Global Privacy Policy

Introduction

Regulatory Intelligence Compliance Solutions Inc. (together with its subsidiaries and affiliated entities, hereinafter referred to collectively as “RICS” “we” or “us”) are committed to respecting your privacy. RICS has developed this Global Privacy Notice (this “Notice”) to advise you of the ways in which RICS collects, uses, shares and protects information you share with RICS, including through (a) RICS’s website,www.regulatoryintelligence.com; (b) RICS’s Software-as-a-Service (“SaaS”) products including RICS Branch Audit Platforms and its Global Artificial Intelligence Auditor (“GAIA”); (c) RICS’s retention of you or your services as an employee, independent contractor, or vendor; (d) receipt of information from RICS clients or their employees; and (e) through any other website or application where this Notice is posted (each is shared individually, a “Site”). Any person accessing, browsing, or otherwise using a Site, either manually or via an automated device or program, is a “User” for purposes of this Notice.

This Notice also explains how we comply with applicable privacy statutes, rules, and regulations, potentially including, but not limited to: (a) California Consumer Privacy Act of 2018 (“CCPA”), including, the California Privacy Rights Act, or (“CPRA”); (b) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (c) the Data Protection Acts of the EEA Member States; (d) the GDPR as saved into UK law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 (“UK GDPR”) and the UK Data Protection Act 2018; (e) Swiss Federal Act on Data Protection of June 19, 1992, and its corresponding ordinances (“Swiss DPA”); (f) Brazilian Law 13,709/2018 (General Personal Data Protection Law, or “LGPD”); (g) other Data Protection Laws that may be applicable based on your location or residency; and (h) regulations or other laws that implement or amend (a)-(h).

This Notice sets forth how we handle personal information we collect via a Site (a) when individuals engage with us or use our technology products, including SaaS products (our “Technology Services”); (b) in connection with providing Technology Services to our clients; (c) as part of a current or former employment relationship; (d) from applicants for employment opportunities with us; (e) as part of a current or former independent contractor, or vendor, relationship through use of our website; or (f) through any other interaction with a Site.

For the purposes of this Notice, “personal information” and “personal data” may be used interchangeably, and both mean information relating to or being capable of being associated with an identified or identifiable person, consumer, or household.

Your privacy rights may vary based on your location or your relationship to RICS. Certain sections of this Notice, as indicated and noted below, may or may not apply to you.

User Consent to Notice

By accessing, browsing, or using a Site, or following links through a Site for any reason, each User acknowledges that they have read, understand, agree, and consent to the terms and conditions of this Notice. Each User consents to the collection, use, and disclosure of their information, including personal information, non-personal information, personal data, and anonymous browsing information (“Information”), pursuant to the terms of this Notice. If you do not consent to these terms and conditions, you should not access, browse, or use any Site or otherwise provide any Information to RICS.

Individuals Located in (as Residents) the European Union, European Economic Area, United Kingdom, and Switzerland

A. Cross-Border Data Transfers

We will transfer the personal data we collect about you to the United States, where our servers are located, and also may transfer your personal data to the United Kingdom in order to perform Technology Services or as part of an employment policy or procedure. We will only transfer data for the purposes discussed in this Privacy Notice. The United States may not be deemed to provide the same level of data protection as your home country.

B. Rights of Access, Correction, Erasure, Restriction, Portability, and Objection

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes, including personal data provided to RICS in the course of your employment or engagement with us, if any. By law, you may have the right to request access to, correct, and erase the personal data that we hold about you, or object to the processing of your personal data under certain circumstances. Please note that U.S. regulations may prohibit us from erasing your personal data. You may also have the right to request that we transfer your personal data to another party. If you want to review, verify, correct, or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us at privacy@regulatoryintelligence.com. Any such communication must be in writing (email is sufficient). We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data,

Individuals Located in (as Residents) California

California Consumer Rights

The CCPA empowers California residents with the following rights:.

A. Right to Know: Consumers have the right to know what personal information RICS collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom RICS discloses personal information, and the specific pieces of personal information RICS has collected about the consumer. RICS’s use of personal information is found within this Notice.

B. Right to Opt-Out: Consumers have the right to direct businesses to stop the sale or sharing of their personal information to third parties. RICS does not engage in the sale or sharing of personal information it holds.

C. Right to Limit the Use and Disclosure of Sensitive Information: Consumers have the right to request that RICS limit the use and disclosure of sensitive personal information. However, RICS only uses and discloses sensitive personal information for purposes which are necessary for providing products or services to consumers.

D. Right to Correct: The right to request that RICS rectify your Personal Data if it is inaccurate, outdated, or incomplete.

E. Right to Request Deletion: Consumers have the right to request deletion of personal information, but only where that information was collected from the consumer. There are exceptions to what RICS is obligated to delete including, but not limited to, detecting security incidents, exercising free speech, for legal claims, or for internal uses reasonably aligned with consumer expectations.

F. Right to Equal Services and Prices: RICS is prohibited from discriminating against consumers by denying goods or services, charging different prices for identical services, or providing a lower quality of goods or services.

Exercising your California Consumer Rights

To exercise any of your rights set forth in this Notice, please submit a request by sending an email to privacy@regulatoryintelligence.com.

Information Collected by RICS

A. Personal Information/Personal Data

We may collect personal information directly from you, including through your use of a Site, when you contact us or request information from us, when you apply for an employment opportunity with us, when you engage us for Technology Services, or as a result of your attendance at industry conferences or digital marketing events. With respect to personal information or personal data collected directly by RICS, including through a Site, we may be the data controller responsible for your personal information or personal data. The information we collect directly from you typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number.

We only use, disclose, or otherwise process personal information or personal data when we have a lawful basis for doing so under applicable law, including fulfilling our contractual obligations, complying with legal obligations, protecting the vital interests of a person, furthering our legitimate interests as a company and employer, and otherwise for reasons you have consented to such processing. The categories of personal information collected and disclosed within the past twelve (12) months can be found in the California Collection Notice.

For example, we use the personal information you provide directly to us to provide you with the information you requested (such as RICS’ demos, license information, or other informational materials) or to evaluate your application for employment. To the extent required by law, by providing personal information or personal data to us, you consent to our use of such personal information or personal data as explained herein.

We also may obtain personal information or personal data indirectly from or on behalf of our clients, in which case RICS would be considered a processor or sub-processor. We typically are retained by corporate entities, primarily in the financial services industry, but also across multiple industries. In connection with providing Services pursuant to contracts with our corporate clients, we often obtain personal information or personal data of our clients’ customers, employees, agents, or other individuals that have supplied such information to our clients. The personal information and personal data collected varies based on the Services provided, but may include names, contact information, account numbers, and other similar financial data. With respect to personal information that we receive from or on behalf of our clients in connection with providing Services, our client is the data exporter and RICS acts as the data importer as a processor or sub-processor of such personal information.

B. Non-Individually Identifying Browsing Information

Users can browse a Site without revealing personal information or personal data. In this context, RICS’s servers may collect certain non-individually identifying (i.e., anonymous) browsing information, such as your Internet Protocol address, device screen size, device type (unique device identifiers), browser information, geographic location (country only), the preferred language used to display our website, your computer’s operating system, the name of the domain you used to access the Internet, the website you came from, and the website you visit next. This information is collected passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, or other technologies, examples of which are explained further in Section C below. Anonymous browsing information is not used, nor is it intended to be used, by RICS to personally identify an individual.

C. Passive Gathering of Information Electronically

RICS and any third parties that may advertise or provide other services on a Site may automatically and passively collect certain types of anonymous information whenever you use a Site, or certain Site services, or click on advertisements on a Site. If RICS or such third parties collect this anonymous information, it will be done passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, and similar technologies as explained below.

How RICS Uses the Information

RICS uses Information collected from Users to respond to Users’ inquiries and/or comments, market, develop, or provide products, services or information to Users, process Users’ purchases, evaluate applications for employment with RICS, or provide related account status to the applicable User. Personal information, non-personal information, and anonymous browsing information may be used to gather broad demographic information used in marketing, promotion, analytics, or similar activities. This information may be aggregated to measure the number of visits, average time spent, page views and other statistics about Users of a Site. RICS also may use this Information to monitor Site performance and to make a Site easier and more convenient to use. RICS also may use Information collected from its Users to enforce its agreements with Users, prevent fraud and other prohibited or illegal activities, for other legally permissible purposes and generally to ensure that RICS complies with applicable law.

Cookie Notice

RICS utilizes cookies for certain of its Sites. This Cookie Notice provision provides you with clear and comprehensive information about the cookies we use and purpose for using cookies.

Definition of “Cookies”: Cookies are small pieces of text used to store information on web browsers. Cookies are widely used to store and receive identifiers and other information on computers, phones, and other devices. We also use other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, including web beacons and pixel tags, for similar purposes.

Types of Cookies: We use cookies to provide, protect, and improve our products and services, such as by personalizing content, offering and measuring advertisements, understanding user behavior, and providing a safer experience. We describe below the various types of cookies we use and the purposes they perform.

Browsing or session (essential) cookies: These cookies are strictly necessary to provide you with our websites and services and to enable essential features. If you disable these cookies, we will not be able to fulfill your requests.
Performance and functionality cookies: These cookies collect information about how you use our websites and services and allow us to remember the choices you make while browsing. The information these cookies collect allows us to optimize our websites and make them easier for you to use, and it does not personally identify you.
Analytics and customization cookies: These cookies collect information we use in aggregate form to help us understand how our websites, applications and services are being used and how effective our marketing campaigns are, and to help us customize our websites.
Advertising (profiling) cookies: These cookies collect information about your browsing or shopping history and are used to make advertising messages more relevant to you. We may share this information with third parties to help create and deliver advertising personalized to you and your interests.
Social networking cookies: These cookies are used to enable you to share pages and content on our websites and services through third-party social networking and other websites. These cookies may also be used for advertising purposes.

Cookies Placed by Third Parties: You may also encounter cookies on our Sites that are placed by third parties. This Cookie Notice does not apply to the cookies, applications, technologies, or websites that are owned and/or operated by third parties, or such third parties’ practices, even if they use or access our technology to store or collect information.

Changing Your Cookie Settings: Please note that internet browsers allow you to change your cookie settings. These settings are usually found in the ‘options’ or ‘preferences’ menu of your internet browser.

Opting out of Cookies: If you wish to withdraw your consent at any time, you will need to delete your cookies using your internet browser settings.

Do Not Track: Some browsers include the ability to transmit “Do Not Track” signals. We do not process or respond to “Do Not Track” signals. Instead, we adhere to the standards described in this Privacy and Cookie Notice.

RICS Sharing of Your Information

RICS will only share Information, including personal information, that it collects or receives with third parties under the following circumstances:

A. RICS Lawful Basis: If RICS has a lawful basis to share Information, it may do so.

B. RICS Agents Lawful Basis: RICS may utilize other companies and individuals to assist with RICS’s business, and such third parties have access to Information needed to perform their functions but may not use it for other purposes. Such third parties may include the following:

Our professional advisers, including our attorneys and accountants.
Sub-contractors we have engaged in connection with providing Services.
Third-party service providers or sub-processors that assist us with analytics.
Third parties to which we outsource certain services to assist with operating our business, such as document shredding services, software providers, information storage providers and other related service providers.
Third parties to which our clients have directed us to share information in connection with our Services, such as our clients’ attorneys and accountants.
Third-party postal or courier providers that assist us with delivering marketing and other documents to you.
Our insurers and insurance brokers.

C. Aggregate Anonymous Information: RICS may provide to others the aggregate statistics about our Users’ Site activity for purposes of marketing, promotion, analytics, or similar activities. None of these statistics will identify Users personally. Once anonymized and aggregated the information no longer qualifies as personal information/personal data.

D. Protection of RICS or Others: RICS may disclose Information about our Users to others if RICS has a good faith belief that it is required or permitted to do so by law or legal process to respond to claims, to protect the rights, property or safety of RICS or others, or take action regarding illegal activities or suspected fraud, or in response to national security or law enforcement requests.

E. Business Transfers: If RICS decides to sell all or part or its assets, RICS reserves the right to include Information among the assets transferred to the acquiring company.

F. Affiliates: RICS may share Information among its affiliates.

G. Conference and Digital Marketing Event Attendees: RICS may provide the names, titles, company names, addresses, phone information, and email addresses of conference, roundtable, and digital marketing event attendees to current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors.

We do not sell or share personal information with unaffiliated third parties, other than for the lawful reasons stated herein.

Third-Party Sub-Processors

As described above, we may provide certain third parties (“Sub-Processors”) with your personal information for the sole purpose of providing Services. Our Sub-Processors process personal information for us at our direction. We conduct reasonably appropriate due diligence on our Sub-Processors and include in our contracts with our Sub- Processors provisions requiring them to keep the personal information confidential, to process the personal information in accordance with our written instructions, and to maintain reasonably appropriate information security systems, all in accordance with applicable privacy laws based on the individuals/data subjects/consumers. We may be liable for any unauthorized processing of personal information by our Sub-Processors.

We may appoint new Sub-Processors to assist us with providing Services and/or conducting our business. By using our Services or products, you consent to our use of Sub-Processors. Users may opt-in to update alerts for any change or addition to Sub- Processors at the top of the Sub-Processor list.

Where We Transfer Personal Information

RICS is located in the United States. Your personal information could be stored in that jurisdiction, but also in another jurisdiction related to a Sub-Processor.

For transfers of personal information from the European Economic Area (EEA) to the United States (U.S.) or United Kingdom (UK), and for transfers from the UK to the U.S., we rely on the Standard Contractual Clauses (SCCs), as adopted by the European Commission on 4 June 2021, and as it may be amended or updated from time to time, and which includes a UK Addendum to comply with transfers from the United Kingdom. These SCCs are included as part of all service and product agreements where GDPR, or the UK GDPR, is applicable. If GDPR (or UK GDPR) does not apply to your RICS service or product agreement, then the SCCs will not apply.

Period of Retention

RICS retains personal information in compliance with our obligations under applicable law and any applicable internal policies. We may destroy personal information without notice or liability.

Confidentiality and Information Security

RICS is committed to keeping your personal information secure. We have taken reasonably designed steps to protect personal information from unauthorized access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.

Accessing, Changing, or Deleting Your Personal Information

RICS allows you to make a request to correct inaccuracies in or make other changes or delete your Information by sending an email to: privacy@regulatoryintelligence.com.RICS will use commercially reasonable efforts to promptly accommodate such requests.

Please note that RICS may follow a different process in accommodating your request based on whether RICS collected the personal information from you directly, or from another entity (likely your employer) as part of RICS’s Services to an RICS client. If RICS is not the data controller for your personal information, it will assist in relaying your request to the data controller.

Data Integrity

Users are responsible for the accuracy of the Information they provide to RICS. RICS will use reasonable efforts to maintain the accuracy and integrity of such Information based on the input received from Users.

Choices for Use or Sharing of Certain Information

RICS values your concerns about the privacy of your Information. Therefore, RICS offers you the opportunity to choose how certain of your Information is used by RICS.

Any emails sent by RICS that are subject to the U.S. CAN-SPAM Act will include an option to unsubscribe from further correspondence. Please note that even if you opt-out from receiving certain emails from RICS, you may continue to receive transactional and/or relationship messages, such as messages confirming a product purchase or your registration for an event.

As stated above, RICS may share names, titles, company names, addresses, phone information, and email addresses of conference and roundtable attendees with current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co- sponsors. If you do not wish to receive further communications from these persons, you must contact them directly and make such a request. RICS is not responsible for how such third parties handle such Information.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@regulatoryintelligence.com.

Linked Internet Websites

Each Site may provide hyperlinks, which are highlighted words or pictures within a hypertext document that, when clicked, take you to another place within the document, to another document altogether, or to other websites not controlled by RICS. These hyperlinked websites may contain privacy provisions that are different from those provided herein. RICS is not responsible for the collection, use, or disclosure of information collected through these websites, and RICS expressly disclaims any and all liability related to such collection, use, or disclosure.

Children’s Privacy Protection

No Site or Service is directed towards children under 13 years of age, and RICS does not knowingly collect any Information from children under 13 years of age through any Site or Service. If you are under 13 years of age, you are not permitted to submit any Information to RICS through any Site or Service. If RICS becomes aware that it has collected Information from children under 13 years of age, RICS will take commercially reasonable efforts to promptly purge such Information from its systems.

Security

RICS wants you to feel confident using each Site; however, no system can be completely secure. Therefore, RICS makes no representations or warranties regarding the sufficiency of any Site’s security measures. RICS shall not be responsible for any damages, including without limitation consequential damages, resulting from a lapse in compliance with this Notice as a result of a security breach or technical malfunction. Certain information may be transmitted to you by email. Although it is illegal to intercept or disclose such messages under U.S. Federal law, such transmissions are not necessarily secure. In addition, Users’ communications through each Site are, in most cases, viewed only by you and anyone to whom you address your message. As the operator of each Site, RICS may need to review or monitor your electronic mail and other communications through each Site from time to time as may be required by law or as part of the Services. Therefore, you should not expect to have a right to privacy in any of your electronic communications through any Site.

In the event of a breach of the confidentiality or security of your personal information, RICS will notify you if reasonably possible and as reasonably necessary under applicable law so that you can take appropriate protective steps. RICS may notify you under such circumstances using the email address or addresses that it has on record for you.

Amendments to Privacy Notice

RICS may occasionally update this Notice, as noted by the “updated date” at the beginning of this Notice. RICS encourages you to periodically review this Notice to stay informed about its collection, use, and disclosure of your Information. Your continued use of any Site constitutes your agreement to this Notice and any updates.

Enforcement and Dispute Resolution

If you have any questions, complaints, or disputes regarding how RICS handles or protects your Information, please bring it to RICS’s attention. RICS commits to resolve complaints about your privacy and our collection or use of personal information. Individuals with inquiries or complaints regarding this Notice should first contact RICS (see “How to Contact RICS” below).

RICS retains sole and absolute discretion in resolving all questions relating to the administration, interpretation and application of this Notice, except as required by law or regulation. This authority includes construing the terms of this Notice, including any disputed or doubtful terms.

No Third-Party Rights

This Notice does not create rights enforceable by third parties.

How to Contact RICS

If you have any questions about this Notice, email: privacy@regulatoryintelligence.com

California Notice of Collection

This Notice of Collection for California Residents supplements the information contained in RICS’s Global Privacy Notice set forth above and applies solely to residents of the State of California (“California Notice”). We have adopted this California Notice in order to comply with the CCPA as amended and expanded by the CPRA.

This California Notice is intended to fulfill CCPA’s objectives of providing California consumers with a comprehensive disclosure of the collection, sharing, disclosure, and sale of their personal information by particular businesses (as CCPA defines those terms), and of the rights that California consumers have regarding their personal information (“California Privacy Rights”).

This California Notice specifically sets forth how we handle personal information we collect via a Site (a) when individuals engage with us or use our products or services, including SaaS products or services (our “Services”); (b) in connection with providing Services to our clients; (c) as part of a current or former employment relationship; (d) from applicants for employment opportunities with us; (e) through use of our website; or (f) through any other interaction with a Site.

RICS collects and processes the following types of Personal Information, as described in the table below. RICS does not sell or share your personal information.

We also collect, or may collect, sensitive personal information such as the following personal information that consists of:

A. Government Identifiers, such as Social Security Numbers and driver’s license umbers;
B. Account log-in information (e.g., financial account or credit card numbers potentially in combination with any required access codes or passwords);
C. Racial or ethnic origin, religious or philosophical beliefs, or union membership;and
D. Contents of postal mail, email, and/or text messages.

We do not use or disclose personal information for purposes other than those disclosed below.

Purpose

We use the personal information you provide directly to us for a legitimate purpose and to:

provide requested information;
evaluate your application for employment;
maintain employment records; and/or
provide Services;
other authorized and lawful legitimate purposes; and
as otherwise provided in this Notice or by written agreement.

Retention

RICS retains personal information in compliance with our obligations under applicable law and any applicable internal policies. We may destroy personal information without notice or liability.