1. Introduction and Scope
Zaruba INC (formerly BlueBird IT LLC), a California stock corporation converted from a California limited liability company on August 19, 2025 pursuant to California Corporations Code §17710.03, with California Secretary of State Entity Number 202463017518 (the "Company," "Zaruba," "we," "us," or "our"), is a United States defense engineering company that designs and manufactures unmanned aerial systems, electronic-warfare equipment, drone-detection technology, radio signal detection systems, and related defense systems for the United States Department of Defense, federal agencies, prime contractors, and allied governments.
We are committed to protecting the privacy, operational security, and civil liberties of the individuals and entities who interact with us.
This Privacy Notice describes how we collect, use, share, retain, and protect personal information in connection with:
- our public website located at https://zaruba.tech (the "Site");
- our business and government sales activities (RFI/RFQ submissions, partnership inquiries, procurement discussions);
- our recruiting and hiring activities;
- our supplier and vendor management activities;
- our marketing and communications activities; and
- our other business operations described in this Privacy Notice.
This Privacy Notice is intended to provide the information required under applicable data protection laws, including information about the categories of personal information we collect, the purposes and lawful bases for processing, the categories of recipients, retention periods, international transfers, and privacy rights.
Where the California Consumer Privacy Act, as amended by the California Privacy Rights Act and implementing regulations (“CCPA”), applies to us, this Privacy Notice also serves as our Notice at Collection. If the CCPA does not apply to us because we do not meet the statutory thresholds, we may still extend certain CCPA-style privacy rights as a matter of best practice.
2. Critical Scope Limitation
This Privacy Notice applies exclusively to our public-facing digital properties and corporate operations. It does NOT apply to:
- the operational deployment of our hardware products (drone detectors, FPV combat drones, ground stations, retransmitters, electronic-warfare systems);
- the handling of Controlled Unclassified Information ("CUI"), classified national-security data, ITAR-controlled technical data, EAR-controlled technology, or telemetry generated during active military operations;
- the processing of personal data inside customer-operated or government-operated systems that incorporate our hardware.
Such data is governed by specific Department of Defense contracts, the Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012), the National Institute of Standards and Technology framework (NIST SP 800-171), and separate secure data-handling protocols agreed under applicable contractual or regulatory obligations.
The Site is not an interface for managing, controlling, configuring, or monitoring any of our hardware products. It is an informational and business-development platform.
Where a separate agreement, government contract, security protocol, or product-specific notice applies, that separate document will govern the relevant processing activity.
3. Security Warning — Do Not Submit Restricted Information
This Site is a public-domain asset. Do not submit through public contact forms, email links, file uploads, or other public Site features:
- classified information of any kind;
- Controlled Unclassified Information ("CUI");
- ITAR-controlled technical data (22 C.F.R. Parts 120–130);
- EAR-controlled technology or software (15 C.F.R. Parts 730–774);
- engineering drawings, non-public product specifications, source code, schematics, or build instructions;
- mission-critical operational parameters, tactical deployment requirements, sensor data, or telemetry;
- non-public information of the U.S. Government, any other government, any prime contractor, or any allied force.
If Zaruba requires the exchange of restricted information in connection with a sales inquiry, partnership, or procurement, our compliance team will initiate an offline, secure, and verified channel after confirming "U.S. Person" status (22 C.F.R. § 120.62) and any required export license, technical-assistance agreement, or end-use authorization.
If you submit information contrary to this notice, we may delete, quarantine, decline to review, or otherwise restrict handling of the submission to protect our systems, personnel, customers, and compliance posture. Unauthorized transmission of export-controlled data may constitute a violation of federal law under 22 U.S.C. § 2778 (AECA) or 50 U.S.C. § 4819 (ECRA).
4. Who You Are to Us
We treat the personal information we collect differently depending on your relationship with us. The categories of individuals to whom this Privacy Notice applies are:
- Site Visitors — anyone who browses zaruba.tech;
- Business and Government Contacts — individuals who submit RFIs, RFQs, sales inquiries, partnership inquiries, or media inquiries on behalf of a federal agency, prime contractor, allied government, or other organization;
- Job Applicants — individuals who apply, or whose information is submitted, to fill an open position at the Company;
- Suppliers and Vendors — individuals who interact with us as representatives of a vendor, supplier, consultant, or service provider.
- Other Contacts — individuals who communicate with us by email, phone, events, forms, or other channels.
We do not maintain consumer accounts and we do not sell goods or services to consumers through this Site. We do not use personal information collected through this Site for consumer retail profiling, abandoned-cart marketing, consumer loyalty programs, or online checkout analytics, because this Site does not operate a consumer e-commerce flow.
5. Categories of Personal Information We Collect
In the preceding twelve (12) months, we have collected, or may have collected, the following categories of personal information, as defined under the CCPA. We apply a principle of data minimization: we collect only what is reasonably necessary for the stated B2G/B2B, recruiting, security, and compliance purposes.
|
Category |
Examples |
Source |
Business Purpose |
|
A. Identifiers |
Name, business postal address, business email, business phone, professional title, employer, government agency affiliation, IP address, device identifier, online identifier |
Directly from you; automatically via first-party cookies + Google Analytics (where enabled after consent ); from your employer; public sources (SAM.gov, LinkedIn for prospecting) |
Identity verification; B2G procurement; site administration; web analytics |
|
B. Customer Records (Cal. Civ. Code §1798.80(e)) |
Name, address, telephone in contact / RFI / RFQ submission |
Directly from you via corporate communications |
Process RFI / RFQ; facilitate contracting |
|
C. Commercial Information |
Products, programs, capability briefs requested; contract or evaluation history with government / commercial customers |
Directly from you during B2B / B2G consultations |
Provide product specifications; align solutions with mission parameters |
|
D. Internet / Network Activity |
Pages visited, time on page, referring URL, browser type, language, navigation paths, page-level events |
Server logs + first-party cookies + Google Analytics 4 and Google Tag Manager (where enabled after consent r) + Cloudflare security logs (where applicable) |
Site security, structural integrity, performance, marketing analytics |
|
E. Professional / Employment Information |
Job title, employer, work history, professional licensure, security-clearance status, resume / CV |
Directly from applicants via careers email; from recruiting platforms; from references |
Evaluate candidates; conduct U.S. Persons / export-control screening; clearance processing |
|
F. Education Information |
Academic institutions, degrees, certifications |
Directly from applicants |
Evaluate candidates |
|
G. Sensory Information |
Audio of telephone calls (with notice and continued participation); video from physical-security cameras at our facilities |
Directly from you (with notice); facility security cameras |
Customer-service quality, facility security |
|
H. Inferences |
Suitability for a role; qualification under U.S. Persons criteria; fit with procurement opportunity |
Derived from categories above |
Recruiting; B2G procurement qualification; security assessment |
|
I. Sensitive Personal Information ("SPI") |
(i) Government IDs (SSN, passport number, DDTC PIN where applicable); (ii) Immigration / citizenship status (22 C.F.R. § 120.62); (iii) Precise geolocation (only if voluntarily provided for site-visit scheduling) |
Directly from applicants / federal points of contact where strictly necessary |
U.S. Persons verification; security-clearance processing; export-control screening |
We do not knowingly collect biometric information, racial or ethnic origin, religion, union membership, health information, sex life or sexual-orientation data, or genetic information through the Site.
Use of Sensitive Personal Information. We do not use or disclose SPI for purposes other than those listed in 11 C.C.R. § 7027(m). We do not use SPI to infer characteristics about you. We do not use SPI for cross-context behavioral advertising. We do not intentionally disclose SPI to Google Analytics, Google Tag Manager, advertising platforms, or marketing analytics services, and such tools should be configured to prevent the collection of SPI.
6. Sources of Personal Information
We collect personal information from the following categories of sources:
- directly from you, when you submit a form, send us an email, apply for employment, attend an industry event we host or sponsor, or interact with us in person;
- automatically, through first-party cookies and a small set of authorized third-party services on the Site, including Google Tag Manager and Google Analytics 4 (including Google Tag Manager and Google Analytics 4, where enabled after consent and subject to applicable data-processing, service-provider, contractor, or similar contractual terms For full details and links to their privacy policies, see our Cookie Notice at https://zaruba.tech/cookie-policy;
- automatically, through security and infrastructure providers such as Cloudflare (bot protection, web application firewall) and Captcha providers (Google reCAPTCHA / Cloudflare Turnstile) on contact and recruiting forms — each operating under its own privacy policy;
- from your employer, your government agency, your prime contractor, or another organization that has identified you as a point of contact;
- from publicly available sources, including company websites, government registries (such as SAM.gov, USASpending.gov, GovWin, FPDS), industry directories, trade-show registrations, and professional social networks (such as LinkedIn) when used in a sales-prospecting context;
- from service providers and contractors acting on our behalf (such as background-check vendors, recruiting platforms, hosting providers, applicant tracking systems where applicable, and customer-relationship-management providers including KeyCRM), in each case as permitted by law and contract.
7. Purposes for Which We Use Personal Information
We use personal information for the following business and commercial purposes, each consistent with the context in which the information was collected:
- responding to RFI / RFQ, sales, partnership, and media inquiries;
- qualifying, evaluating, and pursuing federal, state, allied, and commercial defense procurement opportunities;
- recruiting, evaluating, and hiring Job Applicants, including U.S. Persons verification, export-control screening, security-clearance processing, and pre-employment background and reference checks where permitted by law;
- administering, securing, and improving the Site and our information systems, including detecting and preventing fraud, unauthorized access, and other security incidents;
- measuring and analyzing site traffic, visitor behavior, conversion rates, and marketing-campaign effectiveness through Google Analytics 4 and Google Tag Manager (only after user opt-in via the cookie banner, and never for visitors with a Global Privacy Control signal);
- administering and performing contracts with the U.S. Government, federal agencies, prime contractors, allied governments, and commercial customers, including fulfilling contractual flow-down requirements;
- complying with U.S. export-control laws (ITAR; EAR), federal acquisition regulations (including Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232), federal-contractor anti-discrimination and equal-employment laws, and applicable state and local laws;
- responding to lawful requests from law-enforcement, regulatory, and national-security authorities;
- defending and asserting legal rights and complying with our own record-keeping obligations, including the five-year recordkeeping requirement under 22 C.F.R. § 122.5(b) and 15 C.F.R. § 762.6;
- general site administration; managing customer relationships through our customer-relationship-management system (KeyCRM); and conducting other business operations as reasonably necessary.
8. Lawful Bases for Processing under GDPR
Where GDPR, UK GDPR, Swiss data protection law, or similar data protection laws apply, we rely on the following lawful bases:
● Responding to RFI/RFQ, sales, partnership, media, supplier, vendor, and other business inquiries — legitimate interests; pre-contractual steps where applicable.
● Qualifying, evaluating, and pursuing procurement opportunities — legitimate interests; pre-contractual steps; legal obligation where applicable.
● Recruiting, evaluating, and hiring job applicants — pre-contractual steps; legitimate interests; legal obligation; consent where required.
● Administering, securing, and improving the Site and our information systems — legitimate interests.
● Measuring and analyzing site traffic and marketing effectiveness through analytics and tag-management technologies — consent, where required by law.
● Administering and performing contracts — performance of a contract; legitimate interests; legal obligation.
● Complying with legal, regulatory, contractual, audit, security, and recordkeeping obligations — legal obligation; legitimate interests.
● Responding to lawful requests and protecting legal rights — legal obligation; legitimate interests.
● Managing customer, supplier, vendor, and partner relationships — legitimate interests; performance of a contract.
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect processing that occurred before consent was withdrawn. Where processing is based on legitimate interests, we balance our interests against your rights, freedoms, and expectations.
9. How We Share Personal Information
We disclose personal information to the categories of recipients listed below for the business purposes described in Section 7.
Sale / Share Disclosure. We do not sell personal information for monetary consideration. We do transmit limited personal information (online identifiers, IP address, browser / device metadata, page-view events) to Google LLC in connection with our use of Google Analytics 4 and Google Tag Manager, and we may, with your separate opt-in, transmit similar limited information to other authorized advertising service providers. Under the CCPA, depending on how regulators interpret the use of these services, this transmission may be considered "sharing" for cross-context behavioral advertising purposes. We honor opt-out requests (including the Global Privacy Control signal) for this transmission. See Section 12 below.
Categories of recipients:
- Affiliates and Subsidiaries. For the purposes described in this Privacy Notice, subject to the same protections.
- Service Providers and Contractors. Vendors that provide hosting, email delivery, customer-relationship management ("CRM"), applicant tracking (where applicable), background-check, IT, security, audit, legal, web analytics, tag management, security and bot protection, and anti-bot challenge services, in each case bound by written contracts that limit their use of the information to the services provided. Each service operates under its own privacy policy:
- Google LLC (Google Analytics 4, Google Tag Manager, Google Ads, Google reCAPTCHA, YouTube embedded videos) — https://policies.google.com/privacy
- Meta Platforms, Inc. (Facebook, Instagram, Threads, WhatsApp Business — to the extent any pixel or business tool is deployed) — https://www.facebook.com/privacy/policy
- LinkedIn Corporation (LinkedIn Insight Tag, if and when deployed) — https://www.linkedin.com/legal/privacy-policy
- X Corp. (X / Twitter Ads Pixel, if and when deployed) — https://twitter.com/en/privacy
- Reddit, Inc. (Reddit Pixel, if and when deployed) — https://www.reddit.com/policies/privacy-policy
- Cloudflare, Inc. (security, web application firewall, bot protection, Turnstile, if and where deployed) — https://www.cloudflare.com/privacypolicy/
- KeyCRM (customer-relationship management) — privacy policy available at https://keycrm.app
- Hetzner Online GmbH (hosting provider) — privacy policy available at https://www.hetzner.com/legal/privacy-policy/
- U.S. Government Customers and Prime Contractors. When reasonably necessary to qualify for, perform under, or report compliance with a federal contract or subcontract, including disclosures required by 22 C.F.R. Parts 122 and 130, FAR Subpart 4.21 (Section 889), and DFARS 252.204-7012 where applicable.
- Federal, State, and Foreign Authorities. When required by law, legal process, court order, or to respond to a national-security or law-enforcement request.
- Professional Advisors. Accountants, auditors, attorneys, and consultants subject to confidentiality obligations.
- Acquirers. In connection with a corporate transaction such as a merger, acquisition, financing, restructuring, or asset sale.
- With Your Consent. To any other recipient where you direct us to do so.
Some vendors act as our service providers or contractors. Others, especially analytics, advertising, embedded-media, and social-media providers, may also act as independent controllers, third parties, businesses, or similar roles under applicable law.
We are based in the United States. If you access the Site from outside the United States, your personal information may be transferred to, stored in, or processed in the United States and other jurisdictions. Where GDPR, UK GDPR, Swiss data protection law, or similar laws apply, we rely on appropriate safeguards for international transfers where required, such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable to a certified recipient, Standard Contractual Clauses, contractual safeguards with service providers, and other lawful transfer mechanisms. You may contact us for more information about the safeguards used for international transfers.
10. Export Controls — ITAR, EAR, and U.S. Persons
This Site contains general marketing information about products and capabilities that may be subject to U.S. export-control laws, including the International Traffic in Arms Regulations (22 C.F.R. Parts 120–130) ("ITAR") and the Export Administration Regulations (15 C.F.R. Parts 730–774) ("EAR"). Detailed technical data about controlled products is not made available through public Site pages.
We may, in connection with a sales inquiry or job application, ask you to confirm whether you qualify as a "U.S. Person" within the meaning of 22 C.F.R. § 120.62. Where access to controlled technical data is necessary, we may decline to share that data, or may make it available only after obtaining an export license, technical-assistance agreement, or other authorization from the U.S. Department of State Directorate of Defense Trade Controls ("DDTC") or the U.S. Department of Commerce Bureau of Industry and Security ("BIS").
If and to the extent Company engages in the manufacture or export of defense articles within the meaning of 22 C.F.R. § 120.6 — including unmanned aerial systems (ITAR Category VIII) and electronic warfare equipment (ITAR Category XI) — Company will comply with the registration requirements of 22 C.F.R. § 122.1. We retain records relating to ITAR-controlled activities for a minimum of five (5) years from the expiration of the relevant license, agreement, exemption, or transaction date, in accordance with 22 C.F.R. § 122.5. We retain records relating to EAR-controlled activities for a minimum of five (5) years in accordance with 15 C.F.R. § 762.6.
11. Federal Contractor and Section 889 Statement
Zaruba is a defense engineering company that may, from time to time, become a federal contractor or subcontractor. To the extent that we hold any federal contract or subcontract, we comply, and we require our suppliers and subcontractors to comply, with the prohibition on use of "covered telecommunications equipment or services" under Section 889 of the John S. McCain NDAA for FY 2019 (Pub. L. No. 115-232) and Federal Acquisition Regulation subparts 4.21 and 52.204-25. We make required disclosures to our contracting officers in accordance with FAR 52.204-24 and 52.204-25.
To the extent we hold any federal contract subject to applicable obligations, we comply with the equal-employment and affirmative-action obligations applicable to us, including those under Executive Order 11246, Section 503 of the Rehabilitation Act of 1973, and the Vietnam Era Veterans' Readjustment Assistance Act, where applicable.
12. Retention of Personal Information
We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Notice, unless a longer period is required or permitted by law, contract, audit obligations, security requirements, or litigation hold. :
|
Data category |
Retention period |
|
Inquiry and B2G / B2B communications records |
Thirty-six (36) months following close of inquiry, except where a longer retention is required for an active or ongoing relationship |
|
Job-application materials for unselected candidates |
Twelve (12) months following close of requisition, except where a longer period is required by federal-contractor record-keeping rules (41 C.F.R. § 60-1.12 — two (2) years for federal contractors) |
|
Records relating to ITAR-controlled activities, including U.S. Persons verification |
Minimum five (5) years from expiration of the relevant license, agreement, exemption, or transaction (22 C.F.R. § 122.5) |
|
Records relating to EAR-controlled activities |
Minimum five (5) years (15 C.F.R. § 762.6) |
|
Cookie consent state |
Stored in your browser as a first-party cookie for twelve (12) months. We do not maintain a separate server-side consent log |
|
Google Analytics data |
Fourteen (14) months under Google's data-retention controls (privacy-maximizing default). We do not extract or replicate this data into our own systems |
|
Server, security, and access logs |
Twelve (12) to twenty-four (24) months for security forensics |
|
Cloudflare security logs (if applicable) |
Retained by Cloudflare under their own retention policy |
|
KeyCRM customer-relationship records |
Same period as the underlying business relationship plus five-year audit trail |
|
Vendor / supplier / partner due-diligence records |
Seven (7) years post-engagement for federal-contractor audit trail |
|
Records subject to litigation hold |
Until the hold is lifted |
13. Your California Privacy Rights (CCPA / CPRA)
Where the CCPA applies, and otherwise as a matter of best practice where we choose to extend similar protections, California residents may have the following rights with respect to personal information we have collected about them in the preceding twelve (12) months
- Right to Know — request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the purposes for collection, and the categories of recipients;
- Right to Delete — request that we delete personal information we have collected from you, subject to exceptions (including those for federal record-keeping obligations such as ITAR / EAR five-year retention);
- Right to Correct — request that we correct inaccurate personal information we maintain about you;
- Right to Opt Out of Sale or Sharing — including any "sharing" arising from our use of Google Analytics, Google Tag Manager, or any future marketing-pixel deployment. You may exercise this right at any time via the cookie banner, the "Do Not Sell or Share My Personal Information" link in our footer, or by sending a Global Privacy Control signal from your browser;
- Right to Limit Use of Sensitive Personal Information — request that we limit our use of SPI to those purposes specified in 11 C.C.R. § 7027(m). SPI is never transmitted to Google Analytics or any marketing analytics service;
- Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights.
You may also designate an authorized agent to make a request on your behalf, subject to verification.
How to Submit a Request. To exercise any of these rights, please use one of the following channels:
- Online form: https://zaruba.tech/privacy-request
- Email: [email protected]
- Postal mail: Zaruba INC, Attn: Privacy Office, 10755 Massachusetts Avenue, Suite 201, Los Angeles, California 90024
We will verify your request using information we already maintain about you, plus, when reasonably necessary, two to three additional data points. For SPI-related or deletion-related requests we may require an additional, signed declaration under penalty of perjury.
We will respond to verifiable requests within forty-five (45) days, with a possible forty-five-day extension when reasonably necessary and on notice to you.
GPC Signal Handling. We recognize and honor the Global Privacy Control ("GPC") opt-out preference signal. When the Site receives a respective signal (request):
- We treat it as a verifiable consumer request to opt out of the sale and sharing of personal information for the browser sending the signal.
- We configure Google Tag Manager and Google Analytics in Consent Mode v2 to deny analytics_storage and ad_storage for that session.
- We do not write optional cookies for that browser.
- Where you are also identified to us and applicable law requires or permits us to link the opt-out to your identified profile, we will apply the opt-out accordingly.
Confirmation of Honored Opt-Out. After processing a request to opt out of sale or sharing, we will display a confirmation in the same browser session and, if you have provided contact information, by email.
14. Job Applicants and Candidates
If you apply for a position with Zaruba, we will process your personal information in accordance with this Section 13 (which serves as our Applicant Privacy Notice).
Application channels. As of the Effective Date, Zaruba accepts résumés and applications via email to [email protected]. We do not currently operate a careers portal or use an Applicant Tracking System ("ATS"). If Zaruba subsequently deploys an ATS (such as Greenhouse, Lever, Workday, Ashby, or SmartRecruiters), this Section will be updated to identify that vendor, and the vendor will be bound by a written data-processing agreement.
Pre-employment screening. Where permitted by law and job-related necessity, we may conduct:
- background checks (subject to a separate FCRA-compliant standalone notice and authorization);
- reference checks;
- employment-eligibility verification under Form I-9 and the federal E-Verify program (after offer, before hire date);
- security-clearance processing (subject to applicable government procedures);
- U.S. Persons / export-control screening narrowly tailored to the role.
Where any of these checks involves Sensitive Personal Information, we will use it only for the corresponding employment, security, or export-compliance purpose and only as permitted under 11 C.C.R. § 7027(m).
Note on Recruiting and Analytics. Career-related forms and email submissions are subject to anti-bot protection via Google reCAPTCHA / Cloudflare Turnstile (see Section 8). Submitted applicant data is never transmitted to Google Analytics or Google Tag Manager — it flows directly to our internal recruiting workflow under appropriate confidentiality and Service Provider agreements. Page-level analytics (number of visits to /careers, time on page) may be captured via Google Analytics if you have opted in to analytics cookies.
15. Children's Privacy
The Site is not directed to children. We do not knowingly collect personal information from any individual under thirteen (13) years of age, and we do not knowingly sell or share personal information of any individual under sixteen (16) years of age. If you believe we have inadvertently collected such information, please contact us at [email protected] and we will delete it.
16. Security
We maintain administrative, technical, and physical safeguards appropriate to the nature of the information we hold, including, where applicable, those required for the protection of Controlled Unclassified Information ("CUI") under DFARS 252.204-7012 and NIST SP 800-171, and incident-reporting obligations to the Department of Defense Cyber Crime Center within seventy-two (72) hours of discovery of a reportable cyber incident affecting covered defense information or covered contractor information systems.
No method of electronic transmission or storage is, however, completely secure, and you submit personal information at your own risk.
17. Your European Privacy Rights (EEA, UK, Switzerland)
For visitors located in the European Economic Area ("EEA"), the United Kingdom, Switzerland, or other jurisdictions that require a stated legal basis, we rely on one or more of the following legal bases under the EU GDPR, UK GDPR, and Swiss FADP:
- Consent — for optional cookies (including Google Analytics, Google Tag Manager marketing tags) and certain marketing communications;
- Legitimate interests — including website security, B2B communications, business development, and federal-contractor compliance, balanced against your fundamental rights and freedoms;
- Compliance with a legal obligation — including export-control, federal-contractor, anti-discrimination, and tax laws;
- Steps taken at your request prior to entering into a business relationship or other arrangement.
In addition to the rights described in Section 12, you have the following rights under the GDPR:
- Right of Access (Art. 15) — request a copy of personal data we hold about you;
- Right of Rectification (Art. 16) — request correction of inaccurate or incomplete data;
- Right of Erasure / "Right to Be Forgotten" (Art. 17) — request deletion of your personal data, subject to exceptions;
- Right to Restrict Processing (Art. 18) — request that we limit how we process your data in specified circumstances;
- Right to Data Portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller;
- Right to Object (Art. 21) — object to processing based on legitimate interests, including direct marketing;
- Rights related to Automated Decision-Making and Profiling (Art. 22) — we do not currently make decisions based solely on automated processing that produce legal or similarly significant effects;
- Right to Withdraw Consent at any time, without affecting the lawfulness of processing prior to withdrawal;
- Right to Lodge a Complaint with a Supervisory Authority (Art. 77) — you may file a complaint with the data-protection authority in your country of residence. For example:
- UK: Information Commissioner's Office (https://ico.org.uk)
- Ireland: Data Protection Commission (https://www.dataprotection.ie)
- France: Commission nationale de l'informatique et des libertés (CNIL — https://www.cnil.fr)
- Germany: federal and state data-protection authorities (https://www.bfdi.bund.de)
To exercise any of these rights, please contact us at [email protected]. We will respond within thirty (30) days, extendable by sixty (60) days where reasonably necessary.
International Transfers. Where required for international transfers (for example, transfers of EEA / UK personal data to Google, Meta, LinkedIn, X, Reddit, Cloudflare, or KeyCRM infrastructure outside the EEA / UK), we rely on the data-transfer mechanisms published by those providers, including the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where applicable, the EU-U.S. Data Privacy Framework or its UK / Swiss extensions.
Data Protection Officer. Company has not appointed a Data Protection Officer because we do not satisfy the mandatory-appointment criteria under GDPR Article 37. Inquiries from data subjects in the EEA / UK / Switzerland should be directed to [email protected].
18. Your Canadian Privacy Rights (PIPEDA)
If you are located in Canada, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), substantially similar provincial legislation (including Quebec's Law 25), and the principles of the federal Office of the Privacy Commissioner of Canada ("OPC") apply to our processing of your personal information.
We comply with the ten PIPEDA Fair Information Principles: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
You have the right to:
- access personal information we hold about you;
- request correction of inaccurate information;
- withdraw consent (subject to legal or contractual restrictions);
- file a complaint with our privacy officer at [email protected]; and
- file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca or, if you are a Quebec resident, with the Commission d'accès à l'information du Québec at https://www.cai.gouv.qc.ca.
We will respond to verifiable Canadian privacy requests within thirty (30) days.
19. International Visitors
The Site is operated from the United States. If you visit the Site from outside the United States, you understand that personal information you provide may be transferred to, stored in, and processed in the United States. Because we serve U.S. defense customers and are subject to U.S. export-control laws, we may decline to provide certain information or services to visitors located in sanctioned or embargoed jurisdictions (see Section 3 of our Terms of Use for the full list).
20. Third-Party Sites and Services
Our Site may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy notices.
In addition, the Site integrates a small number of authorized third-party services, each operating under its own privacy policy. We are not responsible for the data-processing practices of these providers; you should review their policies directly. The full list of authorized third parties is set forth in Section 8 above and in our Cookie Notice.
If we add additional embedded third-party content or tools that set cookies or collect information from your browser, we will:
- update this Privacy Notice and our Cookie Notice to disclose the third party;
- update the Cookie Inventory in our Cookie Notice;
- where required, request additional consent before those technologies are activated; and
- where possible, configure such embeds in privacy-enhanced mode (for example, YouTube Privacy-Enhanced Mode) or self-host the content to avoid data leakage to third-party domains.
21. Mobile Applications (Future)
Company has announced plans to release a mobile application on Google Play and the Apple App Store (the "App"). If and when the App is released, separate App-Specific Privacy and End-User License Agreement documents will be published and linked from the App's store listings, in compliance with Apple's App Privacy Labels and Google Play's Data Safety section requirements. This Privacy Notice applies to the Site only and does not govern data collection within the App.
22. Trademark Notice
"Zaruba" and the Zaruba logo are trademarks of Zaruba INC (formerly BlueBird IT LLC). As of the Effective Date, Company has not registered any trademark with the United States Patent and Trademark Office; accordingly, unregistered trademarks are designated with the "™" symbol. Registered trademarks will be designated with the "®" symbol only upon completion of USPTO registration.
23. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect evolving legal, regulatory, or operational requirements within the defense sector. The "Last Updated" date at the top reflects the most recent revision. Material changes will be communicated through a banner on the Site for at least thirty (30) days following the change.
24. Contact Us
Zaruba INC (formerly BlueBird IT LLC)
Attn: Privacy Office / Compliance Department
10755 Massachusetts Avenue, Suite 201
Los Angeles, California 90024
United States of America
Privacy Email: [email protected]
General Email: [email protected]
Legal Email: [email protected]
Web Request Form: https://zaruba.tech/privacy-request
California Office (operational):
18344 Oxnard Street, Suite 107
Tarzana, California 91356
United States of America
