June 6, 2024

Privacy Policy

Last updated: Jun 6, 2024

The mission of the Global Cyber Alliance (GCA) is to improve and enhance Internet security, so we are sensitive to the privacy issues on the Internet and recognize that visitors to this Website are concerned about the types of information we collect and how we use it. GCA is committed to preserving your privacy when visiting this Website, and this policy discusses our practices.

This Privacy Policy explains who we are; how we collect, share, and use personal information about you; and how you can exercise your privacy rights. This Privacy Policy applies where we have obtained your personal data through our Website or otherwise; where we have obtained your personal information offline, for instance, at events or conferences; when you sign up to become a partner; when you sign up for our mailings; when you register for our events or webinars; or register for our Community Forum.

If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Policy.

What does GCA do?

GCA is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world, headquartered in the United States but with group companies all around the world.  Our services help reduce cyber risk by developing and deploying practical, free, real-world solutions that measurably improve our collective cybersecurity.

For more information about GCA, please see the “Our Mission” section of our Website at https://globalcyberalliance.org/our-mission/.

What personal information does GCA collect and why?

The personal information that we may collect about you broadly falls into the following categories:

  • Information that you provide voluntarily

We may ask you to provide personal information voluntarily: for example, you might provide us with your personal information, such as your email address and the entire contents of your email message when you register for an event with us, subscribe to marketing communications from us, and/or to submit inquiries to us.  The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information. When you provide personal information to us you agree to its disclosure in connection with GCA activities. If you do not wish to have personally identifying information disclosed, we honor all requests to omit individual or organization names from our records. If such a request is made, identifying information will not be disclosed by GCA unless we are legally required to do so.

  • Information that we collect automatically

When you visit our Website, we may collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.

Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser type, broad geographic location (e.g., country or city-level location), and other technical information.  We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked.

Collecting this information enables us to better understand the visitors who come to our Website, where they come from, and what content on our Website is of interest to them.  We use this information for our internal analytics purposes and to improve the quality and relevance of our Website to our visitors. Some of this information may be collected using cookies and similar tracking technology.

This Website stores cookies on your computer. These cookies are used to collect information about how you interact with our Website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this Website and other media.

  • Information that we obtain from third-party sources

From time to time, we may receive personal information about you from third-party sources (such as through your membership in a group to which we may send correspondence) but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

We may also collect information on malicious domains/emails/IP addresses and other information which in some circumstances may include elements of personal data from third parties. This data is processed via our Domain Trust product for the purposes of combating cyber and other forms of crime.

Who does GCA share my personal information with?

We may disclose your personal information to the following categories of recipients:

  • To our group companies, third-party services providers, and partners who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to enhance the security of our Website), or who otherwise process personal information for purposes that are described in this Privacy Policy or notified to you when we collect your personal information; and
  • To any competent law enforcement body, regulatory agency, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.

Legal basis for processing personal information (EEA visitors only)

If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so.  In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our platform and communicating with you as necessary to provide our services to you and for our legitimate commercial interest, for instance, when responding to your queries, improving our platform, undertaking marketing, or for the purposes of detecting or preventing illegal activities.  We may have other legitimate interests and if appropriate, we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.

How does GCA keep my personal information secure?

GCA has implemented procedures to safeguard the integrity of its information technology assets, including but not limited to authentication, monitoring, and auditing. These security measures have been integrated into the design, implementation, and day-to-day operations of this Website as part of our continuing commitment to the security of electronic content as well as the electronic transmission of information. This includes utilization of two-factor authentication on all systems that store sensitive information, encryption provided by third-party hosting providers, regular auditing of user access, a policy of limited administrative, and monthly vulnerability scans. GCA stores data securely utilizing Hubspot. For further information please visit Hubspot’s website.

We DO NOT sell or distribute email addresses or

other personal information to others for their commercial use.

If you provide personal information to GCA, our employees who have access to this information are required to follow appropriate procedures in handling and disclosing your information. All personal information about you or your organization that we receive via fax or mail is physically protected.

Other Websites

This Website may provide links to Websites maintained by other organizations. A link to another Website does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products, or services of that other Website. Once you navigate from this Website to another site, you are subject to the terms and conditions of that site, including the provisions of its Privacy Policy.

Links to GCA Websites

We welcome links to the GCA Websites. Although we prefer that you link to our homepage, you may create links to specific pages within our Website. Any individual or organization linking to GCA’s Website must comply with all applicable laws and with the following conditions:

  • Unless GCA specifically authorizes you to do so, you may not imply that GCA endorses you, your organization, or your products;
  • You may not misrepresent your, or your organization’s, relationship with GCA;
  • You may not present false information about GCA;
  • You may not link to the GCA Website if you or your organization’s Website contains content that could be construed as distasteful, offensive or controversial, or is not appropriate for viewing by all age groups;
  • GCA may change content on our site at any time, causing other organizations to have a broken or incorrect link; and
  • GCA is not responsible for misdirected links from external Websites.

The information provided in this Privacy Policy cannot be interpreted as business, legal, or other advice, or as warranting fail-proof security for information provided through this Website. Information provided on this Website is intended to allow the public access to information related to GCA. While all attempts are made to provide accurate, current, and reliable information, there is the possibility of human and/or mechanical error.

Therefore, GCA makes no representations or promises as to the accuracy, completeness, currency, or suitability of the information provided on this Website and denies any express or implied warranty as to such information. This Privacy Policy is not intended to and does not create any contractual or other legal rights for or on behalf of any party.

International data transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident.  These countries may have data protection laws that are different to the laws of your country.

Specifically, our Website servers are located in the United States, and our group companies and third-party service providers and partners operate around the world. This means that when we collect your personal information, we may process it in any of these countries.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA in accordance with European Union data protection law.

Data retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Your data protection rights

If you are a resident of the European Economic Area, you have the following data protection rights:

  • If you wish to access, correct, update, or request deletion of your personal information, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
  • In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you.  To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “How to contact us” heading below.
  • Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Updates to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.  We will obtain your consent to any material Privacy Policy changes if and where this is required by applicable data protection laws.

You can see when this Privacy Policy was last updated by checking the “last updated” date displayed at the top of this Privacy Policy.

This Privacy Policy applies only to the GCA Websites (https://globalcyberalliance.org/; https://dmarc.globalcyberalliance.org/; https://dmarcguide.globalcyberalliance.orghttps://gcatoolkit.orghttps://community.globalcyberalliance.org/https://edu.globalcyberalliance.org/; https://www.gcaaide.orghttps://act.globalcyberalliance.org/; https://commongoodcyber.org/; https://www.manrs.org/; https://observatory.manrs.org/; and https://gcacyberflex.org/) and to the processing of personal data obtained offline by GCA as described above.

If you have any questions or concerns about our use of your personal information, please contact us using the following details:

  • United States: Mary Kavaney, Chief Legal and Administrative Officer, [email protected]
  • United Kingdom: Mary Kavaney, CLAO, and Terry Wilson, Global Partnership Director, [email protected]
  • Belgium: Mary Kavaney, CLAO, and Alejandro Fernández-Cernuda Díaz, Director of Engagement, Internet Integrity Program, [email protected]

The data controller of your personal information is the Global Cyber Alliance headquarters incorporated in the United States.