BCG Solutions Privacy Statement

Introduction

This is the Solutions Privacy Statement (“Privacy Statement”) for The Boston Consulting Group, Inc. and its subsidiaries and affiliates (“BCG”, “we”, “us”, or “our”). This Privacy Statement was last updated in November 2024. For more details on BCG’s international operations, please see https://www.bcg.com/offices/default.

If you are a U.S. resident, please see the U.S. Addendum at the end of this Privacy Statement for further details about how we handle your personal information and how to exercise your rights.

Applicability of This Privacy Statement

This Privacy Statement applies only to the personal information we obtain from your access to and use of our tools and solutions, including, but not limited to, those described at https://www.bcg.com/x/product-library (“Solutions”) and the research and development thereof.

If you are accessing or using Solutions in connection with services that BCG is providing to the organization with whom you are associated (“Your Organization”), BCG has executed an agreement for the provision of professional services, and that agreement and Your Organization’s privacy practices control personal information processed on behalf of Your Organization. This Privacy Statement supplements any notice that you may receive from Your Organization, and it applies only to BCG’s use of your personal information for its own purposes as described in this Privacy Statement.

Our Solutions may contain links to external sites or services, to which this Privacy Statement does not apply. We encourage you to review the privacy policies of any such sites or services before you submit information there.

Changes to This Privacy Statement

BCG may, in its discretion, amend this Privacy Statement from time to time. To ensure you can remain informed, changes to this Privacy Statement will be reflected here.

Personal Information We Collect

The personal information we collect will vary depending on the Solution accessed or used, but our Solutions may collect, use, store, transfer, and otherwise process the following personal information about you: first name, last name, email address, employee number or ID, geolocation, skills and proficiencies and sets of skills relevant to your job, IP address, information about user activity and completion of users’ tasks, and cookies (as described further below).

Cookies

When accessing or using our Solutions, we may utilize cookies, which will vary depending on the Solution you access or use. A “cookie” is a small amount of data sent from a web server to your browser and stored on your computer’s hard drive. These cookies enable you to move around the Solution and use its core features and functionality. Without these cookies, the core features and functionality of the Solution may not be able to be provided. These cookies are also used to remember choices you make (such as your username, language, or the region you are in) and to recognize the device from which you access the Solution. To ensure secure, accurate session management, the IP address of your device may be recorded for the period of time that you visit the Solution. Lastly, these cookies may be used for combatting fraud and other security purposes. With most internet browsers, you have a number of controls to limit the cookies stored on your device. Please refer to your browser instructions, or visit https://www.aboutcookies.org/, which will give you more information.

Authentication Through Okta

To access some of our Solutions, you may need to authenticate with the third-party provider Okta Inc. (301 Brannan St Ste 300, San Francisco, CA 94107) with your personal username and a personal password. To do this, download the Okta Verify app and perform the authentication process. The regulations and data protection declaration of Okta, Inc. apply. We have no influence on and are not responsible for data collection by Okta Inc. Your data will be processed exclusively for the purpose of authentication. After successful authentication, you will receive access to our Solutions.

Purposes for Use of Your Personal Information

BCG processes your personal information described above for the following purposes:

  • Provision, operation, and improvement of BCG’s services and Solutions: We may process your personal information to provide our services or Solutions to our clients. This includes managing access to the Solution, monitoring usage of the Solution and providing support related to accessing and using the Solution, informing you about updates to the Solution, and tailoring your experience at the Solution with relevant materials, and we process such personal information on the basis of provision of the contract. In addition, we may process personal information to improve BCG’s services and Solutions. This includes understanding the Solution’s user population, identifying subject areas of interest, and determining whether the Solution is designed to work with the device settings of a majority of our visitors, and improving our Solution content and navigation. We process such personal information according to our legitimate interest.
  • Security and Solutions performance: We may process personal information from your use of our services and Solutions to analyze user activity to fix errors, monitor usage, and improve the security and performance of our services and Solutions. We process such personal information according to our legitimate interest.
  • Compliance with laws, and to exercise legal actions: We may process personal information to comply with applicable laws and regulations, exercise legal actions and defense, prevent fraud, and enforce our agreements. We process such personal information as necessary to comply with a legal obligation to which we are subject.
  • Aggregation, anonymization, and de-identification of your data: Subject to our agreement with Your Organization, we may aggregate, anonymize, or de-identify data, and collect, use, and share such data for any purpose.

How We May Disclose Your Personal Information

We may disclose your personal information to our third-party service providers who process information on our behalf to help run some of our internal business operations and provide you with the Solution, such as to provide IT and hosting services, IT infrastructure, cloud storage capabilities, administer surveys, assist with analysis, or external translation or transcription providers.

When using our Solutions on behalf of Your Organization, subject to your agreement with Your Organization, we may disclose your personal information to Your Organization.

We may also disclose your personal information to our advisors or law enforcement bodies, courts, or other government authorities, to comply with any legal obligation or order.

We may also disclose your personal information to a third party in the event of any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

Because BCG is a global organization, we may need to transfer personal information across the BCG group of companies (http://www.bcg.com/about/offices/default) or to third parties listed above to help operate our business efficiently. These arrangements may involve your personal information located in various countries around the world where BCG and such third parties maintain and store personal information in systems and applications where data privacy laws differ. The personal information is only accessible by authorized persons or service providers who are bound by privacy requirements, and we only make these arrangements or transfers where we are satisfied that adequate levels of protection are in place to protect personal information held in that country.

Retention of Your Personal Information

Your personal information will only be kept as long as is reasonably necessary to fulfil the purpose for which it was collected. We may retain your personal information for longer if there is a legal obligation to which we are subject, if we may be the subject of a legal claim, or if the information may otherwise be relevant for future litigation.

Data Security

BCG has in place appropriate technological and operational security processes designed to protect personal information. Only authorized employees and contractors will have access to any personal information provided by you, and that access is limited by need. Each employee or contractor having access to any personal information is obligated to maintain its confidentiality. Although we take steps that are generally accepted as industry standard to protect your personal information, BCG cannot guarantee that your personal information will not become accessible to unauthorized persons.

Your Rights

Depending on where you reside, you may have the following rights in accordance with applicable data privacy laws. You have a right to access your personal information and details of how we use that information. If any of the personal information held about you is incorrect or out of date, you have the right to amend or rectify such personal information. You also have the right to request that we erase your personal information, stop processing your personal information, restrict the processing of your personal information, the right of portability of your personal information, and the right not to be subject to automated decision-making, including profiling. Where processing of personal information is based on your consent, you may withdraw your consent to such processing. This may not apply if there are other legal justifications to continue processing. You also may have a right to lodge a complaint with a relevant supervisory authority.

If you are accessing or using Solutions in connection with services that BCG is providing to Your Organization, we are typically a data processor with respect to the personal information provided by Your Organization. In order to exercise your data protection rights with respect to such personal information, please contact Your Organization directly.

If you would like to exercise any of your data protection rights where we are acting as your data controller, please contact us at one of our points of contact below. Please note that we may need you to prove who you are (including providing additional information from you) before we can act on your request.

Children

BCG understands the importance of protecting children’s privacy. Our Solutions are not designed for and do not intentionally target or solicit children 18 years of age and younger.

Contact Us

For further questions, or to exercise your data privacy rights, you may contact the appropriate data protection point of contact:

Data Protection Office
Boston Consulting Group Inc.
200 Pier Four Boulevard
Boston, MA 02210

Germany
Data Protection Officer (Der Datenschutzbeauftragte)
Boston Consulting Group GmbH
Ludwigstrasse 21
80539 Munich Germany

U.S. Addendum

This U.S. Addendum applies solely to U.S. residents and supplements the information provided above in the Privacy Statement. This U.S. Addendum provides U.S. residents with certain information under U.S. state data privacy laws, including, but not limited to, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CPRA”).

Collection and Disclosure of Personal Information

The following list details which categories of personal information we collect and process both online and offline, as well as which categories of personal information we disclose to third parties, in connection with our Solutions, including within the 12 months preceding the date this Privacy Statement was last updated.

We may disclose the following information to our affiliates and subsidiaries; third-party service providers; external legal, financial, and other professional advisors; or legal authorities for operational business purposes:

  • Identifiers, such as name, email address, IP address, online identifiers, account name, and other similar identifiers
  • Characteristics of protected classifications under law, such as racial or ethnic origin
  • Commercial information, including purchasing or consumer histories or tendencies
  • Internet or network activity information, such as browsing history, search history, and information regarding your interactions with our Solutions
  • Geolocation data, such as approximate location derived from IP address
  • Audio, electronic, visual, and similar information
  • Professional or employment-related information
  • Inferences drawn from any of the personal information listed above to create a profile about, for example, an individual’s preferences or characteristics or for statistics and user tracking
  • Sensitive personal information, such as racial or ethnic origin

When using our Solutions on behalf of Your Organization, subject to your agreement with Your Organization, we may disclose the categories of personal information listed above to Your Organization.

We may also disclose any of the categories of your personal information listed above to a third party in the event of any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

Sale or Sharing of Personal Information and Targeted Advertising

We do not “sell” or “share” your personal information or conduct targeted advertising in connection with our Solutions. Accordingly, we do not knowingly “sell” or “share” the personal information of minors under 16 years of age.

Categories of Sources of Personal Information

We collect this personal information directly from you, from your devices, or from Your Organization.

Purposes for the Collection of Personal Information

We collect personal information to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including to:

  • Develop, improve, operate, repair, and maintain our products and services, including providing the Solutions
  • Provide support and respond to requests for information
  • Conduct research, analytics, and data analysis, and personalize user experiences
  • Undertake quality and safety assurance measures, and conduct security control and monitoring
  • Detect and prevent fraud and perform identity verification
  • Facilitate and implement any reorganization, financing transaction, merger, sale, joint venture, partnership, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings)
  • Maintain records, comply with law, legal process, and internal policies, and exercise and defend legal claims

Personal Information Retention

The criteria used to determine how long we retain your personal information are set forth in the “Retention of Your Personal Information” section of our Privacy Statement.

Use or Disclosure of Sensitive Personal Information

We do not use or disclose your sensitive personal information outside of the following purposes: (1) performing our services, (2) detecting security incidents, (3) resisting malicious, deceptive, fraudulent, or illegal actions, (4) ensuring physical safety, (5) for short-term transient use, including certain non-personalized advertising, (6) maintaining or servicing accounts, providing customer service, or providing similar services, and (7) verifying and maintaining the quality or safety of a service or product or improving, upgrading, or enhancing a service or product. Accordingly, we do not provide the right to limit the use or disclosure of your sensitive personal information under the CPRA.

Privacy Rights

If you are a U.S. resident, you, subject to applicable law of the state in which you reside, have the following rights regarding your personal information:

  • The right to know:

    • Whether we are processing your personal information
    • The categories of personal information we collected about you
    • The categories of sources from which we collected such personal information
    • The business or commercial purpose for collecting, selling, or sharing your personal information
    • The categories of third parties to whom we disclose your personal information
    • The specific pieces of personal information we have collected about you
  • The right to have your personal information deleted, subject to certain exemptions
  • The right to correct inaccuracies in your personal information
  • The right to obtain a copy of your personal information
  • The right to opt out of: (1) the “sale” or “sharing” of your personal information; (2) targeted advertising; or (3) profiling in furtherance of decisions that produce legal or similarly significant effects; although please note BCG does not engage in such activities in connection with its Solutions
  • The right to not receive discriminatory treatment for exercising your privacy rights

If you are accessing or using Solutions in connection with services that BCG is providing to Your Organization, we are typically a data processor or service provider with respect to the personal information provided by Your Organization. In order to exercise your privacy rights with respect to such personal information, please contact Your Organization directly.

If you are a U.S. resident, and we are acting as a data controller or business, to exercise your rights regarding your personal information, contact us via datasubjectrights@bcg.com or, if you are a California resident, you may also call 1-866-I-OPT-OUT (1-866-467-8688) and enter service code 837# to leave us a message. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the personal information subject to the request. We may need to request additional personal information from you in order to verify your identity and protect against fraudulent requests. If you make a request to delete, we may ask you to confirm your request before we delete your personal information.

Authorized Agents

If an agent would like to make a request on your behalf as permitted under applicable law of the state in which you reside, the agent may use the submission methods noted in the section entitled “Privacy Rights”. As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in the section entitled “Privacy Rights” or confirm that you provided the agent permission to submit the request.

Appeal Process

If you have made a privacy rights request to BCG and believe your request was denied by BCG, you can exercise your right to appeal the results of your request by using the submission methods noted in the section entitled “Privacy Rights”. Please use the same email address that you used to submit the initial privacy rights request when you submit your request to appeal, and please add “Request to Appeal” in the subject line of the email. If you do not use the same email address, we cannot link your request to appeal to your initial privacy rights request. If your appeal is unsuccessful, depending upon the state in which you reside, you may have the right to raise a concern or lodge a complaint with your state attorney general or other applicable authority.