GDPR Compliance Statement

General Data Protection Regulation (GDPR) compliance commitment — how we protect EU citizens' personal data.

Last updated: April 24, 2026

EU PRIVACY RIGHTS

1. Our Commitment to GDPR

Golden Ratio Consulting ("GRC", "we", "us", "our") is committed to protecting the privacy and personal data of all individuals, including citizens of the European Union (EU) and European Economic Area (EEA), in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.

We believe that data protection is a fundamental right, and we have implemented comprehensive measures to ensure your personal data is handled with the utmost care and in accordance with GDPR requirements.

📢 Our Promise: We are transparent about how we collect and use your data, and we respect your rights as a data subject under GDPR.

2. Data We Collect

We may collect and process the following categories of personal data:

🆔 Identity Data

Name, job title, company name — used for client identification and service delivery.

📞 Contact Data

Email address, phone number, postal address — for communication and invoicing.

💻 Technical Data

IP address, browser type, device information, cookies — for website operation and security.

📊 Usage Data

How you use our website and services — for service improvement and user experience.

✉️ Communication Data

Information from emails, contact forms, and consultations — for client support.

💰 Financial Data

Payment information, billing records — for payment processing (collected only with consent).

We do not collect special categories of personal data (sensitive data) unless explicitly provided by you for a specific service (e.g., HIPAA consulting).

3. Legal Basis for Processing

Under GDPR, we process your data based on one or more of the following legal grounds:

  • Consent: You have given clear consent for us to process your data (e.g., marketing newsletters)
  • Contract: Processing is necessary for a contract with you (e.g., service delivery, invoicing, support)
  • Legal Obligation: Processing is required by law (e.g., tax records, compliance reporting)
  • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., website security, analytics, fraud prevention)

⚖️ Legitimate Interests Assessment: When relying on legitimate interests, we have conducted an assessment to ensure our interests do not override your fundamental rights and freedoms.

4. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights regarding your personal data:

🔍 Right to Access

Request copies of your personal data

✏️ Right to Rectification

Correct inaccurate or incomplete data

🗑️ Right to Erasure ("Right to be Forgotten")

Request deletion of your data

⛔ Right to Restrict Processing

Limit how we use your data

📋 Right to Data Portability

Receive your data in a machine-readable format

🚫 Right to Object

Object to processing based on legitimate interests

⚙️ Right to Withdraw Consent

Withdraw consent at any time

📢 Right to Lodge a Complaint

File a complaint with your local supervisory authority

5. How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at:

Email: [email protected]
Mail: GDPR Compliance, Golden Ratio Consulting, 125 Summer Street, Suite 1300, Boston, MA 02110, USA

Response Time: We will respond to verified requests within 30 days. If we need an extension, we will notify you within the initial 30-day period.

We do not charge a fee to process requests unless they are excessive, repetitive, or manifestly unfounded.

6. Data Transfers Outside the EU

Because we are a US-based company, your personal data may be transferred to and processed in the United States. We ensure appropriate safeguards are in place for international data transfers:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs for transfers to US-based processors
  • Data Processing Agreements (DPAs): We sign GDPR-compliant DPAs with all third-party processors

📍 Location Notice: By using our services, you acknowledge that your personal data may be transferred to and stored in the United States. We take all reasonable steps to ensure your data is treated securely and in accordance with this notice and GDPR.

7. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy, or as required by law.

  • Client contract data: Duration of engagement + 7 years (legal/tax requirements)
  • Financial records: 7 years (tax and accounting requirements)
  • Website visitor data: 12 months (anonymized thereafter)
  • Marketing data (with consent): Until consent is withdrawn
  • Support ticket data: 3 years after ticket closure
  • Cookie data: Session cookies cleared when the browser closes; persistent cookies retained up to 12 months

After the retention period expires, we will securely delete or anonymize your personal data.

8. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication, least privilege principle
  • Regular Audits: Quarterly security audits and penetration testing
  • Employee Training: Annual GDPR and data protection training
  • Incident Response: Written breach notification procedures

🔒 Data Breach Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

9. Data Protection Officer (DPO)

For GDPR-specific inquiries, you may contact our designated Data Protection Officer (DPO):

DPO Name: Privacy Compliance Officer
Email: [email protected]
Phone: (617) 555-0123

Our DPO is responsible for overseeing our GDPR compliance and can assist with any privacy-related concerns.

10. Supervisory Authority

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For EU residents, a list of authorities is available at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

We would appreciate the opportunity to address your concerns directly before you approach your supervisory authority. Please contact us first.

11. Contact Us

If you have questions about this GDPR Compliance Statement, our data practices, or need to exercise your rights, please contact us:

📧 Privacy Inquiries: [email protected]
📧 DPO Inquiries: [email protected]
📞 Phone: (617) 555-0123
📬 Mail: GDPR Compliance, Golden Ratio Consulting, 125 Summer Street, Suite 1300, Boston, MA 02110, USA

📝 Response Commitment: We acknowledge receipt of privacy requests within 72 hours and respond substantively within 30 days. For urgent GDPR matters, please call our DPO directly.

Have GDPR Questions?

EU/EEA residents can contact our Data Protection Officer for privacy-related inquiries or to exercise their rights.
