Effective Date: May 15, 2026 | Governing Jurisdiction: Wyoming, United States | EU Representative: See §9
This Privacy Policy applies to the Global Community-Completeness Analytics Institute (“GCCAI,” “the Institute,” “we,” “our”) and all services accessible at gccai.institute and associated subdomains, including the Institutional Virtual Data Room. We are committed to data minimization, transparency, and compliance with applicable privacy law worldwide.
Who We Are & What We Collect
The GCCAI is a Standard Development Organization (SDO) incorporated under the laws of the State of Wyoming, United States. We operate under a Zero-Ingestion Mandate — the Institute does not ingest, process, store, or monetize proprietary financial, actuarial, clinical, or regulated institutional data.
The following personal data may be collected when you interact with our services:
| Data Category | Specific Data | Collection Context | Retention |
|---|---|---|---|
| Identity | Email address, firm name (extracted from email domain) | Data Room login | Session only; no persistent storage |
| Session Cookie | Encrypted HTTP-only cookie (no PII inside) | Data Room authentication | Expires at browser close or 24 hours |
| Inquiry Data | Name, email, message content | Contact/Inquiries form | 90 days, then deleted |
| Server Logs | IP address, request path, timestamp (standard access logs) | All site visits (Cloud Run infrastructure) | 30 days, auto-purged by Google Cloud |
We do not collect: financial account data, Social Security or national ID numbers, health or clinical records, biometric data, location data, device identifiers for tracking purposes, or children’s data (the site is directed exclusively at institutional professionals).
Legal Bases for Processing (GDPR Article 6)
For users located in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Data Room session authentication | Legitimate interests (Art. 6(1)(f)) — securing access to institutional documents |
| Responding to inquiries | Performance of pre-contractual steps (Art. 6(1)(b)) |
| Server access logs | Legitimate interests (Art. 6(1)(f)) — security and abuse prevention |
| Legal compliance | Legal obligation (Art. 6(1)(c)) — where required by applicable law |
Cookies
We use only strictly necessary cookies. We do not use analytics cookies, advertising cookies, or third-party tracking cookies.
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
gccai_dr_session | HTTP-only, encrypted, first-party | Data Room authenticated session. Contains no PII — only a cryptographic session token. | 24 hours or browser close |
Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive or UK PECR. You may disable cookies in your browser settings; doing so will prevent Data Room access but will not affect public pages.
Data Room: Institutional Access Logging
Access to the Institutional Virtual Data Room is provisioned via a Master Passcode architecture. When a delegate authenticates, we record:
- The email address provided at login (used to extract firm name from domain)
- Timestamp of authentication
- Documents accessed during the session (page paths only — no behavioral profiling)
This log exists solely for the purpose of institutional fiduciary audit trails — specifically, to document that a formal transmittal was received and accessed, consistent with In re McDonald’s Corp. Stockholder Derivative Litigation (Del. Ch. 2023) and DGCL §141(e) notice requirements. Logs are retained for 12 months and are not shared with third parties except as required by court order.
Data Sharing & Third Parties
We do not sell, rent, or trade personal data. We share data only in the following limited circumstances:
- Google Cloud (Infrastructure Processor)
- The website runs on Google Cloud Run. Google processes server logs as a data processor under our instructions. Google’s DPA is available at cloud.google.com/terms/data-processing-addendum.
- Legal Process
- We will disclose data if required by a valid court order, subpoena, or applicable law. We will notify you to the extent permitted by law before complying.
- Business Transfer
- If the Institute is acquired or merged, data will be transferred to the successor entity subject to equivalent privacy protections.
No data is transferred to countries outside the EEA except to the United States (where our infrastructure is hosted). Google Cloud’s Standard Contractual Clauses (SCCs) cover EU→US transfers in compliance with GDPR Chapter V.
Your Rights (GDPR Articles 15–22)
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
| Right | What It Means | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data we hold | Email privacy@gccai.institute. We respond within 30 days. |
| Rectification (Art. 16) | Correct inaccurate data | |
| Erasure (Art. 17) | Request deletion (subject to legal retention obligations) | |
| Restriction (Art. 18) | Restrict processing while a dispute is resolved | |
| Portability (Art. 20) | Receive your data in machine-readable format | |
| Objection (Art. 21) | Object to processing based on legitimate interests |
You also have the right to lodge a complaint with your national supervisory authority. For EU users, find your authority at edpb.europa.eu. For UK users: ico.org.uk.
California Residents — CCPA / CPRA Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you additional rights:
- Right to Know
- You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
- Right to Delete
- You may request deletion of personal information we have collected, subject to legal exceptions.
- Right to Opt-Out of Sale / Sharing
- We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
- Right to Non-Discrimination
- We will not discriminate against you for exercising your CCPA rights.
- Sensitive Personal Information
- We do not collect sensitive personal information as defined under CPRA §1798.121.
To exercise California rights, contact privacy@gccai.institute. We do not require you to create an account to submit a request.
Data Security
The GCCAI implements technical and organizational measures appropriate to the risk, including:
- All data in transit encrypted via TLS 1.3
- Session cookies: HTTP-only, Secure, SameSite=Strict — inaccessible to JavaScript
- SHA-256 cryptographic hash verification on all proof artifacts
- Google Cloud IAM access controls with principle of least privilege
- No persistent database of user credentials — authentication is stateless by design
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by GDPR Article 33/34 (within 72 hours of discovery) and applicable US state breach notification laws.
Contact & EU/UK Representative
- Data Controller
- Global Community-Completeness Analytics Institute (GCCAI)
The Secretariat, Wyoming, United States - Privacy Inquiries
- privacy@gccai.institute
- EU Representative (GDPR Art. 27)
- Given our current scale of EU data processing (limited to institutional delegate access), we are in the process of appointing a formal EU Art. 27 representative. Until appointment is complete, EU residents may direct inquiries to privacy@gccai.institute and we will respond within the GDPR-mandated timeframe.
- UK Representative (UK GDPR)
- Same as above. UK residents may also contact the ICO directly at ico.org.uk if they believe their rights have not been respected.
Changes to This Policy
We may update this Privacy Policy as our services evolve or as law requires. Material changes will be posted at this URL with an updated effective date. For significant changes affecting your rights, we will provide direct notice where we hold your contact information.
Last updated: May 15, 2026. Governing law: Wyoming, United States, with EU GDPR and UK GDPR compliance as applicable.