Privacy Policy

Effective date: October 27, 2025

Who we are: Gr8Loci ("we," "us," "our"), operated from Bermuda; site hosted in Canada.

How to contact us about privacy: Use the contact form on our website and mention "Privacy request".

Quick summary (TL;DR)

We collect first name + email for subscriptions, plus device/usage data via Google Analytics.

Purpose: send blog updates, occasional news, and future marketing offers; understand what content people enjoy; keep the site working and secure.

We don't sell your personal information.

You can unsubscribe anytime.

You have privacy rights that vary by region (EU/UK, Bermuda, Canada, California, etc.).

For EU/UK visitors, we will seek cookie consent where required before using analytics cookies.

1) What we collect

You provide:

  • Email address and first name (subscriptions).
  • Any info you include if you contact us (e.g., via the site form).

We collect automatically:

  • Usage and device data (e.g., page views, approximate location, referrers, session info) via Google Analytics and basic server logs.
  • Cookies and similar technologies (details below).

2) Why we use your data (purposes)

  • Subscriptions: to send blog updates, occasional news, and future marketing offers.
  • Analytics: to understand what content resonates and improve the site.
  • Operations & security: to host, maintain, and protect the site.
  • Compliance: to meet legal obligations and respond to lawful requests.

3) Legal bases (GDPR/UK GDPR)

  • Consent: for email marketing and—for EU/UK visitors—analytics cookies where consent is required. You can withdraw consent anytime (unsubscribe link; or adjust cookie preferences if available).
  • Legitimate interests: for essential site operations, security, and basic (non-profiling) analytics where permitted.
  • Legal obligation: when we must keep or disclose information to comply with laws.

4) Cookies & tracking

We use cookies for essential functions (e.g., security) and analytics (Google Analytics).

If you're in the EU/UK (and similar jurisdictions), we'll obtain cookie consent before setting non-essential cookies.

You can usually control cookies in your browser settings; blocking some cookies may affect site performance.

5) Who processes your data (service providers)

We use trusted providers to run our site. These may change as we grow, but typically include:

  • Hosting & infrastructure: DigitalOcean (Canada)
  • Analytics: Google Analytics
  • Email marketing: Zoho Campaigns or a similar provider

All service providers act under contracts that limit how they may use personal data (they act as processors in many cases).

6) International transfers

We operate from Bermuda and host in Canada. Your data may be processed in these and other locations where our providers operate. When required, we use appropriate safeguards (e.g., Standard Contractual Clauses, contractual commitments, and security measures) to protect your information across borders.

7) How long we keep data (retention)

  • Subscriptions: retained until you unsubscribe or we no longer need to send updates. We may keep a suppression list (your email only) to honor opt-outs.
  • Analytics data: retained per our analytics configuration and/or provider defaults.
  • Communications & logs: retained for a reasonable period for security, operations, and compliance.

8) Your privacy rights

Your rights depend on where you live. We strive to honor valid requests regardless.

EU/UK (GDPR/UK GDPR):

  • Access, correction, deletion, portability, restriction, and objection (including to direct marketing).
  • Withdraw consent at any time (unsubscribe / cookie settings).
  • Lodge a complaint with your local data protection authority.

Bermuda (PIPA):

  • Rights to access, correct, and request deletion, and to fair and lawful processing.

Canada (PIPEDA):

  • Rights to access and correct personal information and to challenge compliance.

California (CCPA/CPRA):

  • Rights to know, access, delete, correct, and to opt out of certain "sharing" for cross-context behavioral advertising.
  • We do not sell personal information. If we ever engage in "sharing" as defined by CPRA, we will provide a "Do Not Share" mechanism.

To exercise rights: Contact us via the website form and state your region and request (e.g., "Access request under GDPR"). We may need to verify your identity and respond within the time limits set by applicable laws.

9) Children's privacy

Our site is not directed to children under 16, and we don't knowingly collect their personal information. If you believe a child provided data, contact us and we'll delete it.

10) Security

We use reasonable technical and organizational measures to protect personal information (e.g., encryption in transit, access controls, and least-privilege practices). No method is 100% secure, but we work to reduce risks.

11) Sharing information

We share personal information only with:

  • Service providers (see Section 5) to operate the site and communications;
  • Authorities where required by law;
  • Successors in the event of a business transition (we'll preserve your rights and notify where reasonable).

We do not sell personal information.

12) Changes to this policy

We may update this Privacy Policy from time to time. We'll update the Effective date above and, where appropriate, note changes on the site.

13) Contact us

For privacy questions or to exercise your rights, please contact us via the form on our website and include "Privacy" in your message.