- Home
- Legal
Legal
Privacy Statement
This Privacy Statement describes how each of KBRA Holdings, LLC and its affiliates and/or subsidiaries (collectively, "KBRA", "we", "our" or "us") collect, use and disclose information about you as a data controller when:
- you use or access to the services, features, content or applications we offer, including but not limited to any credit rating, other permissible service, research or press release (the "Services"), through our websites (individually and collectively, the "Website"), or by any other means or when your data is provided to us by a third party in connection with the provision of any of our Services;
- you register for, speak at or attend events which we host or sponsor,
- you tender for, provide services to or are employed or engaged by a third party tendering to provide goods or services to KBRA
- we interact with you in the course of our business; and/or
- you apply for a job with KBRA.
This Privacy Statement also sets out certain data subject rights and our obligations under applicable privacy laws.
A downloadable version of this Privacy Statement can be accessed here.
What Data Does This Privacy Statement Cover?
This Privacy Statement covers any data relating to a living individual who can be identified directly from that data or indirectly in conjunction with other information ("Personal Data"), that we process in relation to the Services and includes "personal information", as such term is defined under the California Consumer Privacy Act of 2018 ("CCPA") (Civil Code § 1798.100) (as amended or supplemented from time to time), "private information", as such term is defined under the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") (N.Y. Gen. Bus. L. §899-bb), and "personal data", as such term is defined under the European Union General Data Protection Regulation (EU) 2016/679, the United Kingdom General Data Protection Regulation and the Virginia Commonwealth Data Protection Act ("CDPA").
How we collect your Personal Data:
We receive your Personal Data from various sources, including without limitation: (i) if you register for the Website and the Services, through your user account on the Services (your "Account"); (ii) your use of the Services generally; (iii) your purchase of any of the Services; (iv) your or your employer's contact and/or communication with any of our employees either in relation to our Services or services which are to be provided to KBRA; (v) from you directly when you register or attend an event which we sponsor or host or when you apply for a job with us (or from a recruiter where they contact us on your behalf) or where you send communications to our employees (vi) from publicly accessible sources where relevant to the provision of our Services and (vii) from third party websites and services.
For details on the data controller of your Personal Data, please see the section entitled Data Controller Information below.
What Personal Data Do We Collect?
Account Information:
When you create an account for the Services ("Account"), you will need to provide information such as your username, password and email address and we will associate a unique user ID with your account. We may use your contact information to: (i) send you information about our Services; (ii) send you marketing information; (iii) invite you to conferences or events; (iv) request meetings with you; (v) evaluate your use of the Services and (vi) add you to internal contact and distribution lists. We may contact you when we believe it is necessary, such as for account recovery purposes. You may unsubscribe from marketing messages at any time through your Account settings, via the "unsubscribe" link in an email we have sent you, or by emailing [email protected].
Information Collected Automatically:
Due to how the internet operates, when you visit any of our Websites, we automatically receive and record information from your web browser when you interact with it and the Services, including your IP address, type and version of browser and device.
We then use that information to provide the Services to you and from that information, we use your IP address, type and version of browser and device for the following additional purposes:
(i) fight spam/malware; (ii) facilitate the collection of data concerning your interaction with the Services (e.g., which links you have clicked on or how many articles you have downloaded); (iii) prevent and identifying unauthorized access to and use of the Services; and (iv) track overall website usage. We collect usage information, such as the number and frequency of visitors to the Services. We may use this data in aggregate form, that is, as a statistical measure. This type of aggregate data collection enables us and third parties authorized by us to better understand and operate the Services, such as by helping us figure out how often individuals use parts of the Services so that we can analyze and improve them. Where permitted by applicable law, we may also collect data regarding individuals' accessing of the Services for sales and marketing purposes. We will never sell this data to third parties.
We use that data for our legitimate interest in in managing our business including protecting and improving our Services, protecting your account and account details, and to comply with applicable laws and regulations.
Electronic Communications:
We monitor and store electronic communications sent to or from us, including emails and text messages sent and received by our corporate phones and devices, to comply with legal and regulatory obligations, and for our legitimate interest in managing our business including legal, personnel, administrative and management purposes, to protect our systems, information and property, for the purposes of monitoring and evidencing discussions in relation to business activities, namely communications between KBRA employees and with third parties relating to credit rating activities, including to avoid non-compliance with legal and regulatory obligations outside of the EU/UK (as applicable), and for the prevention and detection of crime. Where we send you subscriber marketing or promotional e-mails regarding our products or services from our different divisions and affiliates, we do so based on your consent, if required by applicable law, which you may withdraw at any time. When you subscribe to alerts emails, we may also send you emails about our and/or KBRA affiliates events, services and products.
Unsubscribing from emails
If you wish to opt-out of receiving marketing or alert subscription emails from us, please update your preferences at https://www.kbra.com/account-preferences or click the link in the email footer at any time and delete any emails that you have received from us. You can also unsubscribe at any time by contacting us at [email protected].
Information Collected Using Cookies and Tracking Technologies:
With your consent, in alerts emails and any marketing emails you have subscribed to, or webforms relating to any of events we host or sponsor which you RSVP to, we use tracking pixels. We also use cookies and tracking technologies on our websites. For details on how we use these, please see our Cookie Policy here.
User Generated Data
Data generated by you in your use of the Services and your Account settings will be visible to necessary KBRA employees and will remain visible to such employees until you disable your Account.
Automated Decision Making
We use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. Subject to applicable laws, we may then use this information to contact you about these services.
Where Is My Information Stored?
As a global business, the information that we collect from you may be transferred to, and stored at, any of our locations which may be inside or outside the European Economic Area or United Kingdom including, in particular, the United States for the purposes described above. Our primary servers are in the United States. Some countries may not provide an adequate level of protection in relation to processing your data.
We have in place requirements relating to such international data transfers, for transfers both: (i) among our legal entities; and (ii) to third parties. We use specific contractual clauses designed to cause those third parties to respect the confidentiality of your Personal Data and use it only in connection with providing their services to us and in compliance with applicable data privacy laws. Please contact us at [email protected] if you wish to obtain information concerning such safeguards.
We will not retain your Personal Data for longer than is necessary for the purposes for which it was collected, as required by law, and for the exercise or defense of any legal claims.
How, and With Whom, Is My Information Shared?
Some of the information collected through or in connection with the Services is shared with third parties.
Downloading CUSIP Data
When you register for an Account, you accept additional terms which constitute an agreement with CUSIP Global Services ("CGS") on behalf of the American Bankers Association. You acknowledge therein that the following information will be provided to CGS in connection with your download of any CUSIP data: your username, firm name downloaded by you, email address and IP address. This information will be used for purposes of monitoring compliance with your agreement with CGS and will be stored securely in the United States. It may be reviewed and corrected by contacting [email protected]. For additional information about CUSIP customer privacy practices, please visit www.CUSIP.com.
Websites Hosted by Squarespace
Some of our Websites are hosted via Squarespace, and for such Websites your Personal Data is processed by Squarespace, including for protection and improvement of Squarespace's services, as further described in Squarespace's Privacy Policy.
IP Address Information:
While we collect and store IP address information, that information is not made public. We do at times, however, share this information with third parties that provide us with certain services (each a "Service Provider" and collectively, "Service Providers"), and as otherwise specified in this Privacy Statement.
Aggregate Information:
We collect statistical information about how both unregistered and registered users, collectively, use the Services ("Aggregate Information"). Some of this information is derived from Personal Data. We may use this Aggregate Information for any purpose in connection with our business and may share Aggregate Information with our partners, Service Providers and other persons with whom we conduct business. We share this type of statistical data for purposes such as helping our partners and Service Providers to understand how and how often people use our Services and their services or websites, which facilitates improving both their services and how our Services interface with them. In addition, these third parties may share with us non-private, anonymized, aggregated or otherwise non Personal Data about you that they have independently developed or acquired.
Information Shared with Our Service Providers:
We may need to share Personal Data with our Service Providers in order for them to perform their services. Unless we tell you differently, our Service Providers do not have any right to use Personal Data or other information we share with them beyond what is necessary to assist us.
Information Disclosed Pursuant to Business Transfers:
In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party.
Information Disclosed for Our Protection and the Protection of Others:
We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental or regulator request, (ii) enforce this Privacy Statement and our Terms of Use, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.
Information We Share:
Except as set forth herein (such as to regulators or as otherwise required by legal process), you will be notified when your Personal Data may be shared with third parties, and will be able to prevent the sharing of this information.
Security Measures
We have in place appropriate technical and security measures to protect your personal data from unauthorized access, destruction, loss or misuse and require that our service providers do the same. We restrict access to your personal data to those who need to know it to carry out their function and any access is subject to an obligation of confidentiality. Neither the internet nor any electronic or physical system is ever fully secure and many factors outside our or our service providers' control may impact the security of your data, including unauthorized entry or use, hardware or software failure and we cannot guarantee its security when being transmitted. If you are a KBRA accountholder, you must take measures to protect the confidentiality of any password and/or login details we provide to access our Website, log out when you are not using the Website and limit access to your device. You should be aware that your transmission of your data is at your own risk. Once we receive it, we will use appropriate measures to protect it, but we cannot guarantee or warrant the security of any information that you transmit to us.
Our Legal Basis for Processing Your Personal Data
We will only process your Personal Data for the purposes set out below, to the extent necessary:
- In order for your contract with us to be performed;
- In order to comply with any legal or regulatory obligations; and
- For our legitimate business interest in managing our business including legal, information technology, marketing, sales, administrative and management purposes and for the prevention and detection of crime and/or unauthorized use of the Services, provided our interest are not overridden by your interest.
Generally, we do not rely on consent as a legal basis for processing your Personal Data although we will get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us and as set out below.
What Information of Mine Can I Access?
If you are a registered user, you can access profile information associated with your Account by logging into the Services.
What Choices Do I Have Regarding My Information?
- You can use some of the informational and marketing features of the Services without registering, thereby limiting the type of information that we collect.
- You can always opt not to disclose certain information to us, even though it may be needed to take advantage of some of our features.
- You can disable your Account. If you decide to do this, email [email protected]. If you disable your Account, any association between your Account and information we store will no longer be accessible through your Account. However, any activity on your Account prior to disabling the Account and your contact information will remain stored on our servers. Any public comments you have made through the Services will remain accessible to the public. Please note that we will need to verify that you have the authority to disable the Account.
Your Rights
Under applicable data protection law you have the rights set out below. If you wish to exercise any of your rights please email [email protected], but please note these rights are not absolute and may not be exercised in certain circumstances, such as when the processing of your personal data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. We will respond to any request in accordance with applicable data protection law, other applicable laws and regulatory guidance. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data privacy laws. We may request proof of identification to verify your request.
If you are a European Union ("EU") / United Kingdom ("UK") Citizen
If you are a citizen of the EU or UK, the GDPR/UK GDPR provides you with specific rights with respect to your personal data, as follows:
- The right to request access to a copy of your personal data and details of the processing. (An initial copy of your personal data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.)
- The right to ask us to correct any inaccurate or incomplete personal data we hold about you.
- The right to request that we delete your personal data in certain circumstances, including: (i) the personal data are no longer needed for the purpose for which they were collected; (ii) you withdraw your consent (where the processing was based on consent); (iii) you object to the processing and there are no overriding legitimate grounds justifying us processing the personal data (see further your right to object below); (iv) the personal data has been unlawfully processed; or (v) to comply with a legal obligation. This right does not apply where, for example, the processing is necessary (a) to comply with a legal obligation; or (b) for the establishment, exercise or defense of legal claims.
- The right to ask us to restrict or suspend our processing of your personal data in certain circumstances, including where you query the accuracy of the data, where the processing is unlawful or no longer necessary or where you have objected.
- The right to object to the processing of your personal data where our legal basis for processing your personal data is our legitimate interests (or those of a third party). In such a case, we will stop processing your personal data unless we can demonstrate compelling legitimate interests which override your interests, and you have a right to request information on the balancing test we have carried out. You also have the right to object where we are processing your personal data for direct marketing purposes. To do this, please refer to the sub-section entitled Unsubscribing from emails above.
- The right to request that we provide the personal data you provided to us in a structured, commonly used and machine-readable format or to transmit the personal data to a third party without hindrance, where technically feasible.
- The right to withdraw your consent at any time where we are relying on consent to process your personal data. The withdrawal of your consent will not invalidate any processing we carried out prior to your withdrawal and based on your consent.
- You have the right to lodge a complaint with the relevant data protection supervisory authority if you think that we are not complying with our obligations in relation to our processing of your personal data.
- We use automated decision making and profiling as follows: in respect of marketing email subscribers, we use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. We may then use this to contact you about these by post or telephone. You can object to any decision about you based solely on this automated processing (and profiling) that produces legal effects or otherwise significantly affects you.
Additional Provisions in Respect of California Residents
If you are a resident of California, the CCPA provides you with specific rights regarding your Personal Data including the following:
- You may request that we delete any personal data that we have collected about you. This right is limited in a number of circumstances, for example, where it is reasonably necessary for us to maintain your personal data in order to comply with a legal obligation.
- You may request that we correct inaccurate personal data we hold about you.
- You have the right to know what personal data is being collected about you and the to request us to provide the following information: (i) the categories of personal data we collected about you in the preceding twelve (12) months; (ii) the categories of sources from which your personal data was collected; (iii) the business or commercial purpose(s) for which your personal data was collected; (iv) the categories of third parties with whom we shared your personal data; and (v) the categories of personal data we disclosed for a business purpose in the preceding twelve (12) months and, for each category identified, the categories of third parties to whom we disclosed that particular category of personal data.
- The right to exercise your data subject rights without having to endure any form of retaliation or loss in your user experience.
- The right to direct us to only use your sensitive personal information (as defined under CCPA) (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.
- The right to direct us not to sell or share your personal data with third parties.
During the past twelve (12) months, we collected the categories of Personal Data described above under "What Information Do We Collect?" from California residents, and disclosed such Personal Data to third parties for the purposes specified above under "How, and With Whom, Is My Information Shared?".
We do not sell your Personal Data.
You may exercise any of the rights described in this section by (i) clicking here and completing the form linked; (ii) submitting a written request to (a) Legal Department at Kroll Bond Rating Agency, 805 Third Avenue, 29th floor, NY, NY 10022 or (b) [email protected]; or (iii) calling (646) 731-1240. To exercise any of the rights above, it may be necessary for us to verify your identity or authority to make the request and confirm the Personal Data relates to you. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Data. If you are making the request yourself, we will verify your identity through our existing authentication practices for your password-protected account. We will not discriminate against you for exercising any of your privacy rights under the CCPA or applicable law.
Data Controller Information
For the purpose of applicable data privacy laws, the data controller of your personal data is:
- for visitors to the Services generally (excluding KBRA Analytics Services and emails): KBRA Holdings LLC;
- for customers of and subscribers to KBRA Analytics products or visitors to KBRA Analytics products Services or content: KBRA Analytics, LLC;
- for customers of KBRA: Kroll Bond Rating Agency, LLC;
- for customers of KBRA Europe: Kroll Bond Rating Agency Europe Limited; and
- for customers of KBRA UK: Kroll Bond Rating Agency UK Limited.
In respect of any processing of personal data described in 2-5 above, KBRA Holdings, LLC acts as a joint data controller with the data controller identified.
You are entitled to exercise your rights as a data subject against any or all of these joint controllers to the extent that it or they act as a joint controller of your personal data by directing any such requests to [email protected].
In limited circumstances (such as our use of social media and advertising on third party websites), we may also act as a joint controller with another non-KBRA party. In such circumstances, upon your request to exercise any of the above rights we will advise you if there is another controller who you should contact. Please note that any other such joint controller will also have its own privacy policy and cookie policy.
Links to Other Websites
This Privacy Statement does not apply to the practices of third parties that we do not own or control, including but not limited to any third party websites, services and applications, social media platforms and media providers (each a "Third Party Service" and collectively, "Third Party Services") that you elect to access through the Service, for example by clicking on links to those Third Party Services from within the Website, or to individuals we do not manage or employ. While we attempt to facilitate access only to those Third Party Services that share our respect for your privacy, we cannot take responsibility for the content or privacy statements of those Third Party Services. We encourage you to carefully review the privacy statements of any Third Party Services you access.
What Happens When There Are Changes to this Privacy Statement?
We may change this Privacy Statement from time to time. If we make any changes, we will post those changes in this document and update the "Last Updated" date at the bottom of this Privacy Statement. However, if we make material changes to this Privacy Statement, we will notify you by means of a prominent notice through our Service prior to the change becoming effective.
What If I Have Questions or Concerns?
If you have any questions or concerns regarding privacy using the Services, please send us a detailed message to [email protected]. We will make every effort to resolve your concerns.
In accordance with applicable laws, you may lodge a complaint with the data protection supervisory authority for your country or region, or where an alleged infringement of applicable data privacy law occurs.
Effective Date: August 20th, 2024