GSDSI privacy notice: data-broker sale and sharing disclosures, CCPA categories and retention, Global Privacy Control, cookies, sensitive PI, consumer rights.
GSDSI operates under CCPA/CPRA, CAN-SPAM, TCPA, GDPR, and the evolving US state-privacy-act landscape (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Iowa ICDPA, Montana CDPA, Oregon OCPA, Texas TDPSA, Florida FDBR, and others). Consumer-report-adjacent products carry FCRA-ineligible labeling. Privacy-request handling meets the 45-day verification SLA required by California law.
This Privacy Notice for Global Source Data Solutions, Inc. ("GSDSI") describes how we access, collect, store, use, and share personal information when you use our services, visit https://www.gsdsi.com, or when partners transfer data to us. This document is a transparency notice, not a contract to purchase data.
Questions? Contact privacy@gsdsi.com (monitored privacy mailbox).
Healthcare-related data. GSDSI is not a HIPAA Covered Entity or Business Associate and does not handle Protected Health Information as defined under 45 CFR §160.103. Healthcare-adjacent marketing data is derived from non-clinical, consent-verified sources. For Washington My Health My Data Act and related state health-privacy questions, see our Consumer Health Data Notice.
State data-broker disclosures: /trust/data-broker-registrations.
You may provide name, contact details, employment information, and other personal information when you interact with GSDSI. We may also collect device and usage information such as IP address, identifiers, and analytics on our website when you accept cookies or when necessary for security.
We receive personal information from customers, partners, public sources, and other data brokers. Categories include business contact details, professional identifiers, demographic information, inferences, and precise geolocation and mobility signals where permitted by source contracts and law.
We also receive voter registration and voter history information sourced from state and county voter files and licensed political-data partners. These records may include name, address, year of birth or age range, registration status and date, jurisdiction, political party affiliation (as stated on the public file or derived from primary-election participation), and a history of whether (not how) the individual voted in past elections. We do not receive ballot choices. Voter data is licensed only for purposes permitted by the law of the source state and by our source agreements; we do not license voter data for general commercial or analytics purposes.
We do not intentionally collect HIPAA-protected health records, payment card data, or biometric templates of non-customers from third parties for our standard catalog. Wellness-interest and healthcare-adjacent audience products are described in the health-data notice and are licensed only under separate agreements.
GSDSI is a data broker. We sell and share personal information as those terms are defined by the California Consumer Privacy Act (CCPA), as amended by the CPRA, and comparable state laws. This includes licensing pseudonymous identifiers (for example, mobile advertising IDs), location-derived insights, and audience segments to enterprise customers for advertising, analytics, measurement, and risk use cases.
Voter registration and voter-history data (including party affiliation) is licensed only to recipients who qualify as permitted users under the law of the state that released the record, and only for the specific purposes that source state permits — typically election, political-campaign, governmental, scholarly, or journalistic uses. We do not license voter data for general commercial or analytics purposes, and we do not license it from any state whose law prohibits commercial use or resale unless the recipient and use independently qualify under that state's conditions.
Every voter record is tagged with its source state and release conditions. Where a state restricts use or prohibits resale, we suppress or withhold those records from licenses that do not satisfy the state's conditions, and we contractually bind every recipient to the source-state permitted-use and no-resale restrictions. Party affiliation is released only to electoral- and political-qualified recipients.
Voter registration and voter-history data are not consumer reports under the Fair Credit Reporting Act (FCRA) and may not be used for credit, employment, insurance, tenancy, or other eligibility determinations. You may opt out of the sale or sharing of your personal information, including voter-derived identifiers, using the methods described below.
You have the right to opt out of sale/sharing. Use Do Not Sell or Share My Personal Information, our privacy rights request form, a recognized Global Privacy Control (GPC) signal, or—for California residents—the State of California's DELETE Act platform (DROP), accessible through the CPPA at cppa.ca.gov/data_brokers.
GSDSI will not discriminate against you for exercising privacy rights.
The tables below summarize categories collected in the last 12 months, whether each category is sold or shared, and how long we retain it or the criteria we use. Sources are described in the sections above (information you provide, partners, public records, and licensed panels). Detailed field lists appear in customer data dictionaries under NDA.
| Category | Business / commercial purposes | Sold / shared | Recipient categories |
|---|---|---|---|
| Identifiers (name, email, phone, MAID, IP) | Licensing, analytics, marketing, security | Yes / Yes | Enterprise customers; ad/measurement partners; service providers |
| Professional / business contact | B2B licensing, sales, enrichment | Yes / Yes | B2B customers; data partners |
| Demographic / interest inferences | Audience products, measurement | Yes / Yes | Advertisers; analytics buyers |
| Precise geolocation / mobility | Location intelligence, POI, measurement | Yes / Yes | Location/measurement customers |
| Internet / network activity | Site analytics & performance (service providers) | No / No | Google Analytics, Vercel — contractually restricted service providers, no advertising use |
| Internet / network activity | Conversion measurement for advertising | No / Yes (only when marketing tags accepted) | Microsoft (Bing UET); other ad/measurement partners |
| Voter registration & voter history (incl. party affiliation) | Source-state-permitted electoral, political-campaign, governmental, scholarly, or journalistic licensing — not general commercial/analytics | Yes / Yes | Qualified political organizations, campaigns, agencies, and other recipients permitted under the source state's voter-data law, under permitted-use contract |
| Sensitive PI (precise geo; other categories as defined) | As licensed; exclusions per program | Yes / Yes | Qualified buyers under contract |
| Category | Retention period or criteria |
|---|---|
| Website account / inquiry records | Life of relationship + 3 years (legal/tax) |
| Consumer marketing / DSR logs | Request log 24 months; suppression flags while legally required |
| Licensed identity / MAID graph | Per product schedule in customer agreement (typically 12–36 months active; decay fields published) |
| Mobility / location panels | Rolling panel per license (often 12–24 months); sensitive-place exclusions refreshed per release |
| B2B contact enrichment | While business relationship remains active or 24 months after last verified use, whichever is shorter |
| Voter registration / voter history file | Refreshed per source-state update cycle; retained per license term and to maintain accuracy of the political file (typically updated each election cycle; superseded records replaced on refresh) |
We use personal information to provide and improve services, license data products, personalize experiences, support advertising and marketing, comply with law, provide analytics and reporting, and run our business.
We share personal information with customers and partners, service providers, for security and fraud prevention, when required by law, in business transactions, and with your consent. Revoke consent for future uses via our privacy rights request form. Sale and sharing for commercial licensing are addressed in Sale and Sharing above.
Depending on the product, GSDSI processes sensitive personal information as defined by the CPRA, including:
We license these categories to qualified buyers under contract. You may limit the use and disclosure of your sensitive personal information to what is necessary to perform services by submitting a request at Limit the Use of My Sensitive Personal Information or through the DSR portal (select "Limit sensitive use").
Political party affiliation is not enumerated as “sensitive personal information” under the CCPA/CPRA. Nevertheless, GSDSI treats voter and political data as a protected category and licenses it only to recipients who qualify under source-state voter-data law for permitted electoral, political-campaign, governmental, scholarly, or journalistic purposes. Party affiliation is released only to electoral- and political-qualified recipients. Under the EU/UK GDPR, political opinions are a special category of personal data; GSDSI's voter products concern U.S. residents and are licensed for U.S. use only.
Our sensitive-location compliance checklist describes venue exclusions and consent provenance aligned with FTC location-data orders.
Some U.S. states regulate consumer health data beyond HIPAA. GSDSI's public site does not offer PHI. Healthcare-adjacent or wellness-interest products, where offered, are governed by the Consumer Health Data Notice, separate license terms, and buyer obligations under laws such as Washington's My Health My Data Act (MHMDA).
GSDSI honors a valid Global Privacy Control (GPC) signal as a request to opt out of the sale and sharing of personal information on our website, consistent with California, Colorado, Connecticut, Texas, Oregon, and other applicable state laws. When GPC is detected, we set advertising and analytics tags to denied via Google Consent Mode and do not load optional marketing scripts until you affirmatively accept cookies.
Legacy Do Not Track (DNT) browser signals are not uniformly standardized; GPC is the supported universal opt-out mechanism on this site. The same practices are described on /do-not-sell.
Our cookie banner lets you Reject All or Accept All with equal prominence. No marketing cookies are pre-selected. Non-essential tags remain denied until you accept or until Consent Mode receives an update.
Manage choices anytime via Your Privacy Choices or clear site data in your browser.
For EEA, UK, and Swiss personal data we rely on:
Indirect collection from partners is documented in our DPIA and sourcing methodology; we do not rely on consent alone for all broker-sourced panels.
We implement technical and organizational safeguards. Internet transmission cannot be guaranteed fully secure.
See Categories, Purposes, and Retention for category-level periods. We may retain information longer when required by law, litigation, or signed customer agreements.
We may process information in the United States. For transfers of personal data from the EEA, the United Kingdom, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (with the UK International Data Transfer Addendum and Swiss adaptations as applicable), together with supplementary measures where appropriate.
EU and UK individuals may limit marketing uses by contacting privacy@gsdsi.com. When GSDSI processes data as a processor for customers, we act on controller instructions.
Opt out of interest-based ads via the DAA at aboutads.info/choices.
We require service providers and subprocessors that process personal data on our behalf to do so under written contracts limiting them to our documented instructions and imposing confidentiality and security obligations. We remain responsible for personal data we transfer to them. A current list is available at /trust/sub-processors.
We apply technical and organizational safeguards appropriate to the risk, limit processing to the purposes described in this notice, retain personal data only as long as needed for those purposes, and disclose information when legally required or in connection with a corporate transaction.
If you have a concern about how we handle your personal data, contact our Privacy & Compliance Department at 3410 Galt Ocean Dr., Fort Lauderdale, FL 33308, or privacy@gsdsi.com. EEA, UK, and Swiss individuals may also contact our EU/UK representative (see Representatives in the European Union and United Kingdom) and have the right to lodge a complaint with their local data protection supervisory authority — in the UK, the Information Commissioner's Office (ICO); in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC).
Exercise your rights using any of the following:
California: Right to know, delete, correct, opt out of sale/sharing, and limit sensitive PI. Opt out at /do-not-sell or via GPC. These mechanisms apply to voter-derived records as well as other identifiers we hold. DROP requests: California residents may delete their personal information from all registered data brokers in a single request through the State of California's Delete Request and Opt-out Platform (DROP), operated by the California Privacy Protection Agency, accessible via cppa.ca.gov/data_brokers. From August 1, 2026, GSDSI will process eligible DROP deletion requests at least every 45 days. Annual consumer-request metrics required under CPRA Regulations § 7102 are published in California Consumer Request Metrics (2025) below.
Voter data: Voter registration and voter history data licensed by GSDSI are not consumer reports under the Fair Credit Reporting Act (FCRA) and may not be used for credit, employment, insurance, tenancy, or other eligibility determinations.
Europe / UK: Access, delete, restrict, port, object, and withdraw consent. Contact our EU/UK representative in Representatives in the EU and United Kingdom below, or lodge a complaint with your supervisory authority.
Statutory rights: Nothing in the Governing Law section below limits non-waivable privacy rights under CPRA, GDPR, or other applicable law.
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, a business that bought, sold, or shared the personal information of 10,000,000 or more consumers in a calendar year must disclose the following metrics regarding consumer requests received during that calendar year. The metrics below cover the period January 1, 2025 through December 31, 2025.
| Request type | Requests received | Complied with (in whole or in part) | Denied | Median days to respond | Mean days to respond |
|---|---|---|---|---|---|
| Requests to Know | 0 | 0 | 0 | N/A | N/A |
| Requests to Delete | 0 | 0 | 0 | N/A | N/A |
| Requests to Correct | 0 | 0 | 0 | N/A | N/A |
| Requests to Opt-Out of Sale/Sharing | 0 | 0 | 0 | N/A | N/A |
| Requests to Limit Use of Sensitive Personal Information | 0 | 0 | 0 | N/A | N/A |
GSDSI received no consumer rights requests during the 2025 calendar year. Median and mean response times are not applicable because no requests were received.
This disclosure was last updated on June 2, 2026.
Our website and standard consumer data products are not directed to children under 13. We do not knowingly collect personal information from children under 13 without appropriate parental consent as required by COPPA. If you believe we collected a child's information without authorization, contact privacy@gsdsi.com.
Consumers under 16. GSDSI does not knowingly sell or share the personal information of a consumer we know to be under 16 years of age unless we have received affirmative authorization to do so — from the consumer directly where they are between 13 and 15 years of age, or from a parent or guardian where they are under 13. If we learn that we have sold or shared the personal information of a consumer under 16 without the required opt-in, we will stop and will delete or suppress the affected records. Consumers, parents, or guardians may contact privacy@gsdsi.com regarding a minor's personal information.
Texas and other state children's-privacy laws may impose additional duties on downstream buyers; see customer license terms.
This notice is governed by Florida law. Disputes about this website notice (not statutory privacy-rights requests) may be resolved through binding arbitration in Miami-Dade County, Florida under AAA commercial rules, except where prohibited. Your CPRA, GDPR, and other non-waivable privacy rights are not limited by this section.
If any portion is unenforceable, the remainder stays in effect. We may archive prior versions of this notice on request.
Privacy & Compliance Department, Global Source Data Solutions, Inc., 3410 Galt Ocean Dr., Fort Lauderdale, FL 33308, USA. Email: privacy@gsdsi.com.
We have appointed Superset Representatives SASU as our representative in the European Union under GDPR Article 27 and in the United Kingdom under UK GDPR Article 27.
Contact: gsdsi.com@supersetreps.com
Postal address: Superset Representatives SASU, 12 Rue Pierre Fontaine, 75009 Paris, France
EEA and UK individuals may contact this representative on matters related to the processing of personal data by GSDSI, in addition to privacy@gsdsi.com.
GSDSI maintains a public index for California, Vermont, Texas, Oregon, and Connecticut at /trust/data-broker-registrations. GSDSI is registered with the California Privacy Protection Agency under the Delete Act; the authoritative public listing is the CPPA Data Broker Registry. Vermont (W2026R0127861), Texas (20260018), and Oregon (DATA-00413) registration numbers are published on that page. Connecticut's data-broker registry framework (Public Act 26-64) takes effect October 1, 2026; brokered-data sales or licensing in Connecticut on or after January 1, 2027 require registration. California Delete Act (SB 362) requires annual registration and DROP deletion processing—see that page for status. Where annual broker registrations enumerate data categories collected, sold, or shared, voter registration and voter history (including derived political identifiers) are included.
We post updates on this page with a revised effective date. Last updated June 5, 2026 (narrowed voter-data licensing to source-state-permitted electoral, political, governmental, scholarly, and journalistic uses; removed general commercial/analytics framing; California CPPA Data Broker Registry link; prior update corrected DROP link and broker registrations).
If GSDSI becomes aware of a security incident materially affecting personal information subject to our role as processor or controller, enterprise customers should refer to contractual notice windows. Public diligence mirrors Tier 1/2 escalations summarized on Trust — Security Program: provisional notification for suspected incidents within five US business days with confirm-or-clear follow-up inside two weeks, and accelerated timelines consistent with GDPR requirements when confirmed breaches involve identified customer payloads.
Consumers exercising privacy rights remain directed to this notice’s dispute and contact clauses; enterprise vendor-risk teams validating SLAs pair this Privacy Policy with subprocessors enumerated at /trust/sub-processors and the downloadable DPA template.