Legal

Privacy Statement

This Privacy Statement (together with our

) describes the policies and procedures of Kroll Bond Rating Agency, LLC, KBRA Analytics, LLC, and its/their affiliates (collectively, "KBRA", "we", "our" or "us") on the collection, use and disclosure of your information in connection with your use of or access to the services, features, content or applications we offer, including but not limited to any credit rating, other permissible service, research or press release (the "Services"), through our websites at

www.krollbondratings.com

www.kbra.com

, or

www.kbraanalytics.com

(collectively, the "Website"), or by any other means. We receive information about you from various sources, including without limitation: (i) if you register for the Website and the Services, through your user account on the Services (your "Account"); (ii) your use of the Services generally; (iii) your purchase of any of the Services; (iv) your contact and/or communication with any of our employees; and (v) from third party websites and services.

When you use the Services, your information is subject to the collection, transfer, manipulation, storage, disclosure and other uses (i.e., processed) as described in this Privacy Statement. Our servers, which hold your Personal Data (defined below) are hosted and operated in the United States and our Services are subject to United States law and all applicable data privacy laws.

For the purpose of applicable data privacy laws, the data controller of your Personal Data is Kroll Bond Rating Agency, LLC of 805 Third Avenue, 29th Floor, New York, NY 10022, USA, Kroll Bond Rating Agency Europe Limited, with a registered address at 6-8 College Green, Dublin 2, Ireland, KBRA UK Limited, with a business and registered address at Second Floor, 1 Connaught Place, London W2 2ET, United Kingdom and/or KBRA Analytics, LLC of 805 Third Avenue, 29th Floor, New York, NY 10022, USA.

Please read the following carefully to understand our use of your Personal Data.

A downloadable version of this Privacy Statement can be accessed

here

What Does This Privacy Statement Cover?

This Privacy Statement covers any data relating to a living individual who can be identified directly from that data or indirectly in conjunction with other information ("Personal Data"), that we process in relation to the Services. The term Personal Data includes “personal information”, as such term is defined under the California Consumer Privacy Act of 2018 ("CCPA") (Civil Code § 1798.100), “private information”, as such term is defined under the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") (N.Y. Gen. Bus. L. §899-bb), and “personal data”, as such term is defined under the European Union General Data Protection Regulation (EU) 2016/679 and the United Kingdom General Data Protection Regulation. This Privacy Statement also covers our treatment of any Personal Data that our business partners share with us or that we share with our business partners.

This Privacy Statement does not apply to the practices of third parties that we do not own or control, including but not limited to any third party websites, services and applications (each a "Third Party Service" and collectively, "Third Party Services") that you elect to access through the Service, for example by clicking on links to those Third Party Services from within the Website, or to individuals we do not manage or employ. While we attempt to facilitate access only to those Third Party Services that share our respect for your privacy, we cannot take responsibility for the content or privacy statements of those Third Party Services. We encourage you to carefully review the privacy statements of any Third Party Services you access.

What Information Do We Collect?

The information we gather enables us to personalize, improve and continue to operate the Services. In connection with certain aspects of the Services, we may request, collect and/or display some of your Personal Data. We collect the following types of information from our users.

Account Information:

When you create an account for the Services ("Account"), you will provide information that could be Personal Data, such as your username, password and email address. We may use your contact information to: (i) send you information about our Services; (ii) send you marketing information; (iii) invite you to conferences or events; (iv) request meetings with you; (v) evaluate your use of the Services and (vi) add you to internal contact and distribution lists. We may contact you when we believe it is necessary, such as for account recovery purposes. You may unsubscribe from marketing messages at any time through your Account settings, via the "unsubscribe" link in an email we have sent you, or by emailing

[email protected]

Cookies, IP Address Information and Other Information Collected Automatically:

We automatically receive and record information from your web browser when you interact with the Services, including your IP address and cookie information. This information is used to: (i) fight spam/malware; (ii) facilitate the collection of data concerning your interaction with the Services (e.g., which links you have clicked on or how many articles you have downloaded); (iii) prevent unauthorized access to and use of the Services; and (iv) track overall website usage.
The Services automatically collect usage information, such as the number and frequency of visitors to the Services. We may use this data in aggregate form, that is, as a statistical measure. This type of aggregate data collection enables us and third parties authorized by us to better understand and operate the Services, such as by helping us figure out how often individuals use parts of the Services so that we can analyze and improve them. We may also collect data regarding individuals' accessing of the Services for sales and marketing purposes. We will never sell this data to third parties.
We may collect some device-specific information if you access the Services using a mobile device. Device information includes unique device identifiers, network information, and hardware model, as well as information about how the device interacts with our Services. This information is used to (i) collect information relating to usage of the Services and (ii) maintain and improve the Services so that it supports the device types used to access the Services.
By ticking the box consenting to the use of cookies in your KBRA account, you consent to our use of cookies as set out herein. If you do not consent to the use of cookies, you may block or disable them using your browser settings or through the opt-out links set out in “Types of Cookies used on the Website” section below. However, blocking cookies may limit your ability to use our Website and access to the Services.

Electronic Communications:

We may track when you open an electronic communication from us. We use this tracking to improve our customer service. We may also monitor and store electronic communications sent to or from us, including emails and text messages. Where we send you marketing or promotional e-mails regarding our products or services from our different divisions and affiliates, we do so based on your consent, if required by applicable law.

Information Collected Using Cookies:

Cookies are pieces of text that may be provided to your computer through your web browser when you access a website. Your browser stores cookies in a manner associated with each website you visit. We use cookies to enable our servers to recognize your web browser and tell us how and when you visit the Website and otherwise use the Services. We may also work with Third Party Services who may use cookies, including first party and third party cookies, in connection with the services they provide to us.

Types of Cookies used on the Website

We and/or our vendors may use the following cookies:

Strictly necessary cookies. These are cookies that are required for the operation of our Website.
Analytical/performance cookies. They allow us to recognize and count the number of visitors and to see how visitors move around our Website when they are using it. This helps us to improve the way our Website works, for example, by helping users find what they are looking for easily.
Functionality cookies. These are used to recognize when you return to our Website. This enables us to personalize content for you and remember your preferences.
Targeting cookies. These cookies record your visit to our Website, the pages you have visited and the links you have followed. We will use this information to make our Website and the advertising displayed on it more relevant to your interests.

Further details are contained in the following table:

Cookie Type	Name	Purpose	Expiry Date	Who Provides the Cookie?	Opt Out Link
Performance Cookie	__utm*	Analytics and user behavior	Remains valid for 2 years	Google, Inc.	https://www.google.com/privacy_ads.html https://tools.google.com/dlpage/gaoptout/ http://optout.networkadvertising.org/
Performance Cookie	_ga*	Analytics and user behavior	Remains valid for 2 years	Google, Inc	https://www.google.com/privacy_ads.html https://tools.google.com/dlpage/gaoptout/ http://optout.networkadvertising.org/
Performance Cookie	__cf*	Maximize network resources and manage traffic	Remains valid for 30 days	Cloudflare, Inc	None
Performance Cookie	cf*	Maximize network resources and manage traffic.	Remains valid for 30 days	Cloudflare, Inc	None
Performance Cookie	_dd*	Analytics and user behavior	Remains valid for 15 mins	Datadog, Inc	None
Functionality cookie	_crsf	User access and authorization	Remains valid for 10 days	Auth0, Inc.	None
Functionality cookie	auth0	User access and authorization	Remains valid for 3 days	Auth0, Inc	None
Functionality cookie	did	User access and authorization	Remains valid for 6 hours	Auth0, Inc	None
Functionality cookie	legacy_auth0*	User access and authorization	Remains valid for 1 day	Auth0, Inc.	None
Functionality cookie	access_token	KCP user access and authorization	Remains valid for 30 days	KBRA	None
Functionality cookie	kcp_session_id	KCP user access and authorization	Remains valid for 30 days	KBRA	None
Functionality cookie	refresh_token	KCP user access and authorization	Remains valid for 30 days	KBRA	None
Strictly necessary cookie	PHPSESSID	Stores state, user selections, searches, etc.	Remains valid for 30 days	KBRA	None
Strictly necessary cookie	PHPREDIS_SESSION	Stores state, user selections, searches, etc.	Remains valid for 30 days	KBRA	None
Functionality	appSession*	Authentication & Authorization	1 day	KBRA	None
Various	See description of Squarespace cookies here	See description of Squarespace cookies here	See description of Squarespace cookies here	Squarespace, Inc.	See description of Squarespace cookies here

We may combine cookies with Personal Data. We also use cookies to identify that your web browser has accessed aspects of the Services and may associate that information with your Account if you have one.

How to Manage and Disable Cookies

Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allowing you to decide on acceptance of each new cookie in a variety of ways. We strongly recommend that you leave cookies active, because they enable you to take advantage of the most attractive features of the Services. www.allaboutcookies.org provides instructions on how to manage cookies on the different types of web browsers. Locations of the cookie settings for all major web browsers are below:
- Internet Explorer - Tools > Internet Options > Privacy tab.
- Mozilla Firefox - Tools > Options > Privacy & Security.
- Safari Users - Edit > Preferences > Privacy menu.
- Chrome Users - Settings > Privacy > Privacy and Security.
- Edge Users - Settings > Privacy > Privacy & Security.
To block Google Analytics cookies specifically, you can install the "Google Analytics Opt-out Browser Add-on" provided by Google.

User Generated Data

Data generated by you in your use of the Services and your Account settings will be visible to necessary KBRA employees and will remain visible to such employees until you disable your Account.

Automated Decision Making

We use software to help us better understand how you like us to communicate with you and whether you may be interested in our products and services. For example, based on our records that you have recently shown an interest in a certain product, our software helps us identify related products and services that may interest you. We may then use this to contact you about these by post or telephone.

Where Is My Information Stored?

As a global business, the information that we collect from you may be transferred to, and stored at, any of our locations which may be inside or outside the European Economic Area or United Kingdom including, in particular, the United States for the purposes described above. Our primary servers are in the United States. Some countries may not provide an adequate level of protection in relation to processing your data.

We have in place requirements relating to such international data transfers, for transfers both: (i) among our legal entities; and (ii) to third parties. We use specific contractual clauses designed to cause those third parties to respect the confidentiality of your Personal Data and use it only in connection with providing their services to us and in compliance with applicable data privacy laws. Please contact us at

[email protected]

if you wish to obtain information concerning such safeguards.

We will not retain your Personal Data for longer than is necessary for the purposes for which it was collected, as required by law, and for the exercise or defense of any legal claims.

How, and With Whom, Is My Information Shared?

Some of the information collected through or in connection with the Services is shared with third parties.

Downloading CUSIP Data:

When you register for an Account, you accept additional terms which constitute an agreement with CUSIP Global Services ("CGS") on behalf of the American Bankers Association. You acknowledge therein that the following information will be provided to CGS in connection with your download of any CUSIP data: your username, firm name downloaded by you, email address and IP address. This information will be used for purposes of monitoring compliance with your agreement with CGS and will be stored securely in the United States. It may be reviewed and corrected by contacting

[email protected]

. For additional information about CUSIP customer privacy practices, please visit www.CUSIP.com.

Websites Hosted by Squarespace:

Some of our Websites are hosted via Squarespace, and for such Websites your Personal Data is processed by Squarespace, including for protection and improvement of Squarespace's services, as further described in Squarespace's

IP Address Information:

While we collect and store IP address information, that information is not made public. We do at times, however, share this information with third parties that provide us with certain services (each a "Service Provider" and collectively, "Service Providers"), including Google Analytics, and as otherwise specified in this Privacy Statement.

Aggregate Information:

We collect statistical information about how both unregistered and registered users, collectively, use the Services ("Aggregate Information"). Some of this information is derived from Personal Data. We may use this Aggregate Information for any purpose in connection with our business and may share Aggregate Information with our partners, Service Providers and other persons with whom we conduct business. We share this type of statistical data for purposes such as helping our partners and Service Providers to understand how and how often people use our Services and their services or websites, which facilitates improving both their services and how our Services interface with them. In addition, these third parties may share with us non-private, anonymized, aggregated or otherwise non Personal Data about you that they have independently developed or acquired.

Information Shared with Our Service Providers:

We may need to share Personal Data with our Service Providers in order for them to perform their services. Unless we tell you differently, our Service Providers do not have any right to use Personal Data or other information we share with them beyond what is necessary to assist us.

Information Disclosed Pursuant to Business Transfers:

In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party.

Information Disclosed for Our Protection and the Protection of Others:

We also reserve the right to access, read, preserve, and disclose any information as we reasonably believe is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request, (ii) enforce this Privacy Statement and our Terms of Use, including investigation of potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.

Information We Share:

Except as set forth herein, you will be notified when your Personal Data may be shared with third parties, and will be able to prevent the sharing of this information.

Is Information About Me Secure?

Your Account information will be protected by a password for your privacy and security. You need to prevent unauthorized access to your Account and Personal Data by selecting and protecting your password appropriately and limiting access to your computer and browser by signing off after you have finished accessing your Account.

We seek to protect your information, including your IP address information, to keep it private; however, as no data transmission over the internet can be guaranteed as 100% secure, we cannot guarantee or warrant the security of any information that you transmit to us. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

Our Legal Basis for Processing Your Personal Data

We will only process your Personal Data for the purposes set out below, to the extent necessary:

In order for your contract with us to be performed;
In order to comply with any legal or regulatory obligations; and
For our legitimate business interest in managing our business including legal, information technology, marketing, sales, administrative and management purposes and for the prevention and detection of crime and/or unauthorized use of the Services, provided our interest are not overridden by your interest.

Generally, we do not rely on consent as a legal basis for processing your Personal Data although we will get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us and as set out below.

What Information of Mine Can I Access?

If you are a registered user, you can access profile information associated with your Account by logging into the Services. Registered and unregistered users can access and delete cookies through their web browser settings.

What Choices Do I Have Regarding My Information?

You can use some of the informational and marketing features of the Services without registering, thereby limiting the type of information that we collect.
You can always opt not to disclose certain information to us, even though it may be needed to take advantage of some of our features.
You can disable your Account. If you decide to do this, email
[email protected]
. If you disable your Account, any association between your Account and information we store will no longer be accessible through your Account. However, any activity on your Account prior to disabling the Account and your contact information will remain stored on our servers. Any public comments you have made through the Services will remain accessible to the public. Please note that we will need to verify that you have the authority to disable the Account.

Additional Provisions in Respect of Individuals in the European Union and United Kingdom

You can object to the processing of your Personal Data where our legal basis for processing your Personal Data is our legitimate interests.
You can request access to a copy of your Personal Data held by us and details of the processing of your Personal Data by us. In the European Union (“EU”) and United Kingdom (“UK”), an initial copy of your Personal Data is provided free of charge, but we may charge a reasonable fee, based on administrative costs, for any further copies that you request.
You can ask to have your Personal Data corrected if it is inaccurate or incomplete.
You can request us to delete your Personal Data in certain circumstances.
You can restrict our processing of your Personal Data in certain circumstances, including where the processing is unlawful or no longer necessary.
You can ask us not to process your Personal Data for marketing purposes. If you do not want to receive newsletters, announcements, or other communications and/or services from us, please do not opt-in for those communications or services at the time of registration. If you have opted-in and, at a later time, wish to opt-out, please click on the unsubscribe link inserted in our communications or amend your preferences at
https://www.kbra.com/account-preferences/
. Along with every marketing email communication sent to you, we provide you the opportunity to discontinue receiving future communications (i.e., unsubscribe). Simply follow the unsubscribe process or directions provided in the email. You can also exercise the right at any time by contacting us at
[email protected]
.
You can object to any decision about you based solely on automated processing (including any profiling) that produces legal effects or otherwise significantly affects you.
You can complain to the relevant data protection supervisory authority, if you think that we are not complying with our obligations in relation to our processing of your Personal Data.
We may, from time to time, ask for your consent to our use of your Personal Data for a specific purpose. If you are an individual in the EU or UK, you have the right to withdraw your consent to that use at any time.

However, these rights may not be exercised in certain circumstances, such as when the processing of your Personal Data is necessary to comply with a legal obligation or for the exercise or defense of legal claims. If you wish to exercise any of your rights in this regard please email

[email protected]

. All requests will be dealt with promptly and any information to which you are entitled will be provided within a reasonable timeframe as required by applicable law, subject to the exemptions stipulated in applicable data privacy laws. We may request proof of identification to verify your request.

Additional Provisions in Respect of California Residents

If you are a resident of California, the CCPA provides you with specific rights regarding your Personal Data. These include:
1. The right to request a copy of the Personal Data we collected from you.
2. The right to request information about our collection and use of your Personal Data: (i) the categories of Personal Data we collected about you in the preceding twelve (12) months, (ii) the categories of sources from which your Personal Data was collected, (iii) the business or commercial purpose(s) for which your Personal Data was collected, (iv) the categories of third parties with whom we shared your Personal Data, and (v) the categories of Personal Data we disclosed for a business purpose in the preceding twelve (12) months and, for each category identified, the categories of third parties to whom we disclosed that particular category of Personal Data.
3. The right to request that we delete your Personal Data, subject to certain exceptions.
To exercise the rights described above, it may be necessary for us to verify your identity or authority to make the request and confirm the Personal Data relates to you. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Data. If you are making the request yourself, we will verify your identity through our existing authentication practices for your password-protected account. We will not discriminate against you for exercising any of your privacy rights under the CCPA or applicable law.
During the past twelve (12) months, we collected from California residents the categories of Personal Data described above under “What Information Do We Collect?” and disclosed such Personal Data to third parties for the purposes specified above under “How, and With Whom, Is My Information Shared?”.
We do not sell your Personal Data.
You may exercise any of the rights described in this section by (i) clicking
here
and completing the form at such link; (ii) submitting a written request to (a) Legal Department at Kroll Bond Rating Agency, 805 Third Avenue, 29th floor, NY, NY 10022 or (b)
[email protected]
, or (iii) calling
(646) 731-1240
.

What Happens When There Are Changes to this Privacy Statement?

We may amend this Privacy Statement from time to time. Use of information we collect now is subject to the Privacy Statement in effect at the time such information is collected. If we make any material changes in the way we collect or use Personal Data, we will notify you by posting an announcement on the Services or sending you an email.

What If I Have Questions or Concerns?

If you have any questions or concerns regarding privacy using the Services, please send us a detailed message to

[email protected]

. We will make every effort to resolve your concerns.

Effective Date: June 29, 2022