We collect and use this data to:

• Evaluate, respond to, and fulfill your requests or submissions
• Provide consulting, diagnostics, and strategy services
• Operate and improve our Sites, tools, and service delivery
• Administer employment, contracting, or vendor relationships
• ‍Comply with legal obligations and regulatory frameworks in applicable jurisdictions

We do not collect demographic or health-related sensitive personal data unless such collection is directly relevant to a specific engagement and provided voluntarily.

We do not sell or license your personal data.

Use of cookies on the Sites

The Sites use cookies and similar technologies to enhance functionality, measure site performance, and understand usage patterns. Depending on your jurisdiction, you may be prompted to manage cookie preferences. You may also manage cookies through your browser settings. Where required, we present a cookie banner to allow users to manage consent preferences.

‍

Who we share your personal data with

We may share personal data internally with authorized employees, contractors, or advisors who require access to fulfill their duties. We also use trusted third-party service providers ("processors") to support operational needs, including project delivery, communication, analytics, file storage, and systems hosting.

Processors are contractually bound to use the data only in accordance with our instructions and to implement appropriate security safeguards. We do not share your data with unrelated third parties for marketing or commercial purposes.

‍

Links to other websites

Our Sites may contain links to third-party websites or platforms. These are provided for convenience only. Harms does not control and is not responsible for the privacy practices of external sites. We encourage you to review the privacy policies of those websites before submitting any personal data.

‍

Security of your personal data

We retain personal data only for as long as necessary to fulfill the purposes described in this Notice, or as required by law, regulation, or contract. When data is no longer required, it is securely deleted or anonymized.

We implement reasonable administrative, technical, and physical security measures to protect personal data from unauthorized access, loss, misuse, alteration, or disclosure. These include role-based access controls, encryption in transit and at rest, and secure file storage protocols. Internal access to data is restricted based on role necessity.

A data breach response protocol is in place and will be executed in accordance with the timelines required under applicable laws.

Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct or update inaccurate or outdated data
• Request deletion or anonymization of your data
• Restrict or object to certain types of processing
• Withdraw consent where processing is based on your consent
• Request a copy of your data in a portable format
• ‍Lodge a complaint with a supervisory authority

How to Exercise Your Rights

To exercise your rights, contact us at info@harmsadvisorygroup.com. We may request verification of your identity before processing your request. Requests will be handled within the timeframes required by law.

Do Not Track / Opt-Out Preference Signals

We do not sell or share your data in the manner defined by California law. However, if you have configured your browser or device to send a Global Privacy Control (GPC) signal, we recognize and honor such signals where required by applicable legislation.

Job applicants

If you apply for a position at Harms, we collect and process your personal data as part of our recruitment process. This may include information contained in your resume, cover letter, references, or work samples. Applicant data is retained only as long as necessary to complete the hiring process or to comply with applicable laws.

Children

Our Sites and services are not intended for individuals under the age of 16. We do not knowingly collect personal data from minors. If we become aware that data has been collected from a minor, we will delete it promptly.

Use of Harms tools (SaaS tools)

In the course of service delivery, we may provide access to proprietary or partner-developed tools. These tools may collect user-generated inputs, usage patterns, or embedded file data. Where applicable, they may include automated processing or profiling to support diagnostics and decision-making. No legal or similarly significant decisions are made solely through automated processing without human oversight. All data processed through such tools is handled in accordance with this Notice and relevant laws.

Country-specific information

USA – California

If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include the right to request disclosure of:

• The categories of personal data we have collected about you
• The categories of sources from which such data was collected
• The business or commercial purpose for collecting such data
• The categories of third parties with whom we share your personal data
• The specific pieces of personal data we have collected about you

You may also request that we delete your personal data, subject to legal exceptions.
To submit a request, please use our Data Subject Request form or email us using the information provided in the Contact section.

Harms does not discriminate against users who exercise their rights under the CCPA or CPRA.

Canada

If you are located in Canada, including Quebec, you are entitled to rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, in Quebec, Law 25. These rights include:

• Transparent disclosure of the purpose of data collection
• Access and correction of your data
• The right to withdraw consent at any time
• The right to be informed of any use of your data for profiling or automated decision-making

Harms complies with these obligations and will respond to inquiries within the timeframes prescribed by law. You may also contact the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information (Quebec) with complaints.

European Union / EEA

If you are a resident of the EU or EEA, Harms processes your data in accordance with the General Data Protection Regulation (GDPR). You may exercise rights as outlined above under "Your Rights." Harms relies on Standard Contractual Clauses and other approved safeguards for cross-border data transfers out of the EU.

Definitions

1. A data controller is the entity that determines the purposes (why) and means (how) of processing personal data.
2. Personal data is any information that relates to an identifiable individual, including names, contact details, identification numbers, or digital identifiers.
3. Standard Contractual Clauses are European Commission-approved agreements that provide legal safeguards for data transfers outside the EU.
4. Anonymizing means rendering data unidentifiable and no longer linked to any individual.
5. Pseudonymizing means altering data so it cannot be attributed to a person without additional information, which is stored separately.