Privacy Statement

Effective Date: March 12, 2024

Related Information:

 

ICF International, Inc. and its affiliates, subsidiaries, trusted business partners or alliances, agents, subcontractors, third-party vendors or newly acquired companies (collectively, “ICF,” "we", "us" and "our") is a privacy-conscious organization and strongly committed to respecting, protecting and processing personal data responsibly in compliance with applicable data protection laws and this Privacy Statement.

This Privacy Statement and its sub-pages describe our general privacy and data processing practices, where we collect personal data gathered (1) through use of our websites or mobile apps that post, display, or link to this Privacy Statement (“Sites”), (2) through downloadable applications accessed from mobile devices with respect to which this Privacy Statement is posted or linked ("Mobile Apps"), (3) from individuals who engage regarding our or our clients services or individuals within our clients’, business partners’, suppliers’ and other organizations with which we have or contemplate a business relationship (“Services”), or (4) by any other mode of interacting with you relating to our communications, such as online or offline newsletters and magazines (“Communication”) as referenced in this Privacy Statement.

This Privacy Statement also explains the choices and rights individuals have regarding their personal data. We also have implemented global policies, along with standards and procedures, as part of our Global Data Protection & ePrivacy Program for our consistent handling, sharing, and protecting personal data. Some of our other websites may include additional or different privacy statements, and if a different privacy statement applies, we will disclose this to you.

ICF may process personal data when providing services under client assignments. In such instances, personal information is collected and processed in accordance with the client privacy policies, not this statement. The relevant client organization privacy statement will describe the collection, handling, rights associated with your processing of personal data and client organization contact details.

This Privacy Statement covers the following areas:


1. Information collection 9. Children's privacy protection
2. Information sources 10. California residents' special notices
3. Purpose, legal basis, and use 11. European Economic Area and Canadian residents’ special notices
4. Information recipients 12. Retention
5. International information transfers 13. Personal data accuracy, privacy, and security
6. Direct marketing 14. Your rights and choices
7. Cookies, beacons, tags, and other technologies 15. Notification of our privacy statement changes
8. Third-party websites and links 16. Privacy questions and how to contact us

1. Information collection

1.1 We may collect information, including personal data, that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with our existing or potential employees, clients, client constituents, or customers, business contacts, strategic alliances, suppliers, shareholders, and Site users.

1.2 Generally, we collect the below-mentioned information and personal data categories. If the data we collect is not listed in this Privacy Statement, we will give individuals, when required by law, appropriate notice of which other data will be collected and how they will be used.


Category Examples Collected

Information and personal data collected directly
We may collect—directly from you—personal data about you such as your:

A. Identifiers
  • contact details such as name, address, telephone number, fax number, e-mail address, country of residence, etc.
  • signatures.
  • contact preferences and interests.
  • dietary restrictions, accommodations, and other event-related preferences requested when participating in our events.
  • social media account profile pictures, profile information, username, birthday, and any information or content you have permitted a social media network to share with us.
  • provided postings on blogs, forums, wikis, and other social media applications and services.
  • photographs and videos submitted by you or taken at one of our conferences or similar events.
  • reviews about our tools or services.
  • details you share when contacting us, including through emails or recordings of telephone calls with prior notice.
  • shared details or information concerning other individual. If you provide us with personal data of another person (for instance, a potential employee/referral), you are responsible for ensuring that such person is made aware of the information contained in this Privacy Statement and represent that the person has given you his/her documented authority or consent for sharing the information with us and permitting us to use the information in accordance with this Privacy Statement.
Yes
B. Professional or employment-related information
  • current or past job history or performance evaluations.
  • education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Yes
C. Commercial information
  • records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • company name, company size and sector, company individuals’ contact names and job titles, postal addresses, telephone and fax numbers, and e-mail addresses.
  • financial information about clients, vendors, and end users from third parties in certain circumstances to enable ICF to assess related risks.
Yes
D. Personal information inferences
  • profiles reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • relationship insights inferred from the review of the patterns and frequency of email traffic between ICF staff and their clients and business contacts. (Should you wish to opt-out of this feature, please contact us through the methods identified below).
Yes
E. Sensitive, special treatment, or protected characteristics We do not usually seek to collect the below sensitive personal data through this Site or from users. In the limited situations that we collect sensitive personal data, we will obtain your explicit consent before we collect, use, or otherwise process the below sensitive personal data in accordance with applicable data protection and ePrivacy regulatory requirements
  • General Race or ethnic origin, religious or philosophical or similar beliefs, trade union membership, political opinions, physical, medical or health conditions, biometric or genetic data, or sexual life or sexual orientation, or actual or suspected criminal convictions, offenses, or activities
  • California: Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, biometric or genetic data processed to identify an individual, sexual orientation or sex life, financial account details in a combination that gives access to an account, government-issued numbers, health data, philosophical or religious beliefs, precise geolocation, racial or ethnic origin, and union membership.
  • European Economic Area: Race or ethnicity, political opinions, religion or beliefs, trade- union membership, physical or mental health or sex life
Yes
F. Non-public education information
  • Grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Yes
G. Inferences drawn from other personal information
  • Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Yes

Automatically-collected information
In some instances, we and our trusted services providers use cookies, web beacons, log files, pixel tags, local storage objects, and other tracking technologies to automatically collect certain types of information such as your

F. Computer, network, or Internet activity
  • computer, operating system, IP address, browser type and language, general location information, domain name, a date/time/access stamp, Internet service provider ("ISP"), referring/exit URLs, clickstream data, and other information about pages you view and resources you access or download, including but not limited to, the links clicked, traffic data, weblogs and other communication data, features used, size of files uploaded, streamed or deleted, and similar device and usage information when users access or use the services or visit our Site for system administration, to filter traffic, to look up user domains and to report on statistics. Please see the “Cookies, beacons, tags and other technologies”, Section 7 or our Cookie Policy for more information.
Yes
G. Geolocation
  • physical location or movements.
Yes
H. Cookies or similar activity
  • cookies (small text files stored in a user's browser), beacons (electronic images that allow us to count users who have accessed particular content and to access certain cookies), and tags through the Site and through cookies and other tracking technology and use the same technologies for marketing purposes (including Customer Relationship Management (CRM) Databases, Targeted E-mail & Combining and Analyzing Personal Data) to provide individuals with a personalized online experience. Please see the below “Cookies, beacons, tags and other technologies”, Section 7, or our Cookie Policy for more information.
Yes
I. Mobile information
  • mobile device, including your device model/type, operating system, browser type, unique device identifier, IP address, phone number, network carrier, location, and the way you are using the mobile application.

Please see the below “Cookies, beacons and other technologies”, Section 7, or our Cookie Policy for more information.

Yes
J. Email traffic
  • email traffic patterns and the frequency of communications, including the number and timing of your email communications with us, and the ICF team members with whom you communicate. (Should you wish to opt-out of this feature, please contact us through the methods identified below).
Yes
Other sources – collected information:
K. Social network information
  • When you use a social network login to access our services, you will share certain personal data from your social media account with us, for example, your name, email address, photo, list of social media contacts, and any other information that may be or you make accessible to us when you connect your social media account to your services account. The specific information transferred depends on your security settings and the privacy policy of your social media network.
Yes
L. Joint marketing information
  • When joint marketing partners share personal data or other information with us.
Yes
M. Publicly available information
  • Publicly available database information.
Yes

1.3 Except for certain information that is required by law, your decision to provide any personal data to us is voluntary. You will therefore not be subject to adverse consequences if you do not wish to provide us with your personal data. However, please note that if you do not provide certain information, we may not be able to accomplish some or all of the purposes outlined in this Privacy Statement, and you may not be able to use certain tools and systems which require the use of such personal data.

1.4 Personal data excludes: publicly available information from government records, deidentified or aggregated information, and automated non-identifiable data that cannot be linked back to an individual.

Back to top

2. Information sources

2.1 Personal data may be collected either directly from you or indirectly from certain third parties (e.g., affiliates, public authorities, public websites, and social media, suppliers, and vendors) when you:

  • a. access our Services.
  • b. provide personal data by filling in Site forms (e.g., registering an online account, subscribing to Services, newsletters and alerts, registering for a conference, or requesting further information).
  • c. submit our online forms or communicate with us by email.
  • d. submit reviews or participate in surveys.
  • e. upload or post any comments or other content to our Sites, on social media, or blogs.
  • f. interact with us on social media.
  • g. sign up for our mailing lists, register for events we host or sponsor, submit information as part of certain online Services, or otherwise provide us information through the Sites.
  • h. participate in a prize promotion or contest, or related event.
  • i. use the Site for online career resources.
  • j. are an individual employee or constituent of our clients and other companies with which we have an existing business relationship.
  • k. have information on public sources, including, for example, content made public on social media websites.

Back to top

3. Purposes, legal basis, and use

3.1 We may use, sell or disclose the personal data we collect only where one or more of the below outlined principal legal grounds and specific business purpose justifications exist.


Our Processing Purposes Our Legal Basis
Consent. Where you have consented in a documented manner to our processing of your personal data.
Performing under our contract with you. To fulfill your request for orders, support, or Services under an existing or potential contract with you; facilitate you conducting business with us or perform a transaction with you; contact employees of our clients, partners and suppliers. For example, where a transaction involves our suppliers or strategic alliances, this may include sharing information with other parts of ICF, ICF's business partners or alliances, clients, financial institutions, and postal or government authorities involved in fulfillment (subject to any confidentiality obligations that may exist). It also may be used to administer and develop our relationship with you.
Managing and internally coordinating our relationship with our clients and business contacts Automated review of email traffic, frequency, and patterns to facilitate and coordinate our relationship with you and provide you with information or Services; improve our relationship management insights and capabilities; help ensure business continuity in the event of ICF staffing changes; and enhance data accuracy. (Should you wish to opt-out of this feature, please contact us through the methods identified below).
Facilitating communication with you to provide you with information or Services requested by you. Facilitating communication with you to provide you with information or Services requested by you.
General business management and operations. To ensure the proper functioning of our business operations and administration of our general business, accounting, record-keeping, and legal functions.
Monitoring your use of our systems (including monitoring the use of our Site and any apps and tools you use). To monitor user activities on our systems to ensure users are complying with applicable laws and regulations and aren’t performing activities that would negatively affect our reputation.
Social media environment. To enable online sharing and collaboration among members who have registered to use them; protect our and/or our client assets and our brand on social media; understand sentiment, intent, mood and market trends and our stakeholders’ needs to improve our Services through key-word searches, conversation stream monitoring and analysis; and gain insights in conversation trends over a specified period, but not to identify an individual.
Protecting or improving the security and functioning of our Site, networks and information. To ensure that you receive an excellent user experience and/or maintain the safety, security, and integrity of our Site, Services, information, tools, systems, databases, and other technology assets and business.
Audit the downloading of information or documents from our Site. To get to know our Site visitors’ preferences better and improve services accordingly.
Analytics and improving our Sites. To better understand how users access and use our Sites and Services, and for research analytical purposes to evaluate our Services; ensure the proper functioning of our business operations; improve our Services, business operations, develop services and features; and provide a better user experience.
Anonymous and de-identified information. To assess, improve and develop our business, products, and services, and for similar research and analytics purposes.
Historical, statistical, or scientific research and development. To analyze personal data in order to better understand historical, statistical, or scientific trends subject to appropriate data protection safeguards.
Online account registration or administration. To administer online accounts as part of a contract, authenticate your account and keep it - and our services – secure; enable certain account features; customize your view of the Site or tailor or personalize the information you receive from us; register you for a service or program; or help prevent spam, fraud, and abuse.
Marketing communications. To keep you informed about our Services, updates, offers, events, programs, products, tools, and solutions by post, email, SMS, phone, and fax; develop aggregate analysis and business intelligence and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt-out by contacting us as set out below in Section 14.
Event, conference, or similar communications (unless you objected to such processing). Facilitate your participation in your requested private or public forum, event or conference.
Contest or prize administration. To fulfill or meet the reason you provided information as part of your participation in prize promotions, contests, and other promotional offers that we administrate.
Content creation / production activities. To use your personal data for video, TV, film, marketing, advertising, or other related content creation, production, and distribution activities where you are involved with our content / production activities based on prior consent and model releases.
Recruitment. To ensure that we recruit appropriate employees, send relevant information about careers and opportunities, and analyze the effectiveness of our recruitment efforts and resources in connection with a job application or inquiry. More information about how we may use your data during the recruitment process will be provided as part of the recruitment process.
Managing our employment contract or relationship with you. To initiate or take steps at the request of our employees before entering into a contract; ensure contract execution; and assess the performance of, or terminating an employment contract to which our employees are a party.
Automated Processing of Employee Data. Where automatic processing concerns our employment relationship or automation of the evaluation of Sensitive Personal Data is part of personnel selection, in compliance with legal requirements and established corporate protocols.
Vital interests. To protect the vital interests of any natural person or ensure proper communication and emergency handling within our organization.
Complying with legal obligations. To comply or fulfill our legal obligations (e.g., law or legal proceedings, employment, labor, tax, or similar legal requirements).
Law enforcement requests and harm prevention. To comply with a law, regulation, legal process, order of a court or by any rule of law or governmental request; protect the safety of any person; protect property or the rights or property of those who use our services; prevent or detect crime; apprehend or prosecute offenders. However, nothing in this Privacy Statement is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your personal data.
Protect our legal rights and prevent misuse. To protect the Sites and our business operations; to enforce our Terms of Use; to prevent and detect fraud, unauthorized activities and access, and other misuse; establish, exercise or defend legal claims; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party; or violations of our Terms of Use or this Privacy Statement.
Investor Relations. To provide shareholders with necessary or useful services with respect to their investment, such as record keeping, processed trades, and mailing information; and send shareholders company relevant information such as invitations to the annual general meeting, annual reports, proxy statements, or other information about the company.
Affiliates and Change of Ownership. To facilitate a merger, acquisition, reorganization, sale of assets, or similar function.

3.2 Where the above table states that we rely on our legitimate interests for a given purpose, it is our understanding that our legitimate interests are not overridden by your interests, rights or freedoms, given (i) the transparency we provide on our data processing activities, (ii) our data protection by design and default approach, (iii) our routine data protection reviews, and (iv) the rights you have in relation to our data processing activities.

3.3 We will process your personal data for the above-referenced purposes based on your prior consent, to the extent such consent is mandatory under applicable laws.

3.4 To the extent you are asked to click on/check "I accept", "I agree" or similar buttons/checkboxes/functionalities in relation to a privacy statement, we will consider this step as you providing your consent for us to process your personal data, only in the countries where such consent is required by regulations. In all other countries, such action will be considered as a mere acknowledgment. The legal basis of the processing of your personal data will not be your consent but any other above-applicable legal basis.

3.5 We will not collect or use additional personal data categories we collect for materially different, unrelated, or incompatible purposes without providing you notice or, as applicable, your consent; unless it is required or authorized by law, or it is in your own or another person’s vital interest (e.g. in case of a medical emergency) to do so.

Back to top

4. Data recipients

4.1 Personal data collected in the course of our activities, including in connection with some client services, as well as on the Sites may be shared with:
  • a. our subsidiaries or affiliates, clients, and strategic alliances on a need-to-know and authorized basis.
  • b. our trusted suppliers or service providers, professional advisors, or other third parties on a need-to-know and authorized basis that is necessary for the purposes for which such access is granted and in connection with an existing or potential corporate or commercial transaction. For example, to provide services related to the Sites, our business activities, including in connection with some client services, in the manner agreed upon in our client services agreements, or supporting our interactions with you, including, for example, processing recruitment materials, administering surveys or contests, or communicating with you. When disclosing personal data to third parties, we take into account third parties’ data handling processes and require these third parties to maintain privacy and security processes designed to ensure that their personal data processing activities are consistent with this Privacy Statement and safeguard the confidentiality, availability, and integrity of personal data they process on our behalf.
  • c. with prospective or actual purchasers, or sellers on a need-to-know and authorized basis in the event of a sale, merger, joint venture, reorganization, assignment, or other transfer or disposition of all or any portion of our business. It also is our practice to require appropriate protection for personal data under each commercial transaction.
  • d. with government agencies pursuant to a judicial proceeding, court order, or legal process.

4.2 We may make certain non-personal data available to third parties for various purposes, including for business or marketing purposes or to assist third parties in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, advertisements, promotions, and functionality available through the Service. We will not intentionally disclose (and will take reasonable steps to prevent the unauthorized or accidental disclosure of) your personal data to any third parties for their own direct marketing use.

Back to top

5. International transfers

5.1 As a global organization offering a wide range of Services, with business processes, management structures and technical systems that cross borders, some of our disclosures may involve the transfer of personal data to countries or regions where the local law may grant you fewer rights than you have in your own country. We have designed this Privacy Statement and our practices to provide a globally consistent level of protection for personal data all over the world. This means that before we transfer personal data to those areas, we will take the necessary steps to ensure that your personal data will be given adequate protection as required by applicable data protection, the below Section 11.2 (“EEA, Switzerland, and UK special notices”) and our Global Data Protection framework.

Back to top

6. Direct marketing

6.1 As noted, we may send periodic promotional emails to you, and where required by law, we will obtain your consent to do so. You may opt-out of such communications at any time by following the opt-out instructions contained in the email or the instructions in Section 14. If you opt-out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about your account or any Services you have requested or received from us.

Back to top

7. Cookies, beacons, tags, and other technologies

7.1 We use cookies, web beacons and other technologies on our Sites in order to collect the information described above in “Automatically-collected Information” under above Section 1.2, and also to remember your settings and for authentication.

  • a. Cookies. Cookies are alphanumeric identifiers that we transfer to your computer's hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site, while others are used to enable a faster log-in process or to allow us to track your activities while using our Site. Most web browsers automatically accept cookies, but, if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
  • b. Clear GIFs, pixel tags, and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer's hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs, or pixel tags), in connection with our services to, among other things, track the activities of users of our services, help us manage content, and compile statistics about usage of our services. We and our third-party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, to identify when our emails are viewed, and to track whether our emails are forwarded.
  • c. Log files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and Internet browser type and version. This information is gathered automatically and stored in log files.
  • d. Third party analytics. We also use automated devices and applications, such as Google Analytics (more info here) to evaluate the use of our services. We use these tools to gather non-personal data about users to help us improve our services and user experiences. These analytics providers may use cookies and other technologies to perform their services, and may combine the information they collect about you on our Sites with other information they have collected for their own purposes. This Policy does not cover such uses of data by third parties.
  • e. Global Privacy Controls (GPC). While older "Do Not Track" initiatives are not currently recognized by Our Site, it does respond to GPCs. For more information about GPCs, please click here. Please see our Cookie Policy for more information.

7.2 You can manage the use of cookies through your browser. You may still use our Site if you reject cookies, but it may limit your ability to use some areas of our Site or otherwise diminish your experience of the Site. You can learn more about cookies at our Cookie Policy.

Back to top

8. Third-party websites and links

8.1 Our Sites may contain links or embed third-party applications to third party websites that are governed by their own terms and privacy statements. We may provide links to these third-party sites for your convenience and informational purposes only. For example, these links may allow you to interact with sites on which you may have accounts (such as Facebook and other social media sites) or join communities on sites that allow you to log in, post content, or join communities from our Sites.

8.2 Third-party apps and websites have their own privacy statements and disclosures, which we encourage you to read before interacting with such third-party websites or providing information on or through them. If you follow a link to any of those third-party websites, please note that we do not accept any responsibility or liability for their policies, or processing of your personal data. ICF is not responsible for the content, accuracy of, or cookies set by any third-party linked site that is not operated by or on behalf of ICF or for any other links contained in such third-party sites. The inclusion of any link to a website not owned by ICF is not an endorsement by ICF of the site or its contents or accuracy and does not suggest that the opinions expressed on a third-party site are representative of the views or opinions of ICF.

8.3 ICF assumes no responsibility or liability for any links to our Sites from another party's website. You may post a link to any portion of the Site without prior written permission. However, any such links must not use framing techniques or in any way represent the Site or its content as being connected with another organization. In addition, you may not use any meta tags or hidden text in your website that incorporate the ICF name or the names of any ICF affiliate, subsidiary, business, program, or service.

Back to top

9. Children’s privacy protection

9.1 ICF is committed to protecting children's privacy online.

9.2 Our Sites are not intentionally designed for or directed at children under the age of 13 in the U.S. and 16 in California or EEA, and require no such information be submitted to us. ICF will not knowingly or intentionally collect, store, use, or share, personal data of children anyone children under the age of 13 in the U.S. and 16 in California or EEA without prior documented parental or guardian consent.

9.3 If you are under the age of 13 in the U.S. and 16 in California or EEA, please do not provide any personal data, even if prompted by the Site to do so. If you are under the age of 13 in the U.S. and 16 in California or EEA and you believe you have provided personal data to us, please ask your parent(s) or guardian(s) to notify us and we will delete all such personal data.

9.4 If we become aware that we have inadvertently received personal data from a user under the age of 13 in the U.S. and 16 in California or EEA, we will delete these data from our records.

Back to top

10. Additional information for California residents 

In addition to the information provided in this Privacy Statement, the below information applies if you are a California resident.

10.1 Disclosures of California Residents’ Personal Information for a Business Purpose. In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose:


Categories Disclosed
A. Identifiers Yes, to affiliates, service providers, and other vendors
B. Personal information categories listed in the California Customer Records Statute (available here) Yes, to affiliates, service providers, and other vendors
C. Protected legal characteristics Yes, to affiliates, service providers, and other vendors
D. Commercial information Yes, to affiliates, service providers, and other vendors
E. Biometric information No
F. Internet activity Yes, to affiliates, service providers, and other vendors
G. Geolocation data Yes, to affiliates, service providers, and other vendors
H. Sensitive Personal Information Yes
I. Audio, electronic, visual, thermal, olfactory, or similar information Yes, to affiliates, service providers, and other vendors
J. Employment or professional information Yes, to affiliates, service providers, and other vendors
K. Non-public education information Yes, to affiliates, service providers, and other vendors
L. Inferences about personal preferences and attributes drawn from profiling or other personal information (e.g. via cookies) Yes, to affiliates, service providers, and other vendors

10.2 Sales of Personal Information. Please note that we don’t sell (as “sell” is traditionally defined) your personally identifiable information to anyone else. However, we may use personal information in a manner, such as for cross-context behavioral advertising, which constitutes a “sale” under California’s CCPA. For an overview of your rights, please see section 14 below.

10.3 Information excluded from the CCPA's scope, like:

  • a. health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • b. personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

Back to top

11. EEA, Switzerland, and UK residents’ special notices

In addition to the information provided in this Privacy Statement, the below information applies if you are located in the EEA, Switzerland, or UK.

11.1 In addition to the information provided in this Privacy Statement, where we transfer personal data from inside the European Economic Area (EEA) to outside the EEA, we are required to take specific measures to safeguard the relevant personal data.

11.2 Unless you are otherwise notified, any transfers of your personal data from within the European Economic Area (EEA) to third parties outside the EEA will be based on applicable data protection legislation, an adequacy decision (see the full list here ), or are governed by the model contractual clauses approved by the EU Commission, or similar contractual clauses in other jurisdictions to provide appropriate safeguards and an adequate level of protection for personal data. This includes transfers to suppliers or other third parties. You can request a copy of the EU model contractual clauses here. Any other non-EEA-related transfers of your personal data will take place in accordance with the appropriate international data transfer mechanisms and standards.

11.3 Please contact us as set out below in Section 16 if you would like to see a copy of the specific safeguards applied to the export of your personal data or to obtain a copy of our Data Protection Policy.

11.4 For data subject requests (DSR), we kindly ask you to contact us through the methods identified below.

Back to top

12. Retention

12.1 We retain relevant personal data in each category identified in Section 10.1 only as long as necessary to meet the criteria outlined in above Section 1.2.

Categories Retention Period
A. Identifiers Only as long as necessary to meet the criteria outlined in 1.2
B. Personal information categories listed in the California Customer Records Statute (available here)
C. Protected legal characteristics
D. Commercial information
E. Biometric information
F. Internet activity
G. Geolocation data
H. Sensitive Personal Information
I. Audio, electronic, visual, thermal, olfactory, or similar information
J. Employment or professional information
K. Non-public education information
L. Inferences about personal preferences and attributes drawn from profiling or other personal information (e.g. via cookies)

12.2 We retain personal data about unsuccessful candidates/applicants for 12 months following submission in the U.S., Canada, and Brazil, and for 6 months in Europe and Asia.

Back to top

13. Personal data accuracy, privacy, and security

13.1 We intend to maintain personal data accuracy, completeness, current status, and security. In the event of changes in your personal data, you may inform us to make sure that our information is up-to-date.

13.2 We implement commercially reasonable physical, administrative and technical safeguards to help us protect the confidentiality, security, and integrity of your personal data and prevent the loss, misuse, unauthorized access, unauthorized interception, or information alteration. For example, ICF takes appropriate measures to make sure that the personal data you provide is stored on computer servers in controlled, secure environments.

13.3 All of our partners, employees, consultants, workers, and data processors (i.e., those who process your personal data on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of such personal data.

13.4 Your choice to disclose personal data in an email submission or online form is voluntary. Unfortunately, no data transmission over the Internet is 100% secure. While we strive to protect your personal data, we cannot ensure or warranty the security of any such personal data or fully ensure that your private communications and other personal data will not be inadvertently disclosed to third parties by ICF or its business partners, agents, subcontractors, or other third-party vendors. Although we take commercially reasonable precautions to maintain the security of our Sites and servers, third parties may unlawfully intercept or access transmissions or private communications.

Back to top

14. Your rights and choices

14.1 Global Data Subject Rights

Laws across the globe grant individuals certain rights in connection with our data processing. These rights are identified in the table 14.7. together with a non-exhaustive explanation.

Please note that legal conditions, exceptions, or limitations apply to your rights (e.g., to protect third parties or trade secrets or due to our professional obligation of confidentiality). We reserve the right to redact copies or to supply only excerpts for reasons of data protection or confidentiality.

ICF complies with localized legal requirements for your personal data. Even if you do not see your own region listed in this section, please reach out to ICF’s Data Protection Team if you wish to exercise your rights and we will respond to your request in accordance with applicable laws.

Before we respond to a request, we may take certain steps and request such additional information as we deem necessary to satisfy ourselves of your identity and authenticity of your request.

To make an inquiry or to exercise your rights, please use our Data Subject Request Form or contact us via one of the methods identified below.

14.2 U.S. Residents of Certain States

U.S. Residents of California (CL), Colorado (CO), Connecticut (CT), Nevada (NV), Oregon (OR), Utah (UT), Texas (TX), and Virginia (VA), have certain specific rights regarding their personal data. Depending on your state of residence, these rights may differ. Please see the table contained within Table 14.7 to see what rights you may have.  

a. We may deny your deletion request if any of the below exceptions require that we retain the information for us or our service providers to:
  1. - Complete the transaction for which we collected the personal data, provide Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  2. - Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. - Debug products to identify and repair errors that impair existing intended functionality.
  4. - Exercise free speech, ensure the right of other individuals to exercise their free speech rights, or exercise another right provided for by law.
  5. - Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
  6. - Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement if you previously provided informed consent.
  7. - Enable solely internal uses that are reasonably aligned with individual’s expectations based on your relationship with us.
  8. - Comply with a legal obligation.
  9. - Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • b. If you are a resident of California, Colorado, Connecticut, Nevada, Utah, or Virginia, and wish to exercise your consumer rights, please contact us through the methods identified below or by visiting Do not sell my personal information | ICF. Please note that we don’t sell (as “sell” is traditionally defined) your personally identifiable information to anyone else. However, we may use personal information in a manner, such as for cross-context behavioral advertising, which constitutes a “sale” under California’s CCPA.

14.3  EEA, UK, and Switzerland (CH) residents

a. Individuals located in the EEA, UK, and Switzerland have additional specific rights regarding their personal data as detailed below in Table 14.7. This section describes your rights and explains how to exercise those rights.

14.4 Residents of Canada (CA), including Quebec (QC)

a. Individuals located in Canada have additional specific rights regarding their personal data as detailed below in Table 14.7. This includes additional rights granted to Canadian residents of Quebec. This section describes your rights and explains how to exercise those rights.

14.5 Residents of India (IN)

a. Individuals located in India have specific rights regarding their personal data, as identified below in Table 14.7. This section describes your rights and explains how to exercise those rights.

14.6 Residents of China (PRC)

a. Individuals located in China have specific rights regarding their personal data, as identified below in Table 14.7., subject to certain exceptions as provided by Chinese laws. If you wish to exercise any of your rights under the PIPL, please contact us. Unless you have arranged otherwise, in the event of your death, a close relative may exercise these rights to your personal information.

14.7 Table of Applicable Rights


Categories Rights Applicable Regions
Access (to know or be informed). If you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee. CL, CO, CT, OR, UT, TX, VA
CH, EEA, UK
CA, QC
IN, PRC
Correction (rectification). If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have the information corrected and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal data so that you can contact them directly. CL, CO, CT, OR, TX, VA
CH, EEA, UK
CA, QC
IN, PRC
Erasure (deletion). You can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal data with so that you can contact them directly. CL, CO, CT, UT, VA
CH, EEA, UK
CA, QC
IN, PRC
Restrict (block) Processing. You can ask us to restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal data so that you can contact them directly. You also have the right to decide on the processing of your Personal Information (PRC). CA
CH, EEA, UK
QC
PRC
Restrict the Sale or Sharing. You have the right to opt-out of the sale or sharing, as defined under the applicable privacy law, of your personal information. CL, CO, CT, OR, NV, UT, TX, VA
QC
Data Portability. You have the right, in certain circumstances, to receive a copy of personal data we've obtained from you in a structured, commonly used and machine-readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice. CL, CO, CT, VA
CH, EEA, UK
QC
PRC
Automated Decision-making and Profiling. You have the right not to be subject to a decision when it's based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us. CL, CO, CT, OR, TX, VA
CH, EEA, UK
QC
PRC
Withdraw Consent. If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time. However, this does not affect the lawfulness of the processing before consent was withdrawn. CL, CO, CT, VA
CH, EEA, UK
CN, QC
IN, PRC
Lodge a complaint with the Supervisory Authority. If you have a concern about any aspect of our privacy practices, including the way we've handled your personal data, you can report it to the relevant supervisory authority. CL, CO, CT, OR, UT, TX, VA
CH, EEA, UK
QC
Shine the Light Request. This is an additional type of access right is available to California residents. You also may have the right to request that we provide you with (a) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (b) the identity of those third parties. CL
Non-discrimination. You have the right to not be discriminated against for exercising your privacy rights. CL, CO, CT, VA
CH, EEA, UK
QC
Appeal the denial of a DSR. You have the right to appeal Our denial of your request to exercise your rights under the applicable privacy law. CL, CO, CT, VA
CH, EEA, UK
QC

14.5 Exercising Access, Data Portability, and Deletion Rights

  1. a. General. You may, at any time, exercise your right to decline to supply certain information while using our Sites. Please bear in mind that you, however, may not be able to access certain content or participate in some features on our Sites. If you tell us that you do not want us to use your information to make further contact with you beyond fulfilling your request, we will respect your wishes.
  2. b. Marketing. You may, at any time, exercise your right to prevent us from sharing marketing materials with you by checking certain boxes on our forms, utilizing the unsubscribe or opt-out mechanisms in the emails we send you, indicating so when we call you, or use our Data Subject Request Form. For best results, please forward a copy of the mailing you received from ICF. In such cases, we will retain minimum personal data to note that you opted out in order to avoid contacting you again.
  3. c. Newsletters, messages, and mailings. If you have subscribed to one or more of our newsletters or receive information from ICF via email or postal mail and would like to modify or cancel these mailings, please follow the instructions in the mailing, send an email to dataprotection@norwoodbariatric.com, or use our Data Subject Request Form. For best results, please forward a copy of the mailing you received from ICF. In such cases, we will retain minimum personal data to note that you opted out in order to avoid contacting you again.
  4. d. Cookies. If you want to remove existing cookies from your device, you can implement those steps by using your browser options. If you want to block future cookies being placed on your device, you can change your browser settings to do this. When you review your browser settings or options, you can identify the ICF cookies in the name. Unless you have adjusted your browser settings to block cookies, our system will issue cookies as soon as you visit our Sites or click a link in a targeted email we have sent you, even if you have previously deleted our cookies. Please bear in mind that deleting and blocking cookies will have an impact on your user experience as parts of the Site may no longer work. For more information on managing cookies, see www.allaboutcookies.org/manage-cookies.
  5. e. Data Subject Access Requests. You may exercise your rights to access, data portability, and deletion rights by using one of the contact methods indicated below.
  6. f. Legitimate Interest or Legal Obligation Exceptions. Please note that some of the above rights may be limited where we have an overriding legitimate interest or legal obligation to continue to process the personal data, or where the personal data may be exempt from disclosure due to applicable law.
  7. Further information about how you can exercise your rights, including your right to appeal our decision in regards to a consumer right’s request:


U.S. residents of certain states Individuals located in EEA, Canada, Switzerland, or UK
A. Who may make a request. Residents of the regions identified in Table 14.7 or those authorized to act on their behalf may make a verifiable DSAR related to their personal data. For example, an authorized representative can be a parent making a request on behalf of their child.

Note for US residents: You may only make a verifiable DSAR for access or data portability twice within a 12-month period.

B. How you may make a request. You or your representative have the right to exercise any of the rights applicable to you by reaching out to us using the methods indicated at the bottom of this page. Please note that these rights may be subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will carry out your request (and, when applicable, direct our service providers to do so as well), unless an exception applies. However, selecting this option may prevent you from receiving Services, receiving program or similar updates, or accessing certain Site features.

Note: Residents of the US states identified above or those duly authorized to act on their behalf may request that we not sell their personal data by clicking the below “Do Not Sell My Personal Data” button. California residents may also request that we limit Our use of their sensitive personal information by clicking the below “Limit the Use of My Sensitive Personal Information” button. However, selecting these options may prevent you from receiving Services, receiving program or similar updates, or accessing certain Site features.

C. Response Timing and Format. We endeavor to respond to a verifiable consumer request within:
45 days of its receipt for residents of the US states identified above. Any disclosures we provide will only cover the 12-month period preceding the verifiable DSAR receipt. 30 days for individuals located in EEA, Quebec, Switzerland, or UK. Any disclosures we provide will cover appropriate time frames under applicable regulatory requirements.
If we require more time to respond to a DSAR, we will inform you of the reason and extension period in writing before the required response time. If you have an account with us, we will deliver our written response to the registered email associated with the account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response also we provide will explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
D. DSAR Fees
We do not charge California, Colorado, Connecticut, Utah, Virginia, or other residents a fee to process or respond to verifiable DSAR unless it is excessive, repetitive, or manifestly unfounded. We do not charge individuals located in EEA, Quebec, Switzerland, or UK a fee to process or respond to verifiable DSAR unless it is excessive or manifestly unfounded to warrant a “reasonable fee” to cover our administrative costs of complying with the request
If we determine that a DSAR warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing the DSAR.
E. Verified DSAR. We cannot respond to DSARs or provide related personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Making a verifiable DSAR does not require you to create an account with us. We will only use personal data provided in a verifiable DSAR to verify the requestor’s identity or authority to make the request.
F. Non-Discrimination. We will not discriminate against any individual for exercising any of their respective DSAR rights. Unless permitted by law, we will not deny you the use of our Services or provide you with a different level or quality of Services .
G. Appeals. Where applicable law applies, you may appeal the denial of their DSAR by contacting us as detailed below.

Back to top

15. Notification of our privacy statement changes

15.1 We may make changes to this Privacy Statement from time to time, to reflect changes in our practices. We also may make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email), and where required by applicable law to obtain your consent.

Back to top

16. Privacy questions and how to contact us

16.1 Please use our Data Subject Request Form or contact us through one of the methods identified below if you:

  • a. have questions about this Privacy Statement or how we process or protect your personal data.
  • b. have questions regarding exercising your personal data rights under, for example, the DSAR as outlined in the above Section 14.3.
  • c. like a copy of the full version of our data protection policy.
  • d. wish to make a complaint about our use of your personal data.
  • e. have questions or concerns about this Privacy Statement or our Sites and email marketing practices, please use any of the above below contact means.

Back to top

Data Subject Request Form

Data Protection Officer: Geraldine Henbest

E-mail:dataprotection@norwoodbariatric.com

Phone (Toll free): 1.800.661.2164

Mail:

Residents of the U.S. and Canada Residents of the EEA, UK, and Switzerland
ATTN: Data Protection Officer
ICF
1902 Reston Metro Plaza
Reston, VA 20190
ATTN: Data Protection Officer
ICF
Riverscape
10 Queen Street Place
London
England
EC4R 1BE

Please note that no permission is granted for you to use ICF's logo, icons, or content. You must obtain our prior written permission to post additional graphic or textual material along with your link to our Sites.