1. Introduction
This GDPR Privacy Notice is provided in accordance with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland.
Government Contracting Authority ("GCA," "we," "us," or "our") is committed to protecting your personal data and respecting your privacy. This notice explains how we collect, use, store, and protect your personal data when you interact with our services or visit our website at gcagov.com.
If you have any questions about this privacy notice or our data practices, please contact our Data Protection Officer using the details provided in Section 15.
2. Data Controller Information
The data controller responsible for your personal data is:
Government Contracting Authority
1309 Coffeen Ave, Suite 11198
Sheridan, WY 82801, USA
Email: privacy@gcagov.com
Phone: 202-990-6030
Website: gcagov.com
Our Data Protection Officer can be reached at privacy@gcagov.com.
3. Legal Bases for Processing
We process your personal data only when we have a valid legal basis to do so. The legal bases we rely on include:
- Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to our newsletter or opting in to marketing communications.
- Contract Performance (Article 6(1)(b)): Where processing is necessary for the performance of a contract with you, or to take pre-contractual steps at your request, such as providing our consulting services.
- Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests or those of a third party, provided your fundamental rights and freedoms do not override those interests. This includes improving our services, fraud prevention, and business administration.
- Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation, such as tax reporting or responding to lawful requests from public authorities.
Where we rely on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Categories of Personal Data
Identity Data
- Full name, date of birth, nationality
- Government identification numbers (when required for compliance)
Contact Data
- Email address, telephone number, postal address
- Business address and contact information
Technical Data
- IP address, browser type, operating system
- Device identifiers, cookies, and similar tracking technologies
- Log data from your interactions with our website and services
Usage Data
- Pages visited, time spent, features accessed
- Course or training completion status
- User preferences and settings
Financial Data
- Payment method information (processed securely by third-party providers)
- Billing address and transaction history
Professional Data
- Job title, employer name, industry, professional certifications
- Government contracting experience and qualifications
- Educational background and training history
5. Purposes of Processing
Service Delivery
- Providing government contracting training and consulting services
- Fulfilling contractual obligations and managing your account
- Delivering course materials, certifications, and support
Government Contracting Support
- Offering guidance on government procurement processes
- Connecting you with government contracting resources and opportunities
- Supporting compliance with government regulations
Marketing & Communications
- Sending promotional materials (with consent where required)
- Notifying you about new services, updates, and events
- Maintaining communication about your account and services
Legal Compliance & Safety
- Complying with applicable laws and regulations
- Preventing fraud and unauthorized access
- Protecting GCA, your rights, and the rights of others
Service Improvement
- Analyzing user behavior to improve our services
- Personalizing your experience based on preferences
- Conducting research and developing new features
6. Your Rights Under the GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the data and receive a copy.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction (Article 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
To exercise any of these rights, please contact us at privacy@gcagov.com. We will respond to your request within 30 days.
7. International Data Transfers
EU-US Data Privacy Framework
Standard Contractual Clauses
Adequacy Decisions
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider:
- The nature and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process your data and whether we can achieve those purposes through other means
- Applicable legal, regulatory, tax, accounting, or other requirements
In general:
- Client data: Retained for the duration of the engagement plus 7 years for legal and tax compliance
- Marketing data: Retained until you withdraw consent or opt out
- Website analytics data: Retained for up to 26 months in aggregated form
- Communication records: Retained for up to 3 years
When personal data is no longer required, we securely delete or anonymize it.
9. Automated Decision-Making and Profiling
- You have explicitly consented to such processing
- Processing is necessary for entry into or performance of a contract with you
- Processing is authorized by applicable law
10. Data Security Measures
Technical Measures
- AES-256 encryption for data at rest and TLS 1.3 encryption in transit
- Multi-factor authentication (MFA) for account access
- Regular security assessments, penetration testing, and vulnerability scanning
- Intrusion detection and prevention systems (IDPS)
- Secure data backups with encryption and regular testing
Organizational Measures
- Data protection training for all employees
- Access controls limiting employee access to minimum necessary data
- Background checks and confidentiality agreements for all staff
- Privacy impact assessments for new processing activities
- Incident response procedures and breach notification protocols
Compliance Frameworks
- Alignment with NIST Cybersecurity Framework standards
- Compliance with ISO 27001 information security standards
- Regular security audits and compliance assessments
11. Third-Party Data Sharing
Service Providers
- Payment processors for handling financial transactions
- Email service providers for communications
- Cloud hosting and storage providers
- Analytics and customer relationship management (CRM) platforms
Legal Compliance
- Government agencies and law enforcement when legally required
- Courts and legal authorities responding to lawful requests
Business Partners
- Other government contracting firms and training providers (with consent)
- Government agencies providing contracting resources
12. Updates to This Privacy Notice
- Prominently display the updated notice on our website
- Send a notification to your registered email address
- Request your acknowledgment of the updated terms (where applicable)
13. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.
While we encourage you to contact us first so we can address your concerns directly, we fully respect your right to lodge a complaint with the relevant supervisory authority at any time.
14. Contact Information
Attention: Data Protection Officer
Email: privacy@gcagov.com
Phone: 202-990-6030
Address: 1309 Coffeen Ave, Suite 11198, Sheridan, WY 82801, USA
Last Updated: March 2026 · © Government Contracting Authority