DOCUMENT REF: GS-LEGAL-001  |  CLASSIFICATION: PUBLIC

PRIVACY POLICY

EFFECTIVE DATE: MAY 2026 LAST UPDATED: MAY 2026 JURISDICTION: UNITED STATES
■ TABLE OF CONTENTS
  1. § I. Introduction
  2. § II. Data We Collect
  3. § III. How We Use Your Data
  4. § IV. Data Sharing & Third Parties
  5. § V. Data Retention
  6. § VI. Security
  7. § VII. Your Rights
  8. § VIII. Cookies & Tracking
  9. § IX. Children's Privacy
  10. § X. Changes to This Policy
  11. § XI. Contact Us
§ I

§ I. INTRODUCTION

GaiaSignal ("GaiaSignal," "we," "us," or "our") operates the website located at gaiasignal.com and provides environmental litigation intelligence services to legal professionals, investment analysts, and risk management teams.

This Privacy Policy describes what personal information we collect, how we use it, who we share it with, and what rights you have with respect to your information. By accessing our website or submitting information through our pilot access request form, you acknowledge that you have read and understood this Privacy Policy.

SUMMARY: We collect only the information you provide when requesting pilot access. We do not sell your data to third parties. We use standard AWS infrastructure in the United States to store and process your information securely.
§ II

§ II. DATA WE COLLECT

We collect personal information that you voluntarily provide to us and certain technical information that is automatically collected when you access our website. We do not collect sensitive personal information (such as financial account numbers, government identification numbers, health information, or biometric data).

  • Full Name Your first and last name, provided when you submit a pilot access request. Used to identify you and personalize communications.
  • Email Address Your professional or personal email address. Used to deliver pilot access decisions, product updates, and service-related communications. Required for form submission.
  • Organization Your employer or firm name. Used to evaluate pilot access requests and understand the types of organizations using our service.
  • Use Case / Query A description of how you intend to use GaiaSignal, submitted in the optional use case field of the pilot request form. Used to tailor the pilot briefing to your specific needs.
  • IP Address Automatically collected when you access our website, via AWS CloudFront and API Gateway access logs. Used for security monitoring, abuse prevention, and aggregate traffic analysis. Not linked to your identity for marketing purposes.
  • Technical Log Data Browser type, referring URL, timestamps, and HTTP request metadata. Collected automatically by our CDN and API infrastructure. Used for security, debugging, and performance monitoring only.

We do not use third-party analytics platforms (such as Google Analytics) on this website. We do not purchase, scrape, or import personal data about you from data brokers or other external sources.

§ III

§ III. HOW WE USE YOUR DATA

We use the personal information we collect for the following purposes:

  • Service Delivery Evaluate and fulfill pilot access requests. Your name, email, organization, and use case are reviewed by our team to determine pilot eligibility and to deliver your pilot briefing materials.
  • Product Updates Inform you about GaiaSignal developments. With your consent, we may send email updates about new intelligence products, platform capabilities, or significant changes to our service. You may opt out at any time.
  • Communications Respond to your inquiries and requests. We use your contact information to correspond with you about your pilot request, onboarding, and any follow-up questions.
  • Security & Fraud Prevention Protect our platform and users. IP addresses and technical log data are used to detect and prevent abuse, bot submissions, and unauthorized access attempts.
  • Legal Compliance Comply with applicable law. We may process your data to fulfill legal obligations, respond to lawful requests from public authorities, or protect our rights in legal proceedings.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. We do not use your data to train machine learning models that are deployed in products sold to third parties.

§ IV

§ IV. DATA SHARING & THIRD PARTIES

We do not sell, rent, or trade your personal information to any third party. We share your data only with the service providers listed below, who process it on our behalf under contractual data processing obligations, and only to the extent necessary to provide our services.

  • AWS Lambda Amazon Web Services Lambda processes pilot access form submissions. Your submitted data (name, email, organization, use case) is passed through Lambda functions for validation, docket number assignment, and routing to storage and notification services. All processing occurs in the AWS us-east-1 (N. Virginia) region.
  • AWS API Gateway Amazon API Gateway handles HTTPS traffic between the website form and our backend Lambda functions. Access logs may record your IP address and request metadata. All data in transit is encrypted via TLS 1.2 or higher.
  • AWS DynamoDB Amazon DynamoDB is our primary data store for pilot access submissions. Your name, email, organization, use case, and assigned docket number are stored in DynamoDB tables in the us-east-1 region. Data is encrypted at rest using AWS-managed keys.
  • AWS SES Amazon Simple Email Service (SES) is used to send confirmation emails to you and internal notification emails to our team upon form submission. SES processes your email address and name for this purpose only.
  • AWS CloudFront Amazon CloudFront serves this website as a content delivery network. CloudFront may log your IP address and request metadata in standard CDN access logs. These logs are used for security and performance monitoring.

Amazon Web Services, Inc. acts as a data processor on our behalf. AWS is certified under ISO 27001, SOC 2, and other recognized security frameworks. For more information about AWS data processing practices, see the AWS Privacy Notice.

We may also disclose your information if required by law, subpoena, court order, or other legal process, or if we reasonably believe disclosure is necessary to protect the rights, property, or safety of GaiaSignal, our users, or the public.

§ V

§ V. DATA RETENTION

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Pilot access submissions (name, email, organization, use case) are retained in DynamoDB for a maximum of 24 months from the date of submission, unless you request earlier deletion or unless you become an active client (in which case your record is retained for the duration of the client relationship plus a reasonable post-engagement period for recordkeeping purposes).

Technical log data (IP addresses, access logs) is retained by AWS infrastructure for up to 90 days, after which it is automatically deleted in accordance with our logging configuration.

Email communications may be retained for up to 36 months for business correspondence and legal compliance purposes.

You may request deletion of your personal data at any time by contacting us at contact@gaiasignal.com. We will process verified deletion requests within 30 days.

§ VI

§ VI. SECURITY

We implement reasonable technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

TRANSPORT: All data transmitted between your browser and our services is encrypted using TLS 1.2 or higher via HTTPS. HTTP requests are automatically redirected to HTTPS.

STORAGE: Personal data stored in AWS DynamoDB is encrypted at rest using AWS-managed encryption keys (AES-256).

ACCESS CONTROL: Access to our DynamoDB tables and Lambda functions is restricted via AWS IAM roles with least-privilege policies. No public direct access to database tables is permitted.

INFRASTRUCTURE: Our AWS infrastructure is deployed in a single, controlled region (us-east-1) and managed through infrastructure-as-code practices.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and applicable authorities as required by law.

§ VII

§ VII. YOUR RIGHTS

Depending on your location, you may have certain rights with respect to the personal information we hold about you. We honor all valid requests regardless of your jurisdiction.

  • GDPR Right of Access. You may request a copy of all personal data we hold about you, including information about how it is being used and to whom it has been disclosed.
  • GDPR Right to Erasure (Right to be Forgotten). You may request that we delete your personal data. We will comply unless we have a legal obligation or legitimate interest requiring us to retain it.
  • GDPR Right to Rectification. You may request correction of any inaccurate or incomplete personal data we hold about you.
  • GDPR Right to Restrict Processing. You may request that we limit the way we use your data while a dispute is resolved or while you exercise other rights.
  • GDPR Right to Object. You may object to processing of your personal data for direct marketing purposes at any time. We will stop processing your data for such purposes upon receipt of a valid objection.
  • GDPR Right to Data Portability. You may request that we provide your personal data in a structured, commonly used, machine-readable format.
  • CAN-SPAM Right to Opt Out of Commercial Email. Every commercial email we send includes an unsubscribe link or instruction. You may also opt out at any time by emailing contact@gaiasignal.com with the subject line "Unsubscribe." We will process opt-out requests within 10 business days.
  • CCPA California Residents. Under the California Consumer Privacy Act (CCPA), California residents have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. For all other CCPA rights, contact us using the information in § XI.

To exercise any of the rights above, please contact us at contact@gaiasignal.com. We may need to verify your identity before processing certain requests. We will respond to all verifiable requests within 30 days (or within any shorter period required by applicable law).

If you are located in the European Economic Area (EEA) and believe we have processed your data unlawfully, you have the right to lodge a complaint with a supervisory authority in your member state.

§ VIII

§ VIII. COOKIES & TRACKING

This website does not use first-party cookies for tracking or analytics purposes. We do not deploy third-party tracking scripts, advertising pixels, or behavioral retargeting technologies.

Your browser may cache static assets (HTML, CSS, fonts) served via AWS CloudFront for performance purposes. This is standard browser caching behavior and does not constitute tracking.

Google Fonts are loaded via a Google CDN to render the typefaces used on this site. Your browser may transmit your IP address to Google's servers as part of this request. To avoid this, you may use a browser extension that blocks external font loading.

We do not use any consent management platform (CMP) or cookie consent banner at this time, as our current use of cookies is limited to technically necessary browser caching. If our practices change, we will update this policy and add appropriate consent mechanisms.

§ IX

§ IX. CHILDREN'S PRIVACY

GaiaSignal is a professional-grade intelligence service intended solely for use by adults in a business or professional capacity. Our website and services are not directed at, designed for, or intended to be used by children under the age of 13 (or 16 in the European Economic Area).

We do not knowingly collect personal information from children. If you believe that a child has submitted personal information to us, please contact us at contact@gaiasignal.com and we will delete such information promptly.

§ X

§ X. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, service offerings, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this page.

We encourage you to review this Privacy Policy periodically. For significant changes that materially affect how we process your personal data, we will provide notice by email (if we have your email address) or by posting a prominent notice on our website prior to the change taking effect.

Continued use of our website or services after changes to this Privacy Policy become effective constitutes acceptance of those changes.

§ XI

§ XI. CONTACT US

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:

GaiaSignal
Privacy Inquiries
Email: contact@gaiasignal.com

Subject line for data rights requests: "Privacy Request — [Your Name]"
Subject line for unsubscribe requests: "Unsubscribe"

We aim to respond to all privacy inquiries within 5 business days. For formal data subject access requests or deletion requests, we will acknowledge receipt within 5 business days and complete processing within 30 days.