Global Health Bond Exchange (GLOHBX) — Privacy Policy
Effective date: [October __, 2025]
This Privacy Policy explains how the Global Health Bond Exchange (“GLOHBX”) and its African demonstration (“AHBX”) collect, use, and share information when you visit our websites, interact with our forms, and use embedded dashboards (collectively, the “Services”). This Policy is tailored to the Phase‑1 MVP described in our implementation plan.
1. Who we are
Controller: Global Health Catalyst (operating the Global Health Bond Exchange).
2. What we collect
A) Information you provide:
• Contact details via forms (name, email, organization, role, country, stakeholder type, areas of interest).
• Optional messages and attachments you submit through contact or partner‑intake forms.
B) Automatically collected:
• Usage data (pages viewed, referrer, device/browser, time on page) via Google Analytics 4 (GA4).
• Marketing analytics via LinkedIn Insight Tag (page visits, campaign attribution).
• Cookies and similar technologies as described in Section 9.
C) Dashboard data:
• The public MVP shows aggregated, non‑patient‑identifiable KPIs (e.g., early detection %, equipment uptime). No patient‑level data is collected or displayed. Future phases may add authenticated access for additional data—those features will be covered by an updated policy.
3. Legal bases (where applicable)
• Consent: newsletter sign‑ups and marketing communications.
• Contract/Pre‑contractual steps: responding to your requests (e.g., partner intake, provider onboarding interest).
• Legitimate interests: operating and improving the Services, security, analytics, and preventing abuse.
• Legal obligations: complying with applicable laws and requests from competent authorities.
4. How we use information
• To respond to inquiries and manage stakeholder engagement (partners, providers, philanthropies, diaspora).
• To operate newsletters and event communications (webinars, updates).
• To maintain and improve the website, measure performance, and detect fraud or abuse.
• To produce aggregated, de‑identified insights (e.g., engagement statistics).
5. Sharing & processors
We use service providers to operate the Services. Typical processors in the Phase‑1 MVP include:
• Web hosting/CMS: Webflow (website), Vercel (dashboard app).
• CDN & security: Cloudflare.
• Analytics/attribution: Google Analytics 4 (GA4), LinkedIn Insight Tag.
• CRM & email: Mailchimp and/or HubSpot.
We require processors to handle personal data under appropriate contractual safeguards. We do not sell personal data.
6. International data transfers
Your data may be processed in countries outside your own. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) and assess risk in line with applicable law.
7. Data retention
• Contact/CRM data: retained while there is an active relationship or reasonable prospect of engagement, then archived or deleted after [24 months] of inactivity.
• Analytics data: retained per provider defaults (e.g., GA4).
• Communications: retained as necessary to demonstrate compliance and manage requests.
8. Your rights
Depending on your jurisdiction (e.g., GDPR/UK GDPR/CCPA/CPRA), you may have rights to access, correct, delete, or port your data; to object or restrict certain processing; and to withdraw consent for marketing at any time. To exercise rights, email [privacy@glohbx.org]. You can also opt out of non‑essential cookies and marketing communications using provided links.
9. Cookies & tracking
• Essential cookies: required for site functionality and security (cannot be disabled).
• Analytics cookies: GA4 helps us understand usage. You can opt out via our cookie banner or browser settings.
• Advertising/attribution tags: LinkedIn Insight Tag may attribute visits to campaigns; you can opt out via our cookie banner and LinkedIn settings.
• Do Not Track: we honor legally required signals where supported (e.g., Global Privacy Control).
10. Security
We use industry‑standard safeguards (encryption in transit, WAF, role‑based access, least privilege). No method of transmission is 100% secure; please use caution when sending information online.
11. Children’s privacy
The Services are not directed to children under 16, and we do not knowingly collect their personal data.
12. Third‑party links
Our Services may link to third‑party sites. We are not responsible for their privacy practices.
13. Changes to this Policy
We may update this Policy. The “Effective date” will indicate the latest revision. Material changes will be communicated through the Services or by email where appropriate.
14. Contact
Questions or requests: [privacy@glohbx.finance].