Privacy Policy

1. Introduction

Gray Ghost Data Consultants LLC ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our client portal, or engage our cybersecurity and IT consulting services.

This Privacy Policy applies to all personal information collected through our website (grayghostdata.com), client portal, SaaS platforms, and any related services, sales, marketing, or events (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide to us, including:

• Identity Data: Name, job title, company name, and professional credentials
• Contact Data: Email address, phone number, and business address
• Account Data: Username, password, and account preferences
• Financial Data: Billing address, payment card details (processed by our payment processor), and transaction history
• Communication Data: Records of correspondence, support tickets, and feedback
• Professional Data: Resume, certifications, and professional background (for vCISO and consulting engagements)

2.2 Technical Information

When you access our Services, we automatically collect certain technical information:

• Device Data: IP address, browser type and version, operating system, device identifiers
• Log Data: Access times, pages viewed, referring URL, and actions taken within our Services
• Location Data: General geographic location based on IP address
• Authentication Data: Login timestamps, session duration, and multi-factor authentication status

2.3 Client Service Data

In the course of providing our cybersecurity and IT services, we may process:

• Security Assessment Data: Network configurations, vulnerability scan results, and security logs
• Compliance Documentation: Policies, procedures, and audit evidence
• Infrastructure Data: System configurations, asset inventories, and architecture diagrams
• Incident Data: Security incident details, forensic evidence, and remediation records

This data is processed solely on your behalf and in accordance with our service agreements.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

• Providing, maintaining, and improving our cybersecurity and IT services
• Processing transactions and managing your account
• Delivering security assessments, compliance audits, and consulting engagements
• Providing customer support and responding to inquiries

3.2 Communication

• Sending service-related notices, updates, and security alerts
• Providing information about new services, features, and promotional offers (with your consent)
• Responding to your comments, questions, and requests

3.3 Security and Compliance

• Detecting, preventing, and responding to security incidents and fraud
• Maintaining audit logs and compliance records
• Enforcing our Terms of Service and other policies
• Complying with legal obligations and regulatory requirements

3.4 Analytics and Improvement

• Understanding how you use our Services to improve user experience
• Conducting research and analysis to enhance our security methodologies
• Developing new products, services, and features

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our business, including:

• Cloud infrastructure providers (data hosting and processing)
• Payment processors (financial transactions)
• Authentication providers (identity verification)
• Analytics providers (service improvement)
• Communication platforms (email and messaging services)

These providers are contractually obligated to protect your information and may only use it to perform services on our behalf.

5.2 Legal Requirements

We may disclose your information when required by law or in response to valid legal processes, such as:

• Court orders, subpoenas, or other legal processes
• Requests from law enforcement or government authorities
• To protect our rights, privacy, safety, or property
• To investigate suspected fraud or security incidents

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including:

• Account Data: For the duration of your account plus 7 years for tax and legal compliance
• Transaction Data: 7 years from the date of transaction for financial record-keeping
• Service Data: As specified in your service agreement, typically 3-7 years
• Security Logs: 2 years for security and audit purposes
• Marketing Data: Until you opt out or 3 years of inactivity

We may retain aggregated, anonymized data indefinitely for research and analytics purposes. When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.

7. Your Rights (GDPR)

If you are located in the EEA, United Kingdom, or Switzerland, you have the following data protection rights:

To exercise these rights, please contact us at privacy@grayghostdata.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

8.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share your information.

8.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions provided by law.

8.3 Right to Opt-Out of Sale

We do not sell personal information. However, you have the right to opt out of any future sale of your personal information.

8.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. We will not deny you services, charge different prices, or provide a different quality of service.

8.5 How to Exercise Your Rights

To exercise your California privacy rights, you may submit a request by emailing privacy@grayghostdata.com or calling us. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies (such as pixels, local storage, and session storage) to enhance your experience.

9.2 Types of Cookies We Use

• Essential Cookies: Required for the operation of our Services, including authentication and security
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how visitors interact with our Services
• Marketing Cookies: Used to deliver relevant advertisements (only with your consent)

9.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may affect the functionality of our Services.

9.4 Do Not Track

Some browsers offer a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals. However, you can opt out of tracking through the cookie management options described above.

10. Data Security

We implement industry-standard security measures to protect your personal information, including:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access control and principle of least privilege
• Authentication: Multi-factor authentication for all accounts
• Monitoring: 24/7 security monitoring and intrusion detection
• Compliance: SOC 2 Type II certified operations
• Training: Regular security awareness training for all employees
• Incident Response: Documented incident response procedures

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying you and relevant authorities in the event of a data breach as required by law.

11. International Data Transfers

We are based in the United States, and your information may be processed and stored in the United States or other countries where our service providers operate.

If you are located outside the United States, please be aware that data protection laws may differ from those in your jurisdiction. By using our Services, you consent to the transfer of your information to the United States.

For transfers from the EEA, UK, or Switzerland, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on service providers' certifications under recognized frameworks.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@grayghostdata.com.

If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you by email (for registered users) or by posting a prominent notice on our website
• Provide at least 30 days' notice before material changes take effect

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For data subject access requests or to exercise your privacy rights, please email privacy@grayghostdata.com with the subject line "Privacy Rights Request" and include:

• Your full name and contact information
• The specific right you wish to exercise
• Any relevant details to help us locate your information

We will respond to your request within 30 days, or within the timeframe required by applicable law.