United States Regional Privacy Notice

Effective: June 2026 | Last revised: June 2026

Scope & applicability

This United States Regional Privacy Notice (Notice) applies to individuals residing in the United States whose personal data is processed by Granicus LLC and its affiliates (collectively, Granicus, we, us, or our). It supplements the Granicus Global Privacy Policy available at granicus.com/privacy-policy.

Processor / Service Provider Clarification. Granicus provides technology platforms to government agencies and other public-sector entities (Agency Customers). In those contexts, the Agency Customer is the data controller and Granicus acts solely as a data processor or service provider operating under a Data Processing Agreement (DPA). Personal data processed under a DPA is governed by the DPA and applicable law, and individuals should direct rights requests relating to Agency Customer data to the relevant Agency Customer. This Notice applies to personal data for which Granicus independently determines the purposes and means of processing (e.g., Granicus’s own marketing, website analytics, and account management).

Federal Agency Context. When Granicus processes data on behalf of federal agency customers, those agencies retain obligations under the Privacy Act of 1974 (5 U.S.C. § 552a) and the E-Government Act of 2002 (44 U.S.C. § 3501 et seq.). Granicus supports Agency Customers in meeting those obligations, including with respect to System of Records Notices, Privacy Impact Assessments, and records-management requirements, as specified in applicable government contracts and DPAs.

For clarity, Sections relating to analytics, profiling, automated decision-making, and marketing apply solely to processing activities where Granicus acts as a controller, and not to processing performed on behalf of Agency Customers under a Data Processing Agreement.

Key definitions

Personal Data means any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual or household.

Sensitive Personal Data means a subset of personal data including racial or ethnic origin; religious beliefs; mental or physical health data; sexual orientation; transgender or nonbinary status; genetic or biometric data; geolocation (precise); immigration status; and financial account data.

Sale means the disclosure of personal data for monetary or other valuable consideration, as defined in applicable state law (including under the CCPA/CPRA, TDPSA, and equivalent statutes).

Automated Decision-Making Technology (ADMT) means any system, algorithm, or machine-learning model that substantially replaces human decision-making to produce outputs such as predictions, recommendations, scores, or classifications that inform decisions about individuals.

Profiling means any automated processing of personal data to evaluate, analyse, or predict aspects concerning an individual’s characteristics, behaviour, interests, or preferences.

Personal data we collect, how we use it, and legal basis

The table below describes the categories of personal data Granicus collects as a controller, the specific examples within each category, and the purposes for which we use it. The sources of this data are: directly from you; from Agency Customers and their platforms; from cookies and tracking technologies on our Services; and from third-party analytics and data-enrichment providers.

Data category Specific examples Purposes for collection and use
Identifiers Name; business/personal email, address, and telephone number; account credentials; IP address.
  • Service delivery and account administration.
  • Customer support and communications.
  • Insights and analytics.
  • Survey responses.
  • Promotional and marketing communications.
  • Third-party marketing on behalf of customers.
  • Evaluation, improvement, and development of Services.
  • De-identified and aggregated data.
  • Lawful processes; protection of legal rights.
  • Business transactions (mergers, acquisitions, etc.).
Sensitive personal data Race and ethnicity; sexual orientation; transgender or nonbinary status; religious beliefs; health and lifestyle data.
  • Lawful processes; protection of legal rights.
  • Survey responses (with prior consent where required).
  • De-identified and aggregated data (with safeguards).
  • Performance of contractual obligations at your direction.
  • With your explicit opt-in consent.
Geolocation information Approximate location derived from IP address. Precise geolocation only if you and your agency customer enable this feature.
  • Lawful processes; protection of legal rights.
  • Survey responses (with prior consent).
  • De-identified and aggregated data.
  • NOT sold (California; Oregon prohibits sale of geolocation data).
Demographic information Family size, marital status, estimated income level.
  • Survey responses (with consent).
  • Insights and analytics (aggregated/de-identified).
Protected classification data Age (40+); race; color; ancestry; national origin; citizenship; religion; marital status; medical condition; physical or mental disability; sex, gender identity and expression; sexual orientation; veteran/military status; genetic information.
  • Lawful processes; protection of legal rights.
  • Survey responses (with consent).
  • De-identified and aggregated data.
  • Contractual performance at your direction.
  • With your explicit consent.
Professional/Employment information Job title; position; management level; work location; division; department.
  • Service delivery and account administration.
  • Insights and analytics.
  • Promotional and marketing communications.
  • Third-party marketing on behalf of customers.
  • Evaluation and improvement of Services.
  • De-identified and aggregated data.
  • Lawful processes; protection of legal rights.
  • Business transactions.
Internet and electronic network activity IP address; time-zone setting; operating system; browser type and plug-ins; domain name; clickstream data; page interaction data; referring/exit URLs; session duration; device identifiers.
  • Improving, modifying, and updating Services.
  • Monitoring and ensuring orderly operation of Services.
  • Statistical analysis (including for third parties in aggregate form).
  • Personalising user experience and content.
Audio, visual, and similar data Content submitted via live chat, messaging features, or recordings where applicable.
  • Service delivery.
  • Customer support.
  • Lawful processes; protection of legal rights.

Data Minimisation. Consistent with applicable law, including the Maryland Online Data Privacy Act (MODPA) where applicable, Granicus collects only personal data that is reasonably necessary and proportionate to the disclosed purpose. We do not collect personal data for its own sake or beyond what is needed to deliver the relevant Service or function.

Disclosure of personal data to third parties

We disclose personal data to third parties only as described in this Notice or as permitted by applicable law. The following table summarises categories of data disclosed, recipient categories, and purposes.

Data categories disclosed Categories of third-party recipients Purposes for disclosure
Identifiers; Professional / Employment Information; Internet Activity; Audio / Visual Data
  • Affiliates, subsidiaries, and related Granicus entities.
  • Successor owners in M&A or asset-sale transactions.
  • Third-party service providers (payment processors, analytics, fraud prevention, cloud storage, IT, marketing companies).
  • Law enforcement and government authorities (as required by law).
  • Government entities at your or your agency customer’s direction (see Survey Responses).
  • Service delivery and communications.
  • Insights and analytics.
  • Promotional and marketing communications.
  • Third-party marketing on behalf of customers.
  • Evaluation and improvement of Services.
  • De-identified and aggregated data.
  • Lawful processes; protection of legal rights.
  • Business transactions.
Sensitive Personal Data; Protected Classifications; Geolocation Information
  • Government entities at your or your agency customer’s direction (see Survey Responses).
  • Law enforcement (as required by law).
  • Lawful processes; protection of legal rights.
  • Survey responses.
  • De-identified and aggregated data.
  • With your explicit consent.

Third-party websites and social media

Our Services may contain links to third-party websites and social media platforms. Those platforms operate under their own privacy policies. We are not responsible for their data practices. Social media plugins (including Facebook, LinkedIn, and X/Twitter) may collect your IP address and usage data independently of Granicus. We recommend reviewing the privacy policies of any third-party platform before submitting personal data to it.

Selling and sharing

Granicus does not sell personal data in the traditional sense of an exchange for money. However, certain disclosures to advertising and analytics partners, and the sending of marketing communications on behalf of Agency Customers, may constitute a sale or sharing under the CCPA/CPRA and equivalent state laws. You have the right to opt out of such activities. To exercise your opt-out right, contact us using the methods in Section 10.

In the preceding 12 months, Granicus has shared or sold personal data (in the form of identifiers and professional/employment information) with Agency Customers at their discretion and with advertising/analytics partners for marketing and campaign-improvement purposes. We have not sold sensitive personal data, and we do not do so consistent with our obligations under MODPA and as a matter of policy.

Data retention

Retention periods vary depending on the nature of the data, applicable contractual obligations, and legal requirements. Where specific retention periods are not mandated, Granicus applies reasonable retention criteria, including the duration of the customer relationship, operational needs, and legal or regulatory requirements.

The table below sets out our standard retention periods (or the criteria used to determine them) for each category of personal data.

Data category Retention period / criteria
Account and identifiers Duration of the customer relationship, plus 3 years following contract termination, or as required by applicable law or government contract obligations.
Sensitive personal data and protected classifications Retained only for the period necessary to fulfil the specific purpose for which it was collected (generally limited to the period necessary to fulfil the disclosed purpose), or as required by law. Deleted or de-identified promptly thereafter.
Geolocation information Retained only for as long as necessary for the disclosed purpose and in accordance with applicable state law or contract.
Professional / Employment information Duration of the customer relationship, plus 2 years.
Internet and electronic network activity Generally retained for a limited period necessary to support analytics and security monitoring, after which it is deleted or de-identified.
Survey responses (non-sensitive) Retained for a limited period following submission, unless a different retention period is specified by the applicable government agency customer.
Survey responses (sensitive) Retained only for as long as necessary to fulfil the disclosed purpose, taking into account any retention period specified by the applicable government agency customer.
Audio / visual data (live chat) Generally retained for a limited period (such as up to 12 months) to support quality assurance and legal purposes, after which it is deleted or de-identified.

Where a government contract or applicable law requires a longer or shorter retention period, that requirement will govern. Data that is no longer required will be securely deleted or de-identified. Granicus periodically reviews retention schedules to ensure compliance with evolving legal requirements.

Cookies, tracking technologies, and opt-out signals

Types of tracking technologies

We use cookies and similar technologies (pixel tags, web beacons, device fingerprinting) to operate, secure, and improve our Services, and for analytics and advertising purposes. See our Cookie Policy at granicus.com/trust-center/cookie-policy/ for full details.

Global Privacy Control and Universal Opt-Out Mechanism (UOOM)

Granicus honors Global Privacy Control (GPC) and Universal Opt-Out Mechanism (UOOM) signals where required by applicable state law, including California and Oregon. When our Services detect a valid GPC or UOOM signal from your browser or device, we will treat that signal as a request to opt out of the sale and sharing of your personal data for cross-contextual behavioural advertising. You can configure GPC via browser extensions or privacy-first browsers. The opt-out will apply to the browser or device from which the signal is sent.

Certain third-party analytics and advertising technologies operate independently. Disabling cookies in your browser settings or using an ad blocker may limit some tracking. For third-party social media tracking, we recommend the opt-out steps described in Section 4.1 above.

Insights, profiling, and analytics

Granicus may, in limited circumstances and where acting as a controller, use personal data to generate aggregated analytics and marketing insights. Such insights generally relate to engagement metrics, interests, or market segment classifications and do not typically include inferred sensitive characteristics. Where Granicus processes personal data on behalf of Agency Customers, any profiling or analytics is performed solely at the direction of the Agency Customer and is governed by the applicable DPA.

Automated Decision-Making Technology (ADMT)

Disclosure of ADMT use

Consistent with California CPPA ADMT Regulations effective January 1, 2026, and equivalent provisions in other state laws, Granicus discloses the following regarding its use of ADMT:

To the extent Granicus uses automated tools when acting as a controller, such tools are limited to marketing analytics, segmentation, and communication optimization. Granicus does not use automated decision-making technology to make decisions that produce legal or similarly significant effects on individuals.

Use of automated decision-making within Granicus products is governed by customer contractual terms and customer-facing disclosures.

Risk assessments and cybersecurity audits

Granicus evaluates high-risk processing activities, including the use of sensitive personal data and targeted advertising, in accordance with applicable law. Where required, Granicus will conduct and maintain risk assessments and make them available to regulators as required. Granicus also maintains a security program that includes periodic assessments and reviews designed to evaluate the effectiveness of our controls.

Your privacy rights

Subject to applicable law and available exceptions, you may have the following rights with respect to personal data for which Granicus is the controller. Rights exercisable against Agency Customer-controlled data must be directed to the relevant Agency Customer.

Right Description
Right to Confirm and Access Confirm whether Granicus processes your personal data and request access to specific pieces, categories, sources, purposes, and third-party recipients.
Right to Data Portability Receive a copy of your personal data in a structured, commonly used, machine-readable format.
Right to Deletion Request deletion of personal data collected from you, subject to legal exceptions.
Right to Correction Request correction of inaccurate personal data.
Right to Opt-Out of Sale / Sharing Opt out of the sale or sharing of your personal data, including sharing for cross-contextual behavioral advertising.
Right to Opt-Out of Targeted Advertising Opt out of processing your personal data for targeted advertising.
Right to Opt-Out of ADMT / Profiling Opt out of automated decision-making technology and profiling (California and other applicable states). See Section 8.
Right to Limit Sensitive Data Processing Limit or opt out of processing of sensitive personal data to what is necessary for service delivery.
Right to Non-Discrimination Exercise any right without discriminatory treatment.
Right to Appeal Appeal a denial of any rights request. See Section 10.

Not Applicable to All States. The availability of specific rights varies by state. Consult Section 11 (State-Specific Notices) for the rights applicable to your state of residence.

How to exercise your rights, submit requests, and appeal

Submitting a Request

To exercise any right described in this Notice, you may contact us by:

Your request must include sufficient information for us to verify your identity and understand the nature of your request. Granicus will respond within the timeframe required under applicable law (generally 45 days, with a permissible 45-day extension). Requests relating to opt-out of sale or sharing do not require identity verification beyond what is necessary to process the request.

Authorised Agents

You may designate an authorised agent to submit a request on your behalf. We will require: (a) written, signed authorisation from you specifying the agent’s authority; or (b) a power of attorney under applicable law. We may verify your identity independently and confirm your authorisation directly with you.

Appeal

If we deny your rights request, you have the right to appeal our decision in all states that provide an appeal right (including Virginia, Colorado, Connecticut, Texas, Oregon, New Jersey, Minnesota, Montana, Delaware, Iowa, New Hampshire, Nebraska, Maryland, Indiana, Kentucky, and Rhode Island). To appeal, email customercare@granicus.com with: (a) your full name; (b) a description of the original request and our decision; and (c) the basis for your appeal. We will respond within the time period required by applicable law.

Non-Discrimination

Granicus will not discriminate against you for exercising any rights under this Notice or applicable law. We will not deny Services, charge different prices, or provide a degraded level of service as a result of a rights request.

Children’s data

Granicus’s own commercial website and direct marketing services are not directed at children under the age of 16, and we do not knowingly collect or sell the personal data of children under 16. If we discover that we have inadvertently collected personal data from a child under 16, we will promptly delete it. This limitation applies only to Granicus’s consumer-facing websites and marketing activities. Granicus may process personal data of children when acting as a service provider to Agency Customers, in which case the Agency Customer is responsible for obtaining any required consents.

COPPA. Some Agency Customers operate platforms that may be directed at or knowingly collect data from children under 13 (e.g., government youth services). In those cases, the Agency Customer, as controller, is responsible for compliance with the Children’s Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and for obtaining required parental consent. Granicus, in its processor capacity, supports Agency Customers’ COPPA compliance obligations as specified in the applicable DPA.

State Children’s Privacy Laws. Granicus monitors developments under California’s Age-Appropriate Design Code and equivalent state children’s data laws and will update this Notice and our practices as those laws take effect.

State-specific privacy notices

The following table provides jurisdiction-specific information for residents of states with comprehensive privacy laws. All rights described herein are subject to applicable legal exceptions and exemptions.

State Applicable law(s) Key state-specific provisions
California CCPA / CPRA (as amended); CPPA ADMT Regulations (eff. 1 Jan 2026) Residents have all rights listed above plus rights related to ADMT/profiling, cybersecurity audit rights, and risk assessment disclosures. The CPPA is the primary enforcement authority. Penalties: up to $2,663 per unintentional violation; $7,988 per intentional violation (inflation-adjusted). Granicus honours Global Privacy Control (GPC) signals.
Virginia Virginia Consumer Data Protection Act (VCDPA) Rights: access, correction, deletion, portability, opt-out of targeted advertising, opt-out of sale, opt-out of profiling for significant decisions. Appeal: customercare@granicus.com.
Colorado Colorado Privacy Act (CPA) Rights as above. Granicus honours Universal Opt-Out Mechanism (UOOM) signals. Cure period has expired; enforcement proceeds immediately. Appeal: customercare@granicus.com.
Connecticut Connecticut Data Privacy Act (CTDPA) Rights as above. Appeal: customercare@granicus.com.
Utah Utah Consumer Privacy Act (UCPA) Rights: access, deletion, portability, opt-out of targeted advertising and sale. No correction right under Utah law.
Texas Texas Data Privacy and Security Act (TDPSA) No volume threshold: applies to all non-exempt entities doing business in Texas. Rights: access, correction, deletion, portability, opt-out of sale, targeted advertising, and profiling. Appeal: customercare@granicus.com.
Oregon Oregon Consumer Data Privacy Act (OCDPA) (eff. 1 Jul 2024; amended 1 Jan 2026) Granicus honours UOOM signals. Sale of geolocation data is prohibited. Transgender/nonbinary status is expressly sensitive data. Appeal: customercare@granicus.com.
Montana Montana Consumer Data Protection Act (MCDPA) (eff. 1 Oct 2024) Rights as above. Appeal: customercare@granicus.com.
New Jersey New Jersey Data Privacy Act (NJDPA) (eff. 15 Jan 2025) Rights as above. Specific third-party recipient names (not just categories) available on request. Appeal: customercare@granicus.com.
Delaware Delaware Personal Data Privacy Act (DPDPA) (eff. 1 Jan 2025) Rights as above. Appeal: customercare@granicus.com.
Iowa Iowa Consumer Data Protection Act (Iowa CDPA) (eff. 1 Jan 2025) Rights: access, deletion, portability, opt-out of sale and targeted advertising. Appeal: customercare@granicus.com.
Nebraska Nebraska Data Privacy Act (NDPA) (eff. 1 Jan 2025) Rights as above. Appeal: customercare@granicus.com.
New Hampshire New Hampshire Privacy Act (NHPA) (eff. 1 Jan 2025) Rights as above. Appeal: customercare@granicus.com.
Minnesota Minnesota Consumer Data Privacy Act (MCDPA) (eff. 31 Jul 2025) Rights include right to question profiling results and be informed about profiling types. Appeal: customercare@granicus.com.
Maryland Maryland Online Data Privacy Act (MODPA) (eff. 1 Oct 2025; processing obligations from 1 Apr 2026) Strictest data minimisation standard in any US state: Granicus collects only data reasonably necessary and proportionate to the disclosed purpose. Sale of sensitive personal data is prohibited (not merely opt-out). Low threshold: 35,000 consumers OR 10,000 consumers if >20% revenue from data sales. Appeal: customercare@granicus.com.
Indiana Indiana Consumer Data Protection Act (INCDPA) (eff. 1 Jan 2026) Rights mirror VCDPA. Appeal: customercare@granicus.com.
Kentucky Kentucky Consumer Data Protection Act (KCDPA) (eff. 1 Jan 2026) Rights mirror VCDPA. Appeal: customercare@granicus.com.
Rhode Island Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) (eff. 1 Jan 2026) Low threshold: 35,000 consumers OR 10,000 if >20% revenue from data sales. Specific named third-party recipients available on request. Appeal: customercare@granicus.com.
Nevada Nevada Revised Statutes Chapter 603A Granicus does not sell covered information as defined under Nevada law.

Security

Granicus implements technical, administrative, and physical safeguards designed to protect personal data from unauthorised access, disclosure, alteration, or destruction, including encryption in transit and at rest, access controls, and regular security assessments. No transmission or storage system can be guaranteed to be 100% secure. In the event of a personal data breach, Granicus will notify affected individuals and regulators as required by applicable law.

Changes to this Notice

We may update this Notice from time to time to reflect changes in applicable law, our practices, or our Services. Material changes will be communicated via email or a prominent notice on our website at least 30 days before taking effect, where practicable. The effective date at the top of this Notice indicates when it was last revised. Continued use of our Services after the effective date constitutes acceptance of the revised Notice.

Contact us

For questions, concerns, or requests relating to this Notice or our privacy practices, please contact us at:

Granicus Privacy Team

Email: customercare@granicus.com
Telephone: 800-314-0147
Website: granicus.com/trust-center/us-privacy-notices/

For privacy matters relating to data processed by Granicus on behalf of a specific government agency, please contact the relevant agency directly.

BEGIN THE JOURNEY

Ready to deliver exceptional outcomes?

Book a demo