Gyre Holdings LLC, d/b/a Gyre Research, is the data controller responsible for the processing of your personal data. For inquiries regarding this Privacy Policy or data protection matters:
| Contact | Details |
|---|---|
| Entity Name | Gyre Holdings LLC d/b/a Gyre Research |
| Address | 131 Daniel Webster Highway, Suite 425, Nashua, NH 03060 |
| Data Protection Contact | Legal Department |
| [email protected] |
This Privacy Policy applies to personal data collected through: (a) the Gyre Research Platform; (b) our website(s) at gyreresearch.com; (c) email, telephone, and other direct communications between you and Gyre Research; and (d) events, conferences, and marketing activities.
This Privacy Policy does not apply to third-party services, websites, or platforms that may be linked from our Platform. We encourage you to review the privacy policies of any third-party services you access.
Processing on Behalf of Clients: Where we process personal data on behalf of a Client as a data processor (e.g., personal data contained within Client Data uploaded to the Platform), such processing is governed by the Data Processing Agreement between Gyre Research and the Client, not this Privacy Policy. This Privacy Policy governs our processing of personal data for our own purposes as a data controller.
| Category | Examples | Source |
|---|---|---|
| Account Information | Full name, job title, business email address, business phone number, company name | Directly from you upon registration |
| Authentication Data | Hashed passwords, multi-factor authentication tokens, session tokens | Generated during account setup and login |
| Billing Information | Billing address, payment method details (handled by third-party payment processor), invoicing records | Directly from you or your organization's finance department |
| Usage Data | Login timestamps, features accessed, search queries, report generation activity, API call logs | Automatically collected through Platform use |
| Device and Technical Data | IP address, browser type and version, operating system, screen resolution, time zone, language preferences | Automatically collected via web technologies |
| Communication Data | Contents of emails, support tickets, chat messages, and other correspondence with Gyre Research | Directly from you |
| Cookie and Tracking Data | Cookie identifiers, analytics IDs, referral URLs, page interaction data | Automatically collected via cookies and similar technologies (see Section 10) |
| Marketing Data | Marketing preferences, event attendance records, responses to surveys or feedback requests | Directly from you or from event registration platforms |
| SMS Data | Mobile phone number, SMS opt-in/opt-out status, message delivery records | Directly from you when enabling SMS notifications in the Platform |
Sensitive Data: Gyre Research does not intentionally collect sensitive personal data (also known as "special category data" under GDPR), including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation. If you believe sensitive data has been inadvertently provided to us, please contact us immediately.
We collect personal data through the following means:
| Purpose | Data Categories Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the Platform | Account, Authentication, Usage, Technical | Performance of contract (Art. 6(1)(b)) |
| Process payments and billing | Account, Billing | Performance of contract (Art. 6(1)(b)) |
| Customer support and communication | Account, Communication, Usage | Performance of contract; Legitimate interest (Art. 6(1)(f)) |
| Platform improvement and analytics | Usage, Technical, Cookie/Tracking | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse detection | Authentication, Usage, Technical | Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) |
| Legal and regulatory compliance | All categories as necessary | Legal obligation (Art. 6(1)(c)) |
| Marketing and promotional communications | Account, Marketing | Consent (Art. 6(1)(a)) or Legitimate interest (Art. 6(1)(f)) |
| Aggregate analytics and benchmarking | Usage (aggregated and anonymized) | Legitimate interest (Art. 6(1)(f)) |
Legitimate Interest Assessments: Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
AI and Large Language Model Processing: Certain Platform features use third-party large language model (LLM) providers to generate AI-powered insights and natural language analytics. When these features are used, relevant data may be transmitted to the LLM provider for real-time inference only. Your data is never used to train, fine-tune, or improve any AI or machine learning model. You may disable all LLM-powered features at any time through the Platform's control panel settings, after which no data will be transmitted to any LLM provider. For full details, see Section 4.3 of our Data Processing Agreement.
SMS Messaging: If you opt in to receive transactional SMS messages (two-factor authentication codes, account alerts, and platform notifications), your mobile phone number is shared with our SMS service provider, Twilio, solely for the purpose of message delivery. We do not sell, rent, or share your phone number with third parties for marketing or promotional purposes. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent are not shared with any third party. You may opt out at any time by replying STOP or disabling SMS in your account settings. For full details, see our SMS Terms & Conditions.
We do not sell personal data. We may disclose personal data to the following categories of recipients:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Service Providers | Cloud hosting, payment processing, email delivery, customer support tools, analytics | Data Processing Agreements with contractual obligations at least as protective as this Policy |
| Market Data Providers | To facilitate data entitlements and license compliance | Limited to information necessary for license verification |
| Professional Advisors | Legal, accounting, and audit services | Professional confidentiality obligations |
| Law Enforcement and Regulators | Where required by law, regulation, or legal process | Disclosure limited to information legally required; prompt notification to you where legally permissible |
| Corporate Transactions | In connection with a merger, acquisition, reorganization, or sale of assets | Successor entity bound by terms at least as protective as this Policy |
Gyre Research is headquartered in the United States. Your personal data may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection, we implement appropriate safeguards, including:
For APAC jurisdictions with cross-border transfer restrictions (including Japan, South Korea, and Australia), we comply with applicable local requirements as detailed in Section 13.
You may request a copy of the applicable transfer safeguards by contacting us.
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our retention criteria include:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of subscription + 3 years | Contractual necessity; statute of limitations |
| Authentication Data | Duration of subscription; promptly deleted upon termination | Security purposes |
| Billing Information | 7 years from date of transaction | Tax and financial reporting obligations |
| Usage Data | 24 months from collection | Platform improvement and support |
| Device and Technical Data | 12 months from collection | Security and analytics |
| Communication Data | Duration of subscription + 3 years | Support history and dispute resolution |
| Cookie Data | Per cookie-specific durations (see Section 10) | Varies by purpose |
| Marketing Data | Until consent withdrawn or 3 years from last engagement | Consent or legitimate interest |
| SMS Data | Duration of subscription; phone number and opt-in records deleted within 30 days of opt-out or account termination | Consent; legal compliance |
When personal data is no longer required, we securely delete or anonymize it. Anonymized data (from which you can no longer be identified) may be retained indefinitely for statistical and analytical purposes.
Gyre Research implements technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
While we employ commercially reasonable measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
We use cookies and similar technologies to operate the Platform, analyze usage, and improve your experience. Below is a summary of the categories of cookies we use:
| Category | Purpose | Duration | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Authentication, security, session management | Session or up to 24 hours | No (exempt under ePrivacy Directive) |
| Functional | Remember preferences, language, display settings | Up to 12 months | Yes (EU/UK); varies by APAC jurisdiction |
| Analytics | Usage statistics, performance monitoring, error tracking | Up to 24 months | Yes (EU/UK); varies by APAC jurisdiction |
| Marketing | Ad targeting, campaign measurement (if applicable) | Up to 12 months | Yes |
Cookie Consent: For users in the EU, UK, and jurisdictions with consent-based cookie requirements, we present a cookie consent banner upon first visit. You may manage your preferences at any time through our cookie settings panel or your browser settings. Strictly necessary cookies cannot be disabled as they are essential for Platform operation.
Do Not Track: We honor Do Not Track (DNT) browser signals where technically feasible. Where we detect a DNT signal, we will not load analytics or marketing cookies.
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. We will respond to all verifiable requests within the time periods required by applicable law.
| Right | Description | Applicable Jurisdictions |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | All (GDPR Art. 15, CCPA, APPI, PDPA, PDPO, Privacy Act) |
| Rectification | Request correction of inaccurate or incomplete personal data | EU/UK (GDPR Art. 16), Japan, Singapore, Australia |
| Erasure | Request deletion of your personal data (subject to legal retention requirements) | EU/UK (GDPR Art. 17), CCPA (right to delete) |
| Restriction | Request temporary restriction of processing in certain circumstances | EU/UK (GDPR Art. 18) |
| Portability | Receive your personal data in a structured, commonly used, machine-readable format | EU/UK (GDPR Art. 20) |
| Objection | Object to processing based on legitimate interest or for direct marketing purposes | EU/UK (GDPR Art. 21) |
| Withdraw Consent | Withdraw consent at any time (without affecting lawfulness of prior processing) | All where consent is the legal basis |
| Non-Discrimination | Not be discriminated against for exercising privacy rights | California (CCPA/CPRA) |
| Opt-Out of Sale/Sharing | Direct us not to sell or share personal data for cross-context behavioral advertising | California (CCPA/CPRA); note: we do not sell personal data |
| Lodge a Complaint | File a complaint with a supervisory authority in your jurisdiction | EU/UK (GDPR Art. 77), and equivalent APAC authorities |
How to Exercise Your Rights: Submit requests by email to [email protected] or by mail to the address in Section 1. We will verify your identity before processing requests and respond within 30 days (GDPR), 45 days (CCPA/CPRA), or the applicable statutory period. Complex requests may require an extension, in which case we will notify you.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We require written proof of the agent's authorization and identity verification of both you and the agent.
The Platform is designed for institutional financial professionals and is not directed at individuals under 18 years of age (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete such data.
Data Protection Officer: Not required under Article 37 GDPR. Our designated data protection contact is listed in Section 1. If a DPO is not required under Article 37 GDPR, our designated data protection contact is listed in Section 1.
Legal Bases: We process personal data on the legal bases set forth in Section 5. Where we rely on legitimate interest, you have the right to object (Section 11).
Automated Decision-Making: We do not engage in solely automated decision-making (including profiling) that produces legal effects or similarly significantly affects individuals, within the meaning of Article 22 GDPR.
Supervisory Authority: You have the right to lodge a complaint with the supervisory authority of the EU Member State in which you reside, work, or in which the alleged infringement occurred. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Data Protection Impact Assessments: Where required under Article 35 GDPR, we conduct Data Protection Impact Assessments for high-risk processing activities.
Supervisory Authority: You may lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk.
UK International Data Transfers: Where we transfer personal data outside the UK to countries without an adequacy decision, we rely on the UK IDTA or the UK Addendum to the EU SCCs, as approved by the ICO.
UK Data Protection Act 2018: Processing of personal data is also subject to the provisions of the UK Data Protection Act 2018 (DPA 2018), including any applicable exemptions.
Categories and Business Purpose: In the preceding 12 months, we have collected the categories of personal information described in Section 3 for the business purposes described in Section 5.
No Sale of Personal Information: Gyre Research does not sell personal information as defined by the CCPA/CPRA, and has not done so in the preceding 12 months.
No Sharing for Cross-Context Behavioral Advertising: We do not share personal information for cross-context behavioral advertising as defined by the CPRA.
Sensitive Personal Information: We do not collect or process sensitive personal information (as defined by the CPRA) beyond what is necessary and for permissible purposes.
California Residents' Rights: California residents have the rights described in Section 11, including the rights to know, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information. You will not receive discriminatory treatment for exercising these rights.
Submission of Requests: California residents may submit requests via email to [email protected] or toll-free at (800) 933-4731.
"Shine the Light" (Civil Code § 1798.83): California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Additional US State Laws: We also comply with applicable privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with comprehensive privacy legislation, providing equivalent rights as described in Section 11.
Handling of Personal Information: We handle personal information in compliance with the APPI, including the 2022 amendments. We specify the purpose of use of personal information before or promptly upon acquisition and do not use personal information beyond the scope necessary for the stated purposes without your consent.
Cross-Border Transfers: Where we transfer personal information from Japan to the United States or other foreign countries, we take measures required under Article 28 APPI, including: (a) obtaining your consent with information about the data protection regime of the destination country; (b) ensuring the receiving party maintains a data protection framework equivalent to Japan's; or (c) implementing contractual safeguards equivalent to APPI protections.
Disclosure and Correction: You have the right to request disclosure, correction, deletion, and cessation of use of your personal information held by us, in accordance with APPI. Requests should be submitted to [email protected].
Personal Information Protection Commission: You may lodge complaints with the Personal Information Protection Commission (PPC) at https://www.ppc.go.jp.
Consent: We collect, use, and disclose personal data in accordance with the PDPA. Where consent is required, we obtain it before or at the time of collection. You may withdraw consent at any time by contacting us, subject to legal and contractual restrictions.
Purpose Limitation: We collect personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that we have informed you of.
Cross-Border Transfers: Where personal data is transferred outside Singapore, we ensure the recipient provides a comparable standard of protection through contractual or other legally recognized means, as required under the PDPA.
Access and Correction: You have the right to access and correct your personal data held by us. We will respond to access requests within 30 days.
Data Breach Notification: We will notify the Personal Data Protection Commission (PDPC) and affected individuals of notifiable data breaches in accordance with the PDPA's breach notification requirements.
PDPC Complaints: You may lodge a complaint with the Personal Data Protection Commission at https://www.pdpc.gov.sg.
Data Protection Principles: We comply with the six Data Protection Principles under the PDPO regarding the collection, accuracy, use, security, openness, and access of personal data.
Direct Marketing: We will not use your personal data for direct marketing without your consent. You may opt out of direct marketing at any time.
Access and Correction: You have the right to request access to and correction of your personal data. We will respond within 40 days of receiving a request.
Privacy Commissioner: You may lodge complaints with the Office of the Privacy Commissioner for Personal Data at https://www.pcpd.org.hk.
Australian Privacy Principles (APPs): We comply with the APPs when handling personal information of Australian individuals.
Cross-Border Transfers: Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the APPs, as required under APP 8. Alternatively, we obtain your consent or rely on another permitted exception.
Access and Correction: You may request access to and correction of your personal information. We will respond within 30 days.
Notifiable Data Breaches: We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act and will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.
Complaints: You may lodge a complaint with the OAIC at https://www.oaic.gov.au.
Consent: We collect and process personal information with your consent as required under PIPA, clearly informing you of the purposes, categories, and retention period.
Cross-Border Transfers: Where personal information is transferred outside Korea, we comply with the cross-border transfer requirements of PIPA, including obtaining consent and ensuring the recipient maintains appropriate safeguards.
Data Subject Rights: You have the right to access, correct, delete, and suspend processing of your personal information. We will process requests within 10 days as required by PIPA.
Destruction of Data: When personal information is no longer necessary, we promptly destroy it in a manner that prevents recovery, as required by PIPA.
Personal Information Protection Commission: You may lodge complaints with Korea's Personal Information Protection Commission (PIPC) at https://www.pipc.go.kr.
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy on our website with a revised "Last Updated" date; (b) sending an email notification to your registered email address; or (c) providing an in-Platform notification. We encourage you to review this Policy periodically. Where required by applicable law, we will obtain your consent before implementing material changes that affect how we process your personal data.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Gyre Holdings LLC d/b/a Gyre Research
Attn: Data Protection / Privacy
131 Daniel Webster Highway, Suite 425, Nashua, NH 03060
Email: [email protected]
Phone: (800) 933-4731
We aim to respond to all inquiries within 10 business days.