytics will undercount your visits. You can also opt out of GA4 specifically by installing the Google Analytics opt-out browser add-on.
Global Privacy Control (GPC). Some browsers transmit a "Sec-GPC: 1" HTTP header to indicate the user does not want their personal information sold or shared. Because we do not sell or share personal information (Section 7), there is no sale or share for GPC to suppress. We do not currently honor GPC as an instruction to disable analytics or marketing emails specifically; building network-level GPC honoring is an open follow-up item.
Do Not Track. Most browsers transmit a Do Not Track signal that has no consistent industry-wide interpretation. We do not respond to Do Not Track signals at this time.
14. Children's Privacy
Our website and services are intended for business users. We do not knowingly collect personal information from children under the age of 13 (or under the age of 16 for residents of certain jurisdictions), in compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent international standards.
If we learn we have collected personal information from a child under the applicable age of consent, we will delete that information promptly. If you are a parent or guardian who believes a child has provided us with personal information, please contact us at info@membersolutions.com.
15. International Data Transfers
Member Solutions is headquartered in the United States. The processors we use (HubSpot, Resend, Cloudflare, Imperva, Google, ip-api.com) operate global infrastructure and may process personal information in countries outside your home jurisdiction, including in the United States, Canada, the European Union, the United Kingdom, and other locations.
Where personal information of EU, UK, or Swiss residents is transferred to a country outside the EEA, UK, or Switzerland that has not received an adequacy decision, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses (SCCs) — which our processors include in their standard data processing agreements — and, where applicable, supplementary technical and organizational measures.
For Canadian residents, we will inform you in this policy and through other appropriate means if personal information is processed outside Canada. By submitting personal information to us, you understand and accept that it may be transferred to and processed in the United States and other jurisdictions whose data protection laws may differ from those of your home country.
16. How to Exercise Your Rights
To exercise any of the rights described in this policy — whether under CCPA/CPRA, another US state law, GDPR, PIPEDA, or otherwise — please send an email to info@membersolutions.com with one of the following subject lines, depending on what you would like:
- "Privacy Rights Request — Access"
- "Privacy Rights Request — Deletion"
- "Privacy Rights Request — Correction"
- "Privacy Rights Request — Portability"
- "Privacy Rights Request — Opt-Out"
- "Privacy Rights Request — Other"
What to include. Please tell us (a) which right you wish to exercise; (b) the email address or other identifier you used when interacting with us, so we can locate your record; and (c) any additional context that will help us understand your request.
Verification. To protect your privacy and prevent fraud, we will verify your identity before responding to substantive requests. Typically this means asking you to confirm two or more pieces of identifying information already in our records — for example, your name, the email address used to contact us, and the approximate date or topic of your inquiry. We will not use this information for any purpose other than verification.
Response time. We will acknowledge receipt of your request within 10 business days and respond substantively within 45 days. If we need additional time, we will tell you why and extend by up to 45 additional days (CCPA/CPRA) or one additional month (GDPR), as the applicable law permits.
Cost. Exercising your rights is free. We may charge a reasonable fee, or refuse to act, only where the law expressly permits — for example, where a request is manifestly unfounded or excessive, particularly because of its repetitive character.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, changes in applicable law, or feedback from users and regulators. When we do, we will update the "Effective date" and "Last updated" lines at the top of this page.
For material changes — for example, the introduction of a new category of personal information, a new processor with access to your data, or a new sharing practice — we will provide more prominent notice. Where we have your email address on file and you have an active relationship with us, this typically means a direct email notification, in addition to an in-product banner on the site for the first 30 days after the change takes effect. Where applicable law requires prior consent for a change, we will obtain that consent before the change takes effect for you.
Older versions of this policy will be retained internally and are available on request via the address in Section 18.
18. Contact Us
If you have questions about this Privacy Policy, would like to exercise any of the rights described above, or have any other privacy-related concern, please contact us:
This Privacy Policy was prepared in good faith to align with current US, EU, UK, and Canadian privacy law as of the effective date. It has not yet been reviewed by external legal counsel; if you are an attorney, regulator, or compliance professional and notice something that should be tightened, please write to us — we treat that feedback as a priority.