Privacy Policy
Gray Ghost Data Consultants LLC
Last Updated: January 1, 2026
1. Introduction
Gray Ghost Data Consultants LLC ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our client portal, or engage our cybersecurity and IT consulting services.
This Privacy Policy applies to all personal information collected through our website (grayghostdata.com), client portal, SaaS platforms, and any related services, sales, marketing, or events (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
2. Information We Collect
2.1 Personal Information
We collect personal information that you voluntarily provide to us, including:
- Identity Data: Name, job title, company name, and professional credentials
- Contact Data: Email address, phone number, and business address
- Account Data: Username, password, and account preferences
- Financial Data: Billing address, payment card details (processed by our payment processor), and transaction history
- Communication Data: Records of correspondence, support tickets, and feedback
- Professional Data: Resume, certifications, and professional background (for vCISO and consulting engagements)
2.2 Technical Information
When you access our Services, we automatically collect certain technical information:
- Device Data: IP address, browser type and version, operating system, device identifiers
- Log Data: Access times, pages viewed, referring URL, and actions taken within our Services
- Location Data: General geographic location based on IP address
- Authentication Data: Login timestamps, session duration, and multi-factor authentication status
2.3 Client Service Data
In the course of providing our cybersecurity and IT services, we may process:
- Security Assessment Data: Network configurations, vulnerability scan results, and security logs
- Compliance Documentation: Policies, procedures, and audit evidence
- Infrastructure Data: System configurations, asset inventories, and architecture diagrams
- Incident Data: Security incident details, forensic evidence, and remediation records
This data is processed solely on your behalf and in accordance with our service agreements.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- Providing, maintaining, and improving our cybersecurity and IT services
- Processing transactions and managing your account
- Delivering security assessments, compliance audits, and consulting engagements
- Providing customer support and responding to inquiries
3.2 Communication
- Sending service-related notices, updates, and security alerts
- Providing information about new services, features, and promotional offers (with your consent)
- Responding to your comments, questions, and requests
3.3 Security and Compliance
- Detecting, preventing, and responding to security incidents and fraud
- Maintaining audit logs and compliance records
- Enforcing our Terms of Service and other policies
- Complying with legal obligations and regulatory requirements
3.4 Analytics and Improvement
- Understanding how you use our Services to improve user experience
- Conducting research and analysis to enhance our security methodologies
- Developing new products, services, and features
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
Contract Performance
Processing necessary to perform our contract with you, including providing Services, managing your account, and processing payments.
Legitimate Interests
Processing necessary for our legitimate interests, such as improving our Services, conducting analytics, marketing our services to existing clients, and protecting against fraud.
Legal Obligation
Processing necessary to comply with legal obligations, such as responding to lawful requests from law enforcement or regulatory authorities.
Consent
Where required, we will obtain your consent before processing personal data, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
5.1 Service Providers
We share information with trusted third-party service providers who assist us in operating our business, including:
- Cloud infrastructure providers (data hosting and processing)
- Payment processors (financial transactions)
- Authentication providers (identity verification)
- Analytics providers (service improvement)
- Communication platforms (email and messaging services)
These providers are contractually obligated to protect your information and may only use it to perform services on our behalf.
5.2 Legal Requirements
We may disclose your information when required by law or in response to valid legal processes, such as:
- Court orders, subpoenas, or other legal processes
- Requests from law enforcement or government authorities
- To protect our rights, privacy, safety, or property
- To investigate suspected fraud or security incidents
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
6. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including:
- Account Data: For the duration of your account plus 7 years for tax and legal compliance
- Transaction Data: 7 years from the date of transaction for financial record-keeping
- Service Data: As specified in your service agreement, typically 3-7 years
- Security Logs: 2 years for security and audit purposes
- Marketing Data: Until you opt out or after 3 years of inactivity
We may retain aggregated, anonymized data indefinitely for research and analytics purposes. When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies.
7. Your Rights (GDPR)
If you are located in the EEA, United Kingdom, or Switzerland, you have the following data protection rights:
Right of Access
You have the right to request a copy of the personal information we hold about you and information about how we process it.
Right to Rectification
You have the right to request correction of inaccurate or incomplete personal information.
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal information in certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
Right to Data Portability
You have the right to receive your personal information in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object
You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.
Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances, such as while we verify the accuracy of disputed data.
Right to Withdraw Consent
Where we rely on consent for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise these rights, please contact us at privacy@grayghostdata.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
8.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share your information.
8.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions provided by law.
8.3 Right to Opt-Out of Sale
We do not sell personal information. However, you have the right to opt out of any future sale of your personal information.
8.4 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA rights. We will not deny you services, charge different prices, or provide a different quality of service.
8.5 How to Exercise Your Rights
To exercise your California privacy rights, you may submit a request by emailing privacy@grayghostdata.com or calling us. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.
10. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Access Controls: Role-based access control and principle of least privilege
- Authentication: Multi-factor authentication for all accounts
- Monitoring: 24/7 security monitoring and intrusion detection
- Compliance: SOC 2 Type II certified operations
- Training: Regular security awareness training for all employees
- Incident Response: Documented incident response procedures
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly notifying you and relevant authorities in the event of a data breach as required by law.
11. International Data Transfers
We are based in the United States, and your information may be processed and stored in the United States or other countries where our service providers operate.
If you are located outside the United States, please be aware that data protection laws may differ from those in your jurisdiction. By using our Services, you consent to the transfer of your information to the United States.
For transfers from the EEA, UK, or Switzerland, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or rely on service providers' certifications under recognized frameworks.
12. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@grayghostdata.com.
If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you by email (for registered users) or by posting a prominent notice on our website
- Provide at least 30 days' notice before material changes take effect
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Gray Ghost Data Consultants LLC
Data Protection Officer / Privacy Team
Email: privacy@grayghostdata.com
Website: https://grayghostdata.com
For data subject access requests or to exercise your privacy rights, please email privacy@grayghostdata.com with the subject line "Privacy Rights Request" and include:
- Your full name and contact information
- The specific right you wish to exercise
- Any relevant details to help us locate your information
We will respond to your request within 30 days, or within the timeframe required by applicable law.
Related Documents: Terms of Service