Legal
KBRA VDR & KBRA Tools & Apps Privacy Notice
This privacy notice (“Notice”) applies to all users accessing (i) KBRA tools and applications (each a “KBRA Tool”) and (ii) the KBRA virtual data room (hosted by Finsight Group, Inc) (“VDR”).
For users of KBRA Tool(s): we are Kroll Bond Rating Agency, LLC, with business address at 805 Third Avenue, 29th floor, NY, NY 10022, USA (“KBRA US”).
For VDR users: depending on the KBRA entity providing the rating which you will access in the VDR, we are (i) Kroll Bond Rating Agency Europe Limited, a company incorporated in Ireland with registered office at 2nd Floor, One George's Quay Plaza, George's Quay, Dublin 2, Ireland (“KBRA Europe”) (ii) Kroll Bond Rating Agency, LLC, with business address at 805 Third Avenue, 29th Floor, NY, NY 10022, USA (“KBRA US”) or (iii) Kroll Bond Rating Agency UK Limited, with business address at 1st Floor, Marble Arch House, 66 Seymour Street, London W1H 5BT, England (“KBRA UK”).
Each of KBRA Europe, KBRA US and KBRA UK referred to herein as, “KBRA” “we”, “us”, “our”, as applicable and “Service/Tool(s)” as used herein shall refer to each of the VDR and the KBRA Tool(s).
KBRA is the data controller of your personal data. In certain instances, KBRA will act as a joint controller with (1) the party who provided you with access to the Service/Tool(s) and (2) certain KBRA affiliates. Please see below for further details as to when this applies.
KBRA will process your personal data in accordance with applicable European (and where applicable, UK) data protection law including Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) and where applicable the GDPR as retained in the UK post-Brexit pursuant to the European Union (Withdrawal) Act 2018 and as amended including by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”).
If you are a resident of California, please see the section “California Notice at Collection and Privacy Rights” below, for information about categories of “personal information” that we collect and your rights under California privacy laws.
This Notice covers any data relating to an individual who can be identified directly from that data or indirectly in conjunction with other information ("personal data"), that we process in relation to the Service/Tools and includes "personal information", as such term is defined under the California Consumer Privacy Act of 2018 ("CCPA") (Civil Code § 1798.100) (as amended or supplemented from time to time), "private information", as such term is defined under the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") (N.Y. Gen. Bus. L. §899-bb), and "personal data", as such term is defined under GDPR and the UK GDPR.
You can find a separate notice for our other services and websites here and our notice for Japan here: Japan Privacy Notice / プライバシー通知 – 日本.
I. GDPR and UK GDPR Notice
How We Collect Your Personal Data
We receive your personal data from your employer or the party who authorized your access to the Service/Tool(s) (including where such party has added you as a user), and from your directly and indirectly through your use of the Service/Tool(s).
What Personal Data Do We Collect?
The personal data that we may collect and otherwise process about you is your name, job title, company, phone number, email address, unique user ID, and your IP address and for K-CST, inferred country of your IP address and when logged in to K-CST, your company, authorization level, your language preference (where offered and selected) (“Identity Data”), log activity in using the Service/Tool(s) (time(s) of login, document access and where applicable to your permission level, download activity and for KBRA Tools only, upload activity, time spent viewing a document and, depending on your user permission level, records of messages generated using the Service/Tool(s) when you create an account for another user, share a link to, or upload a document) geo-location, whether you have accepted optional cookies and date and time of last update to your consent preferences, and your encrypted password and for K-CST only visitor journey, operating system, browser, (“Technical Data”).
Why We Use Your Personal Data:
We process your personal data for the following purposes and for the following legal basis:
VDRs:
Purpose | Categories of Personal Data | Lawful Basis | |
|---|---|---|---|
(1) | Setting up user accounts, managing the access to and the distribution of the credit rating by third parties and clients, providing support, reviewing use of end user accounts and investigating suspicious behavior/use of the VDR, or ejecting or suspending or terminating access of unauthorised/breaching users of the VDR. | Identity Data Technical Data |
provided such interests are not overridden by the rights and interests of the data subjects concerned. |
(2) | Making a credit rating available to our client(s) and our/their authorized and permitted recipients and managing the contractual obligations in the contract with our client. | Identity Data Technical Data | Necessary for
provided such interests are not overridden by the rights and interests of the data subject(s) concerned. |
(3) | Identifying if you are an employee of an investor connected to a rating provided by KBRA which is in the VDR, and contacting you in connection with the rating. | Identity Data Technical Data | Necessary for the purposes of legitimate interests pursued by KBRA, specifically KBRA’s legitimate interests in (i) understanding and improving investor experience of its services, and (ii) event planning and management, including registration, attendance, and contacting you about relevant events and services, subject to applicable laws, and provided such interests are not overridden by the rights and interests of the data subjects concerned. |
Joint Controllers
In respect of the processing activities listed at (1)(i) above, KBRA Europe acts as a joint controller with the third-party who engaged it to provide the credit rating and who is authorising you to access the VDR, where that party is also subject to the same legal obligation.
In respect of the processing activities listed at (1)(ii) above, KBRA acts as a joint controller with KBRA Holdings, LLC.
In respect of the processing activities listed at (2) and (3) above, KBRA acts as a joint controller with KBRA Holdings, LLC, and as applicable to the specific credit rating, KBRA UK and/or KBRA Europe.
Where joint controllers have been identified as applicable above, you are entitled to exercise your rights as a data subject against any or all of these joint controllers, to the extent that it, or they, act as a joint controller of your personal data.
KBRA Tools
Purpose | Categories of Personal Data | Lawful Basis | |
|---|---|---|---|
(1) | Making the KBRA Tool(s) available to our client(s) and authorized users, setting up user accounts, managing the access to the KBRA Tool(s). and the contractual obligations in the contract with our client. | Identity Data Technical Data | Necessary to comply with any legal or regulatory obligations; and Necessary for the purposes of legitimate interests pursued by KBRA, specifically KBRA’s legitimate interests in (i) performing our obligations and enforcing our rights under a contract with our client/the party who provided the user with access to the KBRA Tool(s), (ii) administering user accounts in and securing access to the KBRA Tool(s), (iii) confirming that the cookie platform is functioning correctly so that we can comply with applicable legal obligations, and (iv) for our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions; provided such interest is not overridden by the rights and interests of the data subjects concerned. |
(2) | Providing support, and investigating suspicious behavior or use of the KBRA Tool(s) and ejecting, suspending or terminating access of unauthorized users or persons using the KBRA Tool(s) in breach of the applicable terms. | Identity Data Technical Data | Necessary for the purposes of legitimate interest pursued by KBRA, specifically KBRA’s legitimate interest in: (i) managing and securing the KBRA Tool(s) and responding to requests from/communicating with users of the KBRA Tool(s), (ii) for the prevention and detection of crime and/or unauthorized use of the KBRA Tool(s), (iii) for our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions, and (iv) to protect our rights and the rights of any person or third party, provided such interests are not overridden by the rights and interests of the data subject(s) concerned. |
(3) | Requesting or receiving feedback with respect to the KBRA Tool(s), and conducting statistical and data analytics. | Identity Data Technical Data | Necessary for the purposes of legitimate interest pursued by KBRA, specifically KBRA’s legitimate interest in: (i) managing the KBRA Tool(s) and responding to requests from/communicating with users of the KBRA Tool(s), (ii) to improve our business and the KBRA Tool(s), and (iii) for our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions, provided such interests are not overridden by the rights and interests of the data subject(s) concerned. |
Joint Controllers
In respect of the processing activities listed at (1) and (2) above, KBRA acts as a joint controller with KBRA Holdings, LLC.
Where joint controllers have been identified as applicable above, you are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it, or they, act as a joint controller of your personal data.
You are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it or they act as a joint controller of your personal data by directing any such requests to [email protected].
How We Collect Your Personal Data:
We collect your personal data from you in the following ways:
directly, where we interact directly with you in setting up or administering your account; and/or
automatically through accessing data collected by the Service/Tool(s) when you use the Service/Tool(s) where someone else has invited you to the Service/Tool(s) or provided you with access to the Service/Tool(s).
Where you provide us with personal data relating to another person, you should ensure that you have that person’s consent or the necessary lawful basis to provide their information for use in accordance with applicable data protection law.
With Whom is My Personal Data Shared and International Transfers
KBRA shares your personal data:
within the KBRA group of companies and to its sub-processors as necessary to perform the purposes described above and provide the Service/Tool(s); and
with respect to the VDR only, through its affiliate, to Finsight Group, Inc. and its sub-processors, to provide the VDR.
As a global business, the personal data that we collect from you may be transferred to, and stored at, any of our locations which may be inside or outside the European Economic Area or United Kingdom including, in particular, the United States for the purposes described above. Our primary servers are in the United States. Some countries may not provide an adequate level of protection in relation to processing your data.
We have in place requirements relating to such international data transfers, for transfers both: (i) among our legal entities; and (ii) to third parties. We use specific contractual clauses designed to cause those third parties to respect the confidentiality of your Personal Data and use it only in connection with providing their services to us and in compliance with applicable data privacy laws. Please contact us at [email protected] if you wish to obtain information concerning such safeguards.
We will not retain your Personal Data for longer than is necessary for the purposes for which it was collected, or as otherwise disclosed to you at the time of collection, as required by law, and for the exercise or defense of any legal claims.
When transferring your personal data, KBRA will transfer your personal data subject to appropriate safeguards as required by applicable law, and where required to do so by applicable law, KBRA will ensure that recipients have entered into specific contracts approved by the European Commission to give your personal data the same level of protection it has in Europe, or confirm that the recipient is a member of the Data Privacy Framework, which requires the member to provide similar protection to personal data shared between Europe and the US.
How Long we hold your Personal Data:
We will hold your personal data for so long as necessary to comply with our legal obligations and regulatory obligations and guidance to which we are subject, and for the exercise of and to defend against legal claims which may be brought by or against us.
Security Measures
We, our affiliates and our service providers (in particular, with respect to the VDR only, Finsight Group, Inc. who provide the underlying VDR and manage the controls) have implemented appropriate technical and security measures designed to protect your personal data from unauthorized access, destruction, loss or misuse. Neither the internet nor any electronic or physical system is ever fully secure and many factors outside our control may impact the security of your data, including unauthorized entry or use, hardware or software failure and we cannot guarantee its security when being transmitted. You must take measures to protect the confidentiality of any password and/or login details we provide to access our Service/Tool, log out when you are not using the Service/Tool and limit access to your device. You should be aware that your transmission of your data is at your own risk. Once we receive it, we will use appropriate measures designed to protect it, but we cannot guarantee or warrant the security of any information that you transmit to us.
Minors
Our Service/Tools are not intended for, and should not be used by, minors under the age of 18. We do not knowingly collect personal data from individuals who are under 18 years of age.
Your Legal Rights
Under applicable data protection law you have the rights set out below. If you wish to exercise any of your rights in this regard please email [email protected], but please note these rights are not absolute. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance or where the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims.
The right to object to the processing of your personal data where our legal basis for processing your personal data is our legitimate interests (or those of a third party).. In such a case, we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests, and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. To do this, please contact [email protected].
The right to request access to a copy of your personal data and details of the processing. (An initial copy of your personal data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.)
The right to ask us to correct any inaccurate or incomplete personal data we hold about you.
The right to request that we delete your personal data in certain circumstances, including: (i) the personal data are no longer needed for the purpose for which they were collected; (ii) you withdraw your consent (where the processing was based on consent); (iii) you object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see further your right to object below); (iv) the personal data has been unlawfully processed; or (v) to comply with a legal obligation. This right does not apply where, for example, the processing is necessary (a) to comply with a legal obligation; or (b) for the establishment, exercise or defense of legal claims.
The right to ask us to restrict or suspend our processing of your personal data in certain circumstances, including where you query the accuracy of the data, where the processing is unlawful or no longer necessary or where you have objected.
The right to request that we provide the personal data you provided to us in a structured, commonly used and machine-readable format or to transmit the personal data to a third party without hindrance, where technically feasible.
The right to withdraw your consent at any time where we are relying on consent to process your personal data. The withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
You have the right to lodge a complaint with the relevant data protection supervisory authority if you think that we are not complying with our obligations in relation to our processing of your personal data.
We use automated decision making and profiling as follows: in respect of marketing email subscribers, we use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. We may then use this to contact you about these by post or telephone. You can object to any decision about you based solely on this automated processing (and profiling) that produces legal effects or otherwise significantly affects you.
The above rights may not be exercised in certain circumstances, such as when the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. If you wish to exercise any of your rights in this regard, please email [email protected]. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data privacy laws. We may request proof of identification to verify your request.
II. California Notice at Collection and Privacy Rights
This section of the Notice provides additional information for California residents and describes our information practices pursuant to applicable California privacy laws, including the California Consumer Privacy Act and the regulations issued thereto, each as amended (the “CCPA”). To the extent you are a California resident, and we collect “personal information” subject to the CCPA, the following applies.
This section does not address or apply to our handling of personal information that is exempt under the CCPA, such as publicly available information or de-identified or aggregated information.
Categories of Personal Information Collected and Disclosed. The table below identifies, generally, the categories of personal information we have collected about California residents, as well as the categories of third parties to whom we may disclose this personal information for a business or commercial purpose.
Categories of Personal Information Collected | Categories of Third-Party Disclosures | |
|---|---|---|
Identifiers | Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier email address, phone number, address and other contact information; IP address and other online identifiers. |
|
User Records | Includes your account information and registered user/visitor records that contain personal information, such as user ID, account name, contact information, employment information, that individuals provide to us in order to use the Service/Tool(s). |
|
Internet and Electronic Network Activity Information | Including, but not limited to information regarding interactions with the Service/KRBA Tool(s) such as your log activity (time of login, document access and where applicable to your permission level, download activity, time spent viewing a document and, depending on your user permission level, records of messages generated using the Service/Tool(s) when you create an account for another user, share a link to, or upload a document to the Service/Tool(s)). |
|
Location Data | Location information about a particular individual or device. |
|
Professional Information | Includes professional and employment-related information such as your current employer(s), position(s), and business contact information. |
|
Profiles and Inferences | Including inferences drawn from any of the information identified above to create a profile reflecting a California resident’s preferences, characteristics, behavior or attitudes. |
|
We may also disclose the personal information identified in the table above to our vendors and service providers who provide services or perform functions on our behalf.
Sources of Personal Information. As further described in the section “How We Collect your Personal Data” above, in general, we may collect the categories of personal information identified in the table above from the following categories of sources: directly from you when setting up or accessing your account or from your employer.
Sales and Sharing of Personal Information. The CCPA defines “sale” as disclosing or making available personal information to a third party in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third party for purposes of cross-contextual behavioral advertising. While we do not disclose personal information to third parties in exchange for monetary compensation, our use of third-party analytics cookies may be considered “selling” and “sharing” under the CCPA. Based on the CCPA’s definitions, we may “sell” or “share” the following categories of personal information: identifiers; commercial information; location information (via your IP address); and internet and network activity information. We do not sell or share any sensitive personal information, nor do we sell or share personal information about individuals who we know are under sixteen (16) years old.
Purposes of Collection, Use, and Disclosure. As further described under the section “With Whom Is My Personal Data Shared and International Transfer,” and the section “Why We Use Your Personal Data,” we collect, use, disclose, and otherwise process the above personal information for the following business or commercial purposes and as otherwise directed or consented to by you:
In order to comply with any legal or regulatory obligations;
For our legitimate interest in (a) managing and administering the Service/Tool(s) and providing access to the same to users; (b) communicating with you and responding to your inquiries; (c) securing the Service/Tool(s) and making it available to you when processing your personal information; (d) managing, administering and improving our business; (e) managing and improving our business and services, including the Service/Tool(s); (f) confirming that the cookie platform is functioning correctly so that we can comply with applicable legal obligations (g) for the prevention and detection of crime and/or unauthorized use of the Service/Tool(s), and (h) for those other legitimate interests specifically identified in this Notice, provided our interest is not overridden by your interest;
To protect our rights and the rights of any person or third party;
For our general business and operational support, including to consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions;
For event planning and management, including registration, attendance, and contacting you about relevant events and services; and
To administer surveys, such as market research, customer satisfaction purposes or improving our services associated with the Service/Tool(s), to conduct statistical and data analytics, and for other similar purposes.
Sensitive Personal Information. We do not use or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our services requested by you or the party who authorized you to use the Service/Tool(s); (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our Services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.
Retention. We will not retain your personal information for longer than is necessary for the purposes for which it was collected, or as otherwise disclosed to you at the time of collection, as required by law, and for the exercise or defense of any legal claims.
California Residents’ Rights. Under the CCPA, California residents have the following rights (subject to certain limitations):
To opt out of sales and sharing. The right to opt-out of our sale and sharing of their personal information.
To limit certain uses and disclosures of sensitive personal information. We do not use or disclose sensitive personal information; thus, this right is not available to you.
Deletion. The right to the deletion of their personal information that we have collected, subject to certain exceptions.
To know/access. The right to know what personal information we have collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
Correction. The right to correct inaccurate personal information that we maintain about them.
Non-discrimination. The right not to be subject to discriminatory treatment for exercising their rights under the CCPA.
Submitting CCPA Requests. California residents may exercise their CCPA privacy rights as set forth below.
Request to know/access, correct, delete. California residents may submit CCPA requests to access/know, correct and delete their personal information maintained by us by (i) clicking here and completing the form linked; (ii) submitting a written request to (a) Legal Department at Kroll Bond Rating Agency, 805 Third Avenue, 29th floor, NY, NY 10022; or (b) [email protected]; or (iii) calling 1-833-718-5068.
When you submit a request, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for denial.
You may also designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization. We may require you to confirm that you have provided the authorized agent permission to submit the request and you must provide the authorized agent with permission. We may deny a request from an authorized agent who does not submit proof that he or she has been authorized to act on your behalf.
Requests to Opt Out
KBRA Tools: California residents may exercise their right to opt out of the sale and/or sharing of their personal information by opting out of all but strictly necessary cookies via our cookie preference manager in the KBRA Tool which appears in the Manage Cookies feature in the KBRA Tool.
In addition, the KBRA Tools respond to global privacy control—or “GPC”—signals, which means that if we detect that your browser is communicating a GPC signal, we will process that as a request to opt that particular browser and device out of sales and sharing (i.e., via cookies and tracking tools) on our website. Note that if you come back to the KBRA Tools from a different device or use a different browser on the same device, you will need to opt out (or set GPC for) that browser and device as well. More information about GPC is available at: https://globalprivacycontrol.org/.
What Happens When There are Changes to this Notice?
We may change this Notice from time to time. If we make any changes, we will post those changes in this document and update the "Last Updated" date at the bottom of this Notice. However, if we make material changes to this Notice, we will notify you by means of a prominent notice when you next login into the Service/Tool or by sending you an email prior to the change becoming effective. You will find the most up to date version displayed in the Service/Tool(s).
What If I Have Questions or Concerns?
If you have any questions or concerns regarding privacy using the Service/Tool(s), please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.
In accordance with applicable laws, you may lodge a complaint with the data protection supervisory authority for your country or region, or where an alleged infringement of applicable data privacy law occurs.
Last Updated: June 15, 2026