PRIVACY POLICY

GRAYS™ Strategy LLC

Last Updated: March 25, 2026

GRAYS™ Strategy does not collect, sell, or monetize visitor information. This site exists to communicate — not to gather. What little data passes through it is handled with the same discretion we bring to every client engagement.

Introduction

GRAYS™ Strategy LLC (“we,” “us,” “our”) operates the website graysstrategy.com (the “Website”). This Privacy Policy explains how we collect, use, disclose, and protect information when you visit our Website or contact us.

By using our Website, you consent to the practices described in this Privacy Policy.

GRAYS™ Strategy LLC is a Wyoming limited liability company providing strategic consulting services to healthcare organizations. This Privacy Policy applies only to information collected through our Website.

Information We Collect

We collect limited information necessary to respond to inquiries and improve our Website.

INFORMATION YOU PROVIDE DIRECTLY

When you contact us via email at info@graysstrategy.com, we receive:

• Your email address

• Your message content

• Any information you choose to include in your email (such as name, organization, role)

Providing this information is voluntary. You may choose not to contact us if you prefer not to share this information.

INFORMATION COLLECTED AUTOMATICALLY

When you visit our Website, we automatically collect certain information through cookies and analytics:

• Device information (browser type, operating system, device type)

• Usage information (pages visited, time spent on site, navigation paths)

• Geographic location (city and state level, not precise location)

• Traffic source (how you found our Website)

• IP address (anonymized)

This information is collected through Google Analytics and does not personally identify you.

How We Use Your Information

We use the information we collect for the following purposes:

EMAIL INQUIRIES

• To respond to your inquiries

• To provide information about our services

• To schedule consultations or discovery calls

• To pursue legitimate business development activities

WEBSITE ANALYTICS

• To understand how visitors use our Website

• To improve Website functionality and user experience

• To analyze traffic patterns and content engagement

• To optimize Website performance

We do NOT use your information for:

• Marketing to third parties

• Selling or renting your personal information

• Targeted advertising

• Purposes unrelated to our consulting services

Third-Party Services

We use the following third-party services that may process your information:

GOOGLE ANALYTICS (Analytics Provider)

• Purpose: Website traffic analysis and performance monitoring

• Data collected: Anonymous usage data (see “Information Collected Automatically” above)

• Privacy Policy: https://policies.google.com/privacy

We have configured Google Analytics with privacy-focused settings:

• IP anonymization enabled

• Data retention set to 14 months

• Advertising features disabled

• Google Signals disabled

SITEGROUND (Website Hosting)

Purpose: Website hosting, content delivery, and security

Data collected: Technical logs, IP addresses for service delivery

MICROSOFT 365 (Email Service)

Purpose: Receiving and managing email inquiries sent to info@graysstrategy.com, privacy@graysstrategy.com, and accessibility@graysstrategy.com

• Data collected: Email content you send to us

• Privacy Policy: https://privacy.microsoft.com/privacystatement

These third-party services maintain their own data protection practices. We are not responsible for their privacy practices. We encourage you to review their privacy policies.

EMAIL SECURITY AND LIMITATIONS

When you send email to info@graysstrategy.com, privacy@graysstrategy.com, or accessibility@graysstrategy.com:

• Your email is transmitted using your email provider’s infrastructure

• We receive your email via Microsoft 365

• Email security depends on both your email provider and our email service

• We cannot guarantee the security of information sent via standard email

• Email is not encrypted end-to-end unless you use encrypted email services

We are not responsible for the security practices of your email provider or the transmission of email over the internet.

The Website contains direct email links and contact buttons. Use of these links does not guarantee that you will have read the HIPAA notice below. Do not include PHI in any email to us under any circumstances. HIPAA-compliant communication channels will be established through formal engagement agreements before any PHI is discussed.

Cookies and Tracking Technologies

Our Website uses cookies to collect the automatic information described above.

WHAT ARE COOKIES?

Cookies are small text files stored on your device that help websites function and analyze usage.

COOKIES WE USE

Analytics Cookies (Google Analytics):

• Collect anonymous usage data

• Help us understand how visitors use our Website

• Can be disabled through browser settings or by enabling Do Not Track

We do NOT use:

• Advertising cookies

• Social media tracking cookies

• Third-party marketing cookies

DO NOT TRACK

Our systems recognize browser “do-not-track” requests. You may enable Do Not Track in your browser settings to prevent analytics tracking.

MANAGING COOKIES

You can control cookies through your browser settings. However, disabling cookies may affect Website functionality.

Browser instructions:

• Chrome: Settings > Privacy and Security > Cookies

• Firefox: Settings > Privacy & Security > Cookies and Site Data

• Safari: Preferences > Privacy > Cookies and Website Data

• Edge: Settings > Privacy, Search, and Services > Cookies

COOKIE NOTICE

When you first visit our Website, you will see a simple cookie notice:

“This site uses cookies to analyze site traffic and improve your experience. By continuing to use this site, you consent to our use of cookies. Learn more in our Privacy Policy.”

You may dismiss this notice. It will not reappear once dismissed.

Data Security

We implement reasonable security measures to protect your information from unauthorized access, use, alteration, or disclosure.

TECHNICAL MEASURES

• SSL/TLS encryption for all data transmission (HTTPS)

• Secure website hosting with industry-standard protections

• Secure email transmission using encrypted channels

• No storage of data on unsecured systems

• Regular security updates and monitoring

ACCESS CONTROLS

• Limited access to email inquiries

• Secure email transmission using Microsoft 365

• No storage of information on unsecured systems

SECURITY LIMITATIONS

No method of transmission over the internet or electronic storage is 100% secure. While we maintain commercially reasonable safeguards, we cannot guarantee absolute security.

EMAIL SECURITY CONSIDERATIONS

Standard email is not encrypted end-to-end. When you email us:

• Your email provider’s security practices apply to transmission

• Our email service (Microsoft 365) applies its security practices to storage

• We cannot control security of email in transit over the internet

• For sensitive communications, we recommend waiting until formal engagement begins and secure communication channels are established

DATA BREACH NOTIFICATION

In the event of a data breach affecting your personal information, we will notify you within 30 days via email and provide information about the nature of the breach and steps we are taking to address it.

Data Retention

We retain your information only as long as necessary for legitimate business purposes.

EMAIL INQUIRIES (Prospects)

We retain email inquiries for up to 2 years unless an active business relationship exists. After 2 years, if no engagement has materialized, we delete the information.

You may request earlier deletion at any time (see “Your Privacy Rights” below).

ACTIVE CLIENT RELATIONSHIPS

For clients with whom we have executed service agreements, we retain contact information and project records for the duration of the engagement plus 7 years thereafter.

This retention period is:

• Required for professional liability and contractual obligations

• Necessary for tax and legal compliance

• Consistent with professional services industry standards

WEBSITE ANALYTICS DATA

Google Analytics data is retained for 14 months and then automatically deleted. This data contains no personally identifiable information.

RETENTION FLEXIBILITY

We may retain data longer when required for legal compliance, dispute resolution, or legitimate business purposes.

We periodically review and delete data that is no longer necessary.

Children’s Privacy

Our Website and services are not directed to individuals under the age of 18.

We do not knowingly collect personal information from anyone under 18 years of age.

If you are under 18, do not use this Website or submit any information through email.

If we become aware that we have collected information from a person under 18, we will delete that information immediately.

Parents or guardians who believe we may have collected information from someone under 18 should contact us at info@graysstrategy.com.

HIPAA Compliance — Important Notice

⚠️ CRITICAL: Standard email is NOT HIPAA-compliant.

DO NOT INCLUDE THE FOLLOWING IN EMAILS TO info@graysstrategy.com, privacy@graysstrategy.com, or accessibility@graysstrategy.com:

• Protected Health Information (PHI)

• Patient names, medical record numbers, or identifiers

• Diagnoses, treatment information, or health conditions

• Any information subject to HIPAA privacy rules

IF YOUR INQUIRY INVOLVES PHI OR REQUIRES HIPAA-SECURE COMMUNICATION:

• Indicate this need in your message WITHOUT including any PHI

• We will provide secure communication channels after initial contact

• All PHI discussions will occur through HIPAA-compliant platforms after appropriate agreements are in place

OUR SERVICES

GRAYS™ Strategy LLC provides strategic consulting services to healthcare organizations. We do not provide direct patient care or services requiring HIPAA business associate agreements unless explicitly contracted.

Your Privacy Rights

CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA).

RIGHT TO KNOW

You have the right to request:

• Categories of personal information we collected about you

• Specific pieces of personal information we hold about you

• Purposes for which we use your personal information

• Categories of third parties with whom we share information

RIGHT TO DELETE

You have the right to request deletion of personal information we collected from you, subject to certain exceptions for legal obligations and legitimate business purposes.

RIGHT TO CORRECT

You have the right to request correction of inaccurate personal information.

RIGHT TO OPT-OUT

We do NOT sell personal information.

We do NOT share personal information for cross-context behavioral advertising.

RIGHT TO NON-DISCRIMINATION

We will not discriminate against you for exercising your CCPA rights.

CATEGORIES OF PERSONAL INFORMATION WE COLLECT (CCPA)

EMAIL CONTACT INFORMATION

• Email address, name (if provided), organization (if provided), role/title (if provided), message content

• Collected directly from you via email

• Used to respond to inquiries and pursue business development

• Shared with: Microsoft 365 (email service)

INTERNET/NETWORK ACTIVITY

• Pages visited, time on site, navigation paths, referral source, IP address (anonymized)

• Collected automatically via Google Analytics

• Used to analyze Website usage and improve services

• Shared with: Google Analytics, SiteGround (hosting)

We do NOT collect: Social security numbers, financial information, medical information, biometric data, geolocation data (precise), or other sensitive personal information.

HOW TO EXERCISE YOUR CALIFORNIA RIGHTS

To exercise your rights under CCPA, contact us at:

Email: privacy@graysstrategy.com

Subject line: “CCPA Privacy Rights Request”

We will respond to verified requests within 45 days.

To verify your identity, we may request additional information to confirm you are the person about whom we collected data.

ALL USERS (REGARDLESS OF LOCATION)

All users have the following rights:

RIGHT TO ACCESS

Request information about what personal data we hold about you.

RIGHT TO CORRECTION

Request correction of inaccurate information.

RIGHT TO DELETION

Request deletion of your information (subject to legal retention requirements).

RIGHT TO OPT-OUT OF COMMUNICATIONS

Opt out of future communications from us.

HOW TO EXERCISE YOUR RIGHTS

Subject line: “Privacy Rights Request”

We will respond within 10 business days.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations.

WHEN WE MAKE CHANGES:

• We will update the “Last Updated” date at the top of this policy

• Material changes will be indicated with a notice on our Website

• Continued use of our Website after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

GRAYS™ Strategy LLC

Email: privacy@graysstrategy.com

Website: www.graysstrategy.com

For privacy-specific inquiries, use subject line: “Privacy Inquiry”

We will respond to privacy inquiries within 10 business days.

Consent

By using our Website and contacting us via email, you acknowledge that you have read, understood, and agree to this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use our Website or contact us via email.