Data Privacy & Compliance Statement

Last Updated: October 28, 2025

Our Commitment

Naylor Association Solutions is committed to protecting the personal data of members, associations, and users across all our digital platforms. We base our program on the requirements outlined in the General Data Protection Regulation (GDPR), as described in our published GDPR Approach & FAQs (May 2018), and extend those principles to U.S. privacy frameworks including the California Consumer Privacy Act (CCPA) and other evolving state privacy laws.

 

Key Principles

Roles & Responsibilities
As confirmed in our GDPR FAQ, Naylor acts primarily as a data processor on behalf of our client associations, who remain the data controllers. We process data only under their instructions, ensuring contractual safeguards are in place.

Consent & Communications
We honor the GDPR standard of explicit, affirmative consent for email and marketing communications. In practice, this means no pre-checked boxes and no marketing outreach to EU citizens without proper consent (see GDPR FAQ, “Email Marketing” section).

Individual Rights
We uphold the GDPR’s user rights, including the right to access, correct, delete (erasure), restrict processing, and obtain portable copies of personal data. As stated in our FAQ, Naylor responds to requests within legally defined timeframes (typically within one month), recognizing that some data may be obfuscated rather than fully erased if legal or contractual obligations require retention.

Data Minimization & Retention
Consistent with our FAQ, we maintain defined retention cycles for different systems (e.g., career centers, AMS, communications platforms), balancing operational needs with the GDPR’s principle of data minimization.

Cross-Border Transfers
Our FAQ notes that EU personal data may be processed in U.S. and Canadian data centers (TierPoint and Winnipeg facilities). Where cross-border transfers occur, we rely on Standard Contractual Clauses (SCCs) and other safeguards to ensure equivalent levels of protection.

Cookie & Tracking Consent
In line with GDPR guidance, our systems implement cookie consent banners or forced opt-in modals before activating analytics or tracking tools (FAQ: “Cookie Consent”).

Transparency & Third-Party Vendors
We work with our association clients to ensure privacy policies disclose how data is shared with third parties. Contracts with our vendors require them to maintain privacy and security standards comparable to our own.

CCPA & U.S. State Privacy Laws
In addition to GDPR, Naylor extends privacy principles to cover U.S. state laws, including the CCPA. We provide opt-out mechanisms for data “sales” as defined by California law, honor deletion and disclosure requests, and support evolving U.S. privacy standards.

Governance & Continuous Improvement
While the 2018 FAQ established baseline GDPR compliance, we recognize that privacy expectations continue to evolve. Naylor maintains an internal privacy governance program, conducts periodic reviews, and updates policies and processes to align with current regulations and best practices.

 

Limitations & Exceptions

As noted in the GDPR FAQ, full deletion may not always be feasible due to legal retention requirements (e.g., financial records). In such cases, data may be obfuscated or access-restricted rather than purged, ensuring risks are minimized while obligations are met.

 

Feedback & Contact

For questions about data privacy, or to exercise your rights under GDPR, CCPA, or other applicable laws, please contact us at:

Email:
[email protected] (This email address is also appropriate for individuals wanting more information about their rights under the CCPA.)

Phone:
800-369-6220

Mailing Address:
Naylor Association Solutions
1430 Spring Hill Road, 6th Floor
McLean, VA 22102
