Privacy policy.
01 — Controller: Who we are
CD Grayson is the controller of the personal information covered by this policy. Questions can be sent to hello@cdgrayson.net.
When we process data on behalf of a client as part of an engagement — for example, during a security assessment or a data engineering project — we act as a data processor. That relationship is governed by the engagement's statement of work and, where required, a separate data processing agreement or business associate agreement.
02 — Collection: Information we collect
From prospective clients and visitors
When you contact us through the website, email us, or take the security assessment on our site, we may collect your name, email address, company name, and the content of your inquiry. The on-site assessment itself doesn't require an email or identifying information — answers are processed in your browser and not sent to us unless you reach out.
From clients
When we engage with a client, we collect information necessary to perform the work and administer the relationship: primary contact names and emails, business address, billing contact, engagement details, and any information shared with us about your systems, data, or operations.
About website usage
When you visit our website, we automatically collect limited technical data: IP address, browser type, device characteristics, referring page, and pages viewed. We use this for security, analytics, and troubleshooting.
About you as a person
If you're authorized to act on behalf of a client — signing contracts, approving scope, receiving reports — we'll keep a record of your role and the materials you've signed or approved.
03 — Client data: During engagements
Security and data engagements routinely expose us to our clients' sensitive information — system configurations, vulnerability details, customer data, employee records, financial information. This data belongs to the client, not to us. We handle it under the engagement's confidentiality obligations and applicable law.
Specifically, during an engagement:
- We access client data only to the extent necessary for the work defined in the SOW
- We store it on systems configured for the purpose, with encryption and access controls
- We don't use client data for anything outside the engagement — including our own product development, marketing, or machine learning training
- At the end of the engagement, we return or delete client data as specified in the SOW
- Vulnerability findings and similar sensitive materials are treated with heightened care
04 — Uses: How we use information
- To respond to inquiries and conduct business discussions
- To deliver services we've been engaged to perform
- To send business communications about active engagements
- To issue invoices and process payments
- To maintain records for legal, tax, and accounting obligations
- To detect and prevent fraud, abuse, or security incidents
- To improve our services based on aggregate, non-personal learnings
We don't sell personal information. We don't rent it. We don't share it for advertising purposes. We don't use client data to train machine learning models.
05 — Sharing: Who we share information with
- Subprocessors. We use a small number of third-party services to operate — email, accounting, cloud infrastructure, payment processing. They only receive what they need, and they're contractually required to protect it. A current list is available on request.
- Legal requirements. If we receive a valid legal demand — subpoena, court order, warrant — we may disclose information as legally required. We'll notify the affected party unless legally prohibited.
- Protection of rights. To investigate fraud, security incidents, or violations of our terms.
- Business transfers. If we're acquired or merged, information may transfer but will remain subject to this policy or an equivalent one.
06 — Retention: How long we keep it
- Engagement records and deliverables: typically seven years after the engagement ends, for legal, tax, and professional reasons.
- Client data accessed during an engagement: returned or deleted as specified in the SOW, generally within 30 days of completion.
- Security findings and testing artifacts: retained for the duration of the engagement plus a limited period for follow-up, then securely destroyed.
- Website analytics and logs: typically 30 to 90 days.
- Business records: as required by applicable law — typically seven years for financial records.
07 — Security: How we protect it
We use encryption in transit and at rest for sensitive data, role-based access controls internally, separate environments for client engagements, and activity logging. Our own internal systems are audited and updated regularly — we think it would be embarrassing to be a security consultancy that doesn't take its own security seriously.
That said, no system is perfectly secure. If we become aware of a security incident that affects your information, we'll notify you in accordance with applicable law and our contractual obligations.
08 — Your rights: What you can request
Depending on where you live, you may have rights to access, correct, delete, or export the personal information we hold about you, or to object to certain uses. To exercise these rights, email hello@cdgrayson.net.
Where we process data on behalf of a client (as a data processor), requests from individuals whose data belongs to the client should generally be directed to that client, not to us. We'll forward the request if needed.
09 — International: Data location
Our operations are based in North America. Information you provide may be processed there. If you're located outside the US, US law may provide different privacy protections than those of your jurisdiction.
10 — Children: Age restrictions
Our services aren't directed at children under 13, and we don't knowingly collect information from them.
11 — Cookies: Website tracking
Our website uses minimal cookies — only what's needed for basic functionality. We don't run advertising trackers. If we add analytics in the future, we'll use privacy-respecting tools and update this policy.
12 — Changes: Updates to this policy
We may update this policy over time. Material changes will be announced to active clients via email. The "last updated" date at the top always reflects the current version.
13 — Contact: Questions and requests
Questions, requests, concerns: hello@cdgrayson.net.