Privacy and Cookies Notice

Introduction

We are Ricondo & Associates, Inc. You can find further details about us and how to contact us in section 10. In this notice, "we", "us" and "our" refer to Ricondo & Associates, Inc.

This notice explains how we handle the personal data we obtain about our website visitors and our clients. For the purposes of EU data protection law, we are the ‘controller’ of this personal data (meaning that we determine why and how it is processed).

How we use your personal data

Types of personal data we process

The types of personal data we process in the normal course of our business are:

Usage data: data about website visitors’ use of our website and services, such as IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths. This data is collected automatically by our analytics tracking system.
Contract data: data relating to personnel and representatives of clients with whom we enter into contracts that we obtain in connection with entering into and performing contracts, such as individuals executing the contracts, involved in the project and/or who act as client contacts in relation to contracts. This data may be included within the contract documents themselves and/or our records relating to the contracts and includes names and job titles and work phone numbers, email addresses and postal addresses. We might obtain this data from you directly and/or from other personnel or representatives of your organization.
Correspondence data: information contained in or relating to any communications between us such as via email or our website contact form, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication (such as the date and time of your communication or information automatically collected about your device and browser when you use our website contact form).
Marketing data: data relating to personnel and representatives of our current clients, prospective clients and organizations we have identified as potential clients, such as the name and job title of those individuals, the name of the organization they work for and their work phone number, email address and postal address, and any information we obtain in connection with marketing subscriptions or opt-out requests, such as email addresses and marketing preferences.

Core processing purposes

The purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes, and our legal bases for doing so are summarized in the table below. An explanation of what the different legal bases mean can be viewed here.

Type of Personal Data	Purpose of Processing	Legal Basis
Usage data	Analyzing use of our website	Our legitimate interests in monitoring, improving and protecting our website, network, systems and data
Contract data	Entering into contracts and communicating and sharing information and documents with clients and their personnel or representatives in connection with performing contracts	If you are a representative or staff of a client of ours, the relevant legal basis is the legitimate interests of us and our clients in entering into and performing contracts for providing and receiving our services
Correspondence data	Communicating with you, for example in response to an enquiry or complaint	Our legitimate interests in communicating with clients, potential clients, website users and others who contact us
Marketing data	Sending marketing communications (see more on this in the ‘Using personal data for marketing purposes’ section below	Our legitimate interests in promoting our business and services to drive sales and sustain and grow our business

Using personal data for marketing purposes

We may use business contact data comprised in marketing data for the purposes of sending marketing communications in the following circumstances:

If you are a representative or personnel of a client of ours
If you are a representative or personnel of an organization we have identified as a potential client
If you have requested marketing communications from us

You can opt-out of receiving these communications at any time by emailing dataprotection@ricondo.com.

Other processing purposes

In addition to the core processing activities set out above, we may also process personal data if and to the extent necessary for the following purposes:

Purpose	Legal Basis
Establishing, exercising or defending legal claims	Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of you and others
Obtaining or maintaining insurance coverage, managing risks or obtaining professional advice	Our legitimate interests in protecting our business against risks
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator	Compliance with a legal obligation
In order to protect your vital interests or the vital interests of another natural person	Protection of vital interest

Explanation of legal bases

Under EU data protection law, it is only lawful to process personal data if there is a legal basis for doing it, and those legal bases are prescribed by the law. Below is an explanation of the legal bases referred to in this notice.

Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms

Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation

Protection of vital interests: processing is necessary in order to protect the vital interests of you or another individual

Recipients of Personal Data

We may share the personal data described in this notice with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:

Insurers
Professional advisers: such as lawyers, accountants, consultants
Service providers: such as providers of datacentre, IT infrastructure, banking, payment, accounting, billing and Google website analytic services
Organisations or individuals engaged by us in the course of providing our services
- such as individual consultants or their personal service companies and subcontractor companies
Prospective buyer: if we propose to sell or do sell any business or assets

There may also be circumstances in which we need to share personal data with other organizations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above.

In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.

International Transfers of Personal Data

The personal data described in this notice is stored on servers situated in the United States and is accessed and used by our staff in offices in the United States, United Kingdom and Abu Dhabi. Due to our IT infrastructure, any personal data described in this notice that relates to you will be transmitted to the United States (if you are not already based in the United States) and potentially to our United Kingdom and Abu Dhabi offices.

The recipients of personal data described in section 3 are mostly based in the United States but are sometimes based in other countries.

When our processing of personal data described in this notice is subject to EU data protection law (either because it takes place in the context of the activities of our UK office or relates to us offering services to, or monitoring the behaviour of, individuals in the EU or EEA) we will comply with EU data protection law in relation to that processing, including with regard to onward transfer to any third party recipients.

When we work with clients based in the EU or EEA, any transmission of personal data from the client to us that would be a ‘restricted transfer’ under EU data protection law will either be subject to the EU Commission’s Standard Contractual Clauses or to the consent of the individuals to whom the transferred personal data relate.

Our data storage and infrastructure providers--Microsoft Corporation and Amazon Web Services--both self-certify to the EU-U.S. and Swiss Privacy Shield Frameworks.

Microsoft’s certificate can be viewed here.

Amazon’s certification can be viewed here.

In addition to the above, it may become necessary to transfer personal data described in this notice to other organisations based in various countries around the world, including countries outside the EEA, in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for international transfers stipulated by applicable data protection law.

Explanation of terminology

Standard Contractual Clauses

These are standard contractual clauses governing the transfer and subsequent processing of personal data outside of the European Economic Area (“EEA”), adopted by the European Commission pursuant to Decision 2004/915/EC of 27 December 2004. The European Commission considers that these standard contractual clauses provide adequate protection for personal data that is transferred outside of the EEA from a controller in the EEA to a controller outside the EEA.

Privacy Shield Frameworks

These are adequacy decisions of the European Commission and Swiss Government in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the principles set out in those decisions – known as the ‘Privacy Shield Framework Principles’. To learn more about the Privacy Shield Frameworks, see https://www.privacyshield.gov/ .

Retention of Personal Data

We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means and applicable legal requirements.

We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:

Usage data: 26 months

Contract data: Minimum of 10 years from the end of the term of the controlling contract plus any additional retention period outlined in the controlling contract.

Correspondence data: Minimum of 10 years from the end of the term of the controlling contract plus any additional retention period outlined in the controlling contract.

Marketing data: We will continue to use this data until we receive an opt-out request, after which time we will retain the email address and marketing preference information to ensure that we do not send marketing to the unsubscribed email address.

These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, establishing, exercising or defending legal claims or in order to protect someone’s vital interests.

Security of personal data

We will take appropriate technical and organizational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.

We will notify you and any applicable regulator of any personal data breach where we are legally required to do so.

Your Rights

You have a number of different rights you might be able exercise against us in relation to personal data about you that we process. These are rights to:

access, obtain rectification or erasure, restrict processing and object to processing of your personal data,
have your personal data ‘ported’ to you or another organisation,
complain to a supervisory authority about our processing of your personal data, and/or
withdraw consent to our processing of your personal data (where you have given consent).

The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarized these rights and explained how you can request to exercise them.

Access: You have the right to receive confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.

Erasure: You have the right to the erasure of your personal data without undue delay if the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.

Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.

Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).

Data portability: Where our processing of your personal data is based on your consent or performance of a contract and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format.

However, this right does not apply where it would adversely affect the rights and freedoms of others.

Complain to an EU supervisory authority: If you consider that our processing of your personal data infringes EU data protection laws, you have a legal right to lodge a complaint with an EU supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

Withdraw consent: Where any of our processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to dataprotection@ricondo.com, in addition to any other methods specified in this policy.

How to complain to an EU supervisory authority: To make a complaint to an EU supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. A list of the EU supervisory authorities can be found here. Relevant contact details for the UK supervisory authority, the Information Commissioner’s Office (ICO), can be found here: https://ico.org.uk/concerns/ .

Updating your personal data

Please let us know if any of the personal data that we hold about you needs to be corrected or updated.

Our use of cookies

What is a cookie?

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.

Cookies are either ’persistent’ cookies or ’session’ cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.

Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.

Cookies that we use on our website

Category	Purpose	Relevant Cookies	Expiry
Analytics Cookies	These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.	_gid _ga collect	1 day 2 years Session
Functional	If you send us a message using our web contact form, a SSESS… cookie will be placed on your browser to enable our website to generate an email to the contact and our marketing team. The Cookie-agreed cookie records your acceptance of cookies so that you are not prompted to accept or reject cookies when you return to our website.	SSESS... Cookie-agreed	23 days 100 days

Category

Purpose

Relevant Cookies

Expiry

Analytics Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

_gid

_ga

collect

1 day

2 years

Session

Functional

If you send us a message using our web contact form, a SSESS… cookie will be placed on your browser to enable our website to generate an email to the contact and our marketing team.

The Cookie-agreed cookie records your acceptance of cookies so that you are not prompted to accept or reject cookies when you return to our website.

SSESS...

Cookie-agreed

23 days

100 days

Cookies used by Vimeo and LinkedIn

If you click on the Vimeo (‘V’) or LinkedIn (‘in’) links on our website, you will navigate to the Vimeo or LinkedIn websites and Vimeo or LinkedIn will place cookies on your browser when you arrive on their websites. We have no control over these cookies. You can view Vimeo’s cookie policy and LinkedIn’s cookie policy for further information.

Managing cookies

Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can, however, obtain up-to-date information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact upon the usability of many websites, and if you block cookies, you will not be able to use all the features on our website.

Our details

This website is owned and operated by Ricondo & Associates, Inc. We are incorporated in Illinois, U.S.A., under registration number 5565-007-01, and our registered office is at 20 N. Clark Street, Suite 1500, Chicago, IL 60602.

You can contact us using any of the email addresses, postal addresses or telephone numbers published on our website from time to time.

For inquiries relating to this notice or our processing of your personal data, please contact dataprotection@ricondo.com, which is a dedicated contact address for this purpose.

Changes to this notice

We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.

Privacy and Cookies Notice