Privacy Policy
Effective Date: 1st January 2025 · Version: 2026-05-31 · Controller: The Global Council for Behavioral Science (GCBS), Ontario, Canada · Contact: privacy@gc-bs.org
Introduction
At GCBS (“we”, “us”, “our”) we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit gc-bs.org, apply for membership, become a member, or contact us. We are the data controller for personal data collected through this site. Some third parties we work with act as independent controllers in their own right (see Who We Share Information With and International Data Transfers).
GCBS is based in Ontario, Canada and is primarily regulated under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Where we offer services to, or monitor, individuals in the EU/EEA or UK, the GDPR / UK GDPR also applies.
Information We Collect
Information you provide
- Membership application (paid tiers): title, first and last name, preferred first name, email address, education level, membership type, any additional information you enter, and documents you upload (e.g. CV, certificates). Honorary/free memberships are awarded by invitation and do not require an application.
- Member account & profile: email, display name, password (stored only as a salted hash — we never see your password), and any optional profile content you choose to add — biography, location, website, profile photo (avatar), work experience, education, skills, contact links (e.g. phone, LinkedIn, X/Twitter, GitHub, Instagram, a custom link), and professional documents (résumé, certification, portfolio, diploma). You control the visibility of each profile item (public / subscribers-only / private).
- Contact form: your name, email, and message.
- Acknowledgement & consent records: when you register we record your acknowledgement of this Policy (its version, text, a timestamp and your email) as evidence that we informed you. If you opt in to the optional profile/CV, we separately record that consent. The two are kept distinct and the profile consent can be withdrawn independently.
Information collected automatically
- Security & operational data: your IP address and browser/device information, used for security, abuse prevention, rate-limiting, and an audit log.
- Cookies & analytics data: see Cookies and Analytics below. Analytics are loaded only with your consent.
We do not require special-category/sensitive data (e.g. health, religious, or political data). Please do not submit such data in free-text fields or uploaded documents unless necessary; anything you choose to publish on a public profile is treated as information you have manifestly made public.
How We Use Your Information and Our Lawful Basis
For visitors in the EU/EEA/UK we rely on the following GDPR Article 6 bases. For individuals in Canada, our collection, use and disclosure is based on your consent and on purposes a reasonable person would consider appropriate, as required by PIPEDA.
| What we process | Lawful basis (GDPR Art. 6) |
|---|---|
| Your membership application and the operation of your account, including access to members-only content | Contract — Art. 6(1)(b): necessary to provide the membership you requested. An account is a core membership feature. |
| Your optional profile / CV (bio, location, website, work experience, education, skills, contact details, documents, avatar) | Consent — Art. 6(1)(a): you separately opt in and may withdraw at any time. Withdrawing erases this content while keeping your account and members-only access. |
| Security and abuse-prevention — audit log, rate limits, account lockout | Legitimate interest — Art. 6(1)(f): protecting the service and members from abuse. IP addresses in the audit log are anonymised after 90 days. |
| Analytics cookies (Google Analytics, Microsoft Clarity, Umami) | Consent — Art. 6(1)(a): loaded only after you accept the cookie banner; withdrawable at any time. |
| Taking payment and keeping financial/tax records | Contract — Art. 6(1)(b) + legal obligation — Art. 6(1)(c). |
| Responding to contact-form enquiries | Legitimate interest — Art. 6(1)(f): replying to a message you sent us. |
| Evidence of acknowledgement / consent | Legal obligation / accountability — Art. 6(1)(c) / Art. 5(2). |
Important — account vs. profile: When you register you acknowledge this Privacy Policy so we can demonstrate compliance. This acknowledgement is not the legal basis for your account — your account runs on the contract basis above and works without a profile. The optional profile runs on consent, which you give separately and can withdraw without losing your account or members-only access.
We do not sell your personal data, and we do not conduct our own targeted advertising.
Payments
Paid memberships are taken through PayPal. After your application is approved, we issue a PayPal invoice to your email; the payment link asks only for your Application ID. We pass PayPal only the name, email and Application ID we already hold — we do not collect or store any card or bank details (PayPal handles those entirely). Membership is valid for one (1) year from activation and is non-refundable; a digital membership badge bearing your name is emailed to you on activation.
PayPal acts as an independent data controller of the payment data it processes. See the PayPal Privacy Statement.
Cookies
On your first visit you are shown a consent banner with three categories:
- Functional (always on) — required for the site and your signed-in session to work.
- Analytics (off until you accept) — loads Google Analytics, Microsoft Clarity and Umami (see Analytics).
- Marketing (off until you accept).
You can change your choice at any time. Your consent choice is stored for ~90 days. Signed-in members also have a session cookie (sub_jwt) and a CSRF-protection cookie (sub_csrf).
Analytics
We use the following analytics tools, loaded only after you accept analytics cookies:
Google Analytics 4 — to understand site traffic and usage. Google acts as our data processor; Google Consent Mode is set to “denied” until you consent, and we have disabled Google Signals and data-sharing for Google’s own products, so the data is not used for ad personalisation. See Google’s Privacy & Terms and Safeguarding your data with Google Analytics.
Microsoft Clarity — for behavioural analytics, heatmaps and session replay, to help us improve the site. We use Clarity for analytics purposes only. Microsoft acts as an independent data controller for the data collected via Clarity and stores it in the Microsoft Azure cloud; Microsoft may use it for its own purposes, including product improvement and advertising, as described in the Microsoft Privacy Statement. Clarity captures interaction data using cookies; sensitive on-screen content is masked.
Umami — privacy-focused, cookieless website analytics, served first-party. Umami acts as our data processor.
Who We Share Information With
We share personal data only as needed to run GCBS, under written agreements:
| Recipient | Role | Purpose |
|---|---|---|
| DreamHost | Processor | Website hosting, database, email delivery, file storage |
| Google (Analytics 4) | Processor | Website analytics (with consent) |
| Umami | Processor | Website analytics (with consent) |
| Microsoft (Clarity) | Independent controller | Behavioural analytics / session replay (with consent) |
| PayPal | Independent controller | Membership-fee payments |
We may also disclose information where required by law or to establish/defend legal claims. We do not sell personal data.
How Long We Keep It
| Data | Retention |
|---|---|
| Active membership account (email, display name, password) | Until you close your account (membership term is 1 year from activation) |
| Optional profile / CV data | Until you withdraw profile consent or close your account |
| Membership application files | Duration of membership + 1 year, then automatically deleted |
| Audit log — IP addresses | Anonymised after 90 days |
| Audit log — event records | Purged after 1 year |
| Acknowledgement / consent records — text, version & timestamp | Kept indefinitely (accountability evidence) |
| Acknowledgement / consent records — email address | Identifiable for 5 years from capture, then replaced with a one-way cryptographic pseudonym |
| Payment records | PayPal retains payment data per its own policy (typically the relationship + ~10 years); GCBS holds only your name, email and Application ID |
Withdrawing profile consent: your optional profile/CV data is erased immediately; your account and members-only access are unaffected. The consent record is unlinked and your IP removed; the text, version and email are kept up to 5 years as evidence, then pseudonymised.
Closing your account: your entire account and all associated personal data are permanently erased. (Where data sits in encrypted disaster-recovery backups, it is removed as those backups rotate — within about two weeks for files and a few days for the database.)
Your Rights
If you are in Canada (PIPEDA)
You have the right to access the personal information we hold about you, request correction of inaccuracies, and withdraw your consent (subject to legal or contractual restrictions). To exercise these rights, contact privacy@gc-bs.org. If you are not satisfied with our response, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
If you are in the EU/EEA, UK or Switzerland (GDPR)
You have the right to access, portability, rectification, erasure, restriction, objection, and to withdraw consent at any time, and to lodge a complaint with your national supervisory authority. Members can exercise access, portability, erasure and profile-consent-withdrawal directly from account settings, or by emailing privacy@gc-bs.org.
Because Microsoft (Clarity) and PayPal are independent controllers, you may also exercise rights directly with them via their privacy statements (linked above).
California residents
We do not sell or share your personal information, and we believe the CCPA does not apply to GCBS. If you are a California resident with a privacy request, contact privacy@gc-bs.org and we will respond as appropriate.
We aim to respond to all requests within 30 days.
Data Security
We implement appropriate technical and organisational measures, including HTTPS/TLS in transit, hashing of passwords, access controls, rate-limiting, signed time-limited links for file access, and an audit log. Our processors maintain their own certified security programmes (e.g. ISO 27001 / SOC / PCI-DSS). No method of transmission or storage is 100% secure.
International Data Transfers
GCBS is based in Canada. Our hosting provider, DreamHost, stores data on servers in the United States (US-West region, Hillsboro, Oregon), and some of our service providers operate in the US and other countries. This means your personal data may be processed outside your country of residence, including in the United States, where it may be subject to access by authorities under applicable law.
Where required, transfers are protected by appropriate safeguards:
- DreamHost (processor): EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA) under its Data Processing Addendum.
- Google (Analytics 4, processor): SCCs.
- Umami (processor): hosted in the US and Germany; SCCs + UK IDTA + Swiss clauses.
- Microsoft (Clarity, independent controller): EU-US / UK / Swiss Data Privacy Framework and SCCs.
- PayPal (independent controller): EU SCCs + UK IDTA plus Binding Corporate Rules; EEA contracting entity PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg).
Children & Minimum Age
You must be at least 18 years old to register for an account or apply for membership with GCBS. Our services are intended for adults and are not directed to children under 18, and we do not knowingly collect personal data from anyone under that age. If we become aware that we have collected personal data from someone under 18, we will delete it.
Accounts can only be created through an invitation that an administrator issues individually to a named recipient — this invite-only checkpoint is our practical measure for keeping membership limited to adults. If you believe a member does not meet this age requirement, please contact privacy@gc-bs.org.
Changes to This Privacy Policy
We may update this Policy from time to time. We will post the updated version here and, where appropriate, notify you. Please review it periodically.
Contact Us
- Controller: The Global Council for Behavioral Science — Ontario, Canada
- Privacy contact / accountable individual: privacy@gc-bs.org
