Privacy Policy

Effective Date: May 18, 2026

1. Data Collection & Intake

When you submit an inquiry through our consulting intake form or register for a secure web portal account, Lillywhite Water Solutions LLC collects your name, email address, project scope, location, and required deliverables. This information is used primarily for the purpose of communicating with you, drafting a Scope of Work (SOW), executing conflict checks for expert witness services, securing your individual access to simulation models, processing invoices, and complying with applicable legal obligations. We retain intake data for no longer than three (3) years following the conclusion of our engagement, after which it is securely deleted. We do not sell, rent, or trade your personal information to third parties.

For users of the R-THYM platform, the following data retention terms apply. We retain your account information, saved project files, model data, and associated personal data for as long as your account remains active. If you elect to delete your R-THYM account, we will permanently delete your saved models, project files, and personal data within thirty (30) days of receiving your deletion request, except to the extent that retention of certain data is strictly required to: (i) comply with applicable financial, tax, or legal reporting obligations; (ii) resolve outstanding billing disputes; or (iii) enforce any terms governing prior transactions. Any data retained solely for these limited purposes will be held in a restricted environment, will not be used for any other purpose, and will be deleted as soon as the applicable retention obligation expires. To submit an account deletion request, please contact us using the information provided in Section 8 below.

2. Confidential Infrastructure Data

During any engagement with Lillywhite Water Solutions LLC - including custom modeling, litigation support, and self-serve use of the R-THYM platform - all client-supplied and user-uploaded datasets (including but not limited to SCADA logs, GIS shapefiles, hydraulic facility drawings, and operational rulesets) are securely uploaded to an encrypted AWS S3 vault. This protection applies equally to users who independently build, configure, or run models within the R-THYM platform without direct consulting support from Lillywhite Water Solutions LLC. AWS acts as a subprocessor and is bound by a data processing agreement consistent with applicable data protection law. Access is strictly limited to authorized personnel actively working on your project. We do not use client infrastructure, user-uploaded data, or any proprietary data to train generalized artificial intelligence models (such as LLMs) unless explicitly authorized by the client or user in a separate written instrument. In the event of a data breach affecting your confidential infrastructure data, we will notify you as promptly as practicable and in any event within the timeframe required by applicable law. Where Washington state law applies, notification will be provided no later than thirty (30) days after discovery of the breach, consistent with RCW 19.255.010. Where a breach affects more than five hundred (500) Washington residents, we will also notify the Washington State Attorney General's Office as required by law. If you are subject to additional breach notification obligations under other applicable law (including GDPR or UK GDPR), we will cooperate with you in meeting those requirements.

3. Payment Processors and Third-Party Disclosures

In connection with our paid subscription and consulting services, we share certain personal and billing information with carefully selected third-party subprocessors that are essential to delivering our services. Specifically:

  1. Payment Processing. We use third-party payment processors, such as Stripe, Inc., to securely collect, transmit, and process credit card and other payment information. When you submit payment information, it is transmitted directly to our payment processor and is not stored on our systems. Our payment processors are PCI-DSS compliant and are bound by data processing agreements consistent with applicable data protection law. We share only the information necessary to complete your transaction, such as your name, billing address, and email address.
  2. Email and Communications Services. We use third-party email service providers, such as SendGrid (Twilio Inc.) and Mailchimp (The Rocket Science Group LLC), to send transactional, account-related, and service communications, including subscription confirmations, invoices, platform notifications, and onboarding emails. We share your name and email address with these providers solely for the purpose of delivering communications on our behalf. These providers are prohibited from using your information for their own marketing or any purpose other than providing services to us.
  3. General. All third-party subprocessors referenced in this section are contractually obligated to protect your information in a manner consistent with this Privacy Policy and applicable law. We do not sell, rent, or trade your personal information to any third party for their independent commercial purposes.

4. Hosted Digital Twins & Telemetry

For clients utilizing our cloud hosting services or embedded web applications, we automatically collect and log anonymous runtime performance metrics (such as API response latency, CPU cycle durations, RAM footprint, and payload sizes). This data is strictly used to monitor system health, enforce SaaS tier limitations, compute variable cloud hosting costs, and ensure strict SLA compliance. Note that telemetry data used to compute hosting costs may directly affect billing; further detail is provided in your applicable service agreement. We do not inspect, log, or store the specific values of flow, pressure, or operational variables passed through our stateless API endpoints during a simulation unless executing a diagnostics procedure authorized in writing through an active support ticket. Any logs collected during a diagnostics procedure will be permanently deleted upon closure of the associated support ticket. Notwithstanding the foregoing, where a user elects to save a project within the R-THYM platform, we do securely store the associated project files and model data - including network topologies, node properties (such as elevations and demands), and pump curves - in our database solely for the purpose of enabling platform functionality and allowing the user to access, resume, and manage their saved projects. Such project data is stored at the user's request, is accessible only to that user and authorized personnel, and is handled in accordance with the confidentiality protections described in Section 2 above.

5. Cookies and Web Analytics

This website may use essential cookies and similar tracking technologies to temporarily maintain your authenticated session while interacting with the digital model library. These cookies are strictly necessary to provide you with secure access to the features you have requested. We may also utilize generalized, anonymized analytics tools (such as Google Analytics) to understand traffic patterns and improve performance on public-facing showcase pages. You may opt out of analytics tracking at any time by adjusting your browser settings or using the opt-out mechanism provided by the applicable analytics provider.

6. Your Rights

Depending on your jurisdiction, you may have the right to: (a) request access to the personal data we hold about you; (b) request correction of inaccurate or incomplete data; (c) request deletion of your personal data, subject to our legal retention obligations; (d) request a portable copy of your data in a machine-readable format; and (e) withdraw any consent previously provided. To exercise any of these rights, please contact us using the information provided below. We will respond to verifiable requests within thirty (30) days.

7. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective Date at the top of this policy and, where appropriate, notify you by email or through a prominent notice on our website. Your continued use of our services following notice of any changes constitutes your acceptance of the updated policy.

8. Contact & Governing Law

For privacy-related inquiries, data requests, or to report a concern, please contact Lillywhite Water Solutions LLC directly at jason@lillywhitewater.com. This Privacy Policy is governed by the laws of the State of Washington, without regard to its conflict of law provisions. You are advised that violations of applicable Washington privacy laws, including the Washington My Health My Data Act (RCW 19.373), constitute per se violations of the Washington Consumer Protection Act (RCW 19.86), which is enforceable by the Washington State Attorney General and through private action. This website and our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from minors.