McKinsey Solutions Privacy Notice

Last updated and effective: April 2026

This Solutions Privacy Notice explains how McKinsey & Company, Inc. United States and its subsidiaries and affiliates process personal data that we obtain from your access to and use of our proprietary data- and analytics-driven tools, employee trainings and workshops, digital learnings, surveys, and solutions, including those described at https://www.mckinsey.com/solutions (the “Solutions”), to perform benchmarking, research, development, and related activities, and as authorized under applicable data privacy laws (the “Privacy Notice”). This Privacy Notice also applies to any personal data we collect through surveys or feedback you provide in relation to the Solutions.

If you are accessing these Solutions in connection with services that McKinsey is providing to the organization with whom you are associated with or employed by (“Your Organization”), McKinsey has executed a licensing or consultancy agreement for the provision of professional services (the “Solution Agreement”), and those contract terms and Your Organization’s privacy practices control the personal data processed on behalf of Your Organization. This Privacy Notice supplements any notice that you may receive from Your Organization, and it applies solely to McKinsey’s use of your personal data for its own purposes as described in this Privacy Notice.

If you are a California resident, please see our specific privacy information for you below.

For the purposes of this Privacy Notice, personal data means information about an identified or identifiable individual (collectively, “personal data”), and does not include information that cannot be attributed to an identifiable individual, such as information of an anonymous nature (collectively, “anonymous data”). You are not required to share your personal data with us, but failing to do so may result in McKinsey being unable to properly provide you with our full range of services or a good user experience with our Solutions.

By accessing our Solutions, you confirm that you have read and understand the terms of this Privacy Notice. If you do not understand or agree with any part of this Privacy Notice, please refrain from using our Solutions and contact us for clarification before proceeding.

“McKinsey,” “Firm,” or “we” refers to the McKinsey & Company group of commonly owned affiliates. While our affiliates engage in a number of business activities and have different entity names, they all share the “McKinsey,” “a McKinsey company,” “by McKinsey,” or “acquired by McKinsey” branding or sub-logo, and they all follow, and are covered by, this Privacy Notice.

Depending upon the nature of your relationship with McKinsey, additional or different privacy notices may apply to you as described below:

Our McKinsey.com Privacy Notice, if you using or accessing our websites, applications, digital assets, events, surveys, or communications.
Our Recruiting Privacy Notice, if you are applying for a position with McKinsey.
Our Alumni Privacy Notice for McKinsey alumni.
Our Forward Privacy Notice, if you are participating in the Forward program.

1. How do we collect your personal data when we are acting as a processor?

We may collect and process personal data about you for the purpose of providing services to, and on behalf of, Your Organization (our client), either from Your Organization, from a third party identified by Your Organization, or directly from you, including via surveys, questionnaires or other information-gathering tools supplied by Your Organization or by us. If we do so, McKinsey acts as a data processor on behalf of Your Organization. This personal data may include, without limitation, business contact information such as your name, professional email address, or employee ID, job role, department, or reporting line, (“Business Contact Information”); demographic and other professional information such as work history and education; finance-related information such as compensation and benefits, performance ratings; progress and proficiency data such as assessment scores, course completion rates and performance metrics, course evaluations, survey and discussion responses; technical information related to systems and devices, such as IP address information, log-in information, account information, usage metrics, browser telemetry (e.g., type, version), time stamps; and other personal data similar to the foregoing. Please note that McKinsey is not be responsible or liable for the use of such information by Your Organization (e.g., making certain of your personal data visible to other members of Your Organization or third parties (such as other participants in your learning session)), and such use is subject to Your Organization’s policies (including privacy policies) that are applicable to you.

2. How and what categories of personal data do we collect when we act as a data controller, for what purpose(s) and who has access to your personal data?

McKinsey may act as a data controller to the extent that we process your personal data in connection with your use of the Solutions or your participation in McKinsey’s surveys or questionnaires, including log-in and Business Contact Information to allow you to set up a user account to use and access the Solutions; personal data that we collect for security purposes (e.g., device information, IP address, and log data) to provide technical support and maintenance support; and to improve our services and Solutions, such as your usage data while using the Solutions.

As a data controller, we use this personal data for our own business purposes, including (subject to our obligations to Your Organization) for providing our services to our clients, benchmarking, impact tracking and analysis (e.g., counting in and across Solutions the number of total users who have taken a course or used a Solution), research and reporting, product or business development purposes, and further developing, improving, securing and optimizing Solutions usage, performance, features, and functionality. In certain situations, we may collect sensitive personal data (e.g., biometric data, health related information, sexual orientation, data about ethnicity, race, religion or philosophical beliefs, political opinion, trade union membership) directly from you, for instance when you respond to a survey conducted by McKinsey and provide us with demographic or other personal data, for research, data analysis or statistical purposes. We use sensitive personal data only with your consent unless another lawful basis exists (e.g., public health requirements). We may combine personal data that we receive directly from you with personal data that we collect through your use of McKinsey’s website or other client services (including your use of other Solutions) or that we receive from third parties, including Your Organization. When we combine anonymized data with personal data, we treat the combined information as personal data. All collection and use of personal data and sensitive personal data will be based on our privacy notices and with the purposes and access described therein, unless otherwise stated to you in a supplementary notice at the time of the collection.

The table below summarizes the purposes for which McKinsey processes your personal data as a data controller, the categories of personal data that we use for each purpose, and the legal grounds on which each data processing activity is based, along with who has access to the personal data. We strive to uphold data minimization principles and only seek to collect personal data from you for the purposes described in this Privacy Notice.

Purpose		Categories of personal data	Legal basis for use	Data access
Benchmarking and analytics	We do benchmark, data analytics, and reporting activities, such as the analysis of inputs, usage, and performance metrics of our Solutions across industries, users, and our clients, including Your Organization. This may include analyzing the change in certain metrics for the users or our clients of the Solutions. Where we provide analytics or reports, we only do so after we have sanitized or aggregated the data, except for the data provided to Your Organization at their direction.	Specific business information related to you, your professional background and role, location, access, inputs, usage, and behavioral data or similar information (like your productivity, progress, and proficiency data).	Legitimate interest in doing research, analytics, improving our services, and reporting activities as part of our business and, when needed, your consent to McKinsey or to the third parties that provide us with the information (such as Your Organization).	McKinsey subsidiaries and affiliates, our clients, including Your Organization, and third party service providers as disclosed in our McKinsey.com Privacy Notice.
Provision, operation, and improvement of McKinsey’s services and Solutions	Provide our services or products to our clients, including benchmarking products. This includes the operation, maintenance, and improvement of the services and Solutions, and if you use multiple Solutions, combining your usage and behavioral data from those Solutions to improve our services or products. This may include identifying other courses, services, or offerings of McKinsey that may be of interest to you or current or prospective users or clients.	Access, inputs, usage data, including behavioral data, email, name for communication with you, preferences on website or app use, or similar information (e.g., your productivity, progress, and proficiency data).	Legitimate interest in promoting and protecting McKinsey, provision and improvement of our services and building and maintaining relationships.	McKinsey subsidiaries and affiliates, our clients, including Your Organization, and third party service providers as disclosed in our McKinsey.com Privacy Notice.
Compliance with laws, and exercise legal actions	Comply with all applicable regulations, exercise legal actions and legal defenses, prevent fraud, enforce McKinsey’s agreements, this Privacy Notice, the Cookie Notice and our terms of use and comply with our corporate reporting obligations.	Categories of data will depend on the particular regulation or request coming from a competent authority.	Compliance with all applicable laws and regulations.	McKinsey subsidiaries and affiliates and third party service providers as disclosed in our McKinsey.com Privacy Notice.
Applications, security, and Solutions performance	McKinsey may collect personal data from your use of our applications, websites and services to analyze user activity to fix errors, monitor usage, and improve the security and performance of our websites, services and Solutions and mobile applications. For example, McKinsey receives reports on some of our mobile applications’ aggregate usage and browsing patterns. McKinsey also receives reports on certain errors occurring within mobile applications.	Data on browsing patterns and mobile app usage, User ID/Name/Business email address and IP address including information about the type of device used, articles accessed, and other events occurring within our apps.	Legitimate interest to improve functionality and ensure security of users data and our business.	McKinsey subsidiaries and affiliates and third party service providers as disclosed in our McKinsey.com Privacy Notice.
Aggregation, anonymization, and deidentification of your data	McKinsey may aggregate, de-identify or anonymize your personal data so that, depending on the law, your data is no longer considered as personal data. We may use this anonymous data for the provision and improvement of our services, including training and improving artificial intelligence and other data models, building benchmark databases or creating reports on sanitized or aggregate trends and metrics, as well as tracking impact or usage of our Solutions like total number of users, assessing completion rates and/or analyzing assessment scores.	Access, inputs, usage data including behavioral data, productivity, progress, and proficiency data, or similar information.	Legitimate interest for the provision and improvement of our services and to protect your privacy.	McKinsey maintains anonymized personal data in anonymized form and does not use or permit others to use anonymized data in any way that would identify or reidentify individuals in the data set.

Please note that we may also process your personal data and transform it into anonymized or aggregated data, and we may use such data for our own legitimate business purposes.

Whenever the legal ground is our legitimate interests, McKinsey only processes your personal data after assessing the adequacy, proportionality, and legitimacy of the data processing activity. If legitimate interest is not a lawful basis in your particular jurisdiction, we process your personal data under another basis in accordance with applicable law.

If consent is the legal basis for processing, as required in certain jurisdictions, and you have subsequently withdrawn your consent, it may impact the functionality and may affect your experience with or ability to use our Solutions.

McKinsey does not use automated decision making to make decisions that have a legal impact on you or that significantly affect your rights and liberties. All automated processing activities are conducted with appropriate human supervision and review.

McKinsey’s use of cookies and other tracking technologies. McKinsey may use first- and third-party cookies, pixel tags, web beacons, and other similar technologies, to gather information on our digital properties. This information is used for a variety of purposes, such as to manage our websites and services, collect analytics about how you use our websites and services, or to provide targeted advertisements on our websites or on other websites that may be of interest to you. The use of these technologies and tools for advertising may be considered a “share” and/or “targeted advertising” under certain US state laws. You have options regarding our use of cookies and other tracking technologies. Please refer to our Cookie Notice and “Your data protection rights” section below for more details and to manage your choices. There is no industry standard for how Do Not Track consumer browser settings should work on commercial websites and therefore, due to the lack of such standards, our websites and services do not currently change the way they operate upon detection of a Do Not Track setting.

In addition, we use tools and applications that reduce security threats and reduce the risk of access by bots and automated devices, but we do not use those tools and applications for non-security purposes.

3. Data collection from children

McKinsey does not intentionally use its Solutions to collect or maintain personal data from children or individuals under the age of 16 and McKinsey does not knowingly provide services to anyone under the age of 16. To the extent that any of our Solutions may involve collecting or maintaining personal data from or about children or individuals under the age of 16, we would do so only with the required legal consent from the parent, guardian, or individual and in accordance with applicable law. Individuals who are children or those under the age of 16 should not attempt to provide us with any personal data. If you think we have received personal data from children or those under the age of 16, please contact us immediately.

4. What do we not do when we collect and process your personal data?

We do not use personal data for the purpose of profiling that produces significant effects.

We do not acquire, use, or allow others to use anonymous data with the intent of identifying or reidentifying individuals. When we receive anonymous data or we transform personal data that we have collected into anonymous data, we make the following commitments:

McKinsey will maintain anonymous data in anonymized form.
Except to the extent necessary to confirm that personal data has been transformed into anonymous data, McKinsey will not attempt to identify or reidentify specific individuals within a anonymized data set or otherwise use anonymous data to attempt to associate specific individuals with their individual characteristics and will not permit any entity or individual acting on McKinsey’s behalf to do so.
To the extent, if any, that McKinsey provides access to or otherwise discloses a anonymous data set to a non-McKinsey recipient, for example, a service provider or a client, McKinsey will require each such recipient to agree to maintain the anonymous data in its anonymized form and not attempt, or permit others to attempt, to identify or reidentify specific individuals within the anonymized dataset or otherwise use anonymous data to attempt to associate specific individuals with their individual characteristics.

5. Who has access to your personal data? Data recipients and international data transfers

We do not sell personal data to third parties for monetary or other valuable consideration, but we may share your personal data with third parties for targeted advertising and cross-context behavioral advertising.

Personal data collected in the course of McKinsey business activities may be transferred and made available to McKinsey entities, service providers, and third parties as necessary to accomplish the specific business purposes for which the personal data were collected and to support our interactions with you, and otherwise as required to comply with applicable law. The McKinsey entity that collects your personal data may provide access to and transfer your data to the following categories of data recipients, for the business purposes described section two above:

To McKinsey’s subsidiaries and affiliates and personnel across our global organization.
To McKinsey’s service providers and personnel.
To McKinsey’s advertising vendors and partners that support our marketing efforts, including for purposes of cross-context behavioral and targeted advertising.
To McKinsey’s legal and professional advisors.
To third parties in the following circumstances:
- If we are required to do so by law or legal process;
- To law enforcement authorities or other government officials pursuant to lawful request;
- When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity;
- If disclosure is necessary to protect the vital interests of a person;
- To enforce our Solutions Agreement or applicable terms of use;
- To protect our property, services, and legal rights;
- To prevent fraud against McKinsey, our subsidiaries, affiliates and/or business partners;
- To aid in McKinsey’s investigation of an actual or suspected security incident, such as a breach involving confidential information or personal information or a violation of McKinsey policy;
- To support auditing, compliance, and corporate governance functions; and
- To comply with any and all applicable laws.
To a successor or different business entity in the event of a reorganization, merger, sale, joint venture, assignment, or other transfer or disposition of all or any portion of our business.

Since you are using our Solutions on behalf of Your Organization, we may share your personal data with Your Organization, as agreed between Your Organization and us as in the Solution Agreement.

Since McKinsey is a global organization, affiliates, and service providers to which we transfer your personal data collected via the Solutions may be located in countries which may have different data protection laws than those in your country of residence. To protect personal data that is transferred internationally, McKinsey complies with all applicable data transfer laws and will implement safeguards to protect your personal data across McKinsey’s global operations. Where required by law, McKinsey has put in place legal mechanisms, which include Standard Contractual Clauses, that are designed to ensure adequate data protection of your personal data that is processed by McKinsey subsidiaries, affiliates, and third party service providers.

6. Security

McKinsey protects and safeguards your personal data globally, in accordance with applicable law, our privacy and data security policies, and this Privacy Notice. We use generally accepted standards of technical and operational security to protect your personal data against accidental or unlawful loss, misuse, alteration, or destruction, in consideration of the risks associated with the personal data and its processing, and we require the same level of protection and safeguarding from our subsidiaries and affiliates, our service providers, and third parties. Only authorized personnel of McKinsey and of our service providers are permitted to access personal data, and these employees and service providers are required to treat this information as confidential. Despite these precautions however, McKinsey cannot guarantee that unauthorized individuals will not obtain access to your personal data.

7. How long do we keep your personal data?

McKinsey keeps your personal data only as long as necessary to accomplish the business purposes for which it was collected, to meet our legal or contractual obligations (including those with Your Organization), and in compliance with McKinsey’s data retention policy. We will securely delete your personal data promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.

8. What are your data protection rights and how can you exercise them with us as the data controller?

8.1. What are your data protection rights?

Subject to the local data privacy laws in your jurisdiction, including exceptions, you may have the following rights with regard to the personal data that we collect about you:

Right to request information about the personal data that we hold about you, including information about how we use your personal data, who has access to it, and the terms under which third parties have access to your personal data.
Right to request a copy of the personal data that we hold about you.
Right to request portability of your data to permit you to provide a copy of your personal data in a structured, commonly used, and machine-readable format and to transmit that personal data to another controller.
Right to request that we correct or otherwise amend your personal data if it is not correct or otherwise not complete, timely, and accurate for the purpose(s) for which we are using it.
Right to request deletion of your personal data.
Right to request that we cease processing or restrict or limit the processing of your personal data
Right to withdraw your consent to our processing of your personal data where the basis of our processing is your consent.
Right to opt out of the processing of your personal data for targeted advertising/sharing of personal data for purposes of cross-context behavioral advertising.
Right to not be discriminated against for exercising your individual rights regarding your personal data.
Right to request review by McKinsey’s Global Privacy Officer and, if applicable, McKinsey’s data protection officer for your jurisdiction, of our response to your request to exercise your individual data protection rights.
Right to seek additional legal remedies regarding our response to your request to exercise your individual data protection rights, including, depending upon your jurisdiction, by lodging a complaint with your data protection authority or initiating a legal proceeding.

Certain US residents also have the right to appear our decision to your request regarding your personal data. We respond to all appeal requests as soon as we reasonably can, and no later than legally required. See the appendix below for our appeal process.

8.2. How do you exercise your data protection rights?

You can contact the Global Privacy Officer or the Data Protection Officer for your jurisdiction, at privacy@mckinsey.com.

If you would like to exercise your data protection rights regarding your personal data, you can do so by

completing the data-subject request form
Emailing your request to us at datasubjectrights@mckinsey.com;
For requests from US residents, call us at +1 (844) 582 3015.
For opt out requests, please click the “Your Privacy Choices” link on the applicable homepage. We also recognize Global Privacy Control (GPC) signals and other user-enables opt-out preference signals as valid opt-out requests where required by applicable law. Please note that your opt-out preference signal will be applied only to your current browser and device. To learn more about the GPC, you can visit its website here.

Upon receipt of your request to exercise your data protection rights, we will acknowledge receipt within the time period required by applicable law and provide you with information about the next steps in the process and the timing. Depending upon the nature of your request, we may take reasonable steps to verify your identity before acting on certain data protection rights, in accordance with applicable law. This process may require us to request additional personal data from you, including, but not limited to, your email address, mailing address, and/or date of last interaction with us. In certain circumstances, we may decline a request to exercise a privacy right, particularly where we are unable to verify your identity.

You may designate an authorized agent to submit a request on your behalf. To designate an authorized agent, you must either (1) provide the authorized agent with a power of attorney that shall accompany the initial request; or (2) provide the authorized agent with any other written documentation of their authority to act on your behalf, provided that is sufficiently evidences that you have provided the authorized agent signed permission to act on your behalf, and verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

Please note that applicable laws include exceptions to assertions of data protection rights that may prevent us from providing access to your personal data or otherwise fully complying with your request. If we believe exceptions apply, we will respond to your request to the extent we are able to do so, and we will provide an explanation of the basis for not complying wholly or partially with your request.

9. Third party websites and apps

Our Solutions may contain links to other websites or apps operated by third parties. Please be advised that the practices described in this Privacy Notice do not apply to information gathered through these third-party websites and apps. We have no control over, and are not responsible for, the actions and privacy policies of third parties and other websites and apps. In addition, such links do not constitute or imply an endorsement, sponsorship, or recommendation by McKinsey of the third party, the third-party website, or the information contained therein.

10. Mobile platform providers

In addition, where you use the Solution through a website, application, or platform (“Platform") operated by a third-party (a "Mobile Platform Provider") where, for the purpose of your access to the Platform, you are required to share data to the Mobile Platform Provider, for example, to create user credentials allowing you to use their platform to access the Mobile Offering (e.g., logging into an app store), that personal data is stored outside of McKinsey's control and will be subject to the relevant Mobile Platform Provider’s own terms and privacy policies.

11. Changes to this privacy notice

McKinsey reserves the right to modify this Privacy Notice as required by changes to our business processes or applicable law. We will post any changes to our Privacy Notice on this page. Please check this page regularly to keep up-to-date.

Please note that the rules and regulations implementing various data privacy laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these rules and regulations are finalized.

12. User responsibilities and content guidelines

As part of your use of the Solutions covered by this Privacy Notice, you covenant that you shall not post or otherwise upload into the Solution any materials or content that (a) are illegal, threatening, libelous, defamatory, or obscene; (b) would constitute, or that encourage conduct that would constitute, a criminal offense, give rise to civil liability, or otherwise violate law; (c) infringe the intellectual property, privacy, or other rights of any third parties; (d) contain a computer virus or other destructive element; (e) contain advertising; (f) constitute or contain false or misleading statements; or (g) violates this Privacy Notice and/or Solution Agreement you entered into to access the Solution.

McKinsey does not, and cannot, review all of the content that has been posted, uploaded, and/or transmitted to a Solution by you (“Uploaded Content”). McKinsey reserves the right to modify and/or delete any Uploaded Content that violates this Privacy Notice and/or Solution Agreement. Further, McKinsey reserves the right to restrict or deny you access to a Solution if it is found that the Uploaded Content violates this Privacy Notice and/or Solution Agreement. At all times you remain solely responsible for any Uploaded Content.

If you become aware of any Uploaded Content that violates this Privacy Notice and/or your Solution Agreement or you wish to contest the removal of any Uploaded Content, you can reach out to McKinsey by emailing Privacy@mckinsey.com. Please make sure the subject line contains the following, “Improper Content Identification” or “Contesting Content Removal”. Failure to include one of those two phrases in the subject line will greatly increase the time it takes for McKinsey to respond to your request.

13. Contact us

We welcome questions, comments, and feedback on this Privacy Notice and our management of personal data. If you have questions, concerns, or feedback, you can always contact us using the information below. For your protection, we may need to verify your identity before assisting with your questions, comments, or feedback.

Email: Privacy@mckinsey.com
Phone: +1 (844) 582-3015
Mail: McKinsey & Company Attn: Privacy 1200 19th St NW STE 1000 Washington, DC 20036

Your California Privacy Rights Appendix

This appendix seeks to provide additional information, when we act as a business or data controller, to residents of California and supplements the information provided in the Privacy Notice.

As disclosed above, we do not “sell” personal data as that term is defined under California privacy law, but we may share personal data with third parties for cross-context behavioral advertising. However, we do not share personal data with third parties for their own direct marketing purposes without your consent. We do not purposefully “sell” or “share” the personal data of individuals under the age of 16. California residents under 18 years old, in certain circumstances, may request and obtain removal of personal data or content that you have posted on our websites. Please be mindful that this would not ensure complete removal of the content posted by you on our websites.

To learn more about the categories of personal data we collect, how we collect it, why it is collected, with whom we share it, and how long we retain it, please see the items below. Please see the instructions provided above in order to submit a privacy right request.

Category of Personal Data	Data We Collect	Sources	Purposes	Disclosures for a Business Purpose	Disclosures for Targeted Advertising	Retention
Identifiers	Name, mailing address, email address, phone number, and other contact information.	Collected online or offline when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	Shared with our advertising networks and third parties that provide marketing and data analytics services, such as social media platforms used to deliver our ads.	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Protected classification characteristics under California or federal law	Not collected.	N/A	N/A	N/A	N/A	N/A
Commercial information	Services or features utilized or usage histories or tendencies.	Collected online or offline when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	None	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Biometric information	Not collected.	N/A	N/A	N/A	N/A	N/A
Internet or other similar network activity	Information on interactions with our Solutions and features including applications or advertisements.	Collected online when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	Shared with our advertising networks and third parties that provide marketing and data analytics services, such as social media platforms used to deliver our ads.	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Geolocation data	Imprecise location data generated from IP address.For more information, please see section two above.	Collected online when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	Shared with our advertising networks and third parties that provide marketing and data analytics services, such as social media platforms used to deliver our ads.	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Sensory data (audio, video, etc.)	Not collected.	N/A	N/A	N/A	N/A	N/A
Professional or employment-related information	Job title and employer.	Collected online or offline when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	Shared with our advertising networks and third parties that provide marketing and data analytics services, such as social media platforms used to deliver our ads.	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Non-public education information	Not collected.	N/A	N/A	N/A	N/A	N/A
Inferences drawn from other personal information	Inferences used to create a profile reflecting a person's preferences, characteristics predispositions, behavior, and attitudes.	Collected online or offline when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	Shared with our advertising networks and third parties that provide marketing and data analytics services, such as social media platforms used to deliver our ads.	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.
Sensitive personal information	Solutions account log-in information.For more information, please see section two above.	Collected online or offline when you directly provide it to us, by visiting our Solutions or through your use of our features or services, or from third parties.	We collect this data for the purposes listed in section two above.We do not use sensitive personal information for purposes other than those listed in Cal. Civ. Code § 7027(m) and we do not “sell” or “share” this information.	Shared with our affiliates, subsidiaries, partners, vendors, and service providers as described in section five above.	None	We keep personal data only as long as necessary to accomplish the business purposes for which it was collected and to meet our legal or contractual obligations as described in section seven above.

US Privacy Rights Appeal Appendix

Certain US residents have the right to appeal our decision regarding their privacy rights if they have submitted a request (e.g., to access, delete, or correct your information) and we have denied it, either in whole or in part. We are committed to addressing appeals in a transparent and timely manner.

We encourage you first to discuss relevant issues with our legal team, who may resolve the issue so that you do not have to formally initiate the appeals process. Our legal team will consider your perspective and seek to address your concerns in accordance with our company policies and applicable law. To contact our legal team, please email privacy@mckinsey.com.

Appeal Process

Submit your appeal
- Email the following information to datasubjectrights@mckinsey.com with the subject line “Notice of Appeal”:
  - Your name and contact information.
  - A copy of the original request you submitted.
  - Any correspondence or communications related to your original request.
  - The remedy that you seek by appealing.
  - The reason for your appeal (e.g., why you believe the decision should be reconsidered).
    
    Please also provide any documentation necessary to validate the claims you are making in the appeal.
Acknowledgement of appeal
- You will receive a confirmation email acknowledging receipt of your appeal within ten (10) business days.
- Investigation
  - Your appeal will be reviewed and investigated by members of our Privacy Legal Team who were not involved in the original decision, based on the information and documentation you have provided.
  - We will evaluate all relevant facts and applicable laws during the review process.
- Notification of outcome
  - Following the investigation, we will reach a determination of your appeal, which may include modifying or upholding the original decision.
  - We will notify you of our determination in writing within sixty (60) days of receipt of your written notice of appeal, and we will include the explanation for our determination of your appeal. If we deny your appeal, you may file an appeal with the relevant regulator.

Scope of Appeal

The appeal will review whether the decision made by the privacy team that you appealed was fair and consistent with applicable privacy law. You may only appeal a decision that applies to your personally unless you are otherwise authorized to act on another person’s behalf, in which case you must provide evidence that you are authorized by the person on whose behalf you have submitted an appeal.

The appeal will focus exclusively on the decision being appealed. Broader issues related to our company policies, management style, or other issues will not be considered as part of the appeal.

Withdrawal of Appeal

You may withdraw or end your appeal at any time by providing us with written notice.

No Discrimination

We do not discriminate against any person who initiates an appeal.

Record Keeping

We will retain a record of your appeal, including the final determination, in accordance with applicable laws and our record retention policies.