Privacy notice

Last updated and effective: March 17, 2026.

We, McKinsey & Company, United States, and its subsidiaries and affiliates, understand that your privacy is important to you. We are committed to respecting your privacy and protecting your personal data. This privacy notice describes how we handle and protect your personal data (the “Privacy Notice”) when we collect it through McKinsey’s websites, applications, and digital assets (collectively, our “Sites”) and through our externally facing business activities, such as service offerings, events, surveys, and communications, when we interact with you and collect data from you for use by and on behalf of McKinsey (i.e., when McKinsey is acting as a data controller or similar term under applicable privacy law).

Depending upon the nature of your relationship with McKinsey, additional or different privacy notices may apply to you as described below:

• Our Recruiting Privacy Notice, if you are applying for a position with McKinsey.
• Our Alumni Privacy Notice for McKinsey alumni.
• Our Solutions Privacy Notice, if you are using McKinsey solutions on your employer’s behalf.

If you are an employee of a McKinsey client or a McKinsey service provider, we may receive your personal data from your employer. Our use of your personal data is governed by our agreement with your employer.

Please note that the rules and regulations implementing various data privacy laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these rules and regulations are finalized.

If you are a California resident, please see our specific privacy information for you below.

For the purposes of this Privacy Notice, personal data means information about an identified or identifiable individual (collectively, “personal data”), and does not include information that cannot be attributed to an identifiable individual, such as information of an anonymous nature (collectively, “anonymous data”). You are not required to share your personal data with us, but failing to do so may result in McKinsey being unable to properly provide you with our full range of services or a good user experience with our solutions, websites services or newsletters.

By accessing our Sites or utilizing the external facing features or activities described above, you confirm that you have read and understand the terms of this Privacy Notice. If you do not understand or agree with any part of this Privacy Notice, please refrain from using our Sites or our business features or activities and contact us for clarification before proceeding.

See our terms of use for more information about other terms and policies applicable to the use of our Sites.

Contents

1. Data controller

2. How do we collect your personal data?

3. Why and how are we using your personal data?

4. What do we not do when we collect and process your personal data?

5. Who has access to your personal data? Data recipients and international data transfers.

6. Security

7. How long do we keep your personal data?

8. Data collection from children

9. What are your data protection rights, and how can you exercise them?

9.1. Your data protection rights.

9.2. How do you exercise your data protection rights?

9.3. How to unsubscribe to McKinsey newsletters and alerts?

10. Third party websites and apps

11. Changes to this Privacy Notice

12. Contact us

1. Data controller

“McKinsey” refers to the McKinsey & Company family of commonly owned affiliates. While our affiliates engage in a number of business activities and have different entity names, they all share the “McKinsey,” “a McKinsey company,” “by McKinsey,” or “acquired by McKinsey” branding or sub-logo, and they all follow, and are covered by, this Privacy Notice.

When McKinsey collects and processes your personal data in accordance with this Privacy Notice, we do so as authorized under applicable data privacy laws, whether as data controller or joint controller (similar terms may be used under applicable law), which means that we determine and are responsible for how your personal data is collected, used, protected, disclosed, and disposed of.

Depending on the jurisdiction you are located in or made contact with McKinsey, the local McKinsey entity may be your main data controller.

2. How do we collect your personal data?

McKinsey collects personal data in the course of our business activities directly from you and from third parties:

• McKinsey collects personal data about you in the course of our routine business activities:
  • When you interact with our Sites, including when you manage your cookie preferences, as described in our Cookie Notice
  • When you use McKinsey Insights and any other McKinsey mobile apps
  • When you create or log into a user profile in our Sites;
  • When you register to receive McKinsey newsletters and alerts and when you interact with those newsletters and alerts;
  • When you sign up for and participate in McKinsey conferences and events;
  • When you participate in public content posting areas, such as bulletin boards, discussion forums, and McKinsey social media sites;
  • When you participate in a survey, panel discussion, or individual discussion conducted by McKinsey; or
  • When you interact with McKinsey or its employees on its Sites, by email, or telephone, to ask a question, request information, or otherwise seek a response from McKinsey.
• McKinsey may also receive personal data about you from third parties, including service providers and data vendors in the course of our business activities. When we collect personal information from third parties, the data consists primarily of publicly available personal information compiled from business websites, public-facing social media platforms, and other widely used public sources. We also acquire anonymized datasets from certain service providers that we maintain in anonymized form. In each instance, we do our best to confirm that the third party has lawfully collected the data from appropriate sources and is authorized to share the data with McKinsey for the uses intended by McKinsey in accordance with section three below.

Sensitive personal data – We may also collect sensitive personal data directly from you, for instance when you respond to a survey or panel discussion conducted by McKinsey and provide us with demographic or other personal data or when you provide information to permit us to accommodate your specific request at a conference or event. We use sensitive personal data only with your consent unless another legal basis exists (e.g., public health requirements). When we collect and use sensitive personal data for research, data analysis, and statistical purposes, we use it to produce reports and publications based on anonymized datasets.

We may combine personal data that we receive directly from you with personal data that we receive from third parties, to the extent that all such collection and use of personal data and sensitive personal data is consistent with this Privacy Notice and with the purposes and data access as described in section three below. When we combine anonymized data with personal data, we treat the combined information as personal data.

3. Why and how are we using your personal data?

McKinsey uses your personal data for different purposes and may combine data from multiple sources to accomplish those purposes. We strive to uphold data minimization principles and only seek to collect personal data from you for the purposes described in this Privacy Notice. The table below summarizes the purposes for which we process your personal data, the categories of personal data that we use for each purpose, and the legal grounds on which each data processing activity is based, along with who has access to the personal data.

Managing our business relationship with you

• Purpose: As an employee of a McKinsey client, you receive information regarding our services and solutions, including proposals, invoices, etc.
• Categories of personal data: Name, pronouns, email, location, professional or employment related information like job title, position, or employer.
• Legal basis for use: Legitimate interest for the provision of services.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

McKinsey.com account

• Purpose: If you create an account in Mckinsey.com, you receive access to newsletters, alerts, unlimited articles download and personalized content in our application.
• Categories of personal data: User ID, password; name, pronouns.
• Legal basis for use: Your consent, when creating a user profile.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Newsletters and alerts

• Purpose: If you register for McKinsey newsletters and alerts, you receive business, management, or industry-specific information.
• Categories of personal data: User ID, pronouns, name and email address, phone number.
• Legal basis for use: Legitimate interest for the provision of our services.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Conferences and events

• Purpose: Sign up for and process your requests to participate in conferences and events, including webcasts.
• Categories of personal data: Name, pronouns, email, location, professional or employment-related information like job title, position, employer, dietary information, or health-related information to accommodate for any special requirements, including disabilities, or authorizations for audio and video material if we are taking pictures or videos.
• Legal basis for use: Legitimate interest to provision you access to our conferences and events and based on your consent, where legally required, when signing up for conferences and events with regards to participating in audio or video, webcasts or other media events.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Public user posts and surveys

• Purpose: Participate in public user posting areas, including bulletin boards and discussion forums, and participate in surveys for research or other business-related purposes. For each survey, we provide you with specific information concerning which personal data is collected and how the processing activity is carried out.
• Categories of personal data: Your personal preferences and information you provide about you, comments, statements, or posts.
• Legal basis for use: Your consent provided when posting in such forums and participating in surveys.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Benchmarking and analytics

• Purpose: Conduct benchmark and data analytics activities, such as analysis of recruiting practices across an industry, detecting fraud patterns in connection with financial transactions, and consumer traffic in retail environments.
• Categories of personal data: Specific business information related to you, location, behavioral data, etc.
• Legal basis for use: Our legitimate interest in doing research and analytics activities as part of our business and, when needed, your consent to McKinsey or the third parties that provide us with the information.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Maintain and provide McKinsey’s services

• Purpose: Provide our services or products to our clients, including benchmarking products.
• Categories of personal data: Access data, email, and your name for communication with you, preferences on website or app use, etc.
• Legal basis for use: Legitimate interest in promoting and protecting McKinsey, provision of our services and building and maintaining relationships.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Legal compliance and legal actions

• Purpose: Comply with all applicable regulations, exercise legal actions and legal defense at courts, prevent fraud, and enforce McKinsey’s agreements, this Privacy Notice, the Cookie Notice, and our terms of use, as well as complying with corporate reporting obligations.
• Categories of personal data: Data will depend upon specific legal requirement.
• Legal basis for use: Compliance with all applicable laws and regulations.
• Data access: McKinsey subsidiaries and affiliates and third-party service providers as disclosed in section five of this Privacy Notice.

Applications security and data analytics.

• Purpose: Collect data from your use of our applications, websites, and services to analyze user activity, fix errors, monitor usage, and improve the security and performance of our websites, service, & mobile applications. For example, McK receives reports on some of our mobile applications’ aggregate usage and browsing patterns. McKinsey also receives reports on errors occurring within mobile applications.
• Categories of personal data: Aggregated data on browsing patterns and mobile app usage, including information about the type of device used, articles accessed, and other events occurring within our apps.
• Legal basis for use: Legitimate interest to improve functionality and ensure security of users’ data and our business.
• Data access: McKinsey may use third-party service providers as disclosed in section five below.

McKinsey Insights app

• Purpose: Offer, via McKinsey Insights app a personalized list of recommendations (called “Insights for you”) directing you to McKinsey content that we think you will find interesting.
• Categories of personal data: Recommendations are based solely on what you have viewed in the Insights app. A unique user identifier that is generated by the app helps personalize your app experience and tracks the articles that you read in the app.
• Legal basis for use: Legitimate interest for the provision of our services and running our business.
• Data access: We do not share your viewing history or trends through the Insights app with other users or any external third parties (i.e., persons or entities that are not affiliates or third-party service providers of McKinsey).

Aggregation, anonymization, and deidentification of your data

• Purpose: Aggregate, deidentify, or anonymize your personal data so that, depending on and in compliance with applicable law, your data is no longer considered as personal data. We may use anonymized data for the provision of our services, including research or statistical analysis, and may share such data with our clients or other business parties.
• Categories of personal data: All of the categories of personal data listed in this section.
• Legal basis for use: Legitimate interest for the provision of our services and to protect your privacy.
• Data access: See section four below. McKinsey maintains anonymized personal data in anonymized form and does not use or permit others to use anonymized data in any way that would identify or reidentify individuals in the data set.

Marketing and targeted advertising

• Purpose: Based on your preferences and opt in, we may send you targeted advertisements, including newsfeeds or updates about McKinsey in relation to your interests. You can opt out of those communications at any time.
• Categories of personal data: Name, email address, IP address, title, company.
• Legal basis for use: Your consent when accepting the cookie banner or when signing up for newsletters, events, and similar activities.
• Data access: McKinsey subsidiaries and affiliates, advertising partners, and third-party service providers, as disclosed in section five of this Privacy Notice.

Whenever the legal ground is our legitimate interest, McKinsey only processes your personal data after assessing the adequacy, proportionality, and legitimacy of the data-processing activity.

If consent is the legal basis for processing and you have subsequently withdrawn it, we may not be able to properly provide you with our full range of services and good user experience.

McKinsey does not use automated decision making to make decisions that have a legal impact on you or that significantly affect your rights and liberties. All automated processing activities are conducted with appropriate human supervision and review.

McKinsey’s use of cookies and other tracking technologies. McKinsey may use first- and third-party cookies, pixel tags, web beacons, and other similar technologies, to gather information on our digital properties. This information is used for a variety of purposes, such as to manage our Sites and services, collect analytics about how you use our Sites and Services, or to provide targeted advertisements on our Sites or on other websites that may be of interest to you. The use of these technologies and tools for advertising may be considered a “share” and/or “targeted advertising” under certain US state laws. McKinsey may also collect information about whether you open or click any links in the knowledge, research, or event communications that we send you. You have options regarding our use of cookies and other tracking technologies. Please refer to our Cookie Notice and “Your data protection rights” section below for more details and to manage your choices. There is no industry standard for how Do Not Track consumer browser settings should work on commercial websites and therefore, due to the lack of such standards, our Sites and services do not currently change the way they operate upon detection of a Do Not Track setting.

In addition, we use tools and applications that reduce security threats and reduce the risk of access by bots and automated devices, but we do not use those tools and applications for non-security purposes.

4. What do we not do when we collect and process your personal data?

We do not use personal data for the purpose of profiling that produces significant effects.

We do not acquire, use, or allow others to use anonymous data with the intent of identifying or reidentifying individuals. When we receive anonymous data or transform personal data that we have collected into anonymous data, we make the following commitments:

• McKinsey will maintain anonymous data in anonymized form.
• Except to the extent necessary to confirm that personal data has been transformed into anonymous data, McKinsey will not attempt to identify or reidentify specific individuals within a anonymized dataset or otherwise use anonymous data to attempt to associate specific individuals with individual characteristics and will not permit any entity or individual acting on McKinsey’s behalf to do so.
• To the extent, if any, that McKinsey provides access to or otherwise discloses a anonymized dataset to a non-McKinsey recipient, for example, a service provider or a client, it will require each such recipient to agree to maintain the anonymous data in its anonymized form and not attempt, or permit others to attempt, to identify or reidentify specific individuals within the anonymized dataset or otherwise use anonymous data to attempt to associate specific individuals with individual characteristics.

5. Who has access to your personal data? Data recipients and international data transfers

We do not sell personal data to third parties for monetary or other valuable consideration, but we may share your personal data with third parties for targeted advertising and cross-context behavioral advertising.

Personal data collected in the course of McKinsey business activities may be transferred and made available to McKinsey entities, service providers, and third parties as necessary to accomplish the specific business purposes for which the personal data were collected and to support our interactions with you, and otherwise as required to comply with applicable law. The McKinsey entity that collects your personal data may provide access to and transfer your data to the following categories of data recipients, for the business purposes described in section three, above:

• To McKinsey’s subsidiaries and affiliates and personnel across our global organization.
• To McKinsey’s service providers and personnel.
• To McKinsey’s advertising vendors and partners that support our marketing efforts, including for purposes of behavioral and targeted advertising.
• To McKinsey’s legal and professional advisors.
• To third parties in the following circumstances:
  • If we are required to do so by law or legal process;
  • To law enforcement authorities or other government officials pursuant to lawful request;
  • When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity;
  • If disclosure is necessary to protect the vital interests of a person;
  • To enforce our terms of use
  • To protect our property, services, and legal rights;
  • To prevent fraud against McKinsey, our subsidiaries, affiliates and/or business partners;
  • To aid in McKinsey’s investigation of an actual or suspected security incident, such as a breach involving confidential information or personal information or a violation of McKinsey policy;
  • To support auditing, compliance, and corporate governance functions;
  • To comply with any and all applicable laws.
• To a successor or different business entity in the event of a reorganization, merger, sale, joint venture, assignment, or other transfer or disposition of all or any portion of our business.

Since McKinsey is a global organization, the affiliates and service providers to which we transfer your personal data may be located in countries which may have different data protection laws than those in your country of residence. To protect personal data that is transferred internationally, McKinsey complies with all applicable data transfer laws and will implement safeguards to protect your personal data across McKinsey’s global operations. Where required by law, McKinsey has put in place legal mechanisms, which include EU’s Standard Contractual Clauses, that are designed to ensure appropriate data protection of your personal data that is processed by McKinsey subsidiaries, affiliates, and third-party service providers.

6. Security

McKinsey protects and safeguards your personal data globally, in accordance with applicable law, our privacy and data security policies, and this Privacy Notice. We use generally accepted standards of technical and operational security to protect your personal data against accidental or unlawful loss, misuse, alteration, or destruction, in consideration of the risks associated with the personal data and its processing, and we require the same level of protection and safeguarding from our subsidiaries and affiliates, our service providers, and third parties. Only authorized personnel of McKinsey and of our service providers are permitted to access personal data, and these employees and service providers are required to treat this information as confidential. Despite these precautions however, McKinsey cannot guarantee that unauthorized individuals will not obtain access to your personal data.

7. How long do we keep your personal data?

McKinsey keeps your personal data only as long as necessary to accomplish the business purposes for which it was collected, to meet our legal or contractual obligations, and in compliance with McKinsey’s data-retention policy. We will securely delete your personal data promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.

If you request that we delete your personal data, McKinsey will comply with applicable law and will make reasonable attempts to delete all instances of the personal data, subject to our right to keep a copy of such data for the purposes mentioned above. For requests for access, corrections, or deletion, especially where the processing is based on your consent, please refer to section nine of this Privacy Notice.

8. Data collection from children

McKinsey does not intentionally use its Sites and business content to collect or maintain personal data from children or individuals under the age of 16. To the extent that any of our non-site business activities may involve collecting or maintaining personal data from or about children or individuals under the age of 16, we would do so only with the required legal consent from the parent, guardian, or individual and in accordance with applicable law. Individuals who are children or those under the age of 16 should not attempt to provide us with any personal data. If you think we have received personal data from children or those under the age of 16, please contact us immediately.

9. What are your data protection rights, and how can you exercise them?

9.1. Your data protection rights.

Subject to the local data privacy laws in your jurisdiction, including exceptions, you may have the following rights with regard to the personal data that we collect about you:

• Right to request information about the personal data that we hold about you, including information about how we use your personal data, who has access to it, and the terms under which third parties have access to your personal data;
• Right to request a copy of the personal data that we hold about you;
• Right to request portability of your data to permit you to provide a copy of your personal data in a structured, commonly used, and machine-readable format and to transmit that personal data to another controller;
• Right to request that we correct or otherwise amend your personal data if it is not correct or otherwise not complete, timely, and accurate for the purposes for which we are using it;
• Right to request deletion of your personal data;
• Right to request that we cease processing or restrict or limit the processing of your personal data;
• Right to withdraw your consent to our processing of your personal data where the basis of our processing is your consent;
• Right to opt out of the processing of your personal data for targeted advertising/sharing of your personal data for purposes of cross-context behavioral advertising;
• Right to not be discriminated against for exercising your individual rights regarding your personal data;
• Right to request review by McKinsey’s Global Protection Officer and, if applicable, McKinsey’s data protection officer for your jurisdiction, of our response to your request to exercise your individual data protection rights; and
• Right to seek additional legal remedies regarding our response to your request to exercise your individual data-protection rights, depending upon your jurisdiction, by lodging a complaint with your data-protection authority or initiating a legal proceeding

Certain US residents also have the right to appeal our decision to your request regarding your personal data. We respond to all appeal requests as soon as we reasonably can, and no later than legally required. See the appendix below for our appeal process.

9.2. How do you exercise your data protection rights?

You can contact the Data Protection Officer for your jurisdiction at Privacy@mckinsey.com.

If you would like to exercise your data protection rights regarding your personal data, you can do so by:

• Completing the data-subject request form.
• Emailing your request to us at: DataSubjectRights@mckinsey.com
• For requests from US residents, call us at +1 (844) 582-3015.
• For opt out requests, please click the “Your Privacy Choices” link on the applicable homepage. We also recognize Global Privacy Control (GPC) signals and other user-enables opt-out preference signals as valid opt-out requests where required by applicable law. Please note that your opt-out preference signal will be applied only to your current browser and device. To learn more about the GPC, you can visit its website here.

Upon receipt of your request to exercise your data-protection rights, we will acknowledge receipt within the time period required by applicable law and provide you with information about the next steps in the process and the timing. Depending upon the nature of your request, we may take reasonable steps to verify your identity before acting on certain data protection rights, in accordance with applicable law. This process may require us to request additional personal data from you, including, but not limited to, your email address, mailing address, and/or date of last interaction with us. In certain circumstances, we may decline a request to exercise a privacy right, particularly where we are unable to verify your identity.

You may designate an authorized agent to submit a request on your behalf. To designate an authorized agent, you must (1) verify your own identity directly with us; and (2) provide the authorized agent with written documentation of their authority to act on your behalf, such as a power of attorney or sufficient evidence to show that you have provided the authorized agent signed permission to act on your behalf. We may request further evidence of the agent’s right to act on your behalf, including contacting you to verify the request. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

Please note that applicable laws include exceptions to assertions of data protection rights that may prevent us from providing access to your personal data or otherwise fully complying with your request. If we believe exceptions apply, we will respond to your request to the extent we are able to do so, and we will provide an explanation of the basis for not complying wholly or partially with your request.

9.3. How to unsubscribe to McKinsey newsletters and alerts?

If you receive McKinsey newsletter or alerts, or if you receive invitations to surveys or events from McKinsey and if you would prefer not to receive future email communications from us, you may unsubscribe by:

• Clicking on the link in an email you have received from us.
• If you have an account on McKinsey.com, editing the communications preferences in your account;
• Emailing us at Global_Unsubscribes@mckinsey.com

10. Third party websites and apps

Our Sites and services may contain links to other websites or apps operated by third parties. Please be advised that the practices described in this Privacy Notice do not apply to information gathered through these third-party websites and apps. We have no control over, and are not responsible for, the actions and privacy policies of third parties and other websites and apps.

11. Changes to this privacy notice

McKinsey reserves the right to modify this Privacy Notice as required by changes to our business processes or applicable law. We will post any changes to our Privacy Notice on this page. Please check this page regularly to keep up-to-date.

12. Contact us

We welcome questions, comments, and feedback on this Privacy Policy and our management of personal data. If you have questions, concerns, or feedback, you can always contact us using the information below. For your protection, we may need to verify your identity before assisting with your questions, comments, or feedback.

• Email: Privacy@mckinsey.com
• Phone: +1 (844) 582-3015
• Mail:
  • McKinsey & Company
    Attn: Privacy
    1200 19th St NW STE 1000
    Washington, DC 20036

Your California Privacy Rights Appendix

This appendix seeks to provide additional information to residents of California and supplements the information provided in the Privacy Notice.

As disclosed above, we do not “sell” personal data as that term is defined under California privacy law, but we may share personal data with third parties for cross-context behavioral advertising. However, we do not share personal data with third parties for their own direct marketing purposes without your consent. We do not purposefully “sell” or “share” the personal data of individuals under the age of 16. California residents under 18 years old, in certain circumstances, may request and obtain removal of personal data or content that you have posted on our Sites. Please be mindful that this would not ensure complete removal of the content posted by you on our Sites.

To learn more about the categories of personal data we collect, how we collect it, why it is collected, with whom we share it, and how long we retain it, please see the items below. Please see the instructions provided above in order to submit a privacy right request.

US Privacy Rights Appeal Appendix

Certain US residents have the right to appeal our decision regarding their privacy rights if they have submitted a request (e.g., to access, delete, or correct your information) and we have denied it, either in whole or in part. We are committed to addressing appeals in a transparent and timely manner.

We encourage you first to discuss relevant issues with our legal team, who may resolve the issue so that you do not have to formally initiate the appeals process. Our legal team will consider your perspective and seek to address your concerns in accordance with our company policies and applicable law. To contact our legal team, please email privacy@mckinsey.com.

Appeal Process

1. Submit your appeal

• Email the following information to datasubjectrights@mckinsey.com with the subject line “Notice of Appeal”:
• Your name and contact information.
• A copy of the original request you submitted.
• Any correspondence or communications related to your original request.
• The remedy that you seek by appealing.
• The reason for your appeal (e.g., why you believe the decision should be reconsidered).
• Please also provide any documentation necessary to validate the claims you are making in the appeal.

2. Acknowledgement of appeal

• You will receive a confirmation email acknowledging receipt of your appeal within ten (10) business days.
• This acknowledgement may contain requests for additional information to help us properly investigate or adjudicate the appeal. Your failure to provide substantive responses to our requests may materially impact our ability to investigate and/or adjudicate the relevant issue.

3. Investigation

• Your appeal will be reviewed and investigated by members of our Privacy Legal Team who were not involved in the original decision, based on the information and documentation you have provided.
• We will evaluate all relevant facts and applicable laws during the review process.

4. Notification of outcome

• Following the investigation, we will reach a determination of your appeal, which may include modifying or upholding the original decision.
• We will notify you of our determination in writing within sixty (60) days of receipt of your written notice of appeal, and we will include the explanation for our determination of your appeal. If we deny your appeal, you may file an appeal with the relevant regulator.

Scope of Appeal

The appeal will review whether the decision made by the privacy team that you appealed was fair and consistent with applicable privacy law. You may only appeal a decision that applies to your personally unless you are otherwise authorized to act on another person’s behalf, in which case you must provide evidence that you are authorized by the person on whose behalf you have submitted an appeal.

The appeal will focus exclusively on the decision being appealed. Broader issues related to our company policies, management style, or other issues will not be considered as part of the appeal.

Withdrawal of Appeal

You may withdraw or end your appeal at any time by providing us with written notice.

No Discrimination

We do not discriminate against any person who initiates an appeal.

Record Keeping

We will retain a record of your appeal, including the final determination, in accordance with applicable laws and our record retention policies.