Privacy Policy

Last updated: July 2, 2026

This Privacy Policy explains how Gross Automation, LLC ("we," "us," or "our") collects, uses, protects, and shares personal information when you visit our website at https://www.grossautomation.com — including our subdomains, such as events.grossautomation.com, which we operate for event registration — or interact with our services.

We have structured this policy to be plain, honest, and specific. Where we use a third-party service, we name it. Where we retain data, we say for how long. Where we rely on an architectural pattern to protect you, we describe it.

1. Who we are

Gross Automation, LLC is a Wisconsin-based industrial automation distributor founded in 1990. Approximately 80 to 85 percent of our business is with customers in the United States, with meaningful volume in Canada, additional customers in Mexico, and smaller numbers in the EEA, the UK, and Switzerland. We ship products worldwide except where prohibited by law, export controls, or vendor territorial restrictions. For the purposes of data protection law, Gross Automation, LLC is the data controller for personal information collected through this Website. Commercial terms governing purchases and the customer relationship are documented separately in our Terms & Conditions.

2. Our privacy design principles

Our approach reflects three commitments that inform every technical choice on our site:

  • We do not sell personal information to anyone. Our customer list is one of our most valuable business assets and we actively protect it from competitors.
  • Data minimization at the edge. Customer-facing records (quotes, contacts, newsletter signups) are moved to our ERP system of record (NetSuite) as soon as they are ready for business use. Where technically possible, local database rows are then scrubbed — email addresses replaced with placeholders, names cleared, sensitive fields nulled out — leaving only the NetSuite pointer needed for future reference.
  • UTM-over-cookies transparency. When we need to pass information between our applications — such as a search term, manufacturer name, or product category — we prefer URL parameters (UTMs) over cookies. Those parameters are visible to you in the address bar. We do not use hidden tracking identifiers to pass information behind the scenes, and the information we do pass this way is non-confidential by design.

3. Information we collect

Information you provide directly — through web forms, quote requests, contact and support inquiries, newsletter signups, customer satisfaction surveys, and product configurators:

  • Name, email address, phone number, company name, company website
  • Mailing and billing addresses (validated at submission time)
  • Product interests, categories, and industries selected
  • Message content and file attachments you choose to include
  • Explicit consent signals (marketing opt-in, cookie preferences)

Information collected automatically when you browse:

  • IP address, browser type, operating system, device type
  • Referring URL and basic interaction patterns (pages viewed, search queries, clicks)
  • Cookie and local-storage values (see our Cookie Policy)
  • Request metadata necessary for security (rate limiting, bot detection, threat assessment)

Where technically reasonable, we hash IP addresses (for example in our internal search analytics) rather than storing them in clear text. We rotate the hashing salt monthly to prevent long-term tracking of the same visitor.

Prospecting data from third parties. For business-to-business outreach, we may obtain professional contact information (name, title, company, business email) from data-broker services such as Apollo and Lusha. If you are an EEA or UK resident and we contact you based on such data, we will inform you of the source and your rights upon first contact, consistent with GDPR Article 14.

4. How we use your information

  • Process orders, prepare quotes, and deliver products and services
  • Respond to inquiries and provide customer support
  • Send transactional communications (order confirmations, shipping updates, quote responses)
  • Send marketing communications where you have opted in (you can unsubscribe at any time)
  • Improve our website, product catalog, and customer experience
  • Troubleshoot website issues and fix bugs
  • Protect our site and customers against abuse, fraud, and automated attacks
  • Comply with applicable legal, tax, and financial obligations

5. Legal bases for processing (for EEA/UK residents)

Where GDPR or UK GDPR applies, we rely on the following lawful bases:

  • Contract performance — processing orders, preparing quotes, fulfilling shipments, providing support
  • Consent — marketing emails, non-essential analytics cookies, session-recording analytics
  • Legal obligation — tax, accounting, and regulatory recordkeeping
  • Legitimate interest — site security, bot protection, threat intelligence, fraud prevention, service improvement, B2B prospecting where appropriate

6. Third parties we work with

We share information only with service providers who need it to support our operations, under appropriate confidentiality and data-protection terms. We do not sell personal information and we do not share it with advertising networks for targeting.

Hosting and infrastructure:

  • Amazon Web Services (AWS, us-east-1) — database, file storage, application hosting, logging
  • Cloudflare — content delivery network and security (all public traffic passes through Cloudflare)
  • Elastic Cloud on Google Cloud (us-central1) — product catalog search

Business operations:

  • NetSuite — our ERP system of record for customer accounts, quotes, and orders
  • Microsoft 365 — email delivery (transactional and support correspondence)
  • UPS Address Validation API — to confirm mailing addresses submitted on forms
  • Twilio Lookup API — phone number validation and carrier/line-type intelligence when our staff research a submitted phone number. Only the phone number itself is sent; Twilio returns the carrier, line type (mobile/landline/VoIP), and, where available, the registered caller name (CNAM).

Analytics and user-experience research (consent-gated):

  • Google Analytics 4 (via Google Tag Manager) — traffic patterns and site usage
  • Microsoft Clarity — heatmaps and session recordings used solely by Gross Automation staff for troubleshooting; Clarity automatically masks form inputs and visible personal information in recordings

Security (legitimate-interest basis):

  • Google reCAPTCHA — bot detection on our web forms (newsletter signup, contact, quote, and event registration)
  • AbuseIPDB — we contribute anonymized reports of IP addresses that have attacked our site (honeypots, scanners, scrapers) to this community security database. Routine website visitors and customers filling out forms are not reported.

Product catalog enrichment (no customer personal information involved):

  • OpenAI, Anthropic, Google (Gemini), Mistral, Perplexity, Nebius — AI/ML services used to classify, describe, and enrich product catalog data. These services process product and manufacturer information only, not customer personal data.

Embedded content:

  • YouTube and Vimeo — when you view embedded videos on our site, these providers receive your IP address and viewing activity under their own privacy policies

Web fonts on our site are self-hosted: loading our pages does not send font requests to Google Fonts or other third-party font services. We made this change for both speed and privacy.

Each of the third parties above has its own privacy policy describing how they handle data. Where personal data of EEA or UK residents is transferred outside those regions, we rely on appropriate safeguards (including Standard Contractual Clauses where the receiving vendor offers them).

7. Cookies, tracking, and advertising

We use essential cookies to operate the site (shopping cart, consent preferences, session state) and, with your consent in regulated regions, analytics cookies from Google Analytics and Microsoft Clarity. Full details, including cookie names and durations, are in our Cookie Policy.

We do not run advertising on our Website and we do not use advertising cookies or tracking pixels for ad targeting. In April 2026, as part of a broader privacy audit, we identified and removed several legacy advertising and remarketing tags that had been added to our site by an outside consultant. We also disabled Microsoft's MUID identifier in our analytics configuration so that visitor activity is not linked to Microsoft's advertising ecosystem.

You can manage your cookie preferences at any time using the consent banner and the Cookie Settings link in our footer (on desktop), or the cookie toggle in our footer (on mobile).

8. Data retention

Our retention approach reflects the data-minimization-at-edge architecture described above:

  • Newsletter signups — after confirmation and transfer to NetSuite, the local email address is replaced with a redacted placeholder; only the NetSuite reference remains locally. Unsubscribes update the subscription status; the underlying record remains for compliance tracking.
  • Quote and contact form submissions — the business details (customer, company, requirements) are retained in NetSuite as business records. Where technically practical, local database copies are scrubbed of personal data after the NetSuite handoff. Some legacy records in older tables are being migrated to this pattern.
  • Customer and order records in NetSuite — retained for a minimum of seven years to meet tax, accounting, and warranty obligations, and typically beyond that for the ongoing business relationship.
  • Website interaction logs — general access logs rotate daily and are retained for approximately seven days. Application logs in AWS CloudWatch are retained for thirty days.
  • Search queries and analytics — aggregated analytics data is retained for up to two years. Individual search queries are currently retained indefinitely; we are introducing a 90-day retention policy.
  • Security and threat-intelligence records — IP addresses flagged as attacking our site, bot-detection history, and similar records are retained as long as they remain useful to protect the site and our customers.

If you request deletion of your data, we will delete or anonymize information we hold about you across our systems, except where retention is required by law (for example tax records) or necessary to resolve disputes, enforce agreements, or protect our legitimate interests.

9. Your privacy rights

Depending on where you live, you may have the following rights over your personal information:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to fix inaccurate or incomplete information
  • Deletion — ask us to delete your personal data (subject to legal-retention exceptions)
  • Restriction — ask us to restrict processing of your data in specific circumstances
  • Objection — object to processing based on our legitimate interest, including marketing
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent — where we rely on consent (for example, marketing emails or non-essential cookies)

How to exercise your rights

Send a request to [email protected] or write to us at the address in section 17. Tell us which right you want to exercise and include enough information to identify yourself and the records involved.

We review each request manually. This is a deliberate safeguard: we verify the authenticity of the requester before acting, because impersonation attempts targeting customer data are a real risk in our industry. Where we cannot confirm authenticity from the information provided, we may ask for additional verification.

We aim to respond within 30 days of a verified request (45 days where permitted by law). If we cannot comply in full, we will explain why.

You can unsubscribe from marketing emails at any time by using the link in the footer of any marketing email or by visiting our unsubscribe page.

10. EEA, UK, and Swiss residents

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in section 9 under the GDPR / UK GDPR. You also have the right to lodge a complaint with your national data-protection supervisory authority if you believe we have mishandled your data.

When personal data of EEA, UK, or Swiss residents is transferred to the United States or other countries for processing, we rely on the safeguards provided in our vendors' standard Data Processing Agreements, which typically incorporate Standard Contractual Clauses or participation in the EU-US Data Privacy Framework where applicable. We do not separately negotiate custom transfer terms with individual data subjects.

11. Canadian residents

If you are a resident of Canada, your personal information is handled in a manner consistent with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. You may exercise the rights described in section 9 using the same process. You may also file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have not handled your information appropriately.

12. California and other US state residents

Gross Automation is a small business that does not meet the applicability thresholds of the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA) under California Civil Code §1798.140(d). Our annual gross revenue is below the statutory threshold, we handle personal information of well under 100,000 California residents per year, and we do not derive revenue from selling personal information. Similar state privacy laws in Colorado, Connecticut, Virginia, and Utah do not apply to us under their respective thresholds.

Notwithstanding non-applicability, we will reasonably accommodate access, correction, deletion, and opt-out requests from US residents using the process described in section 9.

13. Data security

We implement technical and organizational measures that we believe are appropriate to the nature of the data we handle, including:

  • HTTPS / TLS encryption for all public traffic
  • Password hashing using modern algorithms (bcrypt with a strong work factor)
  • Role-based access controls for staff, tied to Microsoft 365 identity and single sign-on
  • Automated bot protection, rate limiting, and threat detection
  • Encryption at rest for database and file storage provided by our hosting infrastructure
  • Ongoing security monitoring and regular route-level auth audits

No system is perfectly secure. If we become aware of a breach that affects your personal information, we will notify you and any applicable regulator in accordance with the law.

14. Children's privacy

Our Website and services are intended for business and professional use and are not directed to individuals under 18. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal information, contact us and we will delete it.

15. Automated decision-making

We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, vendors, or legal obligations. The "Last updated" date at the top of this page indicates when the most recent change was made. Material changes will be highlighted when we make them.

17. Contact us

For privacy-specific questions or to exercise a privacy right, please use the dedicated address below. For general inquiries, use our standard contact information.

Gross Automation, LLC
3680 North 126th Street
Brookfield, WI 53005
United States
Phone: (262) 252-1600
Privacy inquiries: [email protected]
General inquiries: [email protected]