Data Privacy & Processing Disclosure
Last updated: December 1, 2025
A. Overview
This Data Privacy & Processing Disclosure (“Disclosure”) explains how GAC Solutions (“GAC”, “we”, “us”, or “our”) processes personal data within our internal and partner-facing platforms and tools (the “Services”).
These Services are typically used by:
- GAC employees and internal departments;
- Customers (clients), vendors, and contractors;
- Consultants and candidates engaged through GAC.
This Disclosure is intended to complement, not replace, any master service agreement, data-processing addendum, or local policy in force between GAC and your organization. If there is a conflict, the signed agreement or applicable local policy will prevail.
B. Roles and Responsibilities
Depending on the specific implementation and contractual structure, GAC Solutions may act as:
- Data Controller – when we define the purposes and means of processing personal data within our own HR, finance, and internal operations; and/or
- Data Processor / Service Provider – when we process personal data on behalf of a customer in accordance with written instructions and data-processing terms.
Your employer or contracting organization (for example, a client or vendor using the Services) may be the primary controller for personal data relating to you. In those cases, that organization is responsible for providing you with appropriate notices and for managing your data-subject rights.
C. Categories of Personal Data Processed
Depending on your relationship with GAC and the specific modules enabled, the Services may process the following categories of personal data:
- Identification data (name, employee/consultant ID, user ID);
- Contact details (business email, phone number, work location);
- Organizational data (role, department, manager, client account, vendor affiliation);
- Engagement and timesheet data (projects, hours worked, rates, approvers);
- Vendor and invoicing data (bank details and tax-related identifiers, where contractually required);
- Compliance and onboarding data (document status, expiry dates, training completions);
- Technical data (log-in timestamps, IP addresses, device/browser details, internal audit logs).
The exact set of data fields depends on your organization’s configuration and applicable agreements.
D. Purposes of Processing
We process personal data in the Services for purposes including:
- Providing and operating timesheet, onboarding, and vendor-management functionality;
- Supporting payroll, billing, and vendor payment workflows (where applicable);
- Facilitating request, ticket, and approval workflows between users and teams;
- Maintaining access control, security, monitoring, and audit trails;
- Improving performance, stability, and usability of the Services;
- Complying with legal, regulatory, and contractual obligations.
Where required by law, we rely on one or more lawful bases for processing, such as performance of a contract, legitimate interests, legal obligations, or consent obtained by your organization.
E. Sources of Personal Data
We obtain personal data primarily from:
- Your employer, client organization, or vendor organization using our Services;
- You directly, when you complete forms, submit timesheets, upload documents, or update your profile;
- Integrated systems (for example, HRIS, identity provider, or financial systems) as part of authorized integrations.
F. Retention
We retain personal data only as long as necessary to:
- Provide the Services and fulfill contractual obligations;
- Comply with legal, regulatory, and tax-record requirements;
- Support audits, security investigations, and dispute resolution.
Retention periods may be defined in your organization’s policies or in the data-processing terms between GAC and your organization. Where we act as processor, your organization typically controls or approves retention rules and deletion schedules.
G. Recipients and International Transfers
Personal data may be accessed or processed by:
- Authorized GAC staff with a business need (for example, support, operations, finance, or security);
- Your organization’s authorized users (for example, managers, HR, project owners, or finance teams);
- Service providers supporting hosting, backup, email delivery, analytics, or security operations;
- Other parties where required by law, regulation, or court order.
Because our infrastructure and service providers may be located in multiple jurisdictions, your data may be transferred across national borders. Where required, we implement appropriate safeguards (such as contractual clauses or equivalent mechanisms) to protect personal data during such transfers.
H. Security Measures
We use reasonable technical and organizational measures designed to protect personal data, including:
- Role-based access control and authentication;
- Encryption in transit (for example, HTTPS/TLS) and at rest where appropriate;
- Segregation of environments and least-privilege principles;
- Logging and monitoring of access and administrative actions;
- Backup, disaster-recovery, and business-continuity controls;
- Vendor due-diligence and confidentiality obligations.
No system can be guaranteed 100% secure, but we continually review and improve our security controls in line with industry practices and contractual commitments.
I. Data Subject Rights
Depending on your jurisdiction and the role of your organization, you may have rights such as:
- Accessing your personal data held in the Services;
- Requesting correction or update of inaccurate information;
- Requesting deletion or restriction of processing, where appropriate;
- Objecting to certain types of processing;
- Receiving a copy of certain data in a portable format, where applicable.
Where GAC acts as a processor, requests to exercise these rights should generally be submitted to your employer or contracting organization, which controls the data. We will support them in responding, as required by our contract and applicable law.
J. Cookies and Tracking Technologies
Our Services may use cookies and similar technologies to:
- Maintain secure sessions and authentication;
- Remember user preferences and navigation context;
- Improve usability and performance.
For more detailed information on cookie types and choices, please refer to our Privacy & Cookie Policy (or your local implementation).
K. Children and Protected Classes
The Services are designed for adult professionals and business users. They are not intended for individuals under the minimum working age in the relevant jurisdiction, and we do not knowingly collect data directly from children.
L. Updates to This Disclosure
We may update this Disclosure from time to time to reflect changes in our Services, legal requirements, or internal practices. When we make material changes, we will update the “Last updated” date and, where appropriate, provide additional notice via the Services or through your organization.
M. Contact
If you have questions about this Disclosure or how your data is processed in connection with the Services, you may contact:
- Your employer’s or contracting organization’s data-protection or HR contact; and/or
- GAC Solutions at:
GAC Solutions
1900 E. Golf Road, Suite 925
Schaumburg, IL 60173
Email: contracts@gacsol.com