Gyre Holdings LLC, d/b/a Gyre One, is the data controller responsible for the processing of your personal data. For inquiries regarding this Privacy Policy or data protection matters:
| Contact | Details |
|---|---|
| Entity Name | Gyre Holdings LLC d/b/a Gyre One |
| Address | 131 Daniel Webster Highway, Suite 425, Nashua, NH 03060 |
| Data Protection Contact | Legal Department |
| Email | legal@gyre.one |
This Privacy Policy applies to personal data collected through: (a) the Gyre One platform, including all AI-powered business tools, website builder, CRM, invoicing, email marketing, project management, and related services (collectively, the "Platform"); (b) our website(s) at gyre.one; (c) websites we build and host on behalf of our users; (d) email, telephone, and other direct communications between you and Gyre One; and (e) events, conferences, and marketing activities.
This Privacy Policy does not apply to third-party services, websites, or platforms that may be linked from our Platform. We encourage you to review the privacy policies of any third-party services you access.
Processing on Behalf of Users: Where we process personal data on behalf of a user as a data processor (e.g., subscriber email addresses used in our email marketing feature, or visitor data collected on websites we host for you), such processing is governed by our Terms of Service and any applicable Data Processing Agreement. This Privacy Policy governs our processing of personal data for our own purposes as a data controller.
Hosted Websites: If you use Gyre One to build and host a website, we may collect analytics data about visitors to your website (such as page views, referral sources, and geographic region) in order to provide you with website performance insights. You are responsible for providing your own privacy disclosures to your website visitors regarding any data collected through your hosted site.
| Category | Examples | Source |
|---|---|---|
| Account Information | Full name, email address, business name, business type, industry | Directly from you upon registration |
| Authentication Data | Hashed passwords, multi-factor authentication tokens, session tokens | Generated during account setup and login |
| Business Data | Business descriptions, financial projections, customer personas, branding assets, market research inputs, legal documents, project details, CRM contacts, invoices | Directly from you through Platform use |
| AI Interaction Data | Prompts submitted to AI features, AI-generated responses, conversation history maintained per organization for context continuity | Generated through your use of AI-powered features |
| Billing Information | Subscription plan, billing address, invoice history, payment status (card details are handled entirely by Stripe and never touch our servers) | Directly from you; payment details via Stripe |
| Usage Data | Features accessed, pages visited, session duration, actions performed, AI feature utilization, email campaigns sent | Automatically collected through Platform use |
| Device and Technical Data | IP address, browser type and version, operating system, screen resolution, time zone, language preferences | Automatically collected via web technologies |
| Communication Data | Contents of emails, support tickets, chat messages, and other correspondence with Gyre One | Directly from you |
| Email Marketing Data | Your subscribers' email addresses, subscriber list metadata, campaign delivery and engagement metrics (opens, clicks, bounces) | Provided by you when using our email marketing feature |
| Domain Registration Data | Domain name, WHOIS registrant information (name, address, email, phone as required by ICANN) | Provided by you when registering a domain through our Platform |
| Website Visitor Data | Page views, referral sources, geographic region, device type, and session data for websites we host on your behalf | Automatically collected from visitors to your Gyre One-hosted website |
| Cookie and Tracking Data | Cookie identifiers, analytics IDs, referral URLs, page interaction data | Automatically collected via cookies and similar technologies (see Section 10) |
| Marketing Data | Marketing preferences, event attendance records, responses to surveys or feedback requests | Directly from you or from event registration platforms |
Sensitive Data: Gyre One does not intentionally collect sensitive personal data (also known as "special category data" under GDPR), including racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sexual orientation. If you believe sensitive data has been inadvertently provided to us, please contact us immediately.
We collect personal data through the following means:
| Purpose | Data Categories Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and maintain the Platform (AI tools, website builder, CRM, invoicing, project management, legal templates) | Account, Authentication, Business Data, Usage, Technical | Performance of contract (Art. 6(1)(b)) |
| Deliver AI-powered features (viability analysis, branding, market research, financial planning, content creation) | Account, Business Data, AI Interaction Data | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Account, Billing | Performance of contract (Art. 6(1)(b)) |
| Website building, hosting, and visitor analytics | Account, Business Data, Website Visitor Data | Performance of contract (Art. 6(1)(b)) |
| Domain registration and management | Account, Domain Registration Data | Performance of contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) for ICANN requirements |
| Email marketing services (sending emails on your behalf) | Account, Email Marketing Data | Performance of contract (Art. 6(1)(b)) |
| Customer support and communication | Account, Communication, Usage | Performance of contract; Legitimate interest (Art. 6(1)(f)) |
| Platform improvement and analytics | Usage, Technical, Cookie/Tracking | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse detection | Authentication, Usage, Technical | Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) |
| Legal and regulatory compliance | All categories as necessary | Legal obligation (Art. 6(1)(c)) |
| Marketing and promotional communications | Account, Marketing | Consent (Art. 6(1)(a)) or Legitimate interest (Art. 6(1)(f)) |
| Aggregate analytics and product improvement | Usage (aggregated and anonymized) | Legitimate interest (Art. 6(1)(f)) |
Legitimate Interest Assessments: Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.
AI and Large Language Model Processing: Gyre One uses Anthropic's Claude API to power AI features including business viability analysis, branding, market research, financial planning, and content creation. When you use these features, your prompts and relevant business context are transmitted to Anthropic for real-time inference only. Your data is never used to train, fine-tune, or improve any AI or machine learning model. AI interaction history is stored per organization to maintain context continuity across sessions. Anthropic's data handling is governed by their API terms of service, which prohibit the use of API inputs and outputs for model training.
Email Marketing Processing: When you use our email marketing feature, you provide us with your subscribers' email addresses and we send emails on your behalf. In this capacity, we act as a data processor for your subscriber data. You are the data controller for your subscriber lists and are responsible for obtaining appropriate consent from your subscribers and complying with applicable anti-spam laws (CAN-SPAM, GDPR, CASL, etc.). We process subscriber data solely to deliver your email campaigns and provide delivery analytics. We do not use your subscriber data for our own marketing purposes.
SMS Messaging: If you opt in to receive transactional SMS messages (two-factor authentication codes, account alerts, and platform notifications), your mobile phone number is shared with our SMS service provider solely for the purpose of message delivery. We do not sell, rent, or share your phone number with third parties for marketing or promotional purposes. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. SMS opt-in data and consent are not shared with any third party. You may opt out at any time by replying STOP or disabling SMS in your account settings. For full details, see our SMS Terms & Conditions.
We do not sell personal data. We may disclose personal data to the following categories of recipients:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Anthropic (Claude API) | AI inference for business tools — prompts and business context sent for real-time processing only; not used for model training | Anthropic API terms prohibit training on API data; data encrypted in transit; no persistent storage by Anthropic beyond transient processing |
| Stripe | Payment processing, subscription management, invoicing | PCI DSS Level 1 certified; card details handled entirely by Stripe and never stored on our systems |
| Porkbun | Domain name registration and DNS management on your behalf | WHOIS data provided as required by ICANN; privacy protection enabled by default where available |
| Infrastructure Providers | Cloud hosting, email delivery, analytics, and content delivery | Data Processing Agreements with contractual obligations at least as protective as this Policy |
| Professional Advisors | Legal, accounting, and audit services | Professional confidentiality obligations |
| Law Enforcement and Regulators | Where required by law, regulation, or legal process | Disclosure limited to information legally required; prompt notification to you where legally permissible |
| Corporate Transactions | In connection with a merger, acquisition, reorganization, or sale of assets | Successor entity bound by terms at least as protective as this Policy |
No Sale of Data to Third Parties: We do not sell, rent, or trade your personal data or business data to third parties for their own commercial purposes. We do not share personal data for cross-context behavioral advertising.
Gyre One is headquartered in the United States. Your personal data may be transferred to and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.
Where we transfer personal data from the EEA, UK, or Switzerland to countries not recognized as providing adequate data protection, we implement appropriate safeguards, including:
For APAC jurisdictions with cross-border transfer restrictions (including Japan, South Korea, and Australia), we comply with applicable local requirements as detailed in Section 13.
You may request a copy of the applicable transfer safeguards by contacting us.
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Our retention criteria include:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account Information | Duration of subscription + 3 years | Contractual necessity; statute of limitations |
| Authentication Data | Duration of subscription; promptly deleted upon termination | Security purposes |
| Business Data | Duration of subscription + 30 days; available for export prior to deletion | Contractual necessity; user data portability |
| AI Interaction Data | Duration of subscription; deleted within 30 days of account termination | Context continuity for AI features |
| Billing Information | 7 years from date of transaction | Tax and financial reporting obligations |
| Usage Data | 24 months from collection | Platform improvement and support |
| Device and Technical Data | 12 months from collection | Security and analytics |
| Communication Data | Duration of subscription + 3 years | Support history and dispute resolution |
| Email Marketing Data | Duration of subscription; subscriber lists deleted within 30 days of account termination | Contractual necessity; user controls |
| Domain Registration Data | Duration of domain registration + as required by ICANN | Legal obligation (ICANN); contractual necessity |
| Website Visitor Data | 24 months from collection | Website analytics for hosted sites |
| Cookie Data | Per cookie-specific durations (see Section 10) | Varies by purpose |
| Marketing Data | Until consent withdrawn or 3 years from last engagement | Consent or legitimate interest |
| SMS Data | Duration of subscription; phone number and opt-in records deleted within 30 days of opt-out or account termination | Consent; legal compliance |
When personal data is no longer required, we securely delete or anonymize it. Anonymized data (from which you can no longer be identified) may be retained indefinitely for statistical and analytical purposes.
Gyre One implements technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
While we employ commercially reasonable measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
We use cookies and similar technologies to operate the Platform, analyze usage, and improve your experience. Below is a summary of the categories of cookies we use:
| Category | Purpose | Duration | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Authentication, security, session management | Session or up to 24 hours | No (exempt under ePrivacy Directive) |
| Functional | Remember preferences, language, display settings, workspace configuration | Up to 12 months | Yes (EU/UK); varies by APAC jurisdiction |
| Analytics | Usage statistics, performance monitoring, feature adoption tracking, error tracking | Up to 24 months | Yes (EU/UK); varies by APAC jurisdiction |
| Marketing | Campaign measurement (if applicable) | Up to 12 months | Yes |
Cookie Consent: For users in the EU, UK, and jurisdictions with consent-based cookie requirements, we present a cookie consent banner upon first visit. You may manage your preferences at any time through our cookie settings panel or your browser settings. Strictly necessary cookies cannot be disabled as they are essential for Platform operation.
Do Not Track: We honor Do Not Track (DNT) browser signals where technically feasible. Where we detect a DNT signal, we will not load analytics or marketing cookies.
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. We will respond to all verifiable requests within the time periods required by applicable law.
| Right | Description | Applicable Jurisdictions |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | All (GDPR Art. 15, CCPA, APPI, PDPA, PDPO, Privacy Act) |
| Rectification | Request correction of inaccurate or incomplete personal data | EU/UK (GDPR Art. 16), Japan, Singapore, Australia |
| Erasure | Request deletion of your personal data (subject to legal retention requirements) | EU/UK (GDPR Art. 17), CCPA (right to delete) |
| Restriction | Request temporary restriction of processing in certain circumstances | EU/UK (GDPR Art. 18) |
| Portability | Receive your personal data and business data in a structured, commonly used, machine-readable format | EU/UK (GDPR Art. 20) |
| Objection | Object to processing based on legitimate interest or for direct marketing purposes | EU/UK (GDPR Art. 21) |
| Withdraw Consent | Withdraw consent at any time (without affecting lawfulness of prior processing) | All where consent is the legal basis |
| Non-Discrimination | Not be discriminated against for exercising privacy rights | California (CCPA/CPRA) |
| Opt-Out of Sale/Sharing | Direct us not to sell or share personal data for cross-context behavioral advertising | California (CCPA/CPRA); note: we do not sell personal data |
| AI Data Deletion | Request deletion of all AI interaction history associated with your organization | All jurisdictions |
| Lodge a Complaint | File a complaint with a supervisory authority in your jurisdiction | EU/UK (GDPR Art. 77), and equivalent APAC authorities |
How to Exercise Your Rights: Submit requests by email to legal@gyre.one or by mail to the address in Section 1. We will verify your identity before processing requests and respond within 30 days (GDPR), 45 days (CCPA/CPRA), or the applicable statutory period. Complex requests may require an extension, in which case we will notify you.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We require written proof of the agent's authorization and identity verification of both you and the agent.
The Platform is designed for business owners and entrepreneurs and is not directed at individuals under 18 years of age (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor, we will take prompt steps to delete such data.
Data Protection Officer: Not required under Article 37 GDPR. Our designated data protection contact is listed in Section 1.
Legal Bases: We process personal data on the legal bases set forth in Section 5. Where we rely on legitimate interest, you have the right to object (Section 11).
Automated Decision-Making: Our AI-powered business tools provide recommendations and generated content to assist your decision-making. These tools do not make legally binding or similarly significant decisions about you without human involvement. You retain full control over whether to adopt, modify, or discard any AI-generated output.
Supervisory Authority: You have the right to lodge a complaint with the supervisory authority of the EU Member State in which you reside, work, or in which the alleged infringement occurred. A list of supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Data Protection Impact Assessments: Where required under Article 35 GDPR, we conduct Data Protection Impact Assessments for high-risk processing activities, including our use of AI processing technologies.
Supervisory Authority: You may lodge a complaint with the Information Commissioner's Office (ICO): https://ico.org.uk.
UK International Data Transfers: Where we transfer personal data outside the UK to countries without an adequacy decision, we rely on the UK IDTA or the UK Addendum to the EU SCCs, as approved by the ICO.
UK Data Protection Act 2018: Processing of personal data is also subject to the provisions of the UK Data Protection Act 2018 (DPA 2018), including any applicable exemptions.
Categories and Business Purpose: In the preceding 12 months, we have collected the categories of personal information described in Section 3 for the business purposes described in Section 5.
No Sale of Personal Information: Gyre One does not sell personal information as defined by the CCPA/CPRA, and has not done so in the preceding 12 months.
No Sharing for Cross-Context Behavioral Advertising: We do not share personal information for cross-context behavioral advertising as defined by the CPRA.
Sensitive Personal Information: We do not collect or process sensitive personal information (as defined by the CPRA) beyond what is necessary and for permissible purposes.
California Residents' Rights: California residents have the rights described in Section 11, including the rights to know, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information. You will not receive discriminatory treatment for exercising these rights.
Submission of Requests: California residents may submit requests via email to legal@gyre.one.
"Shine the Light" (Civil Code Section 1798.83): California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Additional US State Laws: We also comply with applicable privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other US states with comprehensive privacy legislation, providing equivalent rights as described in Section 11.
Handling of Personal Information: We handle personal information in compliance with the APPI, including the 2022 amendments. We specify the purpose of use of personal information before or promptly upon acquisition and do not use personal information beyond the scope necessary for the stated purposes without your consent.
Cross-Border Transfers: Where we transfer personal information from Japan to the United States or other foreign countries, we take measures required under Article 28 APPI, including: (a) obtaining your consent with information about the data protection regime of the destination country; (b) ensuring the receiving party maintains a data protection framework equivalent to Japan's; or (c) implementing contractual safeguards equivalent to APPI protections.
Disclosure and Correction: You have the right to request disclosure, correction, deletion, and cessation of use of your personal information held by us, in accordance with APPI. Requests should be submitted to legal@gyre.one.
Personal Information Protection Commission: You may lodge complaints with the Personal Information Protection Commission (PPC) at https://www.ppc.go.jp.
Consent: We collect, use, and disclose personal data in accordance with the PDPA. Where consent is required, we obtain it before or at the time of collection. You may withdraw consent at any time by contacting us, subject to legal and contractual restrictions.
Purpose Limitation: We collect personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that we have informed you of.
Cross-Border Transfers: Where personal data is transferred outside Singapore, we ensure the recipient provides a comparable standard of protection through contractual or other legally recognized means, as required under the PDPA.
Access and Correction: You have the right to access and correct your personal data held by us. We will respond to access requests within 30 days.
Data Breach Notification: We will notify the Personal Data Protection Commission (PDPC) and affected individuals of notifiable data breaches in accordance with the PDPA's breach notification requirements.
PDPC Complaints: You may lodge a complaint with the Personal Data Protection Commission at https://www.pdpc.gov.sg.
Data Protection Principles: We comply with the six Data Protection Principles under the PDPO regarding the collection, accuracy, use, security, openness, and access of personal data.
Direct Marketing: We will not use your personal data for direct marketing without your consent. You may opt out of direct marketing at any time.
Access and Correction: You have the right to request access to and correction of your personal data. We will respond within 40 days of receiving a request.
Privacy Commissioner: You may lodge complaints with the Office of the Privacy Commissioner for Personal Data at https://www.pcpd.org.hk.
Australian Privacy Principles (APPs): We comply with the APPs when handling personal information of Australian individuals.
Cross-Border Transfers: Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the APPs, as required under APP 8. Alternatively, we obtain your consent or rely on another permitted exception.
Access and Correction: You may request access to and correction of your personal information. We will respond within 30 days.
Notifiable Data Breaches: We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act and will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.
Complaints: You may lodge a complaint with the OAIC at https://www.oaic.gov.au.
Consent: We collect and process personal information with your consent as required under PIPA, clearly informing you of the purposes, categories, and retention period.
Cross-Border Transfers: Where personal information is transferred outside Korea, we comply with the cross-border transfer requirements of PIPA, including obtaining consent and ensuring the recipient maintains appropriate safeguards.
Data Subject Rights: You have the right to access, correct, delete, and suspend processing of your personal information. We will process requests within 10 days as required by PIPA.
Destruction of Data: When personal information is no longer necessary, we promptly destroy it in a manner that prevents recovery, as required by PIPA.
Personal Information Protection Commission: You may lodge complaints with Korea's Personal Information Protection Commission (PIPC) at https://www.pipc.go.kr.
We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) posting the updated policy on our website with a revised "Last Updated" date; (b) sending an email notification to your registered email address; or (c) providing an in-Platform notification. We encourage you to review this Policy periodically. Where required by applicable law, we will obtain your consent before implementing material changes that affect how we process your personal data.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Gyre Holdings LLC d/b/a Gyre One
Attn: Data Protection / Privacy
131 Daniel Webster Highway, Suite 425, Nashua, NH 03060
Email: legal@gyre.one
We aim to respond to all inquiries within 10 business days.