Global Privacy Notice

This Global Privacy Notice (“Notice”) was last updated: July 2026.

Applicable jurisdictions: United Kingdom | European Union | Canada | Australia. This Notice uses the EU General Data Protection Regulation (GDPR) as its baseline standard.

Please take a moment to review this Privacy Notice in detail to understand our views and practices regarding your personal data and how we will treat it.

Overview

Granicus is committed to protecting the privacy of your personal information. We have written this Privacy Notice to let you know how Granicus uses your personal data. In this statement you will find information about the types of personal data we collect from you, when we collect your personal data and how long we keep it for, how we collect your personal data, our reasons for collecting and using your personal data, and information about how we share your personal data. When we say “we”, “us”, “our”, or “Granicus” in this Privacy Notice, we mean Granicus LLC, Granicus-Firmstep, Ltd., Granicus Canada Holdings ULC, Granicus Australia Pty Ltd., Granicus Technologies India Pvt Ltd, Rock Solid Technologies PR, GovLoop, Simpleview LLC, and Indigov Inc.

Granicus LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and has certified its adherence to the EU-U.S. DPF Principles with regard to personal data received from the European Union. For UK data subjects, transfers to the United States are made under the UK-US Data Bridge (UK International Data Transfer (Adequacy) (United States of America) Regulations 2023, in force 12 October 2023) and, where applicable, UK IDTAs.

If there is any conflict between the terms in this Privacy Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

This Notice does not apply to information Granicus handles as a data processor on behalf of its B2B customers, nor to employment or candidate data (governed by separate notices). A separate US Privacy Notice addresses CCPA/CPRA and other US state law requirements; that notice is not part of this global document.

This Privacy Notice and the DPF Principles apply to all Granicus group of companies mentioned above.

This Privacy Notice is incorporated into and made a part of our Terms of Use, any applicable mobile app end user license agreement, and any other agreement that references this Privacy Notice or governs access to or use of the Services (together, our “Terms”).

We may update this Notice periodically. Where changes are material, we will provide at least 30 days’ advance notice by posting a prominent notice on our website and, where we hold your contact details, notifying you by email. Minor or non-material updates may take effect on posting. Continued use of our website following notice of material changes does not constitute consent to new processing activities that require it; fresh consent will be sought where required by applicable law.

Contact us

The identity of the data controller varies by your jurisdiction of residence: (a) UK: Granicus-Firmstep Ltd. (England & Wales) — dpo@granicus.com; (b) EU/EEA: Simpleview-Granicus EU SL — dpo@granicus.com; (c) Canada: Granicus Canada Holdings ULC (Privacy Officer) — privacy@granicus.com; (d) Australia: Granicus Australia Pty Ltd. — privacy-australia@granicus.com. General enquiries: dpo@granicus.com.

Office for Data Protection Compliance

E: customercare@granicus.com

Office for Data Protection Compliance

E: customercare@granicus.com

What personal data does Granicus collect from me and use?

We collect, store and use the following categories and types of personal data which identify you or which can be used to identify you:

Category of personal data When / how collected Purpose of processing Lawful basis (Art. 6(1) UK/EU GDPR) Retention period (Art. 13(2)(a) UK/EU GDPR)
Identity & contact data: name, business/personal email address, postal address and telephone number. Directly from you via website contact forms, chatbot interactions, event registrations or account set-up. Responding to enquiries.
Marketing communications.
Account administration.
Art. 6(1)(a) UK/EU GDPR – Consent. 3 years from your last interaction, or for the duration of the contractual relationship plus 1 year thereafter. Marketing data is retained until you withdraw your consent or object to the processing, whichever occurs first.
Professional data: job title, seniority, department, employer and work location. Directly from you when registering for webinars, events or product demonstrations. Event administration.
Marketing segmentation.
Sales prospecting.
Art. 6(1)(a) UK/EU GDPR – Consent. For the duration of the relevant engagement plus 1 year, or 3 years from collection where there is no ongoing engagement, whichever is shorter. Deleted upon receipt of a valid objection under Article 21 UK/EU GDPR.
Premises & access data: CCTV images, door/card-swipe records, visitor logs, network access logs and time-recording data. Automatically collected when you visit our premises or access our corporate network. Health and safety compliance.
Security of our premises and systems.
Prevention of crime.
Art. 6(1)(c) UK/EU GDPR – Legal obligation.
Art. 6(1)(f) UK/EU GDPR – Legitimate interests (security and crime prevention).
Special category data (where applicable): Art. 9(2)(b) UK/EU GDPR.
CCTV footage: 30 days (extended to 90 days where required for an incident investigation).
Card-swipe/access logs: 12 months.
Visitor logs: 6 months.
Network access logs: up to 3 years, subject to applicable law.
Technical & device data: IP address, browser type and version, browser plug-ins, operating system, time zone, domain name, pages visited and session duration. Automatically collected via cookies and server logs when you visit our website (subject to your cookie preferences for non-essential cookies). Website security and fraud prevention.
Analytics and service optimisation.
Ensuring the correct display and functionality of website content.
Art. 6(1)(f) UK/EU GDPR – Legitimate interests (strictly necessary cookies and security logging).
Art. 6(1)(a) UK/EU GDPR – Consent (non-essential and analytics cookies).
Strictly necessary/security logs: up to 13 months.
Analytics cookie data: up to 13 months from placement.
Cookie consent records: 3 years from the date consent was provided.
Job application data: CV, cover letter, qualifications, references and right-to-work documentation. Directly from you when you submit an application through our careers portal or a third-party recruitment platform. Assessment and selection of candidates.
Compliance with employment law obligations.
Art. 6(1)(b) UK/EU GDPR – Pre-contractual steps.
Art. 6(1)(a) UK/EU GDPR – Consent (where retained for future opportunities). Processing is governed by the separate Granicus Candidate Privacy Notice.
Unsuccessful applicants: 6 months from notification of the recruitment outcome (extended to 12 months where consent has been provided for future vacancies).
Successful applicants: transferred to the employee record and retained in accordance with the Employee Privacy Notice.

Lawful bases for processing (Article 6 UK/EU GDPR)

Some of the laws that apply to us require us to tell you the legal reason for using your personal data. We list these below:

Where we rely on consent as our lawful basis (Article 6(1)(a) UK/EU GDPR), we will make clear at the point of collection that consent is voluntary. You may withdraw consent at any time without detriment by contacting us or using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Article 7(3) UK/EU GDPR).

Where we rely on legitimate interests (Article 6(1)(f) UK/EU GDPR), we have conducted a balancing test and are satisfied that our interests are not overridden by your rights and freedoms. Our legitimate interests include: operating, securing, and improving our websites and services; communicating with prospects and clients about relevant services; protecting our premises and networks; and analytics and service improvement. You have the right to object to processing based on legitimate interests at any time; we will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

We use your personal data for our legitimate interests to provide you with information about our products and services and to understand your use of our website, products, and/or services. We use information collected via cookies (electronic text files) that we place on to your machine in order to provide you with the best level of service when using our tools. These analytics tell us whether you had technical difficulties when using our website or to provide you with a service that is tailored to you.

Our Cookie Policy provides you with more information about our use of cookies.

Legal Requirement: At times we may receive requests from regulators or other authorised bodies to use your personal data in order to comply with a legal or regulatory obligation. Where this is the case, we will ensure that the request is legitimate.

Overall, the provision of your personal data is voluntary for you and not required by law. However, in order to provide the website to you, to carry out a contractual relationship with you and/or to offer other products and services to you, your personal data are necessary. Not providing your personal data may result in disadvantages for you – for example, we may not be able to carry out a contractual relationship with you or you may not be able to use certain products and services or may accept limited functionality. However, not providing your information will not result in legal consequences for you.

Data retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected and to comply with our legal obligations. Retention periods by data category are set out in the table above. In determining retention periods we apply: (a) the duration of our relationship with you; (b) applicable statutory limitation periods (6 years in England & Wales, Limitation Act 1980; 6 years under Australian contract law; 3 years under Quebec civil law; 2–6 years under applicable Canadian provincial law); (c) any legal, regulatory, or contractual obligation requiring retention; and (d) any legitimate business need for the defence of legal claims. On expiry, personal data is securely deleted or irreversibly anonymised.

Your rights in relation to your personal data

The rights available to you depend on your jurisdiction of residence. The rights below apply, to the extent indicated, to data subjects in the UK, EU, Canada, and Australia. We will respond within one calendar month (UK/EU GDPR Art. 12), 30 days (PIPEDA s.8), or 30 days (Australian Privacy Act), extendable for complex requests with prior notification. No fee will be charged unless a request is manifestly unfounded or excessive. Your rights include:

  • Right to access: You may have the right to obtain from Granicus confirmation as to whether or not we process your personal data, and, where this is the case, you may have the right to access your personal data.
  • Right to data portability: You may have the right to receive all such personal data about you from Granicus in a structured, commonly used and machine-readable format, and also to require us to transmit it to another entity where this is technically feasible.
  • Right to deletion: You may have the right to request the deletion of your personal data that we have collected.
  • Right to correction: You may have the right to request the correction of your personal data that we collected.
  • Right to restriction: You may have the right to request restriction of processing.
  • Right to object: You may have the right to object to the processing of your personal data at any time.
  • Right to withdraw consent: In the event your personal data is processed on the basis of your consent, you may have the right to withdraw consent at any time with effect for the future.
  • You have the right to lodge a complaint with the supervisory authority in your jurisdiction: UK: ICO (ico.org.uk, 0303 123 1113); EU: your national DPA (edpb.europa.eu); Canada: OPC (priv.gc.ca, 1-800-282-1376) or, for Quebec, CAI (cai.gouv.qc.ca, 1-888-528-7741); Australia: OAIC (oaic.gov.au, 1300 363 992).

See the “What should I do if I am not happy with how my information is being used?” section below for further information on how you may exercise such rights—where applicable.

How can I find out what personal data Granicus’ holds about me?

You may contact us using the contact information above if you would like more detailed information about what personal data we have collected from you, including the categories of personal data processed, the purposes of the processing and the third parties to whom that data is transferred. You may also request a copy of your data. Note that we do have to take into account the interests of others, and certain other legal obligations or restrictions, so this is not an absolute right.

Can I ask granicus to delete or correct my personal data?

You may contact us using the contact information above if you would like us to delete your personal data or to have your personal data corrected and, if required to do so, we will comply with your request.

Can I ask granicus to stop using my personal data?

You may contact us using the contact information above if you would like us to stop using your personal data (either entirely or for some of our Processing Activities) and, if required to do so, we will comply with your request.

Can I ask granicus to transfer my personal data to a third party?

You may contact us using the contact information above if you would like us to transfer your personal data to a third party in a structured, commonly used and machine readable format and, if required to do so, we will comply with your request.

Does Granicus securely store my personal data?

We apply strict security standards, controls and processes to protect your personal information from unauthorised access, loss or accidental deletion. These include restricting who can have access to your personal data and protecting your data with security tools appropriate to the type of information e.g. encryption software and secure file transfer tools. We also require that our third party processors who handle your personal data do the same.

Does Granicus use cookies and collect other trackers?

Cookies are text files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are useful because they allow a website to recognize a user’s device. Cookies allow you to navigate between pages efficiently, remembering your preferences and generally improving the user experience.

Our Cookie Policy provides you with more information about our use of cookies.

Does Granicus share my personal data with third parties?

To help us carry out our Processing Activities, we may need to share your personal data with entities within and outside of Granicus as follows:

Granicus entities – we may transfer your data to other Granicus entities who may collect, transfer and/or use the personal data we have collected from you for some or all of our Processing Activities. Where we share your personal information with other Granicus entities, they will use your information in a manner consistent with the purposes for which it was originally collected and consistent with this Privacy Notice and applicable data protection and privacy laws.

Our data processors – from time to time, we may share your personal data with our third party service providers or with other Granicus entities who provide us with investor relationship, company secretarial, legal, regulatory, corporate advisory, event management, talent management, recruitment, marketing, communication and/or IT support services (“Data Processors”). In order to provide such services, our Data Processors process your personal data on our behalf. Our Data Processors have met our criteria as trusted guardians of personal data and are subject to contractual obligations to implement appropriate security measures to safeguard your personal data and to process personal data only as instructed by us.

Other third parties – your personal data may also be transferred to regulators, courts, and other authorities (e.g. tax and law enforcement authorities) and independent external advisors (e.g. lawyers, auditors). We may also share certain personal data with business partners, customers and suppliers to carry out our business activities.

For the full list of the Granicus entities, Data Processors and other third parties that we may share your data with, please contact us as set out above. Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we have no control over how they may use your personal information. You should check the privacy policies of third party websites before you submit any personal information to them.

Granicus may share personal data with its service providers for the purpose of helping Granicus execute certain tasks outsourced to them, or providing capabilities Granicus requires. The service providers to which Granicus provides personal data in connection with the personal data collected through the Website are: (1) email service providers for email campaigns management and to send you emails on our behalf, with the express provision that their use of such information must comply with our instructions; (2) recruiting service providers, in relation to activities on the Website related to submission and processing of CV and job applications through the Website; (3) registration management of users to events through the website; (4) billing, processing payments, marketing automation, Granicus advertisements on social media, CRM platform, analytics tools providers, web page building tools, cloud services, support and maintenance operation tools. Our service providers do not have any right to use your personal data collected from the Website beyond what is necessary for the purpose of facilitating their services for us and are subject to data protection agreements to the extent required under applicable law.

Granicus does not share personal data on a discretionary or open-ended basis. All sharing of personal data is limited to the purposes set out in this Notice and is subject to a documented lawful basis under Article 6 UK/EU GDPR.

Social media features – the Website includes social media plugins, including links to Facebook, LinkedIn and Twitter. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the plugin to function properly. Social media features are governed by the privacy policy of the company providing it.

Do we participate in the data privacy framework?

Yes. Granicus LLC is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF). For EU/EEA data subjects, transfers to the US are made in reliance on the EU-US DPF. For UK data subjects, the applicable adequacy instrument is the UK-US Data Bridge.

With respect to personal data received or transferred pursuant to Data Privacy Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In addition, Granicus commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO),the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF. You may engage such authorities if you have concerns regarding our adherence to the Data Privacy Framework Principles or any applicable privacy law or regulations. We will respond directly to such authorities regarding investigations and resolution of complaints. Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Does Granicus transfer my personal data overseas?

Some of the Granicus entities, Data Processors and other third parties that we share your personal data with are located outside of the UK or European Economic Area (EEA).

If we transfer your personal data to entities outside of the EEA (which include our IT service providers, recruitment partners and other Granicus entities in the US and India), we will make sure that your data is being protected as required by applicable data protection law, as described in more detail below.

For UK data subjects, the applicable adequacy instrument is the UK-US Data Bridge. For EU/EEA data subjects, transfers are made under the EU-US DPF and, as a fallback, EU Standard Contractual Clauses (SCCs). For other transfers, Granicus uses UK IDTAs (for UK) and EU SCCs (for EU/EEA). Granicus group entities in India (Granicus Technologies India Pvt Ltd) and Costa Rica may access personal data in the course of providing technical and operational support to the group. All such access is governed by a binding Intra-Group Data Processing Agreement to which all Granicus affiliates are signatories, which incorporates the EU Standard Contractual Clauses (Controller-to-Processor and/or Processor-to-Processor modules, as applicable) and the UK Addendum thereto issued by the ICO under s.119A of the Data Protection Act 2018. Access is granted on a least-privilege, need-to-know basis. Transfer Impact Assessments (EU) and Transfer Risk Assessments (UK) have been conducted and are maintained by the Granicus data protection function.

Canadian data subjects: Transfers are subject to contractual protections consistent with PIPEDA’s accountability principle. Granicus Canada Holdings ULC remains accountable for personal data transferred to agents and service providers in other jurisdictions.

Australian data subjects: Cross-border disclosures are made in accordance with Australian Privacy Principle 8 (APP 8). Before disclosing personal information overseas, Granicus Australia Pty Ltd. takes reasonable steps to ensure the overseas recipient complies with the APPs.

Data security

We implement appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include: role-based access controls and multi-factor authentication; encryption in transit and at rest; secure file transfer protocols; regular penetration testing; staff data protection training; and binding contractual obligations on processors. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Article 33 UK/EU GDPR; Australian NDB scheme, Privacy Act 1988 (Cth) Part IIIC). Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay (Article 34 UK/EU GDPR; Australian NDB scheme).

What should I do if I am not happy with how my information is being used?

You can contact us using the contact information above if you are not happy with how we are handling your personal data.

You have the right to lodge a complaint with the supervisory authority in your jurisdiction without prejudice to any other administrative or judicial remedy: UK: Information Commissioner’s Office (ICO), ico.org.uk, 0303 123 1113; EU: your national DPA (edpb.europa.eu); Canada (federal): OPC, priv.gc.ca, 1-800-282-1376; Canada (Quebec): CAI, cai.gouv.qc.ca, 1-888-528-7741; Australia: OAIC, oaic.gov.au, 1300 363 992.

Data controller identification

The data controller responsible for your personal data varies by your jurisdiction of residence:

  • United Kingdom: Granicus-Firmstep Ltd. (registered in England & Wales) is the UK GDPR controller for UK data subjects. Contact: dpo@granicus.com.
  • European Union / EEA Simpleview-Granicus EU SL Contact: dpo@granicus.com.
  • Canada: Granicus Canada Holdings ULC is the accountable organisation under PIPEDA and applicable provincial legislation. Contact: privacy@granicus.com.
  • Australia: Granicus Australia Pty Ltd. is the APP entity responsible under the Privacy Act 1988 (Cth). Contact: privacy-australia@granicus.com.

For general data protection enquiries: dpo@granicus.com.

Children’s data

Our websites and services are not directed at children under the age of 16 (or such lower age as is applicable in the relevant jurisdiction under Article 8 GDPR or equivalent national implementing law). We do not knowingly collect personal data from children under 16.

If you believe we have inadvertently collected personal data from a child under 16, please contact dpo@granicus.com immediately. We will take prompt steps to delete that information from our systems.

Canadian privacy — PIPEDA and Quebec Law 25

Federal (PIPEDA): Granicus Canada Holdings ULC is the accountable organisation for personal information collected in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA). Privacy Officer contact: privacy@granicus.com. We collect, use, and disclose personal information only with your knowledge and consent, except where permitted or required by law. You have the right to access personal information we hold and to challenge its accuracy. Complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

Quebec (Law 25 — An Act to Modernise Legislative Provisions as Regards the Protection of Personal Information): For Quebec residents: (i) Right to data portability — to receive personal information in a structured, commonly used, technology-based format and have it transmitted to any person or body you designate; (ii) Right to de-indexation — to request we cease disseminating personal information or de-index any hyperlink attached to your name, where permitted by law; (iii) Automated decision-making rights — where Granicus makes decisions based solely on automated processing, you may request the personal data used, the reasons and principal factors, and human review. Complaints: Commission d’accès à l’information (CAI), cai.gouv.qc.ca.

Australian privacy — Privacy Act 1988 (Cth) and Australian Privacy Principles

Granicus Australia Pty Ltd. complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as amended by the Privacy and Other Legislation Amendment Act 2024 (introducing a statutory tort for serious invasions of privacy, enhanced OAIC enforcement powers, and new children’s online privacy protections).

Collection: We collect personal information only by lawful and fair means and only if reasonably necessary for our functions (APP 3). Access and correction: You have the right to access personal information we hold (APP 12) and to request correction of inaccurate, incomplete, or misleading information (APP 13).

Notifiable Data Breaches (NDB): We comply with the NDB scheme under Part IIIC of the Privacy Act 1988. If a data breach is likely to result in serious harm to you, we will notify both you and the OAIC as soon as practicable.
Cross-border disclosures: Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient complies with the APPs in relation to that information (APP 8).

Complaints: OAIC, oaic.gov.au, 1300 363 992.

Automated decision-making

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significant effects on you (Article 22 UK/EU GDPR; Quebec Law 25).

If Granicus uses automated decision-making that meets this threshold in relation to you, we will inform you. You may: (a) request human review of the decision; (b) obtain information about the personal data used; and (c) be informed of the reasons and principal factors leading to the decision.

As at the date of this Notice, Granicus does not use solely automated decision-making that produces legal or similarly significant effects on data subjects in the UK, EU, Canada, or Australia. If this position changes, this Notice will be updated and you will be notified in accordance with the change-of-notice procedure above.

BEGIN THE JOURNEY

Ready to deliver exceptional outcomes?

Book a demo