Legal

Privacy Policy

1. Introduction

Granite River, Inc. (“Granite River,” “GRT,” “we,” “our,” or “us”) operates this website (the “Site”). This Privacy Policy describes how we collect, use, retain, and protect information when you visit the Site, and explains the rights you may have with respect to that information under applicable law, including the EU/UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), and the privacy statutes of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Iowa, and other U.S. states that have enacted comprehensive consumer-data-privacy legislation (collectively, “U.S. State Privacy Laws”).

Our Site is a primarily static informational website. The only interactive feature is a contact form through which visitors may submit business inquiries (“Contact Form”). We do not run advertising, and we do not sell, share, or otherwise disclose visitor or traffic data to advertising networks, data brokers, or any third party for commercial purposes.

By accessing or using the Site, you acknowledge that you have read and agree to this Policy and understand how your information will be handled. If you do not agree with this Policy, you must discontinue use of the Site.

2. Scope

  1. Covered Entities and Services. This Policy applies to:
    1. Individuals who visit or use the Site.
    2. Individuals who submit inquiries through the Contact Form.
    3. Individuals who communicate with us by email or other channels referenced on the Site in relation to the Site or to our business.
  2. Excluded Services. This Policy does not apply to:
    1. Offline interactions unrelated to the Site.
    2. Separate products or services that refer to a different privacy policy.
    3. Third-party sites or services linked from the Site.

3. Information We Collect

3.1 Information You Voluntarily Provide

When you submit the Contact Form, you may provide:

  • Name
  • Business or personal e-mail address
  • Company name or affiliation
  • Phone number (optional)
  • The content of your message or inquiry

We collect only the information you choose to submit. Providing this information is entirely voluntary; however, declining to provide it may limit our ability to respond to your inquiry.

3.2 Information Collected Automatically

When you visit the Site, our web server and any hosting-infrastructure provider may automatically log standard technical data, including:

  • IP address (which may be treated as personal data in certain jurisdictions)
  • Browser type and version
  • Operating system
  • Referring URL
  • Pages viewed and date/time of access
  • HTTP status codes

This server-log data is collected for security, fraud prevention, and routine operational purposes, and is not used to identify individual visitors beyond those purposes.

3.3 Cookies and Similar Technologies

The Site uses only the following categories of cookies and similar tracking technologies:

  • Strictly Necessary Cookies. These cookies are essential to operate the Site (e.g., session security, load balancing). They cannot be disabled without materially impairing Site functionality.
  • Analytics/Performance Cookies (if any). If we deploy any analytics service, it is configured to anonymize IP addresses, disable cross-site tracking, and prohibit use of Site data for any purpose other than aggregate Site-performance reporting. We do not use Google Analytics advertising features, remarketing, or any interest-based profiling.

We do not use advertising cookies, tracking pixels, third-party social-media widgets, or any other technology that transmits information about your visit to an advertising network or data broker.

4. How We Use Information

We use the information we collect solely for the following purposes:

  • Responding to inquiries submitted through the Contact Form.
  • Evaluating and pursuing potential business relationships.
  • Maintaining the security, performance, and integrity of the Site.
  • Complying with applicable legal obligations and defending legal claims.
  • Retaining records required by law or regulation.

We do not use your information for marketing or advertising purposes, and we do not engage in profiling or automated decision-making that produces legal or similarly significant effects on individuals.

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Legitimate Interests (Art. 6(1)(f) GDPR). Processing Contact Form submissions and server logs to respond to inquiries, operate the Site, and protect our systems, where such interests are not overridden by your rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR). Retaining records where required by applicable law or regulation.
  • Contract (Art. 6(1)(b) GDPR). Processing information as necessary to take steps at your request prior to, or in performance of, a contract between you and GRT.

Where we rely on legitimate interests, you may object to processing at any time using the contact information in Section 10.

6. Disclosure of Information

We do not sell, rent, trade, or otherwise share personal information with third parties for advertising, marketing, or commercial data-monetization purposes. We may disclose information in the following limited circumstances:

  • Service Providers. We may share information with trusted vendors who assist in hosting, maintaining, or securing the Site (e.g., web-hosting providers), solely to the extent necessary to provide those services and subject to appropriate confidentiality and data-processing obligations.
  • Legal Process and Safety. We may disclose information if required to do so by law, court order, or governmental authority, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of GRT, our clients, or the public.
  • Business Transfers. In connection with a merger, acquisition, or sale of substantially all of our assets, personal information may be transferred as part of that transaction, subject to the acquirer's commitment to honor this Policy or a materially equivalent policy.

7. Do Not Track

Some browsers transmit a “Do Not Track” (“DNT”) signal to websites. Because there is currently no legally mandated or universally accepted technical standard for how websites must respond to DNT signals, the Site does not alter its data-collection or use practices in response to browser DNT settings.

That said, as described in this Policy, we do not engage in cross-site behavioral tracking, interest-based advertising, or any sale or sharing of personal data for advertising purposes, regardless of whether a DNT signal is present. California residents should see Section 8.2 regarding the Global Privacy Control (“GPC”), which we do honor.

8. Data Retention

We retain Contact Form submissions and related correspondence for as long as reasonably necessary to fulfill the purpose for which they were collected—ordinarily no longer than three (3) years after last contact—unless a longer period is required by law, regulation, or legitimate business need (such as an ongoing business relationship, active litigation, or applicable record-keeping obligations).

Server log data is retained for up to ninety (90) days for security and operational purposes, then deleted or anonymized.

Where you have entered into a business relationship with GRT, we may retain your information for longer periods to the extent required by applicable regulatory, contractual, or legal preservation requirements.

9. Your Privacy Rights

9.1 All Visitors

Subject to applicable law, you may have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate personal information.
  • Request deletion of your personal information (subject to the qualifications in Section 8.5).
  • Object to or restrict certain processing of your personal information.
  • Receive a portable copy of personal information you have provided to us.

To exercise any of these rights, please contact us at privacy@graniteriver.io. We will respond within the timeframe required by applicable law (generally 30–45 days, with possible extensions).

9.2 California Residents (CCPA / CPRA)

California residents have the following additional rights under the CCPA/CPRA:

  • Right to Know. You may request that we disclose the categories and specific pieces of personal information collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom it is shared.
  • Right to Delete. Subject to certain exceptions, you may request deletion of personal information we have collected from you.
  • Right to Correct. You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing. We do not sell or share personal information (including for cross-context behavioral advertising), so this right is not exercisable here. We will not begin to sell or share personal information without first updating this Policy and providing any required notice.
  • Right to Limit Use of Sensitive Personal Information. We do not use or disclose sensitive personal information beyond the purposes permitted by the CCPA/CPRA without consent.
  • Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.

Global Privacy Control (GPC). The Site recognizes and honors the GPC browser signal as a valid opt-out of the sale and sharing of personal information. Because we do not sell or share personal information, no further action is taken upon receipt of a GPC signal beyond acknowledgment.

To submit a CCPA/CPRA verifiable consumer request, contact us at privacy@graniteriver.io. We may ask you to verify your identity before processing your request.

9.3 Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Iowa, and Other States with Comprehensive Privacy Laws

Residents of U.S. states that have enacted comprehensive consumer-data-privacy legislation generally have rights that parallel those set out in Sections 8.1 and 8.2, including rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of profiling for decisions that produce significant effects. Because we do not engage in targeted advertising, the sale of personal data, or automated profiling, the relevant opt-out rights are inapplicable.

To submit a request, contact us at privacy@graniteriver.io. If we decline your request, you may appeal by responding to our denial notice and requesting review. If we deny your appeal, we will provide information about how to lodge a complaint with your state's Attorney General or relevant supervisory authority.

9.4 EEA, UK, and Swiss Residents

In addition to the rights in Section 8.1, if you are located in the EEA, UK, or Switzerland, you have the right to lodge a complaint with your local data-protection authority (e.g., the Irish Data Protection Commission, the UK Information Commissioner's Office, or the applicable national authority).

9.5 Deletion — Business-Relationship Exception

If you have not entered into a business relationship with GRT, we will honor timely, verified deletion requests with respect to any personal information we hold about you, subject only to legal exceptions (e.g., completion of pending transactions, fraud prevention, legal obligations).

If you have entered into a business relationship with GRT, any request for deletion of personal information is subject to GRT's discretion and to applicable regulatory, contractual, and legal preservation requirements. We will notify you of any limitation on our ability to comply with your deletion request and, where possible, will delete the data that is not subject to a retention requirement or determination.

10. Data Security

We maintain commercially reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, and destruction. No method of transmission over the Internet or electronic storage is completely secure; accordingly, while we strive to protect your personal information, we cannot guarantee its absolute security.

11. Contact and Data Controller

Granite River, Inc. is the data controller for personal information collected through the Site. For privacy inquiries, to exercise your rights, or to file a complaint or appeal, please contact:

Granite River, Inc.

Attn: Privacy Officer

E-mail: privacy@graniteriver.io

We will acknowledge receipt of your request promptly and respond within the period required by applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this page. Material changes will be posted on this page with reasonable notice before they take effect. Your continued use of the Site after the effective date of any update constitutes your acknowledgment of and agreement to the revised Policy.