Data Sourcing and Privacy Compliance at Convex

Data is core to how we help commercial services sales teams win new business. We take pride in acting in an ethical and compliant manner, but regulations can be confusing. This is a straightforward guide to our approach and common questions.

Customer uploaded data

No part of the data that we make available to customers is repurposed from our customers’ own data. We would not be in business for long if it were.

All of the data we provide is acquired independently of our customers and is provided as a service that all customers can benefit from out of the box.

Customers may import their own data into our product, and the vast majority do.  Doing so unlocks powerful plays like targeting neighbors of current customers, building route density, and planning winback campaigns.  However, these uploads are never contributed to our data platform that other customers see.

Convex does, however, build features using deidentified, aggregated data from users.  For example, Convex recommends contacts based on common titles other users have clicked on, but this is accomplished based on deidentified, aggregated statistics.

Security of customer data

Convex takes extensive, industry-standard measures to protect both customer data and Convex systems.

Convex is a SOC 2 Type II compliant organization. SOC 2 is a set of standards that validates the security practices and internal controls we have in place. Our compliance with this standard is audited annually by an independent organization. Customers are also welcome to request a copy of our audit report here.

Convex also submits to annual, independent penetration tests, where cybersecurity experts search for vulnerabilities in our systems.

Data sources

Convex sources data exclusively from reputable organizations, including several public companies and well-known organizations that are themselves subject to intensive compliance scrutiny. Convex doesn’t “scrape” data or buy lists of unknown provenance, which are commonly based on hacked information. Questionable, low-cost data products are often built on such data.

Convex Signals

Convex’s Signals offering provides groundbreaking insights on organizations that are likely in market for a commercial services purchase (often called “intent”), based on organizations’ internet activity.  

Our product respects individual privacy by not linking any internet activity back to individual browsing, but only to the company and location level.  In other words, Convex’s offering would only report “Acme Data Center in Los Angeles may be in the market for fire protection”, but never “here is the browsing history of James, the facility manager”.  We don’t collect such information.

Consumer Privacy Regulations

A number of states have passed, or are currently working to advance, consumer privacy protection laws, and we support these efforts. We too believe consumers should be in control of their data online.

The most prominent and stringent of these laws is the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”). Other states, including Colorado, Connecticut, Utah, Virginia, Texas, and Oregon, have passed, or are advancing, similar legislation.

Convex takes appropriate steps in relation to these laws; you will see evidence of this across our company in our Privacy Policy, the Do Not Sell My Information form we offer on our website, and in our active registration as a California Data Broker.

We strive to promptly honor all requests to remove information and other requests by consumers to exercise rights under the CCPA and other applicable consumer privacy laws.  We also extend the benefits afforded to Californians under these laws to any consumer, regardless of their state.


The broad set of European regulations known as the General Data Protection Regulation (GDPR) is not applicable to Convex since we do not operate in Europe or work with European data. We take steps to prevent European data from even entering our systems.

However, regulations like those under the CCPA are similar to the GDPR, which we do support.


The CAN-SPAM Act is a law that relates to how firms perform email marketing.  Although it doesn’t apply to how we collect our data, it does apply to what our users do with it.  Customers are responsible for using Convex data responsibly, including in compliance with CAN-SPAM.  

One of the requirements of CAN-SPAM is that recipients may opt out of your marketing messages. This is sometimes confused with the notion of “opting in”. Although companies can choose to build a marketing program where recipients exclusively opt in, this is a marketing decision and not a requirement of CAN-SPAM.

Do Not Call Lists

In general, most privacy laws are directed at protecting consumers (for example, a person in their personal affairs) rather than marketing to businesses (for example, one business marketing to another business).  In our view, this is a sensible approach.

In the US, the Do Not Call Registry exists to protect consumers and residences from unsolicited marketing. Telemarketing calls to businesses are considered exempt from the Do Not Call Registry. However, please remember that cell phone numbers on the Do Not Call Registry are considered to be residential subscribers and as such should be respected.

Convex Recommended Contacts

The contacts we recommend are not derived from Signals data or those contacts’ internet activity. These contacts are based on the product history of our users, industry knowledge, and popular titles among our users.

Reach Out

Have questions or concerns? Our dedicated team is ready to help.

For Customers, email us at
For Non-Customers, please learn more about us on our website or Contact Us.
