Privacy Policy

The Myers-Briggs Company is committed to protecting and respecting your privacy. We work diligently to protect the privacy, confidentiality, and security of the Personal Information (also known as “personal data”, defined below) that we receive and to act in compliance with current data protection legislation as applicable to our offices, including the California Consumer Privacy Act of 2018 (“CCPA”), UK Data Protection Act 2018 (“UK DPA”), UK GDPR (as incorporated into UK law pursuant to the European Union (Withdrawal) Act 2018), EU GDPR (the General Data Protection Regulation (EU) 2016/ 679) and the Privacy Act 1988 (Cth) ("Australian Privacy Act"), together with any applicable enacting, successor, supplementing, or amending legislation.

This Privacy Policy describes the principles and practices that apply to the Personal Information that we collect from individuals (“you”), online or offline, such as individuals who browse through our Sites (all terms as defined below in Section 3 (Definitions)); register on our Sites; use the Products and/ or Services provided on our Sites or otherwise; use our Assessments; provide services to us; interact with our Sites; communicate with us through telephone, email, text, or other communications means; participate in our interviews, surveys, or promotions; read or receive our newsletters; or apply for employment with us.

This Privacy Policy sets out how and why we collect, store, and use Personal Information; our legal bases for processing Personal Information; information on transfers to third parties and international transfers; as well as your rights as a data subject. This Privacy Policy covers Personal Information processed by any company within The Myers-Briggs Company group of companies.

Our approach to privacy

We adopt a layered approach to privacy and data protection. Specifically:

• This Privacy Policy sets out in detail how we handle Personal Information, in accordance with the Privacy Principles set forth below.
• We also use Privacy Notices at various points on our Sites where Personal Information is collected. These Privacy Notices appear as statements, pop-ups, or instructions within forms for completion, at particular data collection points.
• Our Data Protection Statement summarizes our commitment to privacy and data protection, and gives an overview of how we approach privacy, data protection and information security generally, including the technical and organizational measures we use to keep data secure.
• Our Data Processing Terms set out our contractual rights and obligations with our EU and UK customers with respect to processing of EU Personal Information and UK Personal Information.
• Our Acceptable Use Policy sets out how we ensure user-generated content on our Sites is acceptable and not inappropriate.
• Our Cookies Statements set out information relating to our use of cookies and you can manage your cookie preferences via our “Manage your Cookie Preferences” pages on our Sites.
• You can manage your marketing and other preferences via our Manage your Preferences pages on the respective Sites, which also enable you to opt-out of marketing and other communications on our Sites.

1. Who we are and other important information
2. Privacy Principles
3. Definitions
4. Your Agreement to this Privacy Policy
5. Links to External Sites
6. What Personal Information We Collect and How
7. How and Why We Use Personal Information
8. To Whom We Disclose Personal Information
9. International Transfers
10. Cookies and Other Technologies
11. How We Retain Personal Information
12. How We Protect Personal Information
13. Your Rights
14. Governing law; Complaints and Disputes
15. Changes to this Privacy Policy
16. Contact Us

This Section explains where this Privacy Policy is applicable and who we are and other important information including information about our relevant supervisory authorities and group companies.

1.1 This is the Privacy Policy of The Myers-Briggs Company group of companies. It sets out how we collect and process Personal Information through use of our Products and Services, use of our Sites, completion of our Assessments, and other collection of Personal Information related to our business as provider of products and services relating to individual and organizational development, receiver of goods and services, and employer. Our Products, Services, and Sites are designed for adults and therefore they are not intended for Children (all terms as defined in Section 3 (Definitions)).

1.2 This Privacy Policy covers all operations of The Myers-Briggs Company group of companies, including The Myers-Briggs Company, a California benefit corporation; The Myers-Briggs Company Limited, a company registered in England and Wales; The Myers-Briggs Company Pte. Ltd, a company registered in Singapore; and The Myers-Briggs Company Pty Ltd, a company registered in Australia; and includes the European branch offices of The Myers-Briggs Company Limited (including The Myers-Briggs Company - France, The Myers-Briggs Company - Netherlands and The Myers-Briggs Company – Germany, and its European operations in Belgium and Ireland). For the avoidance of doubt, this Privacy Policy covers all Products, Services, and Sites of The Myers-Briggs Company except for VitaNavis which has its own Privacy Policy, a copy of which is made available on the VitaNavis site.

1.3 Any translated versions of this Privacy Policy are available for informational purposes only. The English language version of this Privacy Policy shall prevail.

1.4 The Myers-Briggs Company has a Chief Operations Officer (COO) and The Myers-Briggs Company Limited has voluntarily appointed a Data Protection Officer (DPO), each of whom is responsible for overseeing privacy and data protection matters. Section 16 (Contact Us) tells you how you can contact The Myers-Briggs Company, our COO, and our DPO. Our COO and DPO are supported by multi-disciplinary and cross-jurisdiction data protection teams.

The Myers-Briggs Company Limited is registered under registration number Z7311902 with the UK Information Commissioner’s Office (ICO) which is the UK supervisory authority for UK data protection purposes. The Commission Nationale de l'Informatique et des Libertés (CNIL) is the EU supervisory authority for EU data protection purposes. The Australian Information Commissioner is responsible for complaints relating to Australian data subjects’ Personal Information. Section 14 (Governing Law; Complaints and Disputes) tells you how you can contact the ICO, the CNIL and the Australian Information Commissioner.

We have appointed an EU Representative in respect of our obligations under EU GDPR. Section 14 (Governing Law; Complaints and Disputes) tells you how you can contact the EU Representative.

This Section explains the guiding principles of this Privacy Policy and how we operate in relation to privacy matters.

2.1 This Privacy Policy is based on the following privacy principles:

• Access - In those instances where we control your data, we will provide you with (i) the opportunity to confirm whether we are processing your Personal Information; (ii) a way to obtain a copy of your Personal Information that we process; (iii) the ability to restrict or object to processing of your Personal Information; and (iv) the ability to correct, amend, or delete Personal Information that is inaccurate; all within a reasonable amount of time from the time you submit such a request.
• Accountability for Onward Transfer - We will not disclose your Personal Information to third parties other than as described in this Privacy Policy or our written agreements with you, and our agreements with third parties with whom we share Personal Information will reflect our privacy principles.
• Accuracy - We take reasonable steps to ensure that the Personal Information we have is accurate or rectified without delay if it is determined to be inaccurate.
• Choice - In those instances where we control your data, we will provide you with mechanisms that will allow you to opt out of (i) our direct marketing campaigns; (ii) our research or other surveys; (iii) the disclosure of your Personal Information to third parties who are not necessary to provide services to you; and (iv) the use of your Personal Information for purposes that are materially different from the purpose for which we originally collected the Personal Information.
• Data Integrity - In those instances where we control your data, you will be able to (i) view the Personal Information that we have about you; (ii) correct or modify your Personal Information if it is inaccurate or incomplete; and (iii) limit the collection of data to such data that is relevant to the Products and Services we provide to you or on your behalf.
• Data Minimization - We process only that Personal Information which is adequate, relevant, and necessary to achieve the purposes for which it is collected.
• Confidentiality, Integrity and Accessibility - We take reasonable measures to protect the confidentiality, integrity, security and accessibility of your Personal Information, and our agreements with third parties with whom we share Personal Information require similar protections.
• Lawfulness, Fairness, and Transparency - We will process your Personal Information only when we have a legal basis for doing so, and we will process your Personal Information in a manner that is fair and transparent to you.
• Non-Discrimination – We will not discriminate against you if you choose to exercise your privacy rights.
• Notice - We will not collect or transfer your Personal Information without your knowledge. We inform you of such collection and transfer through this Privacy Policy, our written agreements with you, and other disclosures we make available on the Sites.
• Purpose Limitation - We collect Personal Information only for specific, explicit, and legitimate purposes, and refrain from further processing that Personal Information in any manner that is incompatible with those purposes (subject to our reasonable archive, backup, and scientific research and product development practices).
• Recourse, Enforcement, and Liability - We have processes for handling complaints relating to use of your Personal Information (see Section 14 Governing Law; Complaints and Disputes).
• Storage limitation - We keep data in personally-identifiable form (Personal Information) only for as long as necessary to achieve the purposes for which it is being processed (subject to our reasonable archive, backup, and scientific research and product development practices).

This Section explains the meaning of certain terms used within this Privacy Policy.

3.1 In this Privacy Policy, the following terms are defined as set forth in this Section:

• “Assessment” means an instrument, questionnaire, or series of tests that are completed by one or more Respondents to provide information about a Respondent to the Respondent, to the Company, and to the associated Practitioner(s) and/or Customer, usually with the aim of generating one or more Reports.
• “Certified Practitioner” means an individual who: (i) has successfully completed one or more of our certification programs for certain Assessments; (ii) provides one or more Assessments to one or more Respondents; and (iii) interprets the Reports (or other output generated by the Company) to provide feedback to the Respondent(s) on the Reports following completion of the Assessment.
• “Child” or “Children” means those individuals who are: (i) in the United States and under age 13; (ii) in the European Union and under age 16; or (iii) in other countries or territories and under the minimum applicable age threshold to be considered an adult in that jurisdiction.
• “Controller” or “Data Controller” means the natural or legal person, public authority, agency or body which alone, or jointly with others, determines the purposes and means of the processing of Personal Information. “Customer” means an individual, business, or other entity that purchases the Company's Products or Services, or with which the Company has a contractual relationship to provide Products or Services.
• “Legal Basis” means the lawful purposes for which we may process Personal Information.
•  “Legitimate Interest” as a Legal Basis means the interest of our business in conducting and managing our business to enable us to give you the best service and/or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Information for our legitimate interests. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
• “Performance of Contract” as a Legal Basis means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
• “Consent” as a Legal Basis means processing your Personal Information having received your explicit, informed consent.
• “Compliance with a legal or regulatory obligation” as a Legal Basis means processing your Personal Information where it is necessary for compliance with a legal or regulatory obligation to which we are subject.
• “Personal Information” means any information, recorded in any form, about an identified or identifiable individual natural person (data subject) and includes “personal data” as referred to under the UK DPA, UK GDPR, and EU GDPR and "personal information" as referred to under the CCPA and Australian Privacy Act. An identifiable individual natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Information includes, for example, name, email address, mailing address, telephone number, billing information, account information, and other information incidental to providing or receiving Products or Services or which you may choose to provide to the Company. It also includes other information, such as IP address, device information, or other Session Data (as defined below) that can reasonably be linked to a specific individual, computer, or other device. Where we talk specifically about Personal Information of European Union data subjects, we refer to “EU Personal Information” and where we talk specifically about Personal Information of UK data subjects, we refer to “UK Personal Information,” and where we refer to “Personal Information” generally, this includes all personal information and personal data from any jurisdiction, including EU Personal Information and UK Personal Information, as applicable. “Special Category” means, in the context of data, Personal Information which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms, including those revealing racial or ethnic origin, political opinions or trade union membership, genetic data, biometric data, data concerning health or a person’s sex life or sexual orientation; Special Category Personal Information is sometimes referred to as “sensitive personal information”.
• “Practitioner” means an individual who administers one or more Assessments to one or more Respondents and who interprets the Reports (or other output generated by the Company) to provide feedback to the Respondent(s).
• “Processor” or “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller; and “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Products or Services” means the products and/or services promoted, sold, available for sale, or available for use on the Sites by us, such as our Assessments, Reports, web applications, mobile apps, and supplemental materials and “Products” or “Services” shall be construed accordingly.
• “Reports” means an analysis of the scoring and responses provided in connection with an Assessment, which a Practitioner, Respondent, or Customer may use to interpret a Respondent’s responses to an Assessment. Some Reports, such as those generated on www.mbtionline.com, do not require an interpretation from a Practitioner.
• “Respondent” means an individual who takes, will take, or has taken an Assessment.
• “Session Data” means, as applicable, usage information about how you use our Sites, Products and Services, and other systems and technologies made available by us, and technical data such as internet protocol (IP) address, unique identifier of an individual’s mobile device, login data, the type of browser and version, type of operating system, referring URL, date, time and duration of a visitor’s visit, the number of visits to a Site, the pages viewed, order of pages viewed, time spent on a particular page, the number of cookies accumulated, bytes sent, bytes received, protocol version, user agent, method, URI stem, URI query, or MAC address.
• “Site(s)” means any websites, Assessment platforms or mobile applications that we may develop or have developed from time-to-time and includes, without limitation: elevate.themyersbriggs.com (“Elevate"), www.oppassessment.eu.com (“OPPAssessment”) and www.mbtionline.com (“MBTIonline”), our main web-based Assessment scoring and delivery platforms (together, “Platforms”); www.themyersbriggs.com, www.mbtitype.com, and the Myers-Briggs mobile app (“App”), together with any successor platforms, websites or applications.

This Section explains your relationship to us and your agreement to this Privacy Policy.

4.1 By creating an account with us, using the Site(s) or our Products or Services, or submitting Personal Information to us, you agree to the practices described in this Privacy Policy, and you agree that we may collect, use, disclose, store, transmit, and/or process such Personal Information in accordance with this Privacy Policy or as required by law.

4.2 If you reside in a country or territory that restricts the transfer of Personal Information out of that country or territory, please do not submit Personal Information to us. If you nevertheless choose to, you agree to the transfer, storage, and processing of your Personal Information to countries that may not have data protection laws that provide the same level of protection as those that exist in your country of residence. Please see further Section 9 (International Transfers) for further information on where we transfer Personal Information internationally and how.

4.3 Children (as defined in Section 3 (Definitions) are not permitted to use the Sites. We do not knowingly collect Personal Information relating to Children. Should we discover that a Child has sent Personal Information directly to us, we will use that Personal Information only to respond directly to that Child to inform them that we will not continue to process their Personal Information and that we cannot provide Products or Services to them.

This Section explains about links to sites not operated by us.

This Privacy Policy applies only to information collected by The Myers-Briggs Company group of companies. The Sites may link to websites, plug-ins, and applications that are operated by third parties. Because such websites, plug-ins, and applications are not operated by the Company, they are not subject to this Privacy Policy. We recommend that you read the privacy statements that are posted on these third-party websites, plug-ins, and applications to understand their procedures for collecting, using, and disclosing Personal Information. We are not responsible or liable for those policies and procedures.

This Section explains what types of personal data we might collect from you and the classification of this data (Sections 6.1 to 6.3). It includes information on any Special Category Personal Information (that which you might consider particularly sensitive) (Section 6.4) that might be collected.
It also explains the legal bases for the data we collect (Section 6.2).

6.1 Whether you are a Customer, service provider or other business contact, Respondent, Practitioner, or personnel affiliated with the aforementioned, a candidate or employee, we may collect and use your Personal Information in the manner and for the reasons set out in this Privacy Policy. We collect most Personal Information directly from you; however, if we collect Personal Information indirectly, we refer to this practice explicitly in this Privacy Policy.

We collect only such Personal Information as necessary to (i) provide our Products and Services to you, including administration of accounts and Assessments; (ii) inform you about our Products and Services; (iii) continue our scientific research and product development in the field of our expertise, including, producing statistics of the type described in our technical product manuals; and producing data to statistically evaluate the fairness, validity, and reliability of our Assessments to ensure our Assessments remain ethical and neutral and are fair in terms of differing nationalities, races, and cultures, in support of our commitments to diversity, equity, and inclusion; and (iv) improve our Sites, Products or Services, and your experience interacting with us. We describe in Section 6.3 the different ways in which we collect or obtain Personal Information.

6.2 We may process your Personal Information for more than one Legal Basis depending on the specific purpose for which we are using each element of data, including Legitimate Interest, Performance of Contract and in limited circumstances, Consent. Further information can be provided on request. Generally, the purposes for which we process your Personal Information (commonly referred to as the Legal Basis for our processing) is our Legitimate Interest in: (i) providing the Sites, Products, or Services to you, via our website, by telephone or by email, including responding to enquiries by you prior to us providing Products or Services to you; or (ii) contacting or considering you as a candidate for employment with us, or Performance of Contract as a Legal basis, performing the contractual obligations that we owe to our Customers and others. Generally, we do not rely on Consent as a Legal Basis for processing your Personal Information other than in relation to sending marketing communications to certain potential customers and where Special Category Personal Information is collected from Respondents on an optional basis for our scientific research and product development purposes. Where Consent is used as the Legal Basis for processing, you may withdraw Consent at any time. Section 13 (Your Rights) has more information on withdrawing Consent and Section 6 (What Personal Information We Collect and How), Section 7 (How and Why we Use Personal Information), and Section 11 (How we Retain Personal Information) have more information on why and how we collect Personal Information for scientific research and product development purposes.

6.3 We collect or obtain Personal Information as follows, according to the relationship that the person providing the data has with us. While the Company collects data as set out herein, and while we may disclose your Personal Information for the business purposes set out in Section 8 (To Whom we Disclose Personal Information), the Company does not sell your Personal Information to third parties.

6.3.1 If you visit the Sites—If you simply visit the Sites, you are not required to reveal Personal Information but we automatically collect the related Session Data. Session Data is provided to us by your browser, by third-party integrations on our Sites, and through our log files, which record your activities while browsing our Sites, such as when you click on a link. We may record some of this data in one or more cookies or other similar technologies that we send to your browser (see Section 10 (Cookies and Other Technologies). If, however, you ask us for information, engage in “chat” functions on any of our Sites, register with us, sign up to attend any of our events, receive our marketing material or otherwise express an interest in our Products or Services, or report a problem, we collect any Personal Information you submit to us which may involve collection of the following, where provided:

• Identity Data (including full name, username or similar identifier, job title, title, gender)
• Contact Data (including email address, telephone numbers)
• Session Data (as defined in Section 3)
• Marketing and Communications Data (including your preferences in receiving marketing from us and your communication and cookie preferences)

6.3.2 If you register or create an account—If you register for our Products or Services, including subscribing to our emails or newsletters, or create an account with us, or ask us for information, or sign up to attend any of our events or virtual offerings to receive our marketing material or otherwise express an interest in our Products and Services or report a problem on our Sites and technologies made available by us, we may collect any Personal Information submitted to us at that time and require that you provide certain Personal Information during account registration or subscription. In such circumstances, we collect the following information, and may ask you for other optional information that helps us serve you better:

• Identity Data (including full name, username or similar identifier, title, gender, job title, role, seniority)
• Contact Data (including billing address, delivery address, email address, telephone numbers)
• Session Data (as defined in Section 3)

6.3.3 If you are a Customer or other business contact—If you are a Customer or other business contact, or if you are an employee or agent of a Customer or business contact, we may collect your business contact data as follows in the regular course of our interaction with you:

• Identity Data (including full name, username or similar identifier, title, gender, job title, role, seniority)
• Contact Data (including billing address, delivery address, email address, telephone numbers)
• Financial Data (including bank account, payment card details)
• Transaction Data (including details about payments to and from you and/or your organisation and other details of products and services you have purchased from us)
• Session Data (as defined in Section 3)
• Profile Data (including username, password, purchases or orders made by you, your interests, preferences, feedback and survey responses)
• Marketing and Communications Data (including your preferences in receiving marketing from us and your communication and cookie preferences)

We collect such data to enable you to receive our Products and Services, to manage contractual relationships on an ongoing basis, for account administration, to personalize our Products and Services offered to you, to enable you to participate in interactive features of our Products and Services, for technical administration of our Sites, and to provide updates and news about our Products and Services, events and other information that we think may be of interest to you. We also collect data through the use of cookies. You can find more information on cookies and other similar technologies in Section 10 (Cookies and Other Technologies).

We also collect data you share with us on blogs, chat forums, or similar platforms at the time of submission of such data. This may be accessible to others and you should refer to our Acceptable Use Policy.

6.3.4 If you complete an Assessment—If a Respondent completes an Assessment, we may collect the following Personal Information:

Mandatory data:

• Identity Data (including full name, username or similar identifier, title, gender, region)
• Contact Data (including email address)
• Assessment responses (Item Responses as defined below)
• Session Data (as defined in Section 3)

Non-mandatory data:

• where provided within responses to optional demographic questions on our Platforms:
  • age
  • qualification
  • nationality
  • ethnic origin
  • employment status
  • occupational level
  • job type

For the mandatory data described above, we collect Respondent Identity Data, Respondent Contact Data, Respondents’ responses to Assessments including multiple choice or other answers to questions in our assessments (“Item Responses”), and Personal Information contained in Reports (together, “Respondent Assessment Data”), and use such Respondent Assessment Data to provide Products and Services as set out in Section 7.1.2.

For the non-mandatory data described above, we ask the demographic questions in order to collect non-mandatory data relating to Respondents (“Demographic Data”) where such is optionally submitted to us. These fields are identified as optional and are presented prior to completion of any Assessment. The presentation of these optional demographic questions may be disabled by the Practitioner prior to inviting Respondents to complete Assessments. In some instances, these optional demographic questions on our Platforms, may involve collection of Special Category Personal Information, such as information regarding your racial or ethnic origin, together with other Demographic Data. You are free to not respond to these optional questions in which case no Demographic Data will be collected for the questions you leave unanswered. For all optional questions, our Legal Basis for processing your Personal Information is your Consent.

We collect Item Responses and Demographic Data and use these together in non-personally identifiable form (together, “Research Data”) for our scientific research and product development purposes as further set out in Section 7.1.4. Please see Section 7 (How and Why We Use Personal Information) for further information on how and why we use Respondent Assessment Data and Research Data and Section 11 (How We Retain Personal Information) for information on how long we retain Respondent Assessment Data and Research Data.

We may also collect data from your associated organization. Where feedback is given and/or you participate in an assessment center, development center, or consultancy engagement run by our Professional Services team, additional data to that set out above may be provided by you to the Practitioner and/or associated organization and/or our Professional Services team, at the time of such feedback, assessment, or engagement. In some instances, data collected within such assessment centers or other consultancy engagements run by our Professional Services team may also involve the collection of Special Category Personal Information. Collection of such Special Category Personal Information is optional and is only provided directly by the data subject to which it relates under Consent. See Section 6.4 for more information on Special Category Personal Information and Section 7 (How and Why We Use Personal Information) and Section 11 (How We Retain Personal Information) for information on how long we retain Personal Information.

6.3.5 If you choose to participate in a survey—If you choose to participate in one of our surveys, including: (i) those Respondents on our Platforms who opt-in to be contacted for, and to participate in, future research opportunities including surveys; and/or (ii) any customer or advisory board survey or studies we invite you to engage in (together, “Survey Participants”), participation in surveys is optional, and we give you the ability to opt-out of being contacted for surveys at any time. You can manage your preferences on our respective Sites.

(i) If you are a Respondent who chooses to participate in future research opportunities, we may collect Personal Information from you, including:

• Identity Data (including full name, username or similar identifier, title, gender, region)
• Contact Data (including email address)
• Assessment responses (Item Responses as defined above)
• Session Data (as defined in Section 3)

• where provided within responses to optional demographic questions on our Platforms:
  • age
  • qualification
  • nationality
  • ethnic origin
  • employment status
  • occupational level
  • job type

any such Respondent Assessment Data and Demographic Data as above collected from you being referred to as “Research Survey Participant Data".

(ii) If you are responding to a customer or advisory board or other survey, we may collect Personal Information from you, including:

• Identity Data (including full name, username or similar identifier, title, gender, region)
• Contact Data (including email address)
• Session Data (as defined in Section 3)
• Other data and information you might choose to submit to us

any such data as above collected from you being referred to as “General Survey Participant Data”.

See Section 7 (How and Why We Use Personal Information) for further information on how we use Research Survey Participant Data and General Survey Participant Data and Section 11 (How We Retain Personal Information) for information on how long we retain such.

6.3.6 If you sign up to receive marketing communications—If you sign up to receive our marketing communications, we may collect the following information:

• Identity Data (including full name, username or similar identifier, title, gender, job title, role, seniority) where provided
• Contact Data (including billing address, delivery address, email address, telephone numbers) where provided
• Session Data (as defined in Section 3)

Our marketing communications contain instructions on how to opt-out of receiving future marketing communications if you no longer wish to receive them.

6.3.7 If you are a service provider—If you are a service provider, or if you are an employee or agent of a service provider, we may collect your business contact data as follows, and other contact information in the regular course of our interaction with you. We collect such information to manage our contractual relationship on an ongoing basis; for service provider administration (including retention of correspondence if you contact us); and to provide updates and news about our business as such may be relevant to you.

• Identity Data (including full name, username or similar identifier, title, gender, job title, role, seniority)
• Contact Data (including billing address, service provider address, email address, telephone numbers)
• Financial Data (including bank account, payment card details)
• Transaction Data (including details about payments to and from you and/or your organization and other details of products and services we have purchased from you)

We also collect data through the use of cookies and other similar technologies. You can find more information on these in Section 10 (Cookies and Other Technologies).

6.3.8 If you interact with third parties regarding our Products or Services—We may receive Personal Information about you from third parties, such as from Customers, websites where we advertise, business partners, and service providers. Some of this information pertains to a specific individual; other information can only be linked to an access point or a device.

6.3.9 If you apply for employment or are employed by us—If you choose to apply for an open position of employment we have designated as available, we may collect Personal Information as follows in connection with your application:

• Identity Data (including full name, title, gender, job title, role, seniority, qualifications, education)
• Contact Data (including address, email address, telephone numbers)
• Session Data (as defined in Section 3)
• Other data and information where provided by the applicant in applications and communications

We use this information only to consider you as an applicant for the position for which you are applying and to contact you for legitimate purposes relating to that application. Where the application is not made online, the data may only include Identity Data and Contact Data, plus other information an applicant provides. If you are employed by us in the US or elsewhere outside the UK/EU, an employee privacy policy is provided to staff (employees and consultants) at commencement of employment or provision of services. If you are employed by us in the UK or any of our EU offices, a Privacy Statement is provided to staff (employees and consultants) at commencement of employment or provision of services, which sets out the types of Personal Information, collection, uses, transfers to third parties and internationally, and data subject rights. Applicants for positions in the US office may request, from the HR department of The Myers-Briggs Company, a copy of the employee privacy policy and applicants for positions in the UK and EU offices may request, from the HR department of The Myers-Briggs Company Limited, a copy of our Privacy Statement. Further information for staff will not be provided in this Privacy Policy; instead, please contact your relevant HR department.

6.3.10 If you use our App—We may collect certain additional Personal Information from you as follows, if you use our mobile App:

• Identity Data (including full name, username or similar identifier, title, gender, region)
• Contact Data (including email address)
• Session Data (as defined in Section 3)
• Other data and information where provided by you

We may also collect Personal Information relating to your third-party contacts, including any additional information you choose to add regarding such contacts, but only if you choose to make use of the App’s feature(s) that require or utilize this information.

6.3.11 If you participate in our virtual training programs—We may use the following data to monitor and limit the registration and attendance of participants in the program, in addition to any data you may provide if you are also a Customer and/or Respondent:

• Contact Data (including email address)
• Session Data (as defined in Section 3)

6.4 Special Category Personal Information— We may collect from Respondents Special Category Personal Information (on ethnicity) where optionally provided, together with other optional Demographic Data, for scientific research and product development purposes, in order to produce statistics of the type described in our technical product manuals, e.g. psychometric norms and validity data for the necessary purpose of statistically evaluating the fairness, validity and reliability of our Assessments. Such statistics assist in ensuring our Assessments remain ethical and neutral, and are fair in terms of differing nationalities, race, and cultures, supporting diversity and equity. For further information on the research data we collect and why, please see Section 7.1.4 and our Explaining Demographics page. Other than for Research Survey Participant Data (see Section 6.3.5), such data is only used in non-personally identifiable form for scientific research and product development purposes (see Section 7 (How and Why We Use Personal Information) for information on how we use Research Survey Participant Data and Section 11 (How We Retain Personal Information) for information on how long we retain Personal Information).

Other than in respect of Respondents and Survey Participants, and The Myers-Briggs Company staff, as each set out herein, we do not collect Special Category Personal Information.

6.5 If you fail to provide Personal Information—Where we need to collect Personal Information by law or under the terms of a contractual arrangement for provision of Products or Services, and you fail to provide that Personal Information when requested as being mandatory, we may not be able to fulfil the terms of the contract or relationship that we have with you or your sponsoring organization.

This Section explains how and why we use your personal data (Section 7.1) and how you may opt-out of marketing communications (Section 7.2).

7.1 We use Personal Information in order to provide and enhance the Products or Services that we offer as explained below:

7.1.1 To facilitate the use of the Sites—We use Session Data to ease navigation throughout the Sites, to enhance navigation, keep track of login name and password in order to avoid requesting Identity Data when the visitor moves from page to page, and in general to enhance the quality of our Sites and the content provided on the Sites. We also use cookies and other similar technologies. You can find more information on these in Section 10 (Cookies and Other Technologies).

7.1.2 In connection with Assessments—We use Respondent Assessment Data in personally identifiable form generally to provide Products and Services to our Customers. More specifically, we use the Item Responses to score the Assessments and to generate Reports and other data related to the Respondents to those Assessments. We also use Identity Data and Contact Data to personalize Reports and to provide these Reports to Respondents, Practitioners, and our Customers. We sometimes combine data from multiple Respondents (for example, in team reports). We may also combine Item Responses and Demographic Data with our general Research Data, or compare or associate one individual’s Respondent Assessment Data with other Respondents’ Assessment Data for statistical analysis for scientific research and product development purposes, as further set out in Section 7.1.4. With the exception of General Survey Participant Data and Research Survey Participant Data (each as defined in Section 6.3.5), we only use Respondent Assessment Data and Demographic Data for scientific research and product development purposes in non-personally identifiable form as further set out in Section 7.1.5. Certain subsets of this data are made available to our Customers, but your Personal Information is only shared with a Customer if you complete an Assessment that has been sponsored by that Customer.

In relation to Respondent Assessment Data and any Demographic Data, Customer is the Controller and the Company is the Processor. Where Customers and/or Practitioners and Respondents provide Personal Information to the Company, the Company will process that Personal Information in accordance with the Controller’s documented instructions, unless required to do otherwise by applicable law and in accordance with this Privacy Policy.

7.1.3 To validate certification status—If you are or become a Certified Practitioner, we may share Identity Data and Contact Data and other information regarding your certification, such as the instruments in which you are certified/qualified, the date(s) of your certification/qualification, and the current status of your certification/qualification with individuals who inquire about such information.

7.1.4 For general research purposes—We may use aggregated Session Data to better understand how our Sites are navigated, how many visitors arrive at specific pages, which pages or content attract more viewers, the length and frequency of stays at our Sites, the different types of searches of our Sites’ content and databases, the types of browsers and computer operating systems that our visitors use, and the IP addresses from which visitors connect to our Sites, in order to improve our Sites, maintain the security of our Sites, and enhance our content. We may use IP addresses to gather broad demographic information—information that is not associated with any individual, and is therefore anonymous. We may use your General Survey Participant Data (as defined in Section 6.3.5) to contact you in relation to any customer, advisory board or other surveys or participation that we might invite you to engage in, where you have opted-in to participate in participate in such surveys. We may use such General Survey Participant Data for marketing and product development purposes, to improve and enhance our Products and Services. Participation in such surveys is optional, and we give you the ability to opt-out of being contacted for such surveys at any time. You can manage your preferences on our respective Sites. See Section 11 (How We Retain Your Personal Information) for information on how long we retain Research Survey Participant Data.

7.1.5 For scientific research and product development purposes— As set out in Section 6.3.5, we use data collected through our Platforms for scientific research and product development purposes and statistical analysis, in order to produce statistics of the type described in our technical product manuals, e.g. psychometric norms and validity data, to statistically evaluate the fairness, validity, and reliability of our Assessments.

This use of Research Data (as defined in Section 6.3.4) for scientific research and product development purposes is a necessary part of our business and a legitimate purpose in providing us with statistical data to assist us in ensuring our Products and Services remain valid, reliable, and up to date, with technical enhancements, as well as ensuring our Assessments remain ethical, neutral and fair in terms of differing nationalities, races, and cultures, in support of our commitments to diversity, equity, and inclusion. For further information on why we collect this demographic information, please see Explaining Demographics.

Research Data is used in our research databases only in non-personally identifiable form and such use is subject to restricted access controls, and other technical control measures. Research Data is used only for scientific research and product development purposes to improve our Products and Services as set out above. See Section 11 (How We Retain Your Personal Information) for information on how we retain Research Data.

Notwithstanding the above, we also use Research Survey Participant Data (as defined in Section 6.3.5) in our research databases in personally identifiable form for the period set out in Sections 11.4.2 and 11.4.3, and such Research Survey Participant Data is collected and used on the Legal Basis of Consent as set forth in Section 6.3.5 with a specific opt-in mechanism for being contacted for future research opportunities. Such Research Survey Participant Data is used in our research databases and such use is subject to restricted access controls, and other technical control measures. Research Survey Participant Data is used only to contact you in relation to future research survey participation and for scientific research and product development purposes to improve our Products and Services as set out above. Participation in surveys is optional, and we give you the ability to opt-out of being contacted for surveys at any time. You can manage your preferences here. See Section 11 (How We Retain Your Personal Information) for information on how long we retain Research Survey Participant Data.

We may also use location information gathered from our mobile application(s) for scientific research and product development purposes as set forth in Section 6.3.4 and Section 11 (How we Retain Personal Information).

7.1.6 For survey analysis—The information that we collect through our surveys is not used other than to garner survey results, and for the purposes of statistical analysis, to improve and enhance our Products and Services as further explained in Sections 6.3.5, 7.1.4 and 7.1.5 above.

7.1.7 For marketing purposes—We may use Identity Data and Contact Data to send mailings, newsletters, and other marketing communications regarding product information and releases and to contact you by phone for marketing purposes. We may use Session Data to better understand your use of our Sites, and Marketing and Communication Data including tracking tags to monitor the open rate of our communications. This helps us understand the effectiveness of the communications that we send. We give you the ability to opt out of marketing communications at any time.

7.1.8 For use of our App or other interactive features made available to you—We may use Session Data including location information gathered from our mobile application(s) to better understand how our App is navigated, how many visitors arrive at specific pages, which pages or content attract more viewers, the length and frequency of stays on our App, the different types of searches of our Sites’ content and databases, the types of browsers and computer operating systems that our visitors use, and the IP addresses from which visitors connect to our App, in order to improve our App and enhance our content. We may also use your Identity Data, Contact Data, Profile Data and Marketing and Communications Data to provide you with information about our Products and Services, together with any third-party Contact Data for third party contacts you may provide to us for the purposes of enabling features of the App.

7.1.9 For security and maintenance purposes—We may use IP addresses and Session Data to diagnose problems with our server, and to administer and protect our Sites.

7.2 You can manage your marketing and other contact preferences through our Manage your Preferences page or the manage your preferences page on our respective Sites. You may also opt-out of research participation where you have previously agreed to participate in future research opportunities or other surveys participation. You will receive marketing communications from us if you have requested information from us or purchased Products or Services from us or if you provided us or one of our service providers (including event organizers and third-party video-conference facility providers) with your details and, in each case, you have not opted out of receiving marketing. Where you opt-out of receiving marketing messages, we may need to communicate with you for administrative or operational reasons and therefore whilst you use our Products and Services and continue to wish to do so, it is not possible to opt-out of all communications with us. Therefore, an opt-out may not apply to Business Contact Personal Information (for example Identity Data and Contact Data) provided to us as a result of purchase of Products or Services or other associated activities or transactions.

This Section explains who we might share your data with including where we transfer Personal Information internationally and/or to third parties for processing purposes.

8.1 From time to time, we may disclose Personal Information to someone other than the individual who provided the Personal Information, as further described in Section 8.3. These are generally Processors that we necessarily make use of in order to provide our Products and Services to you. We may also share your Personal Information with Controllers. In general, our Customers are Controllers of Respondent Personal Information (as further set out in Section 11.3 and comprising Respondent Assessment Data and any Demographic Data), except in respect of MBTIonline where we are Controller. Our Customers may be Practitioners or organizations. We are the Controller in respect of business contact data we receive in relation to Customers, service providers, and other third parties, and their employees and agents, including in respect of Practitioners’ certification/qualification data. We undertake data protection impact assessments (DPIAs) and enter into data processing agreements (DPAs) with both Processors and Controllers, as applicable when required by applicable law.

8.2 We undertake a selection process and periodic review in relation to third-party Processors and sub-Processors to whom we might transfer Personal Information, including conducting DPIAs and data transfer impact assessments (DTIAs) where applicable. We require all third-party service providers to respect the security of your Personal Information and to treat it in accordance with the law. We do not allow our service providers to use your data for their own purposes, and we require that processing of Personal Information is in accordance with our instructions. We enter into written DPAs with service providers that receive Personal Information from us, together with appropriate safeguard mechanisms, including standard contractual clauses (SCCs) and International Data Transfer Agreements/ Addendums (IDTAs) as may be required.

Pursuant to written agreements between the Company and these service providers, each of these service providers: only has access to such Personal Information as necessary to fulfil its obligation to the Company; is not permitted to use Personal Information for any purposes other than those directed by the Company; and is required to act in a manner consistent with the privacy principles articulated in this Privacy Policy, and applicable law.

8.3 We may disclose Personal Information to third parties as follows:

8.3.1 Customers—The Company provides its Customers with the information that they need to properly administer or interpret Assessments. If you take an Assessment at the direction of one of our Customers, that Customer will receive from the Company one or more Reports based on the Assessment you took and the responses you provided to that Assessment so that the Customer may properly counsel or advise you or provide you with other services. Customer’s uses of this data are controlled by Customers, not by us.

8.3.2 Gift Recipients—If you purchase Products or Services for use by another individual (for example, as a gift), then we may provide the recipient of such Products or Services with your Personal Information.

8.3.3 Service providers—We may engage certain third parties to perform functions and provide services to us, or partner with us to provide services, including, without limitation, customer relationship management, contract management, order fulfilment, mass mailing, hosting and maintenance, database storage and management, business analytics, and direct marketing campaigns. As of the effective date of this Privacy Policy, the current list of third party sub-processors to whom we, as Processor, might disclose Personal Information is set forth in Annex 1, Parts 1 and 2. We update these as required and notify you through the update of Annex 1.

In addition to these, we, as Controller, might disclose business contact Personal Information and other data with business services providers, including (without limitation) Act-On; Adobe Inc.; Arkadin, Inc.; Barracuda Networks, Inc.; BlackTab Solutions; CIENCE Technologies, Inc.; Credly; Epignosis LLC; FedEx Corporation; FinePrint (Services) Limited; Google Analytics; Joynson and Gordon Limited; Microsoft Corporation; Mimecast Services Limited/ Mimecast North America, Inc.; PayPal, Inc.; Salesforce.com, Inc.; SendGrid, Inc.; Square, Inc.; Tieva; United Parcel Service; Vena Solutions USA Inc.; Worldpay; Zendesk, Inc.; Zoho Corporation Pvt. Ltd.; ZoomInfo; Zoom Video Communications, Inc.

8.3.4 Group affiliates—We may provide Personal Information to companies in our group of companies including parent company, The Myers-Briggs Company, in the US, which provides resources in relation to IT, legal, HR, finance, marketing and Professional Services functions, shared IT and system administration services and to fulfil internal reporting requirements, together with subsidiaries, The Myers-Briggs Company Limited in the UK, The Myers-Briggs Company Pte. Ltd in Singapore, and The Myers-Briggs Company Pty Ltd in Australia, and including the European branch offices of The Myers-Briggs Company Limited in France, The Netherlands and Germany, and its European operations in Belgium and Ireland.

8.3.5 Foreign Distributors— We may provide Personal Information to our distributors in foreign markets. We only do so when we believe that providing such Personal Information will permit us to improve the Products or Services provided to Customers in that distributor’s territory, and only when the distributor’s use of such Personal Information is in accordance with the privacy principles described in this Privacy Policy. As of the effective date of this Privacy Policy, the Company’s distributors in foreign markets include those listed in Annex 2, Parts 1 and 2.

8.3.6 To defend or enforce our rights—The Company may use Personal Information to protect itself or to protect the Sites, to respond to a breach of our various terms and conditions (or other applicable legal terms), to prevent fraudulent activity, or where it is necessary to pursue available remedies. If a Customer neglects to pay amounts due and owing to the Company, the Company may send that Customer’s name, contact information, and account information to a third-party service provider for collection of overdue payments.

8.3.7 Co-Marketing Partners—We may collaborate with other companies to offer you additional Products or Services. We may share Personal Information that is necessary for these other companies to provide the Products or Services that you have requested. This Privacy Policy does not cover the use of your Personal Information by these companies. We encourage you to read a third-party’s Privacy Policy before requesting any affected Products or Services.

8.3.8 Mergers & Acquisition; Bankruptcy—If any or all of the Company's assets are acquired by or merged with those of another entity, or in the unlikely event of a bankruptcy, we may disclose, share or transfer some or all of our users’ Personal Information to or with this entity in preparation of the transaction, as part of the due diligence, or after the transaction has been consummated, so that the successor entity can continue providing our Products and Services to our users. If the recipient of the Personal Information has privacy practices that do not meet the substance of this Privacy Policy, you will be given the opportunity to exercise your rights with respect to your Personal Information.

8.3.9 Law Enforcement; Litigation—Certain federal, state, local, or other government regulations may require that we disclose information that we hold. In such cases, we will use reasonable efforts to disclose only the Personal Information required under applicable law, such as in response to a facially valid court order, warrant or subpoena issued or made by a court, person or body. We may use or disclose Personal Information: (i) if we believe in good faith that a law, regulation, rule or guideline requires it; or (ii) to a person who needs the information because of an emergency that threatens the life, health or security of an identified group or person.

8.3.10 Aggregated data—Other than as stated above, if the Company provides a third-party with Personal Information, it will be in the form of aggregated data (and therefore in non-personally identifiable form), and used for scientific research and product development, including statistical analysis. Aggregated data are created from records that are stripped of all personal identifiers, and may include: (i) aggregated Research Data; (ii) aggregated Item Responses; (iii) aggregated Demographic Data; (iv) aggregated Survey Participant Data, each for the purposes of scientific research and product development; and (v) cookies data. Data used within our scientific research and product development functions is derived from your Personal Information but is used in non-personally identifiable form (except for any Research Survey Participant Data in accordance with Sections 7.3.5 and 11.4.3) and no Personal Information will be published or disclosed since it is anonymized and aggregated for the purposes of such publications, and therefore no person is identified or identifiable.

8.3.11 Analytics data—We perform analytics, such as trends, sales intelligence, marketing effectiveness (such as click and open rates), uptake and progress, with analytics providers. Such third party providers use cookies and other similar technologies. You can find out more about how we use cookies and other similar technologies in Section 10 Cookies and Other Technologies. You can manage your cookie preferences through our Manage your Cookie Preferences center on our respective Sites.

8.3.12 The Public—Certain of our Sites offer publicly-accessible blogs or community forums and any Personal Information you provide on these blogs or forums may be read, collected, and used by others who access those Sites. We encourage you to be thoughtful of what Personal Information you choose to provide on such Sites and to comply with our Acceptable Use Policy.

This Section explains where we transfer data internationally, including outside the European Economic Area (EEA), and what safeguards are in place for such transfers of Personal Information.

9.1 Our processing of your Personal Information with third parties as set out in Section 8 may require transfer of your Personal Information to countries outside of the country in which you reside (including outside the European Economic Area (EEA)) or to an international organization, as follows, to:

• other companies in our group of companies including our affiliates, one of which is our parent company and licensor, The Myers-Briggs Company, which is based in the US as set out in Section 8.3.4
• other European offices other than our UK headquarters of our European operations, including our European branch offices and operations in France, The Netherlands, Germany, Belgium and Ireland as set out in Section 8.3.4
• third-party service providers who provide IT, database and system administration services, based in the US and elsewhere, as set forth in Section 8.3.3, or
• third-parties as otherwise set out in Section 8.3.

9.2 Where we transfer Personal Information to third parties internationally, including outside the EEA, we will only do so when we can ensure that the level of protection of your Personal Information will not be undermined. To achieve this level of protection, we rely on a variety of data transfer mechanisms.

9.3. In relation to transfers of Personal Information generally, we ensure that that the recipients to which it is sent are: (i) within countries deemed adequate with respect to their data protection laws, (ii) covered through the entering into of data processing agreements (DPAs) and appropriate safeguards such as standard contractual clauses (SCCs) or international data transfer agreements and/or addendums (IDTAs) for transfers of Personal Information, and monitoring such protections to ensure the adequacy of such measures. We conduct data processing impact assessments (DPIAs) and data transfer impact assessments (DTIAs) where appropriate and as required by applicable law.

9.4 Specifically in respect of EU Personal Information:

9.4.1 all such EU Personal Information processed by The Myers-Briggs Company Limited is processed in the UK, the headquarters of our UK and European operations, and where such constitutes a transfer outside the EEA to the UK (in the case of transfers for example from our European offices in France, The Netherlands, Belgium and Germany, and in respect of transfers otherwise from a country within the EEA to the UK) it is covered by the European Commission’s 2021 decision on adequacy of the UK data protection regime; and 

9.4.2 in relation to transfers of any UK Personal Information and EU Personal Information to the United States, including (without limitation) to our parent company, The Myers-Briggs Company in the US, The Myers-Briggs Company complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) (covering EU transfers to the U.S.), the UK Extension to the EU-U.S. DPF (covering UK transfers to the U.S.) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (covering Swiss transfers to the U.S.) as set forth by the U.S. Department of Commerce. The Myers-Briggs Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. The Myers-Briggs Company has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

9.5. Lists of sub-processors to whom we transfer Personal Information, internationally, including outside the EEA, is at Annex 1. Annex 1, Part 2 details the list of parties to whom UK Personal Information and EU Personal Information specifically may be transferred internationally.

This Section provides information on what cookies and tracking tags are (Section 10.1), how we use cookies (Section 10.2) and how to manage cookies (Section 10.3).

10.1 A cookie is a small text file that is stored on a visitor’s browser and records data such as user IDs and session IDs (for example, to determine if a visitor is logged in or is a new or returning visitor. The website places the cookie on a visitor’s browser and verifies that information with respect to that visitor in certain instances. A cookie assigns each visitor a unique identification number that identifies the visitor’s browser, and in some instances the visitor. Cookies can be accepted, rejected, or identified by configuring a browser’s preferences or settings. Third party tracking scripts using javascript code or clear gifs, which are tiny graphics with a unique identifier that is embedded invisibly on a webpage, are used to track a visitor’s actions on a website.

10.2 We use the information gathered by javascript code and/or clear gifs (“tracking tags”) to help us better manage content on the Sites. Cookies and tracking tags are used to help customize the visitor’s online experience. Unless a visitor specifically informs us of their identity (e.g., by registering with us), we will not know who the individual visitor is.

The Sites use cookies and tracking tags as follows:

• to collect Session Data and other session information;
• to process orders and to store order and shopping cart information;
• to store user authentication status so that users do not have to re-enter this information each time they log in;
• to track activity to our Sites from marketing communications and event communications; and
• to collect analytics relating to use of the Site.

The Sites do not respond to “do not track” signals or other similar mechanisms.

10.3 For more information about our use of specific cookies on the Sites, and how to manage cookies, please visit the “Cookies” Section on the relevant Site(s).

This Section explains how long we retain data for (Section 11.1) including specific information on respondent data retention periods (Section 11.2) and where we may anonymize data and retain it in the form of aggregated data (Section 11.3).

11.1 As a general principle, we keep data in personally-identifiable form only for as long as necessary to achieve the purposes for which it is being processed (subject to our reasonable archive and back-up practices). In practice, that generally means we may retain your Personal Information

• (i) for as long as your account with us remains active;
• (ii) for as long as you continue to do business with us; or
• (iii) for as long as we are required or permitted to by applicable law, including for the purposes of satisfying any legal, accounting or reporting requirements.

We also keep data in non-personally identifiable form as further set out in this Section 11. We may store data in electronic form, physical form and any other media and use appropriate organizational and technical controls as set out in Section 12 (How we Protect Personal Information).

11.2 The periods that we retain data for are set out in our internal records retention and destruction policies. These policies, along with this Privacy Policy, set out the types of data that The Myers-Briggs Company collects and the retention periods and destruction methods for such data.

To determine the appropriate retention periods for Personal Information, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the Personal Information and whether we can achieve those purposes through other means, together with applicable legal requirements, including certain statutory retention periods. In summary:

• (i) in respect of active accounts on Elevate, and including MBTIonline Teams on Elevate, we retain Respondent Personal Information (as further set out in Section 11.3 and comprising Respondent Assessment Data and any Demographic Data) for a period determined by the Customer, the data controller, via data retention settings within the Customer’s Elevate account. These settings range from eighteen (18) months to an indefinite period, and the Customer is able to set and change the selection via the data retention settings within the Customer’s Elevate account at any time (“Customer Retention Period”).
  
  If the Customer does not set a retention period within the Customer’s Elevate account, we will retain Respondent Personal Information for a period from collection to twenty (20) years after completion of applicable Assessment(s) by a Respondent (“Default Retention Period”), as further set forth in Section 11.3, and provided the Customer’s Elevate account remains active; if the Customer’s account becomes inactive (where a subscription to our Services on the Elevate Platform lapses) or if the Customer ceases doing business with us, we may also retain Respondent Personal Information for an additional period for our reasonable archive and back-up purposes, up to six (6) months. For further information specific to Respondents on our Elevate Platform, see Section 11.3;

• (ii) in respect of active accounts on OPPassessment, we retain Respondent Personal Information (as further set out in Section 11.3 and comprising Respondent Assessment Data and any Demographic Data) for a period from collection to eighteen (18) months after completion of applicable Assessment(s) by a Respondent (“OPPa Retention Period”), as further set forth in Section 11.3; and if a Customer ceases doing business with us, we may also retain that Customer’s Personal Information for an additional period for our reasonable archive and back-up purposes, up to six (6) months. For further information specific to Respondents on our OPPassessment Platform, see Section 11.3;

• (iii) in respect of other Sites including MBTIonline.com (but excluding MBTIonline Teams on Elevate), the App, and MBTItype.com, due to the longer-term nature of the learning journey, Personal Information and associated data will be retained for the duration that your use of the relevant Site is active and thereafter removed or anonymized (with no longer active being deemed as eighteen (18) months of inactivity on the applicable Site in the case of MBTIonline.com, the App and mbtitype.com or in relation to other Sites not specified, if you cease doing business with us). Note that activity on one Site, including our website, themyersbriggs.com, will not be deemed activity on our other Sites (including MBTIonline.com, the App and MBTItype.com). We may also retain your Personal Information for an additional period for our reasonable archive and back-up purposes, up to six (6) months.
  
  After such removal and anonymization, it is not possible to order new reports or reprints of previously ordered reports, since the Personal Information from the originating Assessment and the Report will have been deleted;

• (iv) in respect of the Product MBTIComplete, and subject to Sections 11.3.2 and 11.3.3 below, Respondent Personal Information and associated data will be retained for the Customer Retention Period; if the Customer does not set a retention period within that Customer’s Elevate account, then we will retain Respondent Personal Information for the Default Retention Period, provided the associated Practitioner Platform Account remains active in accordance with Section 11.3.5, after which it will periodically be removed from the Practitioner Platform Account or anonymized.
  
  After such anonymization, it is not possible to order new reports or reprints of previously ordered reports, since the Personal Information from the originating Assessment and the Report will have been deleted. If you require a report for any Respondent whose Respondent Personal Information has been deleted or anonymized in accordance with the Customer Retention Period or the Default Retention Period, as applicable, the Respondent must complete a new Assessment and submit it for scoring and report generation in the usual manner;

• (v) in respect of Respondent Data collected through our Certification Programs. Where we process Respondent Personal Information collected through our certification programs (where an individual becomes a certified Practitioner in one of our Assessments and, as part of the certification program, takes an Assessment on one of our Platforms), such Respondent Personal Information will be retained by us for a period of eighteen (18) months after completion of the applicable Assessment and thereafter removed from our Platforms or anonymized. However, the Company must necessarily retain certain Personal Information pertaining to your certification (e.g., certain Contact Data) indefinitely in order to validate, on an ongoing basis, your status as a certified Practitioner of one or more Assessments.

• (vi) in respect of Professional Services and/or Consultancy Engagements. Additional to Respondent Personal Information stored on Platforms, where feedback is given and/or where you participate in an assessment or development center or other consultancy engagement run by our Professional Services or Consultancy team (“Engagement”), additional data will be collected by a Practitioner and/or associated Customer organization or our Professional Services or Consultancy team, respectively, and used for the purposes of provision of Services, and will be retained by us for a period of eighteen (18) months after completion of the Engagement.

• (vii) in respect of our Talent learning management system or other learning management system (“Learning System”), where the nature of the Service is for a specific training purpose with a defined learning journey period, we retain your Personal Information on the Learning System: (i) for a period from registration to completion of the specific learning program (e.g. for the MBTI Self-Guided Certification, completion is within ninety (90) days from registration) plus fourteen (14) days thereafter; or (ii) where a specific learning program is not completed, for a period from registration to eighteen (18) months thereafter; and

• (viii) in respect of Scoring Bureau services. In those instances where we, or one of our international distributors or training partners (as set forth in Annex 2) (“Partners”), actively administer and manage the administration of Assessments to Respondents on behalf of the Customer (and excepting such arrangements arising through our Professional Services team and/or Consultancy team by the Company) (the “Scoring Bureau”) , Respondent Personal Information (as set out in Section 11.3) shall be retained as follows:
  
  (a) where we administer and manage Assessments through the Scoring Bureau, we will retain Respondent Personal Information for a period of eighteen (18) months after completion of Assessment(s) after which it will periodically be removed from the Practitioner Platform Account or anonymized.
  
  (b) where our Partner(s) administer and manage Assessments through the Scoring Bureau, Respondent Personal Information will be retained for the data retention period they select in their Elevate account under which they manage their Scoring Bureau services; if Partners do not select a retention period in their Elevate account, then we will retain Respondent Personal Information for the Default Retention Period (as set forth in Section 11.2), provided in each case the associated Partner account remains active, after which it will periodically be removed from the applicable Partner account on Elevate or anonymized.
  
  In each case, after such anonymization, it is not possible to order new reports or reprints of previously ordered reports because the Personal Information from the originating Assessment and the Report will have been deleted. If you require a report for any Respondent whose Respondent Personal Information has been deleted or anonymized, in accordance with our retention periods set forth above or in accordance with the Customer Retention Period or the Default Retention Period, as applicable, the Respondent must complete a new Assessment and submit it for scoring and report generation in the usual manner.

• (ix) in respect of Third-Party Assessments and Your Rights in respect of Personal Information, where we provide third parties’ assessments and tools (“Third-Party Assessments”) and certification programs in such, these Third-Party Assessments are provided via the Third-Party Assessment licensor provider and their assessment platforms or processes. Respondent Personal Information processed in relation to such Third-Party Assessments is retained as follows:
  
  (a) in respect of any Respondent Personal Information we process (which in this case is usually limited to Respondent name and email address), such will be retained for a period of eighteen (18) months after completion of the applicable Third-Party Assessment and thereafter removed from our systems. However, where we conduct certification programs in any Third-Party Assessment, the Company must necessarily retain certain Personal Information pertaining to any certification in such Third-Party Assessment (e.g., certain Contact Data) indefinitely in order to validate, on an ongoing basis, your status as a certified practitioner of that Third-Party Assessment; and
  
  (b) in respect of Respondent Personal Information processed by such Third-Party Assessment provider (as further set out in Section 11.3 and which may comprise Respondent Assessment Data and any Demographic Data), such will be subject to those Third Parties’ Assessment providers’ data retention processes, information on which should be sought from such Third-Party Assessment providers (as set forth in Annex 3).  See Section 11.6 for further details on your rights in respect of Respondent Personal Information on Third Party Assessment providers platforms.

• (x) by law, we must keep: (i) certain Customer and service provider information for seven (7) years for tax and audit requirements (this period is 10 years in relation to The Myers-Briggs Company - France and The Myers-Briggs Company - Germany); (ii) Practitioner certification/ qualification records indefinitely; (iii) statutory, corporate records indefinitely; and (iv) any applicable records in respect of certain jurisdictions in accordance with such local requirements.
  
  If you require further information on specific retention periods other than what has been set forth in the remainder of this Section 11, please contact us (see Section 16 (Contact Us)).

11.3 This Section 11.3 applies specifically to Personal Information on our Elevate and OPPassessment Platforms. Use of such Platforms, for the administration of Assessments, involves several types of data, including (without limitation): (i) Customer business contact data comprising Identity Data and Contact Data of Customers and Practitioners (together, “Customer Personal Information”); and (ii) Personal Information collected through our Platforms, comprising Respondent Assessment Data (as defined in Section 6.3.5 as including Respondent Identity Data, Respondent Contact Data, and Item Responses) and Demographic Data (as defined in Section 6.3.5) together with Personal Information contained in Reports (together, “Respondent Personal Information”).

11.3.1 As set out in Section 7.1.2, in relation to Respondent Personal Information, the Customer is the Controller and the Company is the Processor. Where Customers and/or Practitioners and Respondents provide Personal Information to the Company, the Company will process that Personal Information in accordance with the Controller’s documented instructions, unless required to do otherwise by applicable law and in accordance with this Privacy Policy.

11.3.2 Specifically, in respect of Customer Personal Information, we will retain Customer Personal Information during any subscription period to our Elevate or OPPassessment Platforms and any applicable renewal periods. If a Customer/ Practitioner’s subscription period terminates or expires, the Company will store associated Elevate or OPPassessment Platform account data for ninety (90) days after such termination or expiration to allow the Customer and/or Practitioner the opportunity to renew their subscription without losing access to their data. If the Customer and/or Practitioner does not renew their applicable subscription within that ninety (90) day period, the Company will remove or anonymize the associated account and its associated data and the Customer and Practitioner will permanently lose access to that account and its associated data. Any Customer Personal Information (including Identity Data, Contact Data, Financial Data and Transaction Data) required to be retained under relevant legislation shall be retained according to applicable laws;

11.3.3 Specifically in respect of Respondent Personal Information processed on Elevate, and including MBTIonline Teams on Elevate, we will retain Respondent Personal Information for the Customer Retention Period; if you do not set a retention period within your Elevate account, then we will retain Respondent Personal Information for the Default Retention Period, provided an associated Practitioner’s account on the applicable Platform (“Platform Account”) remains active, after which it will periodically be removed from the Practitioner Platform Account or anonymized.

11.3.4 Specifically in respect of Respondent Personal Information processed on OPPassessment, we will retain Respondent Personal Information for the OPPa Retention Period, provided an associated Practitioner’s Platform Account remains active, after which it will periodically be removed from the Practitioner Platform Account or anonymized.

11.3.5 If a Practitioner’s Platform Account terminates or expires prior to the expiry of such Retention Period, the Company will store all Respondent Personal Information for ninety (90) days after such termination or expiration to allow the Customer and/or Practitioner the opportunity to renew their subscription without losing access to the relevant Platform Account and Respondent Personal Information. If a Customer and/or Practitioner does not renew their Platform Account subscription, where applicable, within that ninety (90) day period, the Company will remove or anonymize such Respondent Personal Information (and any other account and its associated data as set out above), and Practitioners will permanently lose access to their Platform Account and such Respondent Personal Information. Note: there are no subscription requirements on OPPassessment.

11.3.6 For the avoidance of doubt, in respect of each Respondent on the Elevate or OPPassessment Platforms, where a Respondent’s Personal Information comprises more than one (1) Report generated from the same Assessment within any defined period, the retention period after which the Company will remove the data associated with that Assessment from Elevate, including Item Responses, Demographic Data and all Reports, will still be the Customer Retention Period (or the Default Retention Period if no Customer Retention Period has been designated). Where your account comprises data, in respect of each Respondent, from more than one Assessment, the applicable retention period will apply separately for each Assessment the Respondent completes.

11.3.7 Notwithstanding Section 11.3.5, where a Platform Account comprises more than one (1) Assessment for the same Respondent, the Company will store such data associated with that Respondent in terms of their name and email address, for the duration of which all Assessment data remains on the Platform and therefore for the Customer Retention Period (or Default Retention Period if no Customer Retention Period has been designated) after the date the latest Assessment is completed. 

11.3.8 After such removal and anonymization, it is not possible to order new reports or reprints of previously ordered reports, because the Personal Information from the originating Assessment and the Report will have been deleted. If you require a report for any prospective Respondent who completed an Assessment outside the Customer Retention Period (or Default Retention Period if no Customer Retention Period has been designated) on Elevate, or the OPPassessment Retention Period on OPPassessment, then the prospective Respondent must complete a new Assessment and submit it for scoring and report generation in the usual manner.

11.4 Specifically in respect of retention and use of Customer Personal Information and Respondent Personal Information by the Company, the Company shall retain and use Customer Personal Information and Respondent Personal Information in personally identifiable form and/or non-personally identifiable form in the provision of our Services as follows.

11.4.1 For the Customer Retention Period (or Default Retention Period if no Customer Retention Period has been designated) on Elevate or the OPPassessment Retention Period on OPPassessment, the Company reserves the right to retain and use all Customer Personal Information and Respondent Personal Information, and other data generated via the Platforms in personally identifiable form for the purposes of providing the Products and Services to Customers, Practitioners and Respondents as further set out in Section 11.3, 11.4 and 11.5.

11.4.2 Furthermore, at all times, including whilst any Platform Account is active and thereafter, the Company reserves the right to retain and use all Research Data in non-personally identifiable form for the Company’s scientific research and product development purposes as set forth in Section 7.1.4, even after applicable Platform Accounts and associated data are removed and anonymized. This data retained by us is not Personal Information because it is only retained in our systems in non-personally identifiable form, and therefore no longer represents Personal Information. Such non-personally identifiable data may be used indefinitely by us for scientific research and product development purposes without further notice to you.

11.4.3 In addition, if a Respondent has opted-in to be contacted for, and to participate in, future research opportunities, including surveys, the Company reserves the right to retain and use their Research Survey Participant Data in personally identifiable form for a period of eighteen (18) months for the purposes of the Company’s scientific research and product development purposes, including contacting such Respondent for further research opportunities. Thereafter, any such Research Survey Participant Data will be retained and used by the Company in non-personally identifiable form as set forth in Section 11.4.2. Respondents can manage their research and communication preferences using the pertinent functions on our Sites.

11.4.4 Where a Customer or other individual has agreed to participate in customer or advisory board or other surveys and the Company has collected General Survey Participant Data (as defined in Section 6.3.5), the Company reserves the right to retain and use such General Survey Participant Data in personally identifiable form for such period until opt-out of such participation, for the purposes of the Company’s marketing and scientific research and product development purposes, including contacting such individuals for further surveys. Such general Survey Participants can manage your communication preferences using the pertinent functions on our Sites.

11.5 Your rights in respect of Respondent Personal Information on our Sites. In some circumstances, Customers, Practitioners and Respondents can ask us to delete your data (see Section 13.3 on your right to erasure). Notwithstanding Section 11.3, in the event that a Respondent requests that we delete their Personal Information, and such request is authorized by the applicable Controller, then any relevant Personal Information will be removed from our Platforms and other systems, and if such Respondent has opted-in to be contacted for future research opportunities, from our research and development databases.

11.6 Your rights in respect of Respondent Personal Information on Third-Party Assessment Provider sites. In some circumstances, Customers, Practitioners and Respondents can ask Third-Party Assessment providers to delete Respondent Personal Information from their sites (also known as your right to erasure). This is subject to the authorization of the applicable data controller. In the event that a Respondent wishes to exercise their right to erasure, the Respondent should contact the relevant Third-Party Assessment provider, and their processes will apply.

This section explains how we keep your data secure (Sections 12.1-12.4 and 12.6). It also explains how you can help keep your own data secure by not sharing your username and passwords with others (Section 12.5).

12.1 We are committed to ensuring the security of processing and the ongoing confidentiality, integrity, availability and resilience of systems and services as such relate to Personal Information that we hold, in order to prevent accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access. We follow generally-accepted industry standards to protect Personal Information, both during transmission and once we receive it. In our roles as both Controller and Processor, we use appropriate administrative, physical, and technical controls and measures designed to protect the safety and security of Personal Information, from unauthorized access, loss, misuse, disclosure, alteration, or destruction.

Technical and organizational measures we take include:

• information security management systems and data protection systems detailing policy, governance, process, and procedures; delineation of roles and responsibilities; assurance processes; risk assessment processes; and remedial and improvement plans
• physical security measures at data centres, our own premises, and in respect of our hardware and software, as well as our data stores and back-ups
• access controls measures including password and log-in management policies, as well as monitoring for account compromise and suspicious activity
• security and privacy technologies including anti-virus scanning
• awareness training and security checks in relation to personnel at induction, on an ongoing basis, and in the event of any specific incident or training need
• incident and response management and business continuity policies including security incident monitoring and training, business continuity plans, testing and review, and
• audit controls and due diligence including ensuring that appropriate security audit arrangements are in place.

We use industry-standard technological means to protect Personal Information and our IT infrastructure and software applications are built to provide secure deployment of services, encrypted storage of back-up data with end-user privacy safeguards, encrypted communications between services and while in transit through the Internet, and safe operation by customers. The encryption processes we use include a comprehensive authentication protocol to provide reasonable security. No method of transmission over the Internet, or method of electronic storage, is fully secure, however. Therefore, while we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

12.2 Respondent Personal Information is only accessible by certain The Myers-Briggs Company staff that support and administer the scoring and report-generation systems, including our Platforms. Respondent Personal Information access is based on a need-to-know basis.

12.3 Additionally, our staff, associates and consultants are bound to comply with confidentiality provisions and Privacy Statements, in addition to completing mandatory privacy and data protection training. We have various policies that specifically address responsibilities and expected behavior with respect to the protection of confidential information.

12.4 We have procedures for data incident and breach investigation and notification. Where our assessment of the likely risk to the individuals involved concludes a breach of Personal Information may result in risk to the rights and freedoms of individuals, we shall promptly inform individuals (and associated Controllers and the relevant supervisory authority where applicable) of any such breach, as required by law and in accordance with any contractual terms.

12.5 You should note that where we have given you (or where you have chosen) a username and/or password which enables you to access certain parts of our Sites, or use our Products and/or Services, you are responsible for keeping the username and password confidential. You should not share these details with anyone, and you should immediately inform us if you discover your credentials have been made known to a third party.

12.6 For any Customers, Practitioners and Respondents based in the UK or EU, Appendix 1 of our Data Processing Terms provide more detail on the technical and organizational measures that we use to secure and protect Personal Information and other data.

12.7 It is important that the Personal Information we hold about you is accurate. To ensure this, please keep us informed of any changes at any time to the Personal Information we hold about you.

12.8 We comply with privacy laws that are applicable to us, including (without limitation) the California Consumer Privacy Act of 2018 (CCPA), UK Data Protection Act 2018, UK GDPR (as incorporated into UK law pursuant to the European Union (Withdrawal Act) 2018), EU GDPR (the General Data Protection Regulation (EU) 2016/ 679), and the Privacy Act 1988 (Cth) (the Australian Privacy Act) together with any applicable enacting, successor, supplementing or amending legislation.

We respect your rights as a data subject. In those instances when we are a Controller, we provide you with the rights described below. In those instances where we are a Processor, we will reasonably assist the Controller in facilitating your ability to exercise the rights below.

13.1 Right of access—You have the right to obtain confirmation as to whether or not your Personal Information is being processed. If your Personal Information is being processed, you have the right to access your Personal Information and the following information: (i) the purposes of the processing; (ii) the categories of Personal Information concerned; (iii) the recipients or categories of recipients to whom your Personal Information has been or will be disclosed (including international organizations and recipients in other countries); (iv) where possible, the period for which your Personal Information will be stored or the criteria used to determine that period; (v) the existence of your right to request that the Controller rectify or erase your Personal Information, or restrict processing of your Personal Information, or to object to processing of your Personal Information; (vi) your right to lodge a complaint with a supervisory authority; (vii) the source of your Personal Information (if it was not obtained from you directly); and (viii) the existence of any automated decision-making (including profiling) along with meaningful information about the logic of such automated decision-making and its consequences.

If you wish to request access to the Personal Information we hold about you, often referred to as a data subject access request, see Section 13.12.

13.2 Right to rectification—You have the right to rectify inaccurate Personal Information concerning you. Taking into account the purposes of the processing, in some instances you will have the right to have incomplete Personal Information completed by providing supplementary written statements to us.

13.3 Right to erasure—You have the right to request erasure of your Personal Information when one of the following applies: (i) your Personal Information is no longer needed to achieve the purpose(s) for which it was originally collected or processed; (ii) the processing of your Personal Information is based on your consent, you choose to withdraw that consent, and we have no other legal basis for ongoing processing; (iii) you object to the processing and we have no overriding legitimate grounds for ongoing processing; (iv) your Personal Information has been processed unlawfully; or (v) your Personal Information must be erased for compliance with applicable law. In those instances where you exercise this right against the Company as the Controller, we will accommodate your request to the extent practicable, and to the extent that it does not otherwise conflict with any of our other obligations. We reserve the right to retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our contractual agreements.

13.4 Right to restriction of processing—You have the right to restrict processing of your Personal Information where one of the following applies: (i) you contest the accuracy of your Personal Information, in which case processing will be restricted for a period allowing the Controller to verify or rectify the accuracy of your Personal Information; (ii) processing of your Personal Information is unlawful; (iii) processing of your Personal Information is no longer necessary for the purpose(s) for which it was collected or processed but you require it for the establishment, exercise, or defense of legal claims; or (iv) you object to the processing, in which case processing will be restricted for a period allowing the Controller to demonstrate whether legitimate grounds exist that override your objection.

13.5 Right to data portability—Where technically feasible, and as related to Personal Information you have provided to a Controller based on your consent or a contract with you, you have the right to receive that Personal Information in a structured, commonly-used and machine-readable format and to transmit that Personal Information to another Controller if the processing of that Personal Information is performed by automated means.

13.6 Right to object to processing—In certain instances, you may have the right to object to processing of your Personal Information. Should you so object, the Controller of your Personal Information must stop processing your Personal Information unless the Controller can demonstrate (i) compelling legitimate grounds for ongoing processing of your Personal Information that override your objection; or (ii) the need for the establishment, exercise, or defense of legal claims.

13.7 Right not to be subject to automated decision-making—In certain instances, you have the right not to be subject to decisions based solely on automated processing (including profiling) that produces legal effects concerning you or otherwise significantly affects you. As of the effective date of this Privacy Policy, we do not engage in any such automated decision-making or profiling.

13.8 Right to opt-out of marketing communications—If you are receiving marketing communications from us and you wish to unsubscribe, you may do so by clicking on the “unsubscribe” link provided in the communication or by managing your marketing communication preferences on the Site(s).

13.9 Right to block cookies—You have the right to block pixel tags and certain cookies. Most browsers automatically accept cookies. You can instruct your browser, by editing its options, to stop accepting cookies, or prompt you before accepting a cookie from the Site that you visit. If you decide not to accept our cookies, you may not be able to access portions of our Products or Services. Some cookies are strictly necessary for us to deliver the Sites or Products or Services, and those cookies cannot be disabled.

13.10 Right to Non-Discrimination—You have the right not to be discriminated against if you choose to exercise your privacy rights. As such, if you choose to exercise your privacy rights the Company will not: (i) deny you goods or services; (ii) charge you different prices or rates; (iii) provide a different level of service; or (iv) suggest that you will be provided with a different level of service. In some cases, the nature of the product or service you receive may differ depending on whether (or to what extent) you choose to provide Personal Information; however, in those cases there is a direct relationship between the product/service and the Personal Information you provide (for example, if you refuse to provide us with your email address, then our products and services that depend on delivering materials to you via email will not operate as intended).

13.11 Sharing of Personal Information with third parties for Direct Marketing purposes—Applicable laws require that individuals be informed when their Personal Information is shared with third parties for these third parties’ direct marketing purposes. Other than as described in this Privacy Policy in Section 8, we do not disclose your Personal Information to third parties, we do not share your Personal Information for the direct marketing purposes of third parties and we do not sell any Personal Information to third parties. If our practices change in the future, we will inform you of the change and will provide you with an opportunity to opt out of such information sharing for direct marketing purposes of a third party.

13.12 Data Subject Access Requests—If the Company is the Controller of your Personal Information and you wish to exercise any of the rights described above, please contact us with proof of identity, as provided in Section 16 (Contact Us). In general, you can expect a response to your request within 30 days of verification of identity. However, if your request is complex or involves a high volume of data, the Company may inform you that the request could take up to an additional sixty (60) days. In some instances, fees may apply. If the Company is not the Controller of your Personal Information, we will ask you to direct your request to the Controller, and the Company will reasonably assist the Controller in facilitating the request.

This Section tells you about the laws governing this Privacy Policy and about who to contact if you have a complaint about how The Myers-Briggs Company handles data protection and privacy matters and information on our relevant supervisory authority and how to get in touch.

14.1 This Privacy Policy, and any disputes arising out of or related to this Privacy Policy, shall, subject to Sections 14.2, 14.3 and 14.4, be governed exclusively by the laws of the nation in which the Company contracting with you hereunder is established, namely the State of California in respect of The Myers-Briggs Company; England and Wales in respect of The Myers-Briggs Company Limited (including its European operations); Singapore in respect of The Myers-Briggs Company Pte, Ltd.; and Australia in respect of The Myers-Briggs Company Pty Ltd; without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods.

14.2 If you have questions or complaints regarding our Privacy Policy or practices, you should first contact us as indicated in Section 16 (Contact Us). You may also contact our Complaints Officers at complaints.us@themyersbriggs.com (for complaints relating to US, Singapore or Australia operations) or complaints.eu@themyersbriggs.com (for complaints relating to UK and EU operations) regarding any complaints you may have. Furthermore, our Complaints Officers can be contacted in writing as set forth in Section 16 or by telephone at +1 800 624 1765 (toll-free when calling from the United States) or +1 650 969 8901 (for complaints relating to US, Singapore or Australia operations) or +44 1865 404500 (for complaints relating to UK and EU operations). Please see Section 14.7 in relation to contact information for data protection supervisory authorities, specifically in relation to customers in the UK, EU and Australia.

14.3 If our efforts to resolve your complaint through the Company’s internal dispute resolution mechanisms are unsatisfactory, you agree to first attempt to settle in good faith the dispute through mediation administered by JAMS, under its International Mediation Rules, which are accessible on the JAMS website at https://www.jamsadr.com/DPF-Dispute-Resolution. The mediator may propose any appropriate remedy, such as publicity for findings of non-compliance, payment of compensation for losses incurred as a result of non-compliance, or cessation of processing of the Personal Information who has brought the complaint. The mediation will be held online and all documents and other correspondence will be transmitted through email.

14.4 If our efforts to resolve the dispute through mediation are unsuccessful, you agree to binding arbitration administered by JAMS pursuant to its International Arbitration Rules, which are accessible on the JAMS website at http://www.jamsadr.com/international-arbitration-rules. Judgment on the award rendered by the arbitrator may be entered into any court having jurisdiction over the matter. The arbitration will be held online and all documents and other correspondence will be transmitted through email.

14.5 You also have the right to complain to the relevant data protection Supervisory Authority in respect of EU Personal Information or UK Personal Information as follows.

14.6 The Myers-Briggs Company is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

14.7 As related to the Data Privacy Framework, in the context of an onward transfer of personal information, The Myers-Briggs Company has responsibility for the processing of personal information it receives under the EU-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. Participating organizations shall remain liable under the Data Privacy Framework Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

UK Personal Information:
The UK Information Commissioner’s Office (ICO) is the relevant Supervisory Authority for The Myers-Briggs Company Limited (our UK-based subsidiary). We would appreciate the chance to deal with your concerns before you approach the ICO. You can however contact the ICO as follows:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Email: casework@ico.org.uk
Telephone: + 44 303 123 1113
Website: www.ico.org.uk

EU Personal Information
The Commission Nationale de l'Informatique et des Libertés (CNIL) is the relevant Supervisory Authority for the European offices of The Myers-Briggs Company Limited (our UK-based subsidiary) including its French, Dutch, Belgian, German and Irish branch offices and operations. We would appreciate the chance to deal with your concerns before you approach the CNIL. You can however contact the CNIL as follows:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
FRANCE
Telephone: +33 (0)1 53 73 22 22
Website: www.cnil.fr

For purposes of EU GDPR, the Company’s EU Representative is Aksana Greboval. Please contact dleurep@themyersbriggs.com.

Australian Personal Information
For complaints handling in respect of Personal Information of Australian data subjects or if you are receiving goods and services from The Myers-Briggs Company Pty Ltd, Sections 14.4 and 14.5 are not applicable; instead we will respond to your complaint within a reasonable period of time to acknowledge your complaint and inform you of the next steps we will take in dealing with your complaint. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) via the OAIC website, www.oaic.gov.au.

This Section explains when this Privacy Policy became effective and our right to change it from time to time.

15.1 This Privacy Policy is effective as of the Effective Date as set out at the beginning of this Privacy Policy, and replaces all prior versions. We may change this Privacy Policy from time to time. If we make material changes, we will place a prominent notice on the affected Site(s) or we will send you a notice to the email address associated with your account.

This Section explains how you can get in touch with us if you have any query about data protection or privacy matters, and information about the companies within our group.

16.1 If you have any question about (i) this Privacy Policy, or (ii) the collection, use, management, disclosure or deletion of your Personal Information, or (iii) accessing, modifying, or closing your account, please contact us as indicated below. We will attempt to respond to your questions or concerns promptly after we receive them.

For US enquiries:
The Myers-Briggs Company
Californian Benefit Corporation; registered number C0313971
By email: support.us@themyersbriggs.com
By email: dpo@themyersbriggs.com (specifically for privacy and data protection queries)
By phone: +1 800 624 1765 (toll-free when calling from the United States)
              or:  +1 650 969 8901
By mail: The Myers-Briggs Company
                P.O. Box 60279
                Sunnyvale, CA 94089-9998
                United States of America

For UK and European enquiries:
The Myers-Briggs Company Limited
Registered in England and Wales; registered number 2218212
By email: support.eu@themyersbriggs.com
By email: dpo@themyersbriggs.com (specifically for privacy and data protection queries)
By phone: +44 1865 404500              
By mail: The Myers-Briggs Company Limited
                Sandringham House, First Floor
                Heritage Gate
                East Point Business Centre
                Sandy Lane West
                Oxford, OX4 6LB
                UK

For purposes of EU GDPR, the Company’s EU Representative is Aksana Greboval. Please contact dleurep@themyersbriggs.com.

For Australian enquiries:
The Myers-Briggs Company Pty Ltd
Registered in Australia; registered number ACN 123 828 160
By email: enquiries.ap@themyersbriggs.com
By phone: +61 3 9342 1300              
By mail: The Myers-Briggs Company Pty Ltd
                Level 7, 369 Royal Parade
                Parkville Victoria 3052                 
                Australia

For Singapore enquiries:
The Myers-Briggs Company Pte. Ltd
Registered in Singapore; registered number 200809153E
By email: support.asia@themyersbriggs.com
By phone: +65 6914 1030              
By mail: The Myers-Briggs Company Pte. Ltd
                300 Beach Road
                #29-03 The Concourse                 
                Singapore 199555

Annex 1: Third Party Sub-Processors

Part 1 – Third Party Sub-Processors of The Myers-Briggs Company (US):

• Barracuda Networks, Inc. (for information security services)
• NTT Cloud Communications U.S. (incorporating Microsoft Corporation services) (for telecommunications and platform infrastructure services)
• Microsoft Corporation (for platform and infrastructure services)
• Mimecast Services Limited/ Mimecast North America, Inc. (for email archive services)

Part 2 – Third Party Sub-Processors of The Myers-Briggs Company Limited:

• The Myers-Briggs Company (parent company, for assessment platform services)
• Barracuda Networks, Inc (for information security services)
• NTT Cloud Communications U.S. (incorporating Microsoft Corporation services) (for telecommunications and platform infrastructure services)
• Microsoft Corporation (for platform and infrastructure services)
• Mimecast Services Limited/ Mimecast North America, Inc. (for email archive services)

Annex 2: International Distributors and/or Training Partners

Part 1 - International Distributors and/or Training Partners of The Myers-Briggs Company (US):

Asia Pacific:

• Anahat Organisation Development Consultancy Private Limited (India; Sri lanka, Bangladesh; Nepal)
• Assesta, Ltd. (South Korea)
• JPP Co., Ltd (Japan)
• Potentia Co., Ltd (Thailand; and Vietnam)
• Skill & Will (China)

US:

• Center for Applications of Psychological Type (CAPT)
• GS Consultants

International:

• Ertyad Training Company (Saudi Arabia)
• Fellipelli Consultoria e Diagnosticos (Argentina; and Brazil)
• HDS Diagnostico Y Desarollo de Talento (Mexico)
• Heart to Heart Communication Consulting and Human Development (Egypt);
• Jopie Van Rooyen and Partners (Angola; Benin; Botswana; Burkina Faso; Burundi; Cameroon; Cape Verde; Central African Republic; Chad; Comoros; Republic of the Congo; Democratic Republic of the Congo; Cote d'Ivoire; Djibouti; Equatorial Guinea; Eritrea; Gabon; The Gambia; Ghana; Glorioso Islands; Guinea; Guinea-Bissau; Kenya; Lesotho; Liberia; Madagascar; Malawi; Mali; Mauritania; Mauritius; Mayotte; Mozambique; Namibia; Niger; Nigeria; Reunion Island; Rwanda; Sao Tome and Principe; Senegal; Seychelles; Sierra Leone; Somalia; South Africa; South Sudan; Sudan; Swaziland; Tanzania; Togo; Uganda; Zambia; and Zimbabwe)
• Levy Consulting (Israel)
• PSI Middle East ( Bahrain; Kuwait; Oman; Qatar; Saudi Arabia; and the United Arab Emirates)
• Psychometrics Canada, Ltd. (Canada).

Part 2 – International Distribution and/or Training Partners of The Myers-Briggs Company Limited:

• AMT Performance Management AG (Germany, Austria and Switzerland)
• Assessio International AB (Sweden, Norway and Finland)
• Human House A/S (Denmark)
• FORID (For Inner Development) (Poland)
• Giunti Psychometrics SRL (Italy)
• IDL (Spain)

Part 3 – International Distribution and/or Training Partners of The Myers-Briggs Company Pty Ltd:

• Centre for Creative Leadership (CCL) (Australia, New Zealand)
• Lewis Cadman Consulting Pty Ltd (ebilities) (Global)
• Multi-Health Systems Inc. (MHS) (Asia Pacific)
• Talogy Inc. (Asia Pacific)

Annex 3: Third-Party Assessment Providers