Legal

KBRA VDR Privacy Notice

This privacy notice (“Notice”) applies to all users accessing KBRA's virtual data room (hosted by Finsight Group, Inc) (“VDR”). Depending on the KBRA entity providing the rating which you will access in the VDR, we are (i) Kroll Bond Rating Agency Europe Limited, a company incorporated in Ireland with registered office at 2nd Floor, One George's Quay Plaza, George's Quay, Dublin 2, Ireland (“KBRA Europe”) (ii) Kroll Bond Rating Agency, LLC with business address at 805 Third Avenue, 29th floor, NY, NY 10022, USA (“KBRA US”) or (iii) Kroll Bond Rating Agency UK Limited with business address at 2nd Floor, 1 Connaught Place, London W2 2ET, England (“KBRA UK”) (each of KBRA Europe, KBRA US and KBRA UK referred to herein as, “KBRA” “we”, “us”, “our”, as applicable).

KBRA is the data controller of your personal data. In certain instances, KBRA will act as a joint controller with (1) the party who provided you with access to this VDR and (2) certain KBRA affiliates. Please see below for further detail as to when this applies.

KBRA will process your personal data in accordance with applicable European (and where applicable, UK) data protection law including Regulation (EU) 2016/979 (General Data Protection Regulation) (“GDPR”) and where applicable the GDPR as retained in the UK post-Brexit pursuant to the European Union (Withdrawal) Act 2018 and as amended including by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”).

If you are a resident of the State of California, please see the section entitled “California Notice at Collection and Privacy Rights” below, for information about categories of “personal information” that we collect and your rights under California privacy laws.

What Information Do We Collect?

The personal data that we may collect and otherwise process about you is your name, job title, company, phone number, email address (“Identity Data”), and your IP address, log activity in using the VDR (time of login, document access and where applicable to your permission level, download activity, time spent viewing a document and, depending on your user permission level, records of messages generated using the VDR when you create an account for another user, share a link to, or upload a document to the VDR) geo-location, and your encrypted password (“Technical Data”).

Why we use your Personal Data:

We process your personal data for the following purposes and for the following legal basis:

	Purpose	Categories of Personal Data	Lawful Basis
(1)	Setting up user accounts managing the access to and the distribution of the credit rating by third parties and clients, providing support and investigating suspicious behavior/use of the VDR, or ejecting unauthorised/breaching users of the VDR.	Identity Data Technical Data	KBRA Europe: Necessary for compliance with a legal obligation to which KBRA Europe is subject (obligations under Credit Rating Agencies Regulation and associated European Securities and Markets Authority (ESMA) guidelines). KBRA Europe, KBRA US and KBRA UK: Necessary for the purposes of legitimate interests pursued by KBRA, specifically KBRA's legitimate interests in managing, administering and securing the VDR and responding to requests from clients and users of the VDR to improve our business and for our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions, provided such interests are not overridden by the rights and interests of the data subjects concerned.
(2)	Making a credit rating available to our client(s) and our/their authorized and permitted recipients and managing the contractual obligations in the contract with our client.	Identity Data Technical Data	Necessary for (i) (with respect to KBRA Europe only), compliance with a legal obligation to which KBRA Europe is subject and (ii) the purposes of legitimate interests pursued by KBRA, specifically KBRA's legitimate interests in performing our obligations and enforcing our rights under a contract with our client/the party who provided you with access to the VDR providing credit rating services to our client(s) and making such rating available to the client and its permitted recipients, provided such interests are not overridden by the rights and interests of the data subjects concerned.
(3)	Identifying if you are an employee of an investor connected to a rating provided by KBRA which is in the VDR and contacting you in connection with the rating.	Identity Data Technical Data	Necessary for the purposes of legitimate interests pursued by KBRA, specifically KBRA' legitimate interests in understanding and improving investor experience of its services, and subject to applicable laws, for event planning and management, including registration, attendance, and contacting you about relevant events and services provided such interests are not overridden by the rights and interests of the data subjects concerned.

Joint Controllers

In respect of the processing activities listed at (1)(i) above, KBRA Europe acts as a joint controller with the third-party who engaged it to provide the credit rating and who is authorising you to access the VDR, where that party is also subject to the same legal obligation.

In respect of the processing activities listed at (1)(ii) above, KBRA acts as a joint controller with KBRA Holdings, LLC.

In respect of the processing activities listed at (2) and (3) above, KBRA acts as a joint controller with KBRA Holdings, LLC, and as applicable to the specific credit rating, Kroll Bond Rating Agency UK Limited and/or Kroll Bond Rating Agency Europe Limited.

You are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it or they act as a joint controller of your personal data, but you are invited to please direct any such requests KBRA.

How we Collect your Personal Data:

We collect your personal data from you in the following ways:

directly, where we interact directly with you in setting up or administering your VDR account; and/or
automatically through accessing data collected by the VDR when you use the VDR where someone else has invited you to the VDR or provided you with access to the VDR.

Where you provide us with personal data relating to another person, you should ensure that you have that person’s consent or the necessary lawful basis to provide their information for use in accordance with applicable data protection law.

International Transfers

KBRA shares your personal data

within the KBRA group of companies as necessary to perform the purposes described above
through its affiliate, to Finsight Group, Inc and its sub-processors, to provide the VDR.

When transferring your personal data, KBRA will transfer your personal data subject to appropriate safeguards as required by applicable law, and where required to do so by applicable law, KBRA will ensure that recipients have entered into specific contracts approved by the European Commission to give your personal data the same level of protection it has in Europe, or confirm that the recipient is a member of the Data Privacy Framework, which requires the member to provide similar protection to personal data shared between Europe and the US.

How Long we hold your Personal Data:

We will hold your personal data for so long as necessary, for so long as is required to comply with our legal obligations and regulatory obligations and guidance to which we are subject, and for the exercise of and to defend against legal claims which maybe brought by or against us.

Data Security

We, our affiliates and our service providers (in particular Finsight Group, Inc. who provide the underlying VDR and manage the controls) have in place appropriate technical and security measures to protect an appropriate level of protection for your personal data.

Your Legal Rights

Under applicable data protection law you have the rights set out below. If you wish to exercise any of your rights in this regard please email [email protected], but please note these rights are not absolute. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance or where the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims.

You can object to the processing of your personal data where our legal basis for processing your personal data is our legitimate interests.
You can request access to a copy of your personal data held by us and details of the processing of your personal data by us. In the European Union and United Kingdom, an initial copy of your personal data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.
You can ask to have your personal data corrected if it is inaccurate or incomplete.
You can request us to delete your personal data in certain circumstances.
You can restrict our processing of your personal data in certain circumstances, including where the processing is unlawful or no longer necessary.
You can request the transfer of your personal data to another party. We will do this in a structured, commonly used, machine-readable format.
You can ask us not to process your personal data for marketing purposes.
You can complain to the relevant data protection supervisory authority, if you think that we are not complying with our obligations in relation to our processing of your personal data.

The above rights may not be exercised in certain circumstances, such as when the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. If you wish to exercise any of your rights in this regard, please email [email protected]. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data protection laws. We may request proof of identification to verify your request.

California Notice at Collection and Privacy Rights

This section of the Notice provides additional information for California residents and describes our information practices pursuant to applicable California privacy laws, including the California Consumer Privacy Act and the regulations issued thereto, each as amended (the “CCPA”). To the extent you are a California resident, and we collect “personal information” subject to the CCPA, the following applies.

This section does not address or apply to our handling of personal information that is exempt under the CCPA, such as publicly available information or de-identified or aggregated information.

Categories of Personal Information Collected and Disclosed. The table below identifies, generally, the categories of personal information we have collected about California residents, as well as the categories of third parties to whom we may disclose this personal information for a business or commercial purpose.

Categories of Personal Information Collected		Categories of Third-Party Disclosures
Identifiers	Includes direct identifiers, such as name, alias, company, job title; email address, phone number, IP address and other online identifiers.	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Data analytics providers Internet service providers, operating systems and platforms Others as required by law
User Records	Includes your VDR account information and records that contain personal information, such as contact information, employment information, that individuals provide to us in order to use the VDR.	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Internet service providers, operating systems and platforms Others as required by law
Sensitive Personal Information	The encrypted password associated with your account.	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Internet service providers, operating systems and platforms Others as required by law
Internet and electronic network activity information	Including, but not limited to information regarding interactions with the VDR such as your log activity (time of login, document access and where applicable to your permission level, download activity, time spent viewing a document and, depending on your user permission level, records of messages generated using the VDR when you create an account for another user, share a link to, or upload a document to the VDR).	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Data analytics providers Internet service providers, operating systems and platforms Others as required by law
Location data	Location information about a particular individual or device (such as geolocation data).	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Data analytics providers Others as required by law
Professional information	Includes professional and employment-related information such as your current employer(s), position(s), and business contact information.	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Others as required by law
Profiles and inferences	Including inferences drawn from any of the information identified above to create a profile reflecting a California resident’s preferences, characteristics, behavior or attitudes.	Advisors and agents Regulators, government entities and law enforcement Affiliates and subsidiaries Others as required by law

Sources of Personal Information. As further described in the section “How We Collection Your Personal Data” above, in general, we may collect the categories of personal information identified in the table above from the following categories of sources: directly from you when setting up or accessing your VDR account or from your employer.

Sales and Sharing of Personal Information. In connection with your use of the VDR, we do not sell or share your personal information as those terms are defined under California law.

Purposes of Collection, Use, and Disclosure. We collect, use, disclose, and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:

In order to comply with any legal or regulatory obligations;
For our legitimate interests in (a) managing and administering the VDR and providing VDR access to users, (b) communicating with you and responding to your inquiries (c) securing the VDR and making it available to you when processing your personal information (d); managing, administering and improving our business (h) managing and improving our business and Services; and (i) for the prevention and detection of crime and/or unauthorized use of the Services and for those other legitimate interests specifically identified in this Notice, provided our interest are not overridden by your interest;
To protect our rights and the rights of any person or third party;
For our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions;
For event planning and management, including registration, attendance, and contacting you about relevant events and services; and
To administer surveys, such as customer satisfaction purposes or improving our services associated with the VDR, to conduct statistical and data analytics, and for other similar purposes.

Sensitive Personal Information. We do not use or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our Services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our Services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.

Retention. We will not retain your personal information for longer than is necessary for the purposes for which it was collected, or as otherwise disclosed to you at the time of collection, as required by law, and for the exercise or defense of any legal claims.

California Residents’ Rights. Under the CCPA, California residents have the following rights (subject to certain limitations):

To opt out of sales and sharing. The right to opt-out of our sale and sharing of their personal information.
To limit certain uses and disclosures of sensitive personal information. We do not use or disclose sensitive personal information; thus, this right is not available to you.
Deletion. The right to the deletion of their personal information that we have collected, subject to certain exceptions.
To know/access. The right to know what personal information we have collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
Correction. The right to correct inaccurate personal information that we maintain about them.
Non-discrimination. The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.

Submitting CCPA Requests. California residents may exercise their CCPA privacy rights as set forth below.

Request to know/access, correct, delete. California residents may submit CCPA requests to access/know, correct and delete their personal information maintained by us by (i) clicking here and completing the form linked; (ii) submitting a written request to (a) Legal Department at Kroll Bond Rating Agency, 805 Third Avenue, 29th floor, NY, NY 10022; or (b) [email protected]; or (iii) calling (646) 731-1240.

When you submit a request, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for denial.

You may also designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization. We may require you to confirm that you have provided the authorized agent permission to submit the request and you must provide the authorized agent with permission. We may deny a request from an authorized agent who does not submit proof that he or she has been authorized to act on your behalf.

Right to Opt Out of Sale or Sharing of Personal Information

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents have the right to direct a business that sells or shares personal information to third parties to stop doing so. Because we do not sell or share personal information, there is no need to submit a request to opt out, and you will not see a “Do Not Sell or Share My Personal Information” link on our website. If our practices change in the future, we will update this notice and provide appropriate options for you to exercise your rights.

What Happens When There Are Changes to this Notice?

We may amend this Notice from time to time. If we make any material changes in the way we collect or use personal data, we will notify you by posting a new privacy notice when you next login into the VDR or sending you an email. You will find the most up to date version displayed on each new session login to the VDR.

What If I Have Questions or Concerns?

If you have any questions or concerns regarding privacy using the VDR, please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.

Last Updated: 1 May 2025