Legal

Privacy Notice

This Privacy Notice ("Notice") describes how each of KBRA Holdings, LLC and its affiliates and/or subsidiaries (collectively, "KBRA", "we", "our" or "us") collect, use, process and disclose personal data about you as a data controller.

If you are a resident of California, please see the section California Notice at Collection and Privacy Rights for information about categories of "personal information" that we collect and your rights under California privacy laws.

Table of Contents

1.
Scope of this Notice

Except as otherwise described below, this Notice describes the Personal Data that KBRA collects, uses processes and discloses related to:

  1. Clients: when you use or access to the services, features, content or applications we offer, including but not limited to any credit rating, other permissible service, research or press release (the "Services"), through our websites (individually and collectively, the "Website"), or by any other means or when your data is provided to us by a third party in connection with the provision of any of our Services;
  2. Event Attendees: when you register for, speak at or attend events which we host or sponsor;
  3. Vendors: when you tender for, provide services to or are employed or engaged by a third party tendering to provide goods or services to KBRA including where you or your employer provide(s) services to us;
  4. Other Parties: when we interact with you in the course of our business or you access our services or other content when made available through third-party channels; and/or
  5. Applicants: when you apply for a job with KBRA.

This Notice also sets out certain data subject rights and our obligations under applicable privacy laws.

2.
What Data Does This Notice Cover

This Notice covers any data relating to an individual who can be identified directly from that data or indirectly in conjunction with other information ("Personal Data"), that we process in relation to the Services and includes "personal information", as such term is defined under the California Consumer Privacy Act of 2018 ("CCPA") (Civil Code § 1798.100) (as amended or supplemented from time to time), "private information", as such term is defined under the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") (N.Y. Gen. Bus. L. §899-bb), and "personal data", as such term is defined under the European Union General Data Protection Regulation (EU) 2016/679 and the United Kingdom General Data Protection Regulation.

3.
How We Collect Your Personal Data

We receive your Personal Data from various sources, including without limitation: (i) if you register for the Website and the Services, through your user account on the Services (your "Account"); (ii) your use of the Services generally; (iii) your purchase of any of the Services; (iv) your or your employer's contact and/or communication with any of our employees either in relation to our Services or services which are to be provided to KBRA; (v) from you directly when you register or attend an event which we sponsor or host or when you share your contact details with one of our employees at events which we both attend; (vi) from you directly when you apply for a job with us (or from a recruiter where they contact us on your behalf) or where you send communications to our employees; (vii) from publicly accessible sources where relevant to the provision of our Services; and (viii) from third-party websites and services including data analytics providers and data brokers.

For details on the data controller of your Personal Data, please see the section entitled Data Controller Information below.

4.
What Personal Data Do We Collect and What Do We Use It For?

Account Information

When you create an account for the Services ("Account"), you will need to provide information such as your username, password and email address and we will associate a unique user ID with your account. We may use your contact information to: (i) send you information about our Services; (ii) send you marketing information; (iii) invite you to conferences or events; (iv) request meetings with you; (v) evaluate your use of the Services; and (vi) add you to internal contact and distribution lists. We may contact you when we believe it is necessary, such as for account recovery purposes. You may unsubscribe from marketing messages at any time through your Account settings, via the "unsubscribe" link in an email we have sent you, or by emailing [email protected].

Information Collected Automatically

Due to how the internet operates, when you visit any of our Websites, we automatically receive and record information from your web browser when you interact with it and the Services, including your IP address, type, version and settings of your browser and device type.

We then use that information to provide the Services to you and from that information, we use your IP address, type, version and settings of your browser and device type for the following additional purposes:

(i) fight spam/malware; (ii) facilitate the collection of data concerning your interaction with the Services (e.g., which links you have clicked on or how many articles you have downloaded); (iii) prevent and identifying unauthorized access to and use of the Services; (iv) track overall website usage; and (v) seek to recognize certain browser signals. We collect usage information, such as the number and frequency of visitors to the Services. We may use this data in aggregate form, that is, as a statistical measure. This type of aggregate data collection enables us and third parties authorized by us to better understand and operate the Services, such as by helping us figure out how often individuals use parts of the Services so that we can analyze and improve them. Where permitted by applicable law, we may also collect data regarding individuals' accessing of the Services for sales and marketing purposes.

We use that data for our legitimate interest in managing our business including protecting and improving our Services, protecting your account and account details, and to comply with applicable laws and regulations.

Communications and Monitoring

We monitor the use of our IT and devices connecting to KBRA systems. We monitor and store communications sent to or from us and any of our employees, including emails and text messages sent and received by our corporate phones and devices, and on any KBRA instances of applications. In limited circumstances, in accordance with our policies and procedures, we may also review and retain copies of electronic business communications which have been sent to, or received from you by any of our employees on their personal devices. We do this (a) to comply with legal and regulatory obligations (including, as applicable, (1) monitoring and reporting on compliance by employees with the Credit Rating Agency Regulations 2009 (CRAR) and CRAR as adopted by the UK pursuant to Credit Rating Agencies (Amendment etc.) (EU Exit) Regulations 2019 (UK CRAR); and (2) keeping records of electronic communications received and sent by KBRA and its employees) as required by the CRAR and UK CRAR, and (b) for our legitimate interest in managing our business including legal, personnel, administrative and management purposes, to protect our systems, information and property, for the purposes of monitoring and evidencing discussions in relation to business activities, including to avoid non-compliance with legal and regulatory rules and obligations outside of the EU/UK (as applicable) including in the United States and other jurisdictions in which we operate, and for the prevention and detection of crime. Where we send you subscriber marketing or promotional e-mails regarding our products or services from our different divisions and affiliates, we do so based on your consent, if required by applicable law, which you may withdraw at any time. When you subscribe to alerts emails, we may also send you emails about our and/or KBRA affiliates events, services and products.

Unsubscribing from emails

If you wish to opt-out of receiving marketing or alert subscription emails from us, please update your preferences at https://www.kbra.com/account-preferences or click the link in the email footer at any time and delete any emails that you have received from us. You can also unsubscribe at any time by contacting us at [email protected].

Information Collected Using Cookies and Tracking Technologies

With your consent, in alerts emails and any marketing emails you have subscribed to, or webforms relating to any of events we host or sponsor which you RSVP to, we use tracking pixels. With your consent, in alerts emails and any marketing emails you have subscribed to, or webforms relating to any of events we host or sponsor which you RSVP to, we use tracking pixels. We use these to improve the effectiveness of our emails. To do this, we review the data collected to see which emails were opened or forwarded and whether the links were clicked, to understand how many recipients were interested in the content. We can then provide more tailored content/event invitations to subscribers based off their positive interaction with similar content. We identify if the email was presented appropriately for browsers of the majority of devices used to view our emails and visit our Websites. The lawful basis for this processing is your consent, which you may withdraw at any time, and our legitimate interest in maintaining, operating and improving our emails using optimal presentation; (ii) providing our services to recipients and subscribers; and (iii) managing and improving our business and services by understanding which marketing campaigns, events and alerts were more successful or of interest to recipients, provided such interests are not overridden by the rights and interests of the data subjects concerned.

We also use cookies and tracking technologies on our websites. As part of our compliance with applicable laws, we use a cookie consent platform on our Websites. When you set or update your preferences, we record the date and time, your confirmed preferences and a unique ID associated with your device. We aggregate the data of all users who set their consent preferences, so that we can confirm that the cookie consent platform is working correctly.

For more information of the cookies we use, their purposes and the lawful basis for the processing of your personal data when using those cookies and tracking technologies, please see our Cookie Policyhere.

User Generated Data

Data generated by you in your use of the Services and your Account settings will be visible to necessary KBRA employees and will remain visible to such employees until you disable your Account.

Service Providers/Consultants

In respect of employees or representatives of our service providers, vendors, consultants or in respect of sole traders, we process contact/identifying details, including name, address, payment details, and when relevant to the services being provided, residential status/work authorization status, relevant work experience, service description and services provided and leave data. We process this data to select service providers, vendors, consultants, manage the receipt of the services, communicate with you and review the performance of services. We also process your personal data as it relates to your access to our premises, systems and devices including surveillance footage and audio captured through the legitimate use of surveillance cameras, system and login and access records, download and print records, and where you use a KBRA device to provide services, by remote wiping of emails and forced lock code setting of KBRA-issued mobile phones if the device has been lost or stolen, and where you use, access or interact with us over our systems, to monitor use of IT and communications in accordance with our policies and procedures we monitor and retain communications as further described above in the section entitled Communications and Monitoring.

Data from Third-Party Sources Who Make our Content Available

We receive data from certain third-party sources when you access our Services on their websites, or as part of their services. The data we receive is your name, city, state and country and a unique identifier associated with you and your company. We use this data to understand engagement with our content on that third-party service, such as the authentic view count and the regions where readers are based, so that we can improve and develop our business and provide content that is of most interest.

Planning and Managing Events

We may use the personal information we collect for event and webinar planning, and other management-related purposes, such as registration, attendance, connecting you with other event attendees, and contacting you about relevant events and Services.

Security and Protection of Rights

We may use the personal information we collect to protect the Services and our business operations, and to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use.

General Business and Operational Support

We may use the personal information that we collect to assess and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and to administer our business, accounting, auditing, compliance, recordkeeping, and legal functions.

Surveys, Market Research and Customer Satisfaction

We may use the personal information we collect to administer surveys, such as for market research, customer satisfaction purposes or improving our events, products and Services, to conduct statistical and data analytics, and for other similar purposes.

5.
Automated Decision Making

We use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. Subject to applicable laws, we may then use this information to contact you about these services.

6.
Where Is My Personal Data Stored

As a global business, the information that we collect from you may be transferred to, and stored at, any of our locations which may be inside or outside the European Economic Area or United Kingdom including, in particular, the United States for the purposes described above. Our primary servers are in the United States. Some countries may not provide an adequate level of protection in relation to processing your data. We also store some data in paper form.

We have in place requirements relating to such international data transfers, for transfers both: (i) among our legal entities; and (ii) to third parties. We use specific contractual clauses designed to cause those third parties to respect the confidentiality of your Personal Data and use it only in connection with providing their services to us and in compliance with applicable data privacy laws. Please contact us at [email protected] if you wish to obtain information concerning such safeguards.

We will not retain your Personal Data for longer than is necessary for the purposes for which it was collected, or as otherwise disclosed to you at the time of collection, as required by law, and for the exercise or defense of any legal claims.

7.
How, and With Whom, Is My Personal Data Shared

Some of the information collected through or in connection with the Services is shared with third parties.

Downloading CUSIP Data

When you register for an Account, you accept additional terms which constitute an agreement with CUSIP Global Services ("CGS") on behalf of the American Bankers Association. You acknowledge therein that the following information will be provided to CGS in connection with your download of any CUSIP data: your username, firm name downloaded by you, email address and IP address. This information will be used for purposes of monitoring compliance with your agreement with CGS and will be stored securely in the United States. It may be reviewed and corrected by contacting [email protected]. For additional information about CUSIP customer privacy practices, please visit www.CUSIP.com.

Websites Hosted by Squarespace

Some of our Websites are hosted via Squarespace, and for such Websites your Personal Data is processed by Squarespace, including for protection and improvement of Squarespace's services, as further described in Squarespace's Privacy Policy.

IP Address Information

While we collect and store IP address information, that information is not made public. We do at times, however, share this information with third parties that provide us with certain services (each a "Service Provider" and collectively, "Service Providers"), and as otherwise specified in this Notice.

Aggregate Information

We collect statistical information about how both unregistered and registered users, collectively, use the Services ("Aggregate Information"). Some of this information is derived from Personal Data. We may use this Aggregate Information for any purpose in connection with our business and may share Aggregate Information with our partners, Service Providers and other persons with whom we conduct business. We share this type of statistical data for purposes such as helping our partners and Service Providers to understand how and how often people use our Services and their services or websites, which facilitates improving both their services and how our Services interface with them. In addition, these third parties may share with us non-private, anonymized, aggregated or otherwise non Personal Data about you that they have independently developed or acquired.

Information Shared with Our Service Providers

We may need to share Personal Data with our Service Providers in order for them to perform their services. Unless we tell you differently, our Service Providers do not have any right to use Personal Data or other information we share with them beyond what is necessary to assist us. For example, we share your relevant personal data with our cookie consent platform provider in the process of using the platform.

Information Disclosed Pursuant to Business Transfers

If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company. We may also share certain personal information as necessary prior to the completion of such a transaction or corporate transactions such as financings or restructurings, to lenders, auditors, and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.

Information Disclosed for Our Protection and the Protection of Others

We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental or regulator request, (ii) enforce this Notice and our Terms of Use, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.

Information We Share

Except as set forth herein (such as to regulators or as otherwise required by legal process), you will be notified when your Personal Data may be shared with third parties, and will be able to prevent the sharing of this information.

8.
Security Measures

We have implemented appropriate technical and security measures designed to protect your personal data from unauthorized access, destruction, loss or misuse. Neither the internet nor any electronic or physical system is ever fully secure and many factors outside our control may impact the security of your data, including unauthorized entry or use, hardware or software failure and we cannot guarantee its security when being transmitted. If you are a KBRA accountholder, you must take measures to protect the confidentiality of any password and/or login details we provide to access our Website, log out when you are not using the Website and limit access to your device. You should be aware that your transmission of your data is at your own risk. Once we receive it, we will use appropriate measures designed to protect it, but we cannot guarantee or warrant the security of any information that you transmit to us.

We will only process your Personal Data relying on the legal bases set out below, to the extent necessary:

  • In order for your contract with us to be performed;
  • In order to comply with any legal or regulatory obligations; or
  • For our legitimate interest in (a) managing, administering and improving our business; (b) responding to your inquiries; (c) understanding what content is of interest to you, enhancing our Services, keeping you informed about updates, new features, and product offerings; (d), securing our Website and making it available to you when processing your personal data; (e) confirming that the cookie platform is functioning correctly so that we can comply with applicable legal obligations; (f) maintaining, operating and improving our emails using optimal presentation; (g) providing our Services to recipients and end users/subscribers; (h) managing and improving our business and Services by understanding which marketing campaigns, events and alerts were more successful or of interest to recipients; and (i) for the prevention and detection of crime and/or unauthorized use of the Services and for those other legitimate interests specifically identified in this Notice, provided our interest are not overridden by your interest.

Generally, we do not rely on consent as a legal basis for processing your Personal Data, except where required by applicable law or as otherwise identified in this Notice, although we will get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us and as set out below.

10.
What Personal Data of Mine Can I Access

If you are a registered user, you can access certain profile information associated with your Account by logging into the Services. To update or access other information, please contact [email protected].

11.
Minors

Our website is not intended for, and should not be used by, minors under the age of 18. We do not knowingly collect personal data from individuals who are under 18 years of age.

12.
What Choices Do I Have Regarding My Personal Data

You have certain choices regarding our processing of your personal data, and we make available several ways for you to manage your preferences and privacy choices, as described below.

  • Marketing Communications: We may send periodic promotional and operational emails or other similar communications to you. You may change your preferences or unsubscribe by following the instructions provided to you in the communication. If you opt out of receiving promotional emails from us, we may still send you communications that you have requested to receive from us.
  • Manage Cookies: To manage cookies on our Website, please read our Cookie Policy here or visit our Manage Cookies feature which appears on the bottom of the Website.
  • You can use some of the informational and marketing features of the Website without registering, thereby limiting the information that we collect.
  • You can always opt not to disclose certain information to us, even though it may be needed to take advantage of some of our features.
  • You can disable your Account. If you decide to do this, email [email protected]. If you disable your Account, any association between your Account and information we store will no longer be accessible through your Account. However, any activity on your Account prior to disabling the Account and your contact information will remain stored on our servers. Any public comments you have made through the Services will remain accessible to the public. Please note that we will need to verify that you have the authority to disable the Account.

13.
Your Privacy Rights

If you are a European Union ("EU") / United Kingdom ("UK") Resident

If you are a resident of the EU or UK, the GDPR/UK GDPR provides you with specific rights with respect to your personal data. If you wish to exercise any of your rights please email [email protected], or if you wish to file a complaint with the authority please contact that authority. Please note these rights are not absolute and may not be exercised in certain circumstances, such as when the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data privacy laws. We may request proof of identification to verify your request.

  1. The right to request access to a copy of your personal data and details of the processing. (An initial copy of your personal data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.)
  2. The right to ask us to correct any inaccurate or incomplete personal data we hold about you.
  3. The right to request that we delete your personal data in certain circumstances, including: (i) the personal data are no longer needed for the purpose for which they were collected; (ii) you withdraw your consent (where the processing was based on consent); (iii) you object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see further your right to object below); (iv) the personal data has been unlawfully processed; or (v) to comply with a legal obligation. This right does not apply where, for example, the processing is necessary (a) to comply with a legal obligation; or (b) for the establishment, exercise or defense of legal claims.
  4. The right to ask us to restrict or suspend our processing of your personal data in certain circumstances, including where you query the accuracy of the data, where the processing is unlawful or no longer necessary or where you have objected.
  5. The right to object to the processing of your personal data where our legal basis for processing your personal data is our legitimate interests (or those of a third party). In such a case, we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests, and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. To do this, please refer to the sub-section entitled Unsubscribing from emails above.
  6. The right to request that we provide the personal data you provided to us in a structured, commonly used and machine-readable format or to transmit the personal data to a third party without hindrance, where technically feasible.
  7. The right to withdraw your consent at any time where we are relying on consent to process your personal data. The withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
  8. You have the right to lodge a complaint with the relevant data protection supervisory authority if you think that we are not complying with our obligations in relation to our processing of your personal data.
  9. We use automated decision making and profiling as follows: in respect of marketing email subscribers, we use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. We may then use this to contact you about these by post or telephone. You can object to any decision about you based solely on this automated processing (and profiling) that produces legal effects or otherwise significantly affects you.

14.
Data Controller Information

For the purpose of applicable data privacy laws, the data controller of your personal data is:

  1. for visitors to the Services generally (excluding KBRA Analytics Services and emails): KBRA Holdings LLC;
  2. for customers of and subscribers to KBRA Analytics products or visitors to KBRA Analytics products, Services or content: KBRA Analytics, LLC;
  3. for customers of KBRA: Kroll Bond Rating Agency, LLC;
  4. for customers of KBRA Europe: Kroll Bond Rating Agency Europe Limited; and
  5. for customers of KBRA UK: Kroll Bond Rating Agency UK Limited.

In respect of any processing of personal data described in 2-5 above, KBRA Holdings, LLC acts as a joint data controller with the data controller identified.

You are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it or they act as a joint controller of your personal data by directing any such requests to [email protected].

In limited circumstances (such as our use of social media and advertising on third-party websites), we may also act as a joint controller with another non-KBRA party. In such circumstances, upon your request to exercise any of the above rights we will advise you if there is another controller who you should contact. Please note that any other such joint controller will also have its own privacy notice and cookie policy.

This Notice does not apply to the practices of third parties that we do not own or control, including but not limited to any third-party websites, services and applications, social media platforms and media providers (each a "Third-Party Service" and collectively, "Third-Party Services") that you elect to access through the Service, for example by clicking on links to those Third-Party Services from within the Website, who make our content or Services available to you via their services or on their applications or websites, or to individuals we do not manage or employ. While we attempt to engage with or facilitate access only to those Third-Party Services that share our respect for your privacy, we cannot take responsibility for the content or privacy notices of those Third Party Services. We encourage you to carefully review the privacy notices of any Third-Party Services you access.

16.
California Notice at Collection and Privacy Rights

This section of the Notice provides additional information for California residents and describes our information practices pursuant to applicable California privacy laws, including the California Consumer Privacy Act and the regulations issued thereto, each as amended (the "CCPA"). To the extent you are a California resident, and we collect "personal information" subject to the CCPA, the following applies.

This section does not address or apply to our handling of personal information that is exempt under the CCPA, such as publicly available information or de-identified or aggregated information.

Categories of Personal Information Collected and Disclosed. The table below identifies, generally, the categories of personal information we have collected about California residents, as well as the categories of third parties to whom we may disclose this personal information for a business or commercial purpose.

Categories of Personal Information CollectedCategories of Third-Party Disclosures

Identifiers

Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Data analytics providers
  • Internet service providers, operating systems and platforms
  • Others as required by law

Registered Users/Visitor Records

Includes your account information and registered user/visitor records that contain personal information, such as user ID, account name, contact information, employment information, account number, and financial or payment information that individuals provide to us in order to purchase or obtain our Services.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Internet service providers, operating systems and platforms
  • Others as required by law

Commercial information

Includes records of Services purchased, obtained, or considered, or other purchasing or use histories or tendencies.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Data analytics providers
  • Others as required by law

Internet and electronic network activity information

Including, but not limited to, browsing history, clickstream data, search history, and information regarding interactions with an internet website, application, or advertisement, including other usage data related to your use of any of our Services or other online services.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Data analytics providers
  • Internet service providers, operating systems and platforms
  • Others as required by law

Location data

Location information about a particular individual or device.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Data analytics providers
  • Others as required by law

Audio, visual and other electronic data

Includes audio, visual or similar information, such as CCTV footage (e.g., collected from visitors to our premises) and call recordings (e.g., of customer support calls).

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Others as required by law

Professional information

Includes professional and employment-related information such as your current employer(s), position(s), and business contact information.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Others as required by law

Profiles and inferences

Including inferences drawn from any of the information identified above to create a profile reflecting a California resident's preferences, characteristics, behavior or attitudes.

  • Advisors and agents
  • Regulators, government entities and law enforcement
  • Affiliates and subsidiaries
  • Others as required by law

Sources of Personal Information. As further described in the section How We Collect Your Personal Data above, in general, we may collect the categories of personal information identified in the table above from the following categories of sources: directly from you, from your employer, from public sources, and from third-party websites and services, including data analytics providers.

Sales and Sharing of Personal Information. The CCPA defines "sale" as disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration, and "sharing" includes disclosing or making available personal information to a third party for purposes of cross-contextual behavioral advertising. While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics cookies may be considered "selling" and "sharing" under the CCPA. Based on the CCPA's definitions, we may "sell" or "share" the following categories of personal information: identifiers; commercial information; location information (via your IP address); and internet and network activity information. We do not sell or share any sensitive personal information, nor do we sell or share personal information about individuals who we know are under sixteen (16) years old.

Purposes of Collection, Use, and Disclosure. As further described under the section How, and With Whom, Is My Personal Data Shared, and the section Our Legal Basis for Processing Your Personal Data, we collect, use, disclose, and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:

  • In order for your contract with us to be performed;
  • In order to comply with any legal or regulatory obligations;
  • For our legitimate interest in (a) managing, administering and improving our business, (b) communicating with you and responding to your inquiries (c) understanding what content is of interest to you, enhancing our Services, keeping you informed about updates, new features, and product offerings, (d), securing our Website and making it available to you when processing your personal data (e) confirming that the cookie platform is functioning correctly so that we can comply with applicable legal obligations (f) maintaining, operating and improving our emails using optimal presentation; (g) providing our Services to recipients and end users/subscribers; (h) managing and improving our business and Services; and (i) for the prevention and detection of crime and/or unauthorized use of the Services and for those other legitimate interests specifically identified in this Notice, provided our interest are not overridden by your interest;
  • To protect our rights and the rights of any person or third party;
  • For our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions;
  • For event planning and management, including registration, attendance, and contacting you about relevant events and Services;
  • To administer surveys, such as market research, customer satisfaction purposes or improving our products and Services, to conduct statistical and data analytics, and for other similar purposes.

Sensitive Personal Information. We do not use or disclose "sensitive personal information" beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our Services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our Services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.

Retention. We will not retain your personal information for longer than is necessary for the purposes for which it was collected, or as otherwise disclosed to you at the time of collection, as required by law, and for the exercise or defense of any legal claims.

California Residents' Rights. Under the CCPA, California residents have the following rights (subject to certain limitations):

  • To opt out of sales and sharing. The right to opt-out of our sale and sharing of their personal information.
  • To limit certain uses and disclosures of sensitive personal information. We do not use or disclose sensitive personal information; thus, this right is not available to you.
  • Deletion. The right to the deletion of their personal information that we have collected, subject to certain exceptions.
  • To know/access. The right to know what personal information we have collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
  • Correction. The right to correct inaccurate personal information that we maintain about them.
  • Non-discrimination. The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.

Submitting CCPA Requests. California residents may exercise their CCPA privacy rights as set forth below.

Request to know/access, correct, delete. California residents may submit CCPA requests to access/know, correct and delete their personal information maintained by us by (i) clicking here and completing the form linked; (ii) submitting a written request to (a) Legal Department at Kroll Bond Rating Agency, 805 Third Avenue, 29th floor, NY, NY 10022; or (b) [email protected]; or (iii) calling (646) 731-1240.

When you submit a request, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for denial.

You may also designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization. We may require you to confirm that you have provided the authorized agent permission to submit the request and you must provide the authorized agent with permission. We may deny a request from an authorized agent who does not submit proof that he or she has been authorized to act on your behalf.

Requests to Opt Out. California residents may exercise their right to opt out of the sale and/or sharing of their personal information by opting out of all but strictly necessary cookies via our Manage Cookies feature which appears on the bottom of the Website.

In addition, our website responds to global privacy control—or "GPC"—signals, which means that if we detect that your browser is communicating a GPC signal, we will process that as a request to opt that particular browser and device out of sales and sharing (i.e., via cookies and tracking tools) on our website. Note that if you come back to our website from a different device or use a different browser on the same device, you will need to opt out (or set GPC for) that browser and device as well. More information about GPC is available at: https://globalprivacycontrol.org/.

17.
What Happens When There Are Changes to this Notice?

We may change this Notice from time to time. If we make any changes, we will post those changes in this document and update the "Last Updated" date at the bottom of this Notice. However, if we make material changes to this Notice, we will notify you by means of a prominent notice through our Service prior to the change becoming effective.

18.
What If I Have Questions or Concerns?

If you have any questions or concerns regarding privacy using the Services, please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.

In accordance with applicable laws, you may lodge a complaint with the data protection supervisory authority for your country or region, or where an alleged infringement of applicable data privacy law occurs.

Effective Date: March 25th, 2025

CONNECT WITH KBRA
805 Third Avenue
29th Floor
New York, NY 10022
+1 (212) 702-0707
Contact Us

© 2010-2025 Kroll Bond Rating Agency, LLC. All Rights Reserved. Kroll Bond Rating Agency, LLC is not affiliated with Kroll Inc., Kroll Associates Inc., KrollOnTrack Inc., or their affiliated businesses.

SitemapTerms of UsePrivacy NoticeCookie PolicyRegulatory