Who we are.
Gravitas, Acumen & Co (referred to as "GAC", "we", "us") is an international cooperative of independent operators, registered in Canada and Panama, with members across three continents.
We are the data controller for the personal information you share with us through this website, our application forms, and direct correspondence with our Managing Partners.
What we collect.
We collect only the data we need to do our job. Most of it is information you give us directly when you book a call, apply for a scorecard, or apply to join the cooperative.
| Category | What's in it |
|---|---|
| Identity & contact | First and last name, work email, phone (optional), role, company, website. |
| Engagement context | Reason for reaching out, current challenges, team size, channels, tooling, budget range. Only what you choose to share in a form or call. |
| Candidate profile | For coop partner applications: referral source, background, prior roles, LinkedIn, motivation. We never request government IDs at this stage. |
| Correspondence | Emails, meeting notes, and call transcripts (only when we tell you we're recording and you consent). |
| Technical | IP address, browser type, device, referring URL, and aggregated analytics events. No third-party advertising trackers. |
We do not collect special-category data (health, race, religion, biometric, financial account numbers). If you accidentally include any in a form, we delete it on review.
Why we collect it.
Each piece of data we hold maps to a specific, narrow purpose and a corresponding legal basis (GDPR, PIPEDA, CCPA, and equivalents):
- To evaluate fit. Reviewing whether your operation matches our mandate criteria. (legitimate interest)
- To deliver what you requested. Scheduling discovery calls, running scorecards, responding to candidacy applications. (contract / pre-contract)
- To staff cooperative mandates. Matching the right partner to the right client when there's mutual interest. (contract)
- To improve our practice. Aggregated benchmarks across mandates — always anonymized. (legitimate interest)
- To meet our obligations. Tax, accounting, anti-money-laundering, professional record-keeping. (legal obligation)
We do not sell, rent, or trade your data. We do not use it to train third-party AI models. We do not run ad-retargeting.
International transfers.
Because our cooperative spans three continents, some of your data is processed outside your home country. We use only providers that offer either Standard Contractual Clauses (EU), adequacy decisions, or equivalent safeguards under PIPEDA and other applicable laws.
Primary processing locations: Canada, the European Union, and Panama. No data is processed in jurisdictions without recognized data-protection frameworks.
How long we keep it.
| Data type | Retention |
|---|---|
| Inquiry & discovery-call notes (no engagement) | 12 months, then deleted. |
| Scorecard application data | 24 months from delivery, then anonymized. |
| Coop partner application (not accepted) | 18 months, then deleted. |
| Active engagement records | For the duration of the mandate + 7 years (professional record-keeping). |
| Accounting & tax records | 7 years (Canadian tax law minimum). |
| Server logs & analytics | 13 months, rolling window. |
After retention expires, data is either deleted irreversibly or anonymized so it can no longer be linked to you.
Your rights.
Depending on where you live, you have most or all of the following rights over the personal data we hold about you. We honor them regardless of jurisdiction unless local law explicitly restricts us.
Access
Request a copy of what we hold about you.
Rectification
Correct inaccurate or incomplete information.
Erasure
Ask us to delete your data when no longer needed.
Restriction
Limit how we process your data in specific cases.
Portability
Receive your data in a machine-readable format.
Object
Opt out of processing based on legitimate interest.
Withdraw consent
At any time, where processing relies on consent.
Lodge a complaint
With your local supervisory authority.
To exercise any of these rights, email cx@gravitasacumen.org from the address you used with us. We confirm receipt within 5 business days and respond in full within 30 days.
Security.
We take reasonable, role-appropriate measures to protect your data:
- TLS encryption in transit, AES-256 at rest where supported by our providers.
- Role-based access — only the Managing Partner reviewing your file can see it.
- Two-factor authentication required on every internal account.
- Annual access review and supplier audit.
- Incident-response protocol: affected individuals notified within 72 hours of confirmed breach.
No system is perfectly secure. If you suspect a vulnerability in ours, please email cx@gravitasacumen.org. We don't pursue good-faith researchers.
Children.
Our services are intended for business professionals. We don't knowingly collect data from anyone under 16. If you believe a minor has submitted a form, contact us and we'll delete the record.
Changes to this policy.
When we materially change how we handle your data, we update the version number and effective date at the top of this page, and — when the change affects you — notify you by email or in-app prompt before it takes effect.
Minor edits (typos, formatting, clarifications that don't expand processing) are made silently. The current version is always the one shown above.
Contact us.
The fastest way to reach us about anything privacy-related:
If we can't resolve your concern, you have the right to lodge a complaint with the data-protection authority in your country of residence — the OPC in Canada, the CNIL in France, the ICO in the UK, your state attorney general in the US, etc.
Questions we didn't answer?
Email cx@gravitasacumen.org or book a 15-minute call with a Managing Partner — we'd rather talk it through than leave you guessing.