1. Who we are
This Privacy Policy explains how GFC Scale LLC (“GFC Scale,” “we,” “us,” or “our”) processes personal data. We are the data controller for personal data collected through https://gfcscale.com and https://client.gfcscale.com (together, the “Services”).
Registered address: [STREET ADDRESS], Fort Lauderdale, FL [ZIP], USA
Privacy contact: legal@gfcscale.com
2. The personal data we collect
We collect personal data in three ways:
Information you give us directly
- Contact & intake forms: name, business email, company, role, phone (optional), and the operational details you share in the intake questionnaire.
- Booking & payment: name, billing address, payment-card details (processed by Stripe — we never see full card numbers), VAT/Tax ID where applicable.
- Client portal: account credentials, profile details, and any documents, notes, or files you upload to your engagement.
- Correspondence: email, chat, and call notes when you contact us.
Information we collect automatically
- Essential cookies: session cookies (Supabase auth) and security tokens that keep you logged in and protect against fraud. See our Cookie Policy for the full list.
- Server logs: IP address, user-agent, request path, and timestamp. Retained for 30 days for security and debugging only.
- No third-party analytics or advertising trackers are currently deployed. If we add any in the future, we will update this policy and seek your consent first.
Information from third parties
- Payment confirmation: Stripe sends us payment status and the last four digits of your card so we can attribute the order.
- Public business data: if you provide your company name, we may look up publicly available information about your business (e.g. industry, size) to tailor our response.
3. Why we use your data (and our legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Respond to inquiries and provide our consulting services | Performance of a contract / pre-contractual steps |
| Process payments and issue invoices | Performance of a contract; legal obligation (tax records) |
| Send transactional emails (account, payment, deliverables) | Performance of a contract |
| Generate AI-assisted operational analyses of materials you submit | Performance of a contract; legitimate interests |
| Secure the Services and prevent fraud | Legitimate interests |
| Send marketing emails to existing customers about similar services | Legitimate interests (soft opt-in; you can unsubscribe at any time) |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
4. AI processing of your content
Where you submit business content (intake answers, operational documents, meeting notes) for analysis, we send that content to Anthropic’s Claude API via a zero-retention commercial endpoint. Anthropic does not use that content to train its models, and the prompts and responses are deleted from Anthropic infrastructure within 30 days. We store the resulting analysis in our Supabase database under your engagement record.
5. Who we share data with
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Sub-processors we use to deliver the Services (see full list below).
- Professional advisers (lawyers, accountants, auditors) under confidentiality.
- Authorities when required by law (subpoena, court order, regulatory demand).
- A successor in interest in the event of a merger, acquisition, or asset sale — with continued protection for your data.
We do not sell personal data, and we do not share it for cross-context behavioural advertising. See section 9 for your California-specific rights.
Sub-processors
| Vendor | Purpose | Location | DPA / Privacy |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge caching, deployment infrastructure | United States (global edge network) | link |
| Supabase Inc. | Database, authentication, file storage | United States / EU (project-dependent) | link |
| Stripe, Inc. | Payment processing, fraud prevention | United States / Ireland | link |
| Resend Inc. | Transactional email delivery | United States | link |
| Anthropic, PBC | AI-assisted analysis of business operations content you submit (zero-retention API; not used to train models) | United States | link |
| Google LLC (Workspace / Gmail SMTP) | Email delivery for outbound business correspondence | United States / EU | link |
6. International data transfers
Some of our sub-processors are located outside the European Economic Area / United Kingdom (primarily in the United States). Where we transfer personal data outside the EEA/UK, we rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplemented by the vendor’s technical and organisational measures.
7. How long we keep your data
- Inquiry and intake records: 24 months from last contact, then deleted or anonymised.
- Active client records: for the duration of the engagement plus 7 years (US tax + recordkeeping requirements).
- Server logs: 30 days.
- Marketing emails: until you unsubscribe, or until 24 months have passed with no engagement.
8. Your rights
Subject to applicable law, you have the right to:
- Access a copy of the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure (“right to be forgotten”).
- Restriction of processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent where processing is based on consent — without affecting prior lawful processing.
- Lodge a complaint with your local supervisory authority. EU/UK residents can find their authority at edpb.europa.eu.
To exercise any of these rights, email legal@gfcscale.com. We will respond within one month (extendable by two months for complex requests, in which case we will tell you).
9. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:
- The right to know what personal information we collect and how we use it.
- The right to delete personal information we hold about you.
- The right to correct inaccurate personal information.
- The right to limit the use of sensitive personal information (we do not knowingly collect sensitive personal information beyond what is necessary to provide the Services).
- The right to opt out of the sale or sharing of personal information. We do not sell or share personal information, but you can confirm this and submit a request at Do Not Sell or Share My Personal Information.
- The right to non-discrimination for exercising your rights.
Authorized agents may submit requests on your behalf with verified written permission. We will verify your identity before responding.
10. Children
The Services are not directed to anyone under 16, and we do not knowingly collect personal data from children. If you believe we have collected such data, contact legal@gfcscale.com and we will delete it.
11. Security
We protect personal data with TLS in transit, encryption at rest in Supabase, role-based access controls, row-level security in our database, audit logging, and the principle of least privilege. Notwithstanding our controls, no method of transmission or storage is 100% secure. We will notify affected users and the relevant authority within 72 hours of becoming aware of a personal data breach where legally required.
12. Changes to this policy
We update this policy when our practices change. The “Last updated” date at the top of this page reflects the most recent change. For material changes, we will notify you by email or a prominent notice on the Services before the change takes effect.
13. Contact us
Questions, requests, or complaints about this policy or our data practices: legal@gfcscale.com.