Privacy Policy
version: 1/2026
1. INTRODUCTION
This Privacy Policy describes how Gallyn Marketing LLC ("Gallyn", "We", "Us" or "Our") collects, uses, shares and protects personal data in connection with:
- Our website at gallyn.com (the "Website");
- Marketing campaigns and services We deliver on behalf of Our clients (the "Services");
- Lead generation forms and landing pages operated through third-party platforms, including LinkedIn; and
- Any other interactions you may have with Us.
Gallyn is a business-to-business ("B2B") marketing agency. Depending on the context, We act in two capacities:
- Data Controller — for personal data We collect and process for Our own business purposes (e.g. Website visitors, prospective clients, direct marketing contacts); and
- Data Processor — for personal data We process on behalf of Our clients when delivering marketing campaigns and services (see Section 9).
This Privacy Policy applies regardless of how you interact with Us, including through third-party platforms such as LinkedIn, Google and Meta. Where those platforms act as independent controllers of your data, their own privacy policies also apply.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on Our Website with a revised effective date. We encourage you to review this page periodically.
Effective Date: February 2026
2. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
When Gallyn is the data controller:
Gallyn Marketing LLC is responsible for deciding how and why your personal data is processed in relation to Our own business operations, including the operation of Our Website, direct marketing, and business development activities.
When Gallyn is a data processor:
When We deliver marketing campaigns and services on behalf of a client, that client is the data controller. We process personal data only in accordance with the client's instructions and applicable data processing agreements. See Section 9 for further detail.
Contact:
Gallyn Marketing LLC Email: [email protected] Website: gallyn.com
3. PERSONAL DATA THAT WE COLLECT AND HOW WE COLLECT IT
3.1 Data You Provide Directly
When you contact Us, request a proposal, or engage with Our Website, you may provide:
- Name, job title, and company name
- Email address and phone number
- Message content and communication preferences
- Any other information you choose to provide
3.2 Data from Marketing Campaigns
When you interact with marketing campaigns We operate on behalf of Our clients, We may collect:
- Information submitted through LinkedIn Lead Gen Forms (e.g. name, email, job title, company, and any custom fields configured by the client)
- Responses to surveys, landing page forms, and calls-to-action
- Event registration information
3.3 Data Collected Automatically
When you visit Our Website, We automatically collect certain information through cookies and similar tracking technologies (see Section 7), including:
- IP address (which may be anonymised)
- Browser type, operating system, and device information
- Pages visited, time spent on pages, and referring URLs
- Interactions with advertisements and campaign content
3.4 Data from Third-Party Platforms
We receive personal data from third-party platforms We use to deliver marketing services, including:
- LinkedIn: Campaign performance data, lead form submissions, and audience insights obtained through LinkedIn's Campaign Manager and Marketing APIs
- Google: Analytics data about Website visitors and campaign interactions
- Meta: Campaign delivery and engagement data
3.5 Data from Our Clients
Our clients may provide Us with personal data for the purpose of delivering marketing services, including:
- Audience lists and contact databases for campaign targeting
- Customer relationship management (CRM) data
- Existing customer or prospect information for audience matching and lookalike modelling
4. OUR PURPOSES, LEGAL GROUNDS FOR PROCESSING AND RETENTION PERIODS
| Purpose | Categories of Personal Data | Legal Ground | Retention Period |
|---|---|---|---|
| Delivering marketing services to Our clients — executing campaigns, managing lead generation, and reporting on results | Contact details, lead form submissions, campaign interaction data, audience list data | Performance of a contract (with Our client); Legitimate interest (to deliver services effectively) | For the duration of the client engagement plus 12 months, unless the client instructs otherwise |
| Processing lead generation data — collecting, organising and transmitting leads generated via LinkedIn Lead Gen Forms and other platforms to Our clients | Name, email, job title, company, form responses | Legitimate interest (to fulfil Our service obligations); Consent (where required by applicable law for the underlying data collection) | Transmitted to the client promptly; retained by Gallyn for a maximum of 90 days for quality assurance, unless a shorter period applies (see LinkedIn API limits below) |
| LinkedIn API data compliance — profile data and social activity data obtained through LinkedIn Marketing APIs | Profile data, social activity data | Legitimate interest; Compliance with LinkedIn API terms | Profile data: deleted within 24 hours of retrieval. Social activity data: deleted within 48 hours of retrieval. Aggregated, non-personal campaign analytics may be retained longer. |
| Website analytics — understanding how visitors use Our Website to improve content and user experience | IP address (anonymised where possible), browser/device data, pages visited, session duration | Legitimate interest (to improve Our Website and services) | Up to 26 months from collection |
| Campaign analytics and reporting — measuring campaign performance and providing reports to Our clients | Aggregated engagement data, conversion metrics, audience insights | Legitimate interest (to evaluate and improve campaign performance) | For the duration of the client engagement plus 12 months |
| Direct marketing — sending communications about Gallyn's own services to prospective and existing clients | Name, email, company, job title | Consent (where required); Legitimate interest (to market Our services to business contacts) | Until you unsubscribe or object, or 24 months from last engagement, whichever is sooner |
| Responding to enquiries — communicating with you when you contact Us | Name, email, message content | Legitimate interest (to respond to communications) | 12 months from last communication |
| Legal compliance — complying with applicable laws, regulations, and legal processes | Any personal data We hold | Legal obligation | As required by applicable law |
| Defending legal claims — establishing, exercising, or defending legal claims | Any personal data relevant to the claim | Legitimate interest (to protect Our legal rights) | For the applicable limitation period (up to 6 years, or longer where required) |
5. RECIPIENTS OF PERSONAL DATA
We may share your personal data with the following categories of recipients:
- Our clients — where We process data on their behalf as part of marketing campaign delivery
- Third-party advertising and marketing platforms — including LinkedIn, Google, and Meta, for the purpose of campaign delivery, audience targeting, and analytics
- Service providers — including cloud hosting providers, email delivery services, analytics tools, and other technology providers who assist Us in delivering Our services
- Professional advisors — including lawyers, accountants, and auditors where necessary
- Legal and regulatory authorities — where required by applicable law, court order, or regulatory obligation
We do not sell your personal data. We do not share your personal data with third parties for their own direct marketing purposes without your consent.
6. CROSS-BORDER DATA TRANSFERS
Gallyn Marketing LLC is based in the United States. If you are located outside the United States, your personal data will be transferred to the United States for processing.
Where We transfer personal data from the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland to countries that have not been deemed to provide an adequate level of data protection, We rely on appropriate safeguards, including:
- EU-US Data Privacy Framework (DPF) and the UK Extension to the DPF, where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), including the UK International Data Transfer Addendum issued by the ICO where required for UK transfers
- Swiss-US Data Privacy Framework and supplementary measures for transfers from Switzerland
Third-party platforms We use (including LinkedIn, Google, and Meta) maintain their own data transfer mechanisms. For further information, please refer to:
- LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy
- Google Privacy Policy: https://policies.google.com/privacy
- Meta Privacy Policy: https://www.facebook.com/privacy/policy/
7. COOKIES AND OTHER TRACKING TECHNOLOGIES
7.1 What Are Cookies?
A cookie is a small text file that is stored on your computer or mobile device when you visit a website. Cookies enable the website to remember your actions and preferences over a period of time, so you do not have to re-enter them each time you return. We also use similar technologies such as pixel tags and web beacons.
7.2 Types of Cookies We Use
Necessary cookies — required for the basic operation of Our Website. You cannot use Our Website without these cookies.
Functionality cookies — remember your preferences and settings (such as language) so you do not have to configure them each time you visit.
Performance cookies — help Us understand how visitors interact with Our Website by collecting information about pages visited and errors encountered.
Analytics cookies — enable Us to measure and analyse visitor behaviour on Our Website, helping Us improve content and user experience.
Marketing and advertising cookies — used to deliver relevant advertisements and track ad campaign performance across websites and platforms. These cookies may be set by Us or by third-party advertising partners.
7.3 Cookies Used on Our Website
| Cookie Name | Provider | Type | Retention Period | Purpose |
|---|---|---|---|---|
| _ga | Google Analytics | Persistent | 2 years | Distinguishes unique users by assigning a randomly generated number as a client identifier |
| ga* | Google Analytics | Persistent | 2 years | Used by Google Analytics to persist session state |
| _gid | Google Analytics | Persistent | 24 hours | Distinguishes unique users |
| _gat | Google Analytics | Persistent | 1 minute | Used to throttle the request rate to Google Analytics |
| ln_or | Persistent | 1 day | Used to determine if Oribi analytics can be carried out on a specific domain | |
| AnalyticsSyncHistory | Persistent | 30 days | Used to store information about the time a sync with the lms_analytics cookie took place | |
| li_sugr | Persistent | 90 days | Used for making a probabilistic match of a user's identity outside the Designated Countries | |
| bcookie | Persistent | 1 year | Browser identifier cookie for uniquely identifying devices accessing LinkedIn | |
| lidc | Persistent | 24 hours | Used to facilitate data centre selection | |
| UserMatchHistory | Persistent | 30 days | Used for LinkedIn Ads ID syncing | |
| li_fat_id | Persistent | 30 days | Member indirect identifier for conversion tracking, retargeting, and analytics |
7.4 Cross-Device Tracking
We and Our third-party partners, including LinkedIn, may use cross-device tracking technologies to recognise and associate your activity across different devices (e.g. your computer, tablet, and mobile phone). This allows Us to:
- Deliver consistent marketing messages across your devices
- Measure the effectiveness of campaigns across multiple touchpoints
- Provide aggregated analytics and reporting to Our clients
LinkedIn's Insight Tag and similar technologies may collect information about your interactions with Our Website and associate that data with your LinkedIn profile for ad targeting and analytics purposes. This tracking operates across devices where you are signed into your LinkedIn account.
7.5 Managing and Opting Out of Cookies
You can control and delete cookies through your browser settings. You can also opt out of specific tracking technologies:
- Google Analytics: Install the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout
- LinkedIn advertising: Manage your advertising preferences at https://www.linkedin.com/psettings/advertising
- General opt-out: Visit https://optout.aboutads.info or https://www.youronlinechoices.eu for interest-based advertising opt-outs
Please note that disabling cookies may affect the functionality of Our Website.
8. YOUR RIGHTS
Depending on your location and applicable law, you may have the following rights regarding your personal data. To exercise any of these rights, please contact Us using the details in Section 15.
8.1 European Economic Area (GDPR)
If you are in the EEA, you have the following rights under the General Data Protection Regulation (EU) 2016/679:
- Right of access (Article 15) — obtain confirmation of whether We process your personal data and request a copy
- Right to rectification (Article 16) — request correction of inaccurate or incomplete personal data
- Right to erasure (Article 17) — request deletion of your personal data in certain circumstances
- Right to restriction (Article 18) — request that We limit the processing of your personal data
- Right to data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests, including profiling and direct marketing
- Right not to be subject to automated decision-making (Article 22) — not be subject to a decision based solely on automated processing that produces legal or similarly significant effects
You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
8.2 United Kingdom (UK GDPR)
If you are in the UK, you have equivalent rights under the UK General Data Protection Regulation and the Data Protection Act 2018. You may lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.
8.3 Switzerland (FADP)
If you are in Switzerland, you have rights under the Swiss Federal Act on Data Protection (FADP). You may contact the Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch.
8.4 California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know — request information about the categories and specific pieces of personal information We have collected, the sources, the business purposes, and the categories of third parties with whom We share it
- Right to delete — request deletion of your personal information
- Right to correct — request correction of inaccurate personal information
- Right to opt out of sale or sharing — We do not sell your personal information, and We do not share your personal information for cross-context behavioural advertising as defined under the CCPA/CPRA
- Right to limit use of sensitive personal information — where applicable
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights
Categories of personal information collected in the preceding 12 months:
| CCPA Category | Examples | Source | Business Purpose |
|---|---|---|---|
| Identifiers | Name, email, IP address | Directly from you; campaign platforms | Service delivery, communication |
| Professional/employment information | Job title, company name | Directly from you; LinkedIn Lead Gen Forms | Service delivery, lead generation |
| Internet/electronic network activity | Browsing history, interactions with Website | Automatically via cookies | Analytics, service improvement |
| Geolocation data | Approximate location from IP address | Automatically | Analytics |
We do not sell personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA/CPRA.
8.5 Other US State Privacy Laws
If you are a resident of Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Virginia (VCDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or other US states with comprehensive privacy legislation, you may have similar rights including the right to access, correct, delete, and opt out of certain processing of your personal data. To exercise any such rights, please contact Us using the details in Section 15.
8.6 Brazil (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to confirmation of processing, access, correction, anonymisation, portability, deletion, and information about sharing. You may contact the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd.
8.7 How to Exercise Your Rights
To exercise any of the rights described above, please contact Us at:
Email: [email protected]
We will respond to your request within the timeframes required by applicable law:
- GDPR / UK GDPR: within one month (extendable by two further months for complex requests)
- CCPA/CPRA: within 45 days (extendable by an additional 45 days)
- Other jurisdictions: within the timeframes required by applicable law
We may need to verify your identity before processing your request. If We cannot verify your identity, We may request additional information. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
8.8 Withdrawal of Consent and Data Deletion
Where We rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To withdraw consent or request deletion of your personal data:
- Email Us at [email protected] with the subject line "Data Deletion Request" or "Consent Withdrawal"
- Unsubscribe from marketing communications using the link in any marketing email
Upon receiving a verified request, We will delete or anonymise your personal data within 30 days, unless retention is required by law or for the establishment, exercise, or defence of legal claims. Where We have shared your data with third parties, We will notify them of the deletion request.
9. DATA PROCESSED ON BEHALF OF CLIENTS
When Gallyn delivers marketing services on behalf of a client, We typically act as a data processor under applicable data protection laws. In this capacity:
- The client is the data controller and determines the purposes and means of processing
- We process personal data only in accordance with the client's documented instructions and applicable data processing agreements
- We implement appropriate technical and organisational measures to protect the data
- We do not use client data for Our own purposes beyond what is necessary to provide the agreed services
LinkedIn lead data: When We collect leads through LinkedIn Lead Gen Forms on behalf of a client, the lead data is transmitted to the client in accordance with their instructions. Gallyn retains a copy for quality assurance purposes for no longer than 90 days (and in compliance with LinkedIn API data retention requirements as described in Section 4).
If you have questions about how a client uses your personal data, please contact the client directly. If you are uncertain who the relevant controller is, you may contact Us and We will direct your enquiry to the appropriate party.
10. THIRD-PARTY PLATFORM INTEGRATIONS
10.1 LinkedIn
We use LinkedIn's marketing tools and APIs to deliver campaign services, including:
- LinkedIn Campaign Manager — for creating, managing, and reporting on advertising campaigns
- LinkedIn Lead Gen Forms — for collecting lead information from LinkedIn users who interact with sponsored content
- LinkedIn Marketing APIs — for programmatic campaign management and analytics
- LinkedIn Insight Tag — a JavaScript tag placed on Our Website for conversion tracking, retargeting, and website analytics
Data types processed: Campaign performance metrics, lead form submissions (name, email, job title, company, and any custom fields), website interaction data, and audience insights.
How lead data is used: Lead data collected through LinkedIn Lead Gen Forms is transmitted to the relevant client for their sales and marketing follow-up. Gallyn may use the data to provide campaign performance reporting and optimisation recommendations.
API data retention: In compliance with LinkedIn's API Terms of Use, profile data retrieved through LinkedIn APIs is deleted within 24 hours of retrieval, and social activity data is deleted within 48 hours of retrieval. Aggregated, non-personal analytics data may be retained for the duration of the client engagement.
For more information about LinkedIn's data practices, please refer to the LinkedIn Privacy Policy at https://www.linkedin.com/legal/privacy-policy.
10.2 Other Platforms
We may also integrate with other advertising and marketing platforms, including Google Ads, Meta (Facebook/Instagram), and email marketing services. Each platform has its own privacy policy governing how it processes personal data. We encourage you to review the privacy policies of any platforms through which you interact with Our campaigns.
11. DATA SECURITY
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments and monitoring
- Secure data processing agreements with Our service providers
- Employee training on data protection and security practices
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, We will notify the relevant supervisory authority and, where required, affected individuals, in accordance with applicable law.
12. CHILDREN'S PRIVACY
Our Services are directed at businesses and business professionals. We do not knowingly collect personal data from children under the age of 16 (or the applicable age of consent in your jurisdiction). If We become aware that We have collected personal data from a child, We will take steps to delete that data promptly. If you believe We have collected data from a child, please contact Us at [email protected].
13. DO NOT TRACK SIGNALS
Some web browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no universally accepted standard for how websites should respond to DNT signals. At this time, Our Website does not respond to DNT signals. However, you can manage your tracking preferences through the cookie controls described in Section 7.5.
14. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in Our practices, applicable laws, or for other operational, legal, or regulatory reasons. When We make material changes, We will:
- Post the updated policy on Our Website with a revised effective date
- Where required by applicable law, provide additional notice (such as via email) for material changes
We encourage you to review this Privacy Policy periodically. Your continued use of Our Website or Services after any changes indicates your acceptance of the updated policy.
15. CONTACT DETAILS
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about how We handle your personal data, please contact Us:
Gallyn Marketing LLC Website: gallyn.com Email: [email protected]