CBA Report

BCG DIGITAL NRL PLATFORM PRIVACY POLICY 

01. Who We Are

This is the BCG Digital NRL Platform Privacy Policy (“Privacy Policy”) for The Boston Consulting Group, Inc. and its subsidiaries and affiliates (“BCG”, “we”, “us”, or “our”). This Privacy Policy was last updated in April 2025. For more detail on BCG’s international operations, please see https://www.bcg.com/offices/default

02. Applicability of This Privacy Policy

This Privacy Policy applies only to your use of the BCG Digital Non-Reliance Letter (“NRL”) Platform (the “Platform”). The Platform is designed as a streamlined process to acknowledge NRLs or access acknowledgement letters and offer an efficient and secure way to grant access to materials, share materials, monitor the activity around the materials, and have the ability to restrict materials for the clients/third parties.

03. Important Information about This Privacy Policy

BCG understands that your privacy is important. This Platform is not intended for, and does not intentionally target or solicit, children or anyone 18 years of age and younger. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

04. Changes to This Privacy Policy

Please note that BCG may, in its discretion, amend this Privacy Policy from time to time. To ensure you are able to remain informed, material changes to this Privacy Policy will be reflected here.

05. Links to Other Sites and Services

The Platform may contain links to external sites or services which are not governed by this Privacy Policy. BCG does not take responsibility for the privacy practices of any third-party sites to which we link. We encourage you to review the privacy policies of any such sites before you submit information there.

06. The Personal Data We Collect about You

The Platform may collect, use, store and transfer the following personal data about you:

First name, last name, business email address, IP address/device identifier, geolocation, information about the completion of users’ tasks, about user activity and standard user logs.

We also collect, use and share aggregated data such as statistical data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate the data relating to details of your use of the Platform to calculate the percentage of users accessing a specific feature. However, if we do ever combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. Please note BCG does not use or disclose your sensitive personal data outside of the following purposes: (1) performing our services, (2) detecting security incidents, (3) resisting malicious, deceptive, fraudulent, or illegal actions, (4) ensuring physical safety, (5) for short-term transient use, including certain non-personalized advertising, (6) maintaining or servicing accounts, providing customer service, or providing similar services, and (7) verifying and maintaining the quality or safety of a service or product or improving, upgrading, or enhancing a service or product. Accordingly, we do not provide the right to limit the use or disclosure of your sensitive personal data.

07. Authentication through Okta

If you are a BCG user and you are using the Platform, you will need to authenticate with the third-party provider Okta Inc. (301 Brannan St Ste 300, San Francisco, CA 94107) with your personal username and a personal password. To do this, download the Okta Verify app and perform the authentication process. The regulations and data protection declaration of Okta, Inc. apply. We have no influence on and are not responsible for the data collection by Okta Inc. Your data will be processed exclusively for the purpose of authentication. After successful authentication you will receive personal access to our app.

08. How Your Personal Data Is Collected

The personal data processed in the Platform is provided (i) directly by you, through forms you fill in (help or NRL request forms) or by email, where you might share more details, and/or (ii) by your employer, banks/facilitators and BCG clients who are working with you, and includes name, e-mail and job title.

We may also collect your personal data when you sign up to request help or access to materials, or by corresponding with us (for example, by email). It includes information you provide when you register or when you report a problem with the Platform. If you contact us, we will keep a record of that correspondence.

Cookies and other tracking technologies

When you access or use this Platform, we may utilize cookies. A “cookie” is a small amount of data sent from a web server to your browser and stored on your computer’s hard drive. These cookies enable you to move around the Platform and use its core features and functionality. Without these cookies, the core features and functionality of the Solution may not be able to be provided. These cookies are also used to remember choices you make, recognize the device from which you access the Solution, and ensure secure, accurate session management; the IP address of your device may be recorded for the period of time that you visit the Platform. Lastly, these cookies may be used to analyze your usage of the Platform and for combatting fraud and other security purposes. With most internet browsers, you have a number of controls to limit the cookies stored on your device. Please refer to your browser instructions or visit https://www.aboutcookies.org/, which will give you more information.

09. Purposes for Use of Your Personal Data

We process your personal data for the following purposes:

  • Managing your access to the Platform;
  • Managing usage of the Platform;
  • Providing you support related to accessing and using the Platform;
  • Corresponding with the user via email and informing the user about updates to the Platform;
  • Improving the Platform content and navigation;
  • Determining whether the tool is designed to work with the device settings of a majority of users; and
  • Collecting your feedback in relation to user experiences of the Platform.

Generally, we process personal data obtained via the Platform according to our legitimate interest. We may also process your personal data to comply with applicable laws and regulations, exercise legal actions and defense, prevent fraud, and enforce our agreements. We process such personal data as necessary to comply with a legal obligation to which we are subject.

10. Disclosure of Personal Data

We may disclose your personal data to our subsidiaries or affiliates, our advisors, or online analytics providers. We may also disclose your personal data to law enforcement agencies, courts, other government authorities or other third parties where we believe necessary to comply with a legal or regulatory obligation. Further, we may disclose your personal data to potential transaction partners, service providers, advisors, and other third parties in connection with a reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

Because BCG is a global organization, we need to transfer personal data which is collected by RISE or through other means across the BCG group of companies (https://www.bcg.com/offices/default) or to third parties listed above to help operate our business efficiently. These arrangements may involve your personal data being located in various countries around the world where privacy laws differ. We only make these arrangements or transfers where we are satisfied that adequate levels of protection are in place to protect personal data held in that country. In addition, the Platform may be viewed and accessed anywhere in the world including countries that may not have laws regulating the use and transfer of personal data.

11. Data Retention

Personal data will only be kept as long as is reasonably necessary to fulfil the purpose for which it was collected. We may retain your personal data for longer if it may be the subject of a legal claim or may otherwise be relevant for future litigation.

In some circumstances we will anonymise and/or aggregate your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

12. Data Security

BCG handles personal data in accordance with BCG procedures designed to protect the integrity and security of the personal data, including conducting periodic reviews of personal data quality, purging obsolete information, and imposing security measures such as industry-standard technical, physical and administrative safeguards. We have taken technical and operational precautions designed to protect your data from accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security procedures are regularly reviewed and adapted to technological progress.

13. Your Rights

Depending on where you reside, you may have the following rights in accordance with applicable data protection laws. You have the right to access your personal data, and you have a right to request a copy of the personal data we hold about you and details of how we use that information. If any of the personal data held about you is incorrect or out of date, you have the right to amend or rectify it. You also have the right to require us to erase your personal data, stop processing your personal data, and restrict the processing of your personal data, and the right to portability of your personal data. Where the processing of your personal data is based on consent, you may withdraw your consent to processing. This may not apply if there are other legal justifications to continue processing. You may also have the right to lodge a complaint with the relevant supervisory authority, state attorney general, or other applicable authority, and the right not to receive discriminatory treatment for exercising your data protection rights. You may also have the right to opt out of: (1) the “sale” or “sharing” of your personal data; (2) targeted advertising; or (3) automated decision-making or profiling in furtherance of decisions that produce legal or similarly significant effects, although please note BCG does not engage in such activities in connection with the Platform.

If you (or an authorized agent acting on your behalf) would like to exercise any of your data protection rights, or you believe your request was denied by BCG and would like to appeal, please contact us via our point of contact below. Please note that we need you to prove who you are (including potentially obtaining additional information from you) before we can act on your request.

14. Contact Us

If you have further questions on the topic of data protection, or to exercise any of your data protection rights, please contact us via:

Data Protection Office
Boston Consulting Group Inc.
200 Pier Four Boulevard
Boston, MA 02210
Contact Us