Overview & Scope
This Privacy Policy applies to Grey Team Foundation LLC. ("Grey Team Foundation," "we," "our," or "us") and governs the collection, use, and disclosure of personal information we receive from users of our website (www.greyteam-foundation.com), clients of our consulting services, and individuals who interact with us via email, phone, or other channels.
Grey Team Foundation provides cybersecurity consulting services including penetration testing, vulnerability assessments, incident response, compliance advisory (SOC 2, ISO 27001, NIST, HIPAA), and managed security services. This policy covers all data processed in connection with these activities.
Information We Collect
We collect personal information in the following categories:
| Category | Examples | Source |
|---|---|---|
| Identity | Full name, job title, company name | You (forms, contracts) |
| Contact | Email address, phone number, mailing address | You (direct) |
| Financial | Billing address, payment method (processed via third party) | You (invoicing) |
| Technical | IP address, browser type, OS, page interactions | Automatically (website) |
| Communications | Emails, support tickets, meeting notes | You (correspondence) |
| Engagement | Webinar attendance, content downloads, survey responses | You (marketing) |
How We Use Your Data
We process your personal information only for lawful purposes and with a valid legal basis for each use:
- Service Delivery: To provide, manage, and improve our cybersecurity consulting engagements, deliver reports, and fulfill contractual obligations.
- Billing & Payments: To process invoices, collect payments, and maintain financial records as required by law.
- Communications: To respond to inquiries, send service updates, schedule engagements, and provide customer support.
- Marketing: To send newsletters, security advisories, and promotional content — only with your explicit consent, which you may withdraw at any time.
- Security & Fraud Prevention: To detect, investigate, and prevent unauthorized access, fraud, or security incidents involving our own systems.
- Legal Compliance: To comply with applicable laws, regulations, and lawful requests from authorities.
- Analytics & Improvement: To understand how our website and services are used and to improve them.
Data Sharing & Disclosure
We do not sell your personal information. We may share data with:
- Limited Service Providers: Trusted third-party vendors who assist us in delivering services (e.g., cloud hosting, CRM, payment processing), bound by contractual confidentiality obligations.
- Professional Advisors: Attorneys, auditors, and insurers where necessary to protect our legal interests.
- Regulatory Authorities: Government bodies, law enforcement, or regulators when required by law or to protect our legal rights.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred, subject to appropriate protections.
- With Your Consent: Any other sharing will only occur with your explicit, informed consent.
Data Security
As a cybersecurity company, protecting data is core to our identity. We implement industry-leading controls including:
- AES-256 encryption at rest and TLS 1.3 in transit for all personal data
- Role-based access control (RBAC) and least-privilege principles for internal systems
- Multi-factor authentication (MFA) required for all staff accessing client or personal data
- Formal incident response plan with defined breach notification timelines
- Annual security awareness training for all personnel
In the event of a data breach that affects your personal information, we will notify you and applicable regulators within the timeframes required by law (e.g., 72 hours under GDPR).
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. Our general retention periods are:
| Data Type | Retention Period | Basis |
|---|---|---|
| Client engagement records | 60 days post-engagement* | Legal / Tax compliance |
| Financial records | 7 years | Regulatory requirement |
| Marketing preferences | Until withdrawn | Consent |
| Website analytics | 26 months | Legitimate interest |
| Support correspondence | 3 years | Legitimate interest |
Upon expiry, data is securely deleted or anonymized using industry-standard methods.
*For repeat clients, retention periods for engagement records may be extended or consolidated at our discretion — please contact us to discuss your specific circumstances.
Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Correct inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your data ("right to be forgotten") where applicable.
- Right to Restrict: Limit how we process your data in certain circumstances.
- Right to Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: Revoke consent at any time where processing is consent-based.
- Lodge a Complaint: File a complaint with your relevant data protection authority.
To exercise any of these rights, contact our Privacy Team at greylead@greyteam-foundation.com. We will respond within 30 days (or 72 hours for urgent breach-related requests).
Cookies & Tracking
Our website uses cookies and similar tracking technologies. We categorize them as follows:
- Strictly Necessary: Required for the website to function. These cannot be disabled.
- Performance & Analytics: Help us understand usage patterns (e.g., Google Analytics). Enabled only with your consent.
- Functional: Remember your preferences and settings.
- Marketing: Used to deliver relevant advertising. Enabled only with your explicit consent.
You can manage your cookie preferences via the cookie banner on our website, your browser settings, or by emailing us. Note that disabling certain cookies may affect site functionality.
Third-Party Services
Our website and services may contain links to or integrations with third-party platforms. We are not responsible for the privacy practices of those third parties; however, we limit third-party connections to ensure clients' data remains secure. We encourage you to review their privacy policies. Current third-party service categories we use include: cloud infrastructure providers, payment processors, video conferencing platforms, CRM software, and email marketing tools. All vendors undergo security review prior to onboarding.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify registered users via email for significant changes
- Display a prominent notice on our website
We encourage you to review this policy periodically. Your continued use of our services after any update constitutes acceptance of the revised terms.
Previous versions of this policy are available upon request by emailing greylead@greyteam-foundation.com.
Contact & DPO
For any questions, concerns, or rights requests related to this Privacy Policy or our data practices, please reach out to us:
Grand Rapids, MI 49546