Privacy Policy.

Last Updated: May 2026

1. Introduction

Welcome to Glyz Consulting. We are committed to protecting your personal data and respecting your privacy in accordance with the EU General Data Protection Regulation (GDPR), the Irish Data Protection Acts 1988 to 2018, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and India's Digital Personal Data Protection Act 2023 (DPDPA).

This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what your rights are. Please read this policy carefully.

2. Who We Are (Data Controller)

The data controller responsible for your personal data is:

• Company name: Glyz Consulting Limited
• Registered address: 20 Harcourt Street, Dublin 2, D02 H364, Ireland
• Company registration number: 771141
• Email: [email protected]
• Website: glyzconsulting.com

Glyz Consulting also operates offices in Brampton, Ontario, Canada and India. Where data processing activities occur in these jurisdictions, we apply the applicable local data protection laws in addition to this policy.

3. What Personal Data We Collect

3.1 Data you provide directly

• Name, email address, phone number, and message content submitted via our contact form
• Name and email address if you subscribe to communications or our podcast
• Name, email address, and any other information you provide when applying for a role with us
• Business contact information shared with us in the course of a client or partnership engagement

3.2 Data collected automatically

• IP address, browser type, operating system, and device information when you visit our website
• Pages visited, time spent on pages, links clicked, and referral source (via analytics tools)
• Cookie identifiers and consent preferences (see Section 7)
• Approximate geographic location derived from your IP address (country/region level only)

3.3 Data from third parties

• Professional profile information where you or your organisation shares this with us for a business purpose
• Analytics data from third-party tools including Google Analytics (see Section 7)

We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has provided us with personal data, please contact us immediately.

4. Legal Basis for Processing (GDPR)

Under GDPR Article 6, we process your personal data on the following lawful bases:

Purpose	Lawful Basis
Responding to your enquiry or contact form submission	Legitimate interests (Art. 6(1)(f)) / Pre-contractual steps (Art. 6(1)(b))
Sending marketing or newsletter communications	Consent (Art. 6(1)(a))
Delivering consulting services under a client contract	Contract performance (Art. 6(1)(b))
Complying with legal or regulatory obligations	Legal obligation (Art. 6(1)(c))
Website analytics and improving our services	Legitimate interests (Art. 6(1)(f))
Managing cookie consents	Legal obligation (Art. 6(1)(c)) and Legitimate interests (Art. 6(1)(f))
Recruitment and job application processing	Legitimate interests (Art. 6(1)(f)) / Pre-contractual steps (Art. 6(1)(b))

Where we rely on legitimate interests, we have assessed that our interests do not override your rights and freedoms. You can request details of this assessment by contacting us.

5. How We Use Your Data

• To respond to your enquiries, requests, and comments promptly
• To deliver consulting and advisory services you have engaged us for
• To send you communications you have opted into, including updates, insights, and podcast notifications
• To maintain and improve our website, diagnose technical issues, and analyse usage patterns
• To manage and record cookie consent in compliance with the ePrivacy Directive and GDPR
• To process job applications and assess candidates for employment
• To meet our legal, regulatory, financial, and audit obligations
• To protect the security of our systems and prevent fraud or misuse

We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

6. Who We Share Your Data With

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients, strictly where necessary:

Recipient Category	Purpose	Location
Website hosting provider	To host and maintain our website	EU / USA (SCCs applied)
Google Analytics	Website usage analytics (anonymised where possible)	USA (SCCs applied)
Email service providers	To deliver communications you have consented to	EU / USA (SCCs applied)
WPForms / form processing	To receive and process your contact form submissions	USA (SCCs applied)
Real Cookie Banner	To manage and record cookie consent	EU
Spam detection services	To filter automated or malicious form submissions	USA (SCCs applied)
Professional advisors	Legal, financial, and audit obligations where required	Ireland / Canada / India
Regulatory or law enforcement authorities	Only where required by law or to protect legal rights	Varies

"SCCs applied" means EU Standard Contractual Clauses are in place to ensure adequate protection for international data transfers under GDPR Chapter V.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device. We obtain your consent for non-essential cookies before placing them.

7.1 Cookie categories we use

Category	Purpose	Consent required?
Strictly necessary	Essential for the website to function (e.g. session management, security, GDPR consent records)	No
Analytics / performance	Google Analytics — understand how visitors use our site (anonymised IP)	Yes
Functional	Remember your preferences and settings across visits	Yes
Marketing / third-party	Currently not in use. We will update this policy if this changes.	Yes

We use Real Cookie Banner to manage your consent. You can change or withdraw your cookie preferences at any time by clicking the cookie settings link in the footer of our website. For details of how Real Cookie Banner processes data, see: devowl.io/rcb/data-processing/.

For more information about Google Analytics and how to opt out, see: Google Analytics Opt-out.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. Our standard retention periods are:

Data Type	Retention Period	Reason
Contact form submissions and enquiries	2 years from last contact	Legitimate interest in managing business relationships
Client contract and engagement data	7 years from end of engagement	Irish statutory and tax obligations
Marketing consent records	Until consent is withdrawn, plus 1 year	GDPR accountability obligations
Website analytics data	26 months (Google Analytics default)	Service improvement and performance monitoring
Cookie consent logs	3 years	GDPR accountability and compliance audit trail
Job application data (unsuccessful)	6 months from decision	Defence of potential employment claims
Job application data (successful)	Duration of employment plus 7 years	Employment law obligations

When data is no longer required, we securely delete or anonymise it.

9. International Data Transfers

Glyz Consulting is headquartered in Ireland and also operates in Canada and India. Personal data may be transferred between these locations in the course of delivering our services. We ensure that such transfers are subject to appropriate safeguards:

• Ireland to Canada: Canada has been recognised by the European Commission as providing an adequate level of data protection under PIPEDA for commercial organisations.
• Ireland to India: Where data is transferred to India, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to provide appropriate safeguards.
• Ireland to USA (third-party providers): We rely on Standard Contractual Clauses and, where applicable, supplementary measures to ensure adequate protection.

You can request a copy of the relevant transfer mechanism by contacting us at [email protected].

10. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the UK, you have the following rights regarding your personal data:

Right	What it means
Right of access	Request a copy of the personal data we hold about you (Subject Access Request)
Right to rectification	Request correction of inaccurate or incomplete data
Right to erasure	Request deletion of your data where there is no lawful basis to continue processing it
Right to restrict processing	Request that we limit how we use your data in certain circumstances
Right to data portability	Receive your data in a structured, commonly used format where processing is based on consent or contract
Right to object	Object to processing based on legitimate interests or for direct marketing purposes
Right to withdraw consent	Withdraw consent at any time where processing is consent-based, without affecting prior processing
Right not to be subject to automated decisions	Not to be subject to decisions made solely by automated processing that significantly affect you

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (extendable by a further two months for complex requests). We may need to verify your identity before processing your request.

If you are based in Canada, you have equivalent rights under PIPEDA. If you are based in India, you have rights under the DPDP Act 2023 including the right to access, correct, and erase your data.

11. Right to Lodge a Complaint

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

• Ireland (lead supervisory authority for EU): Data Protection Commission (DPC) — dataprotection.ie
• Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
• India: Data Protection Board of India (once fully operational under the DPDP Act 2023)

We would appreciate the opportunity to address your concerns before you approach a supervisory authority, so please contact us first.

12. Security of Your Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These include:

• HTTPS encryption across our website
• Access controls limiting who within our organisation can access personal data
• Regular review of our security practices and third-party provider agreements
• Staff awareness of data protection obligations

No internet transmission or electronic storage system is completely secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and, where required, notify you directly without undue delay.

13. Third-Party Links

Our website may contain links to third-party websites, including our podcast platform and social media profiles. We are not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before providing any personal data. This policy applies only to glyzconsulting.com and services operated directly by Glyz Consulting.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or business operations. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of our website after changes are posted constitutes your acknowledgement of the updated policy. Where required by law, we will seek your fresh consent for any material changes affecting how we use your data.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

• Email: [email protected]
• Post: Glyz Consulting Limited, 20 Harcourt Street, Dublin 2, D02 H364, Ireland
• Hours: Monday to Friday, 9am to 5pm GMT

We aim to respond to all data protection enquiries within 5 working days and to all formal rights requests within 30 calendar days.