The European Union has promulgated a new privacy and security framework called the General Data Protection Regulation (“GDPR”). It imposes a number of obligations on data controllers and data processors and affords data subjects a number of important rights, including access and rectification. This document is intended to provide transparency regarding Gerald operations in the United States (“Gerald”) as required under Articles 13 and 14 of the GDPR when we process “personal data” from the EU.
Gerald acts as both a “Data Controller” and a “Data Processor” under the GDPR. Gerald acts as a data controller with respect to personal data about its contractors in the EU (i.e., human resource data), personal data it collects from its clients and prospective clients (i.e., its own customer relationship management data), and personal data about EU citizens it licenses from others (i.e., EU personal data Gerald licenses to its clients).
Gerald acts as a data processor under GDPR to the extent it processes personal data about EU citizens on behalf of its clients. In this instance, our clients are considered data controllers. Gerald processes the personal data according to contract and written instructions from the data controller.
This privacy notice focuses on the personal data that Gerald collects and processes that is used for insight, recognition, and contact purposes. Employees of Gerald partners in the European Union should refer to their employee handbook for information regarding Gerald’s privacy policies.
The name of our company is Gerald Technologies, Inc. We conduct business primarily in the United States. Individuals wishing to contact us about data protection issues may reach us at:
Consumer Advocate by emailing us at info@Gerald.app.
Gerald holds personal data such as names, addresses, ages, dates of birth, emails, telephone numbers, transactional data, lifestyle and demographic data. This information may be kept in its identifiable form, or in an aggregated form (so that individuals cannot be identified), for the purposes listed below. This information is primarily obtained from third parties and publicly accessible sources.
We do not hold any sensitive personal data on people, as defined by GDPR.
We use personal data to create solutions to be used for insight, recognition, and contact purposes.
Insight : we use this data to create a marketing picture of individuals. This includes demographics such as age, income, hobbies and interests that relate to people’s lifestyle choices and market specific predictors such as technology and financial product ownership. We use a combination of actual data held (at individual level or summarized at household, address, postcode or other geographical level) and derived information (through statistical modeling or by applying a logical rule set) which indicates an individual’s likelihood of having a particular attribute, e.g. a person’s likelihood to have to purchase insurance of financial products. The resulting dataset is then used by our clients for retention or product placement.
Recognition : we use this data for matching and linking to other databases. For example, a partner or client sends us a list of names and addresses, we then match those names and addresses to our product. Where there is a match, we add triggers that we hold on those matched individuals to partner or client file.
Recognition : we use the contact information from this data to create a trigger and monitoring file. For example, we create a file of names and addresses of individuals which is used for customer retention and engagement.
We use personal data collected from our clients and prospective clients to contact them and conduct business.
We share information with our clients – such as insurance agents and companies to help them deliver better services and products to their customer base. They may use this personal data for the following purposes:
We share data directly via our APIs and Dashboards. We also share data (usually in a form where individuals cannot be directly identified) with other marketing companies such as social media and programmatic platforms. We make sure the recipients of our data are reputable entities by conducting appropriate checks on them. Before we share our data, we enter into written agreements with recipients which contain data protection terms that safeguard your data.
Personal data used in Gerald’s data products and services may also be passed to and used by members of the Gerald group of companies, worldwide. We may also pass data to other companies that process personal data on our behalf to help us conduct our business. When we do so, we ensure that appropriate contractual safeguards are put in place.
Gerald may also disclose personal data as required by law and to comply with legal process.
The data we hold is non-sensitive personal data and not subject to any sector specific data retention requirements. Our data retention periods are as follows:
|DATA USE||RETENTION PERIOD|
|INSIGHT||We retain data for as long as it is useful in our products, either as an actual variable or in order to derive other variables|
|RECOGNITION||We retain data for as long as it improves the matching and linking ability of our recognition products|
|CONTACT||We retain data for as long as we are comfortable it is accurate and can be relied upon|
Personal data that is not used for any purpose is deleted. If a data subject under GDPR objects to us processing their data, we will remove it from our data products, and then from our environment in accordance with our data deletion cycle, unless we have a valid justification to hold on to it, such as to resolve disputes or comply with our legal obligations. We also retain personal data which is necessary to keep on a suppression file so if we obtain someone’s data again, we will know not to use it.
Where business needs exist, Gerald intends to transfer your personal data to entities outside the US and EU. However, your personal data will not be transferred unless a valid transfer mechanism is in place legitimizing such a transfer. In the case of transfers referred to in Article 46, 47, or the second paragraph of Article 49(1), this will typically involve EU model clauses or the EU-US Privacy Shield Framework. Safeguards afforded by the EU model clauses may be accessed here: https://ico.org.uk/media/1571/model_contract_clauses_international_transfers_of_personal_data.pdf
Information about the EU-US Privacy Shield Framework may be accessed here: www.privacyshield.gov.
Individuals may request access to, deletion or correction of their personal data, or restrict or object to the use of their data by writing to us at
by emailing us at firstname.lastname@example.org
We do not collect personal data about citizens residing in a country other than the US, Argentine, Australia, Austria, Belgium, Brazil, Canada, India, Ireland, Italy, Japan, Mexico, Spain, Sweden, and Switzerland. If your request relates to your personal data for countries other than these, it is unlikely we have any personal data about you.
Lastly, if you are living in UK or Germany and are interested in exercising your rights, you can do so at the respective Gerald office by contacting them through the following link or email address:
Gerald uses and shares personal data based on its legitimate commercial interests, and those of its partner businesses, for direct marketing, fraud prevention, information security, and organizational purposes, in accordance with Article 6(1)(f) of the GDPR. We take great care to handle all personal data in accordance with data protection law and to ensure that it is never used in ways that unduly prejudice individuals’ interests. Users of our data are prohibited by contractual restrictions from using our data in a way which discriminates unfairly against individuals or produces legal or similar effects. You have the right to object to this processing if you wish and if you wish to do so please inform us by using one of the contact channels in the preceding section.
Effective: November, 21, 2019