GSDSI privacy notice: data-broker sale and sharing disclosures, CCPA categories and retention, Global Privacy Control, cookies, sensitive PI, and consumer rights.
GSDSI operates under CCPA/CPRA, CAN-SPAM, TCPA, GDPR, and the evolving US state-privacy-act landscape (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Iowa ICDPA, Montana CDPA, Oregon OCPA, Texas TDPSA, Florida FDBR, and others). Consumer-report-adjacent products carry FCRA-ineligible labeling. Privacy-request handling meets the 45-day verification SLA required by California law.
This Privacy Notice for Global Source Data Solutions, Inc. ("GSDSI") describes how we access, collect, store, use, and share personal information when you use our services, visit https://www.gsdsi.com, or when partners transfer data to us. This document is a transparency notice, not a contract to purchase data.
Questions? Contact privacy@gsdsi.com (monitored privacy mailbox).
Healthcare-related data. GSDSI is not a HIPAA Covered Entity or Business Associate and does not handle Protected Health Information as defined under 45 CFR §160.103. Healthcare-adjacent marketing data is derived from non-clinical, consent-verified sources. For Washington My Health My Data Act and related state health-privacy questions, see our Consumer Health Data Notice.
State data-broker disclosures: /trust/data-broker-registrations.
You may provide name, contact details, employment information, and other personal information when you interact with GSDSI. We may also collect device and usage information such as IP address, identifiers, and analytics on our website when you accept cookies or when necessary for security.
We receive personal information from customers, partners, public sources, and other data brokers. Categories include business contact details, professional identifiers, demographic information, inferences, and precise geolocation and mobility signals where permitted by source contracts and law.
We do not intentionally collect HIPAA-protected health records, payment card data, or biometric templates of non-customers from third parties for our standard catalog. Wellness-interest and healthcare-adjacent audience products are described in the health-data notice and are licensed only under separate agreements.
GSDSI is a data broker. We sell and share personal information as those terms are defined by the California Consumer Privacy Act (CCPA), as amended by the CPRA, and comparable state laws. This includes licensing pseudonymous identifiers (for example, mobile advertising IDs), location-derived insights, and audience segments to enterprise customers for advertising, analytics, measurement, and risk use cases.
You have the right to opt out of sale/sharing. Use Do Not Sell or Share My Personal Information, our privacy rights request form, a recognized Global Privacy Control (GPC) signal, or—for California residents—the DELETE Act (DROP) platform when available.
GSDSI will not discriminate against you for exercising privacy rights.
The tables below summarize categories collected in the last 12 months, whether each category is sold or shared, and how long we retain it or the criteria we use. Sources are described in the sections above (information you provide, partners, public records, and licensed panels). Detailed field lists appear in customer data dictionaries under NDA.
| Category | Business / commercial purposes | Sold / shared | Recipient categories |
|---|---|---|---|
| Identifiers (name, email, phone, MAID, IP) | Licensing, analytics, marketing, security | Yes / Yes | Enterprise customers; ad/measurement partners; service providers |
| Professional / business contact | B2B licensing, sales, enrichment | Yes / Yes | B2B customers; data partners |
| Demographic / interest inferences | Audience products, measurement | Yes / Yes | Advertisers; analytics buyers |
| Precise geolocation / mobility | Location intelligence, POI, measurement | Yes / Yes | Location/measurement customers |
| Internet / network activity | Site analytics, conversion measurement | No / Yes (if ads tags accepted) | Google; Microsoft; Vercel (analytics) |
| Sensitive PI (precise geo; other categories as defined) | As licensed; exclusions per program | Yes / Yes | Qualified buyers under contract |
| Category | Retention period or criteria |
|---|---|
| Website account / inquiry records | Life of relationship + 3 years (legal/tax) |
| Consumer marketing / DSR logs | Request log 24 months; suppression flags while legally required |
| Licensed identity / MAID graph | Per product schedule in customer agreement (typically 12–36 months active; decay fields published) |
| Mobility / location panels | Rolling panel per license (often 12–24 months); sensitive-place exclusions refreshed per release |
| B2B contact enrichment | While business relationship remains active or 24 months after last verified use, whichever is shorter |
We use personal information to provide and improve services, license data products, personalize experiences, support advertising and marketing, comply with law, provide analytics and reporting, and run our business.
We share personal information with customers and partners, service providers, for security and fraud prevention, when required by law, in business transactions, and with your consent. Revoke consent for future uses via our privacy rights request form. Sale and sharing for commercial licensing are addressed in Sale and Sharing above.
Depending on the product, GSDSI processes sensitive personal information as defined by the CPRA, including:
We license these categories to qualified buyers under contract. You may limit the use and disclosure of your sensitive personal information to what is necessary to perform services by submitting a request at Limit the Use of My Sensitive Personal Information or through the DSR portal (select "Limit sensitive use").
Our sensitive-location compliance checklist describes venue exclusions and consent provenance aligned with FTC location-data orders.
Some U.S. states regulate consumer health data beyond HIPAA. GSDSI's public site does not offer PHI. Healthcare-adjacent or wellness-interest products, where offered, are governed by the Consumer Health Data Notice, separate license terms, and buyer obligations under laws such as Washington's My Health My Data Act (MHMDA).
GSDSI honors a valid Global Privacy Control (GPC) signal as a request to opt out of the sale and sharing of personal information on our website, consistent with California, Colorado, Connecticut, Texas, Oregon, and other applicable state laws. When GPC is detected, we set advertising and analytics tags to denied via Google Consent Mode and do not load optional marketing scripts until you affirmatively accept cookies.
Legacy Do Not Track (DNT) browser signals are not uniformly standardized; GPC is the supported universal opt-out mechanism on this site. The same practices are described on /do-not-sell.
Our cookie banner lets you Reject All or Accept All with equal prominence. No marketing cookies are pre-selected. Non-essential tags remain denied until you accept or until Consent Mode receives an update.
Manage choices anytime via Your Privacy Choices or clear site data in your browser.
For EEA, UK, and Swiss personal data we rely on:
Indirect collection from partners is documented in our DPIA and sourcing methodology; we do not rely on consent alone for all broker-sourced panels.
We implement technical and organizational safeguards. Internet transmission cannot be guaranteed fully secure.
See Categories, Purposes, and Retention for category-level periods. We may retain information longer when required by law, litigation, or signed customer agreements.
We may process information in the United States. For EEA, UK, and Swiss transfers we use Standard Contractual Clauses or the EU-U.S. Data Privacy Framework where applicable.
GSDSI participates in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension, and Swiss-U.S. DPF programs. Verify current certification status on the official participant list before relying on framework transfers: dataprivacyframework.gov/list. If Principles conflict with this notice, the Principles govern for covered transfers.
EU and UK individuals may limit marketing uses by contacting privacy@gsdsi.com. When GSDSI processes data as a processor for customers, we act on controller instructions.
Opt out of interest-based ads via the DAA at aboutads.info/choices.
Subprocessors are contractually restricted. GSDSI remains responsible under DPF principles when subprocessors process inconsistently, subject to DPF terms. See /trust/sub-processors.
We apply safeguards for EU and UK personal data and disclose information when legally required or in corporate transactions.
HR data complaints under DPF may be referred to EU DPAs, UK ICO, or Swiss FDPIC per DPF employment provisions.
The FTC has jurisdiction over DPF compliance. Contact our DPO at 3410 Galt Ocean Dr., Fort Lauderdale, FL 33308 or privacy@gsdsi.com. Unresolved DPF complaints may proceed to binding arbitration via JAMS where applicable under the Framework.
Exercise your rights using any of the following:
California: Right to know, delete, correct, opt out of sale/sharing, and limit sensitive PI. Opt out at /do-not-sell or via GPC. DROP requests: deleteMyData.com. From August 1, 2026, registered data brokers must process eligible DROP deletion requests at least every 45 days—GSDSI is preparing operational workflows for that cadence. When required by CPRA, annual request metrics will be published in this notice by July 1 each year—contact privacy@gsdsi.com for the current figures.
Europe / UK: Access, delete, restrict, port, object, and withdraw consent. Contact our EU/UK representative in Representatives in the EU and United Kingdom below, or lodge a complaint with your supervisory authority.
Statutory rights: Nothing in the Governing Law section below limits non-waivable privacy rights under CPRA, GDPR, or other applicable law.
Our website and standard consumer data products are not directed to children under 13. We do not knowingly collect personal information from children under 13 without appropriate parental consent as required by COPPA. If you believe we collected a child's information without authorization, contact privacy@gsdsi.com.
Texas and other state children's-privacy laws may impose additional duties on downstream buyers; see customer license terms.
This notice is governed by Florida law. Disputes about this website notice (not statutory privacy-rights requests) may be resolved through binding arbitration in Miami-Dade County, Florida under AAA commercial rules, except where prohibited. Your CPRA, GDPR, and other non-waivable privacy rights are not limited by this section.
If any portion is unenforceable, the remainder stays in effect. We may archive prior versions of this notice on request.
Privacy & Compliance Department, Global Source Data Solutions, Inc., 3410 Galt Ocean Dr., Fort Lauderdale, FL 33308, USA. Email: privacy@gsdsi.com.
We have appointed Superset Representatives SASU as our representative in the European Union under GDPR Article 27 and in the United Kingdom under UK GDPR Article 27.
Contact: gsdsi.com@supersetreps.com
Postal address: Superset Representatives SASU, 12 Rue Pierre Fontaine, 75009 Paris, France
EEA and UK individuals may contact this representative on matters related to the processing of personal data by GSDSI, in addition to privacy@gsdsi.com.
GSDSI maintains a public index for California, Vermont, Texas, and Oregon at /trust/data-broker-registrations. Registration numbers are published when verified. California Delete Act (SB 362) requires annual registration and DROP deletion processing—see that page for status.
We post updates on this page with a revised effective date. Last updated May 21, 2026 (privacy audit remediation).
If GSDSI becomes aware of a security incident materially affecting personal information subject to our role as processor or controller, enterprise customers should refer to contractual notice windows. Public diligence mirrors Tier 1/2 escalations summarized on Trust — Security Program: provisional notification for suspected incidents within five US business days with confirm-or-clear follow-up inside two weeks, and accelerated timelines consistent with GDPR requirements when confirmed breaches involve identified customer payloads.
Consumers exercising privacy rights remain directed to this notice’s dispute and contact clauses; enterprise vendor-risk teams validating SLAs pair this Privacy Policy with subprocessors enumerated at /trust/sub-processors and the downloadable DPA template.