Privacy Policy

Effective Date: February 11, 2026

Introduction

GDU Labs provides an AI-powered enterprise platform that turns fragmented professional data into verified profiles, making people and company data trustworthy and usable for executive search teams and AI agents.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes GDU Labs’s policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

Data Protection Officer

GDU Labs is headquartered in Chicago, IL, in the United States. GDU Labs has appointed an internal data protection officer for you to contact if you have any questions or concerns about GDU Labs’s personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to GDU Labs’s data protection officer. GDU Labs’s data protection officer’s name and contact information are as follows:

Attn: Data Protection Officer

GDU Labs

33 N Dearborn St

Ste 200

Chicago, IL 60602

privacy@gdulabs.com

How we collect and use (process) your personal information

GDU Labs collects and processes personal information about professionals, website visitors, clients, and client end users. The categories of personal information we process include:

  • Identification data — name, professional headshot or photo (where publicly available)

  • Contact data — work email address, work phone number, work address

  • Professional data — job title, employer name, employment history, education history, skills, certifications, industry, seniority level, and functional role

  • Organizational data — company affiliations, board memberships, organizational relationships, and reporting structures

  • Company data — employer firmographic information such as company size, industry classification, funding history, and location

  • Technical data — internet protocol (IP) address, browser type, operating system, device identifiers, and usage logs collected through our website and services

We process this information to aggregate, enrich, verify, and deliver professional profiles to our clients; to provide data enrichment and search services; to operate and improve our platform; and to comply with our legal obligations.

We provide professional data to our clients as part of the talent intelligence and executive search services they have engaged us to deliver. This sharing is governed by written agreements that define the purpose and scope of use. Outside of this core service, we do not sell personal information and only share it with service providers who assist us in operating our platform.

Sources of personal data

We collect personal data from the following sources:

  • Directly from you — when you visit our website, create an account, or contact us.

  • From our clients — when clients provide data for enrichment, verification, or integration with our platform.

  • From third-party data providers — we procure professional and company data from licensed third-party data providers, including providers of business contact information, company firmographic data, and professional profile data. These providers represent that they have collected the data lawfully, and we use it in accordance with the terms of our agreements with them and applicable law.

  • From publicly available sources — we may collect professional data from publicly available sources, including professional networking sites, public company filings, and other publicly accessible professional information, either via direct access to said sources or through browser extensions.

Use of the GDU Labs Website

As is true of most other websites, GDU Labs’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of GDU Labs’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

GDU Labs has a legitimate interest in understanding how members, customers and potential customers use its website. This assists GDU Labs with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

Cookies and tracking technologies

GDU Labs's website uses cookies and similar tracking technologies to operate the site, analyze usage, and improve your experience. You can control cookie preferences through your browser settings. We use essential cookies required for site functionality and may use analytics cookies to understand how visitors interact with our website.

Use of the GDU Labs platform and services

Global talent data platform

GDU Labs operates a platform that aggregates professional data from multiple sources, enriches and verifies that data, and makes it available to enterprise clients in the form of structured, trustworthy professional profiles. This processing includes matching, deduplication, data quality scoring, and profile assembly.

Categories of individuals: Business professionals, executives, and other individuals whose professional information is available from our data sources.

GDU Labs and its clients have a legitimate interest in maintaining accurate, up-to-date professional data to support executive search, talent intelligence, and related business purposes. We have assessed that this interest is not overridden by the rights of the individuals concerned, particularly given that the data processed is professional in nature and the processing is consistent with reasonable expectations for business professionals.

Client data processing

When clients provide data to GDU Labs for enrichment, verification, or integration, we process that data on behalf of and at the direction of the client. In these cases, the client is the data controller and GDU Labs acts as a data processor. The processing is governed by a Data Processing Agreement between GDU Labs and the client. In certain engagements, both GDU Labs and the client act as independent data controllers, as defined in the applicable Data Processing Agreement.

For enterprise clients, we may maintain tenant-isolated environments to ensure that client data is logically separated from other clients' data and from GDU Labs's general data assets.

When GDU Labs processes personal data in connection with services provided to enterprise clients, the processing is governed by a written agreement between GDU Labs and the client, which may include a Data Processing Agreement that defines the roles, purposes, security requirements, and data subject rights procedures applicable to that engagement. In some engagements, GDU Labs and the client each act as independent data controllers; in others, GDU Labs acts as a data processor on behalf of the client. The specific arrangement is defined in the applicable agreement. Where the terms of a Data Processing Agreement impose requirements that are more specific or more protective than this Privacy Policy, the Data Processing Agreement governs the processing of personal data in connection with those services.

Third-party data procurement

GDU Labs procures professional and company data from licensed third-party data providers to build and maintain our talent data platform. We require our data providers to represent that data has been collected lawfully and in accordance with applicable data protection regulations.


GDU Labs has a legitimate interest in procuring professional data from reputable providers to deliver accurate talent intelligence services. We have conducted a balancing assessment and determined that this interest is not overridden by the rights of the individuals concerned, given the professional nature of the data and the availability of opt-out mechanisms.

AI and automated processing

GDU Labs uses artificial intelligence and machine learning technologies as part of its platform to enrich, verify, and structure professional data. Specifically, AI is, or may in the future be, used to:

  • Match and deduplicate records across data sources

  • Verify and validate professional information

  • Generate structured profile summaries from unstructured data

  • Improve data quality and completeness

No automated decision-making with legal effect. GDU Labs does not use automated processing, including profiling, to make decisions that produce legal effects or similarly significant effects on individuals. Our AI processing is used to improve the quality and structure of professional data, not to make decisions about individuals' access to services, employment, credit, or other matters of legal significance.

AI provider data controls. GDU Labs maintains contractual and technical controls with its AI infrastructure providers to ensure that personal data submitted for AI processing is not retained beyond transient processing and is not used for model training. These controls include zero-retention API configurations and written contractual terms prohibiting the use of inputs or outputs for training purposes.

Human oversight. Client users of the GDU Labs platform exercise human judgment when using the professional profiles and data we provide. Our platform is a tool that supports, rather than replaces, human decision-making.

When and how we share information with third parties

GDU Labs shares personal data with third parties only in the following circumstances:

Service providers and subprocessors. We engage third-party service providers who process personal data on our behalf to deliver our services. These providers are contractually required to process data only for the purposes we specify and to maintain appropriate security measures. Our service providers fall into the following categories:

  • Cloud infrastructure and hosting providers

  • Authentication and identity providers

  • AI inference providers

  • Observability and monitoring tools

  • Data storage and database services

Clients. We share enriched professional data with our clients as part of the services they have engaged us to provide.

Legal and compliance. We may disclose personal data if required by law, regulation, legal process, or governmental request, or to enforce our agreements, protect our rights, property, or safety, or the rights, property, or safety of others.

Business transfers. In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as part of that transaction.

We do not otherwise reveal your personal data to non-GDU Labs persons or businesses for their independent use.

We may gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to partners, service providers, or other third parties for analytical or promotional purposes.

Subprocessors

GDU Labs maintains a list of subprocessors who process personal data on our behalf. This list includes the subprocessor name, purpose of processing, and location.

Our current list of subprocessors is available in our Trust Center at trust.gdulabs.com.

For enterprise clients subject to a Data Processing Agreement, changes to subprocessors are subject to prior written notification and, where contractually required, prior written approval. If you would like to be notified of changes to our subprocessor list, please contact us at privacy@gdulabs.com.

Transferring personal data to the U.S.

GDU Labs has its headquarters in the United States. Information we collect about you may be processed in the United States. By using GDU Labs’s services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, GDU Labs is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.

Depending on the circumstance, GDU Labs also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of GDU Labs in a manner that does not outweigh your rights and freedoms. GDU Labs endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with GDU Labs and the practices described in this Privacy Statement. GDU Labs also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, GDU Labs has received zero government requests for information.

For more information or if you have any questions, please contact us at privacy@gdulabs.com

Data Subject rights

The European Union’s General Data Protection Regulation (GDPR) and other countries’ privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restrict processing

  • Right of data portability

  • Right to object

  • Rights related to automated decision making including profiling


This Privacy Policy is intended to provide you with information about what personal data GDU Labs collects about you and how it is used. 


If you wish to confirm that GDU Labs is processing your personal data, or to have access to the personal data GDU Labs may have about you, please contact us.


You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside GDU Labs might have received the data from GDU Labs; what the source of the information was (if you didn’t provide it directly to GDU Labs); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by GDU Labs if it is inaccurate. You may request that GDU Labs erase that data or cease processing it, subject to certain exceptions. You may also request that GDU Labs cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how GDU Labs processes your personal data. When technically feasible, GDU Labs will—at your request—provide your personal data to you.


Right to object to legitimate interests processing. Where we process your personal data based on legitimate interests, you have the right to object to that processing. If you object, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.


Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, GDU Labs will provide you with a date when the information will be provided. If for some reason access is denied, GDU Labs will provide an explanation as to why access has been denied.


To exercise your rights, please contact us at privacy@gdulabs.com. We will respond to your request within 30 days.


For questions or complaints concerning the processing of your personal data, you can email us at privacy@gdulabs.com. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or with your nation's data protection authority.

Your California privacy rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected your personal information, our business purpose for collecting your personal information, and the categories of third parties with whom we share your personal information.

Right to delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.

Right to correct. You have the right to request that we correct inaccurate personal information we maintain about you.

Right to opt-out. You have the right to opt out of the sale or sharing of your personal information. GDU Labs does not sell personal information as defined by the CCPA. If this changes, we will update this notice and provide an opt-out mechanism.

Non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To exercise your California privacy rights, please contact us at privacy@gdulabs.com.

Security of your information

GDU Labs takes the security of your personal data seriously and implements appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption. We encrypt personal data in transit using TLS and at rest using industry-standard encryption.

Access controls. We enforce role-based access controls, require strong authentication for all platform access, and support single sign-on (SSO) integration for enterprise clients.

Infrastructure isolation. For enterprise clients, we maintain tenant-isolated infrastructure to ensure logical separation of client data.

Monitoring and logging. We maintain audit logs of administrative actions, data access, exports, and access denials. We use monitoring tools to detect and respond to security incidents.

Security assessments. We conduct regular security assessments, including annual independent penetration testing, and maintain a vulnerability management program with defined remediation timelines.


Incident response. We maintain an incident response plan and will notify affected individuals and relevant authorities of qualifying data breaches within the timeframes required by applicable law.


No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

Data storage and retention

Your personal data is stored by GDU Labs on its servers and on the servers of the cloud-based services GDU Labs engages. Depending on the service and the applicable client agreement, data may be stored in the United States, the European Union, or other regions. Where a client agreement specifies data residency requirements, GDU Labs maintains infrastructure in the designated region to meet those obligations.


GDU Labs retains service data for the duration of the customer's business relationship with GDU Labs and for a period of time thereafter as governed by the applicable Data Processing Agreement, to analyze the data for GDU Labs's own operations, and for historical and archiving purposes associated with GDU Labs's services. GDU Labs retains prospect data until such time as it no longer has business value and is purged from GDU Labs systems. All personal data that GDU Labs controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: privacy@gdulabs.com.

Children’s data

We do not knowingly attempt to solicit or receive information from children. Our services are directed at business professionals and are not intended for use by anyone under the age of 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this policy and, where appropriate, notify you by email or through a notice on our website. We encourage you to review this policy periodically.

Questions, concerns or complaints

If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at:


GDU Labs

33 N Dearborn St

Ste 200

Chicago, IL 60602

privacy@gdulabs.com