Privacy Policy
Management Research Group, Inc. (“MRG”) Privacy Policy
Last Review and Update: June 4, 2024
MRG takes your privacy seriously. This MRG Privacy Policy describes how MRG (“MRG,” “our,” “we,” “us,”) collects and processes personal data that users (“user,” “your,” or “you”) provide to us at any of our web sites where this Policy is posted (the “Sites”). This Privacy Policy also applies to personal data that MRG obtains by other means, as described below.
Individuals Under the Age of 18
The MRG website(s) are not intended for use by individuals under the age of eighteen (18). No one under 18 may provide any personal information on or to the MRG website(s). MRG does not knowingly collect personally identifiable data from individuals under 18 years of age. If you are under 18, do not use or provide any information on this website. In the event that we learn we have collected or received personally identifiable data from an individual who is under the age of 18 without verifiable parental consent, we will remove that information from our database. If you believe we have any information on an individual who is under the age of 18, please contact us immediately at privacy@mrg.com.
1. Agreement to the Policy
By accessing, using, or creating an account on any of our Sites, you agree to be bound by all of the Site’s terms and conditions including this Privacy Policy. If you do not agree to any of the Sites’ terms and conditions or this Privacy Policy, please do not access or use any of our Sites. In the event you believe data was collected without your consent, please see section 18 for instructions on how to contact us.
2. What personal data does MRG Collect:
In the instances and for the reasons outlined in section 4 of this document, MRG collects the following personal data categories:
Name, email address, gender, race (where allowed by law), ethnicity, employer, and your Internet Protocol (“IP”) address. (MRG does not collect race or ethnicity data from residents of the European Union.)
3. How does MRG collect the data:
We collect data when you provide it to us directly or indirectly through a third party and by “cookies” (as described in section 8, below). You may provide certain data to us when you: (a) register for participation in any MRG service; (b) subscribe to marketing materials; (c) send e-mail messages; (d) submit forms; (e) transmit information by telephone or letter; (f) order assessments; (g) access certain forms or request information on our Sites; (h) visit other points on the Sites that state that such information is being collected; or (i) register for or complete a survey, evaluation, or assessment.
When you engage in certain activities on any of our Sites, we may ask you to provide data by filling out and submitting an online form. Depending upon the activity, some of the data may be mandatory, and some may be voluntary. If you do not provide the mandatory data with respect to a particular assessment, you may not be able to engage in that activity.
4. How does MRG use the data:
By entering personal data into MRG Sites or providing it to MRG (directly or indirectly through third parties), you agree to allow MRG to collect and use the data, including any conclusions or assessments derived therefrom, for the following purposes:
a. To register you as an MRG client or assessment taker.
b. To process and administer assessments.
c. To communicate with you: We use personal data to communicate with you about MRG information and related opportunities.
d. To conduct marketing and promotional activities.
e. To process transactions: We use personal data to engage in interactions with you including to communicate with you about your registration status, payment, assessment information, and to process orders.
f. To provide support or other services: We use personal data to provide you with support or other services that you have requested. We may use your data to respond directly to your requests for information, including registering for newsletters, registering as a consultant or test taker, registering for assessments, and any other specific requests you make directly of MRG or our authorized partners. We may pass your data along to the appropriate consultant to respond to your request.
g. Information provided by you in an MRG assessment may be used for research, innovation, case studies, or commercial purposes (such as in speeches, articles, books, etc.) at our discretion. Your assessment data may be aggregated for research, norming, or comparison purposes. Your name and personal information will never be included in these materials. If you are being asked to complete one of MRG’s questionnaires, all information is collected, stored, and transmitted by MRG through our Assessment websites, Quest https://questv2.mrg.com . These websites are restricted access sites that allow our clients to manage their MRG-related projects and administer questionnaires. Data collected via these websites is used to create feedback reports for the purpose of individual and organizational development as well as data analysis and research to support strategic organizational development programs. MRG works solely with authorized partners (agents) who have been trained to facilitate feedback to individuals and organizations based on the results of MRG questionnaires. Your MRG authorized partner (agent), as designated by you or your company, will have access to the data you provide us in your questionnaire and may be involved in collecting, interpreting, and/or reporting on that data.
h. To improve quality and facilitate use of our Sites. MRG may use your personal data, including the information gathered as a result of site navigation and electronic protocols and cookies, to help create and personalize website content, improve website quality, track marketing campaign responsiveness, evaluate page response rates, conduct usability testing, and facilitate your use of our Sites (for example, to facilitate navigation and the login process, enhance security, and preserve information between sessions).
5. How long does MRG retain data:
MRG will retain your data for as long as needed to fulfill the purposes and uses described in this Policy. When we no longer need your data, and there is no need to keep it to comply with our legal obligations or protect our legal rights, we will either delete it from our systems or depersonalize it so we can’t identify you.
If you wish to understand how to request your personal data be deleted, please refer to section 12 for more information.
6. How does MRG share data:
MRG does not rent or sell data to others. We share personal data with authorized MRG partners, vendors, service providers, and other third parties (collectively, “Service Providers”) who are acting on our behalf to help operate our Sites, handle communications, implement, manage or evaluate MRG programs, or complete transactions you request.
Except as otherwise provided in this Privacy Policy, MRG will keep your personal data private and will not share it with third parties, unless such disclosure is necessary to: (a) comply with the law or legal process served on us, including in response to lawful requests by public authorities, and to meet national security or law enforcement requirements; (b) provide you the products, services and/or information that you may have requested; (c) protect our rights or property; (d) enforce our rights; (e) protect the interests of users of the Site or any other person; (f) operate or conduct maintenance and repair of our equipment; (g) detect, prevent and/or otherwise address fraud, security or technical issues, as authorized by law; and/or (h) otherwise comply with applicable laws.
When MRG transfers your data to third parties for legitimate business purposes, we ensure that these partners adhere to stringent data protection standards through comprehensive due diligence and binding Data Processing Agreements. MRG remains liable under the DPF Principles of a third-party processing Personal Data covered by this policy in a manner inconsistent with the DPF Principles, except where MRG is not responsible for the event giving rise to the damage.
7. How does MRG protect information:
MRG uses technical and organizational measures to protect data, including, but not limited to: conducting third-party security audits, firewalls, maintaining security patches on external systems, a log auditing system to identify breaches, and ensuring that all web connections are over HTTPS. Access to personal data is available through your user identification and password selected by you. This password is encrypted. We recommend that you do not divulge your password to anyone and no one at MRG or who represents MRG will ever ask for your password. In addition, your personal data resides on a secure server to which only select MRG personnel and Service Providers have secure access.
8. Cookies:
When you use any of our Sites, we may store cookies on your computer in order to facilitate and customize the experience. A cookie is a small data text file, which a website stores on your computer’s hard drive (if your Web browser permits) that can later be retrieved to identify you to us.
Our cookies store randomly assigned user identification numbers, the country where you are located, and your log-in name to welcome you back to a Site. Our cookies: (a) make your use of our Sites easier; (b) make our Sites run more smoothly; (c) track authenticated users visiting our Sites; and (d) help us to maintain secure Sites. You may decline our cookies, but some parts of our Sites may not work properly as a result. You can, at any time, use your browser setting to delete our cookies from your system. We may use a third party to display information on our Sites. As part of the third-party service, they may place a separate cookie on your computer.
9. Privacy Policies of Third-Party Sites:
We may maintain links to other websites on our Sites. This Privacy Policy only applies to MRG. Other sites accessible through our Site have their own privacy policies and data collection use and disclosure practices. Please consult each site’s privacy policy.
10. How you can rectify incorrect information:
You have the ability to access and edit the personal data you provide to us. Data may be changed by requesting a change in writing. Requests in writing should be sent to privacy@mrg.com.
Please include your name, e-mail address, and/or phone number when you contact us regarding an update or correction to data. We reserve the right to confirm your identity before updating or correcting personal data. We encourage you to promptly update your personal data if it ever changes by logging-in to your MRG accounts.
11. How you can object to certain uses of your data:
MRG provides you with choices about the ways we will use and share your personal information, and we’ll respect the choices you make. You have the right to limit how your personal data is used for certain purposes, such as direct marketing or sharing with third parties.
If you do not wish to receive email from MRG, you may “opt-out” of receiving these communications by exercising your right to “opt out” by using the unsubscribe feature in the email.
Please contact privacy@mrg.com for comprehensive details on your rights and the available means to exercise them.
12. How you can exercise your right to be forgotten:
You may request that your personal data at MRG be deleted by emailing privacy@mrg.com. You will need to complete a request form and provide information to confirm your identity at the time of your request. We reserve the right to confirm your identity before taking any action to delete your data. MRG will assess each request to be forgotten on a case-by-case basis to determine the extent to which data can be deleted. MRG will comply with all requests to be forgotten except where MRG has a legal obligation to retain your data.
13. How you can exercise your right to data portability:
You have the right to receive a copy of the personal data you have provided to MRG by emailing privacy@mrg.com.
14. Transfer of data to other countries:
MRG and its programs operate internationally. However, MRG is a United States based organization with headquarters in Portland, Maine, United States of America. MRG stores data in the United States of America. When you transfer data to MRG, it will be primarily transferred to, stored and processed in one of these locations.
MRG may need to share your personal data with authorized MRG consultants in other countries in order to carry out the activities specified in this Policy. Your data will only be shared with the authorized MRG consultant that you are directly working with. By submitting your personal data to MRG, through MRG Sites, or in connection with your interactions with MRG offline, you consent to such transfers and to the processing of this information in any country where MRG operates.
15. Special Notification for California Residents:
Users who reside in California and have provided their personal data to us may request information about our disclosures of certain categories of personal identifiable information to third parties for direct marketing purposes. Such requests must be submitted to us at privacy@mrg.com. Within thirty days of receiving such a request, we will provide a list of the categories of personal identifiable information disclosed to third parties for use in direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made no more than once per calendar year.
16. Data Privacy Framework Program (DPF):
MRG complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. MRG has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. MRG has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
17. Changes to this Privacy Policy:
We reserve the right to change this Privacy Policy at any time. Such changes, modifications, additions, or deletions shall be effective immediately upon notice thereof, which may be given by means including, but not limited to, posting the revised Privacy Policy at any of our Sites. You acknowledge and agree that it is your responsibility to review the Site you are using and this Policy periodically and to be aware of any modifications. Your continued use of a Site after any such modifications will constitute your; (a) acknowledgment of any modified Policy; and (b) agreement to abide and be bound by any modified Policy. To the extent that any modifications to this Policy materially alter how MRG will use information collected under prior version of the Policy, MRG will provide you notice by email using your email on file and, where required by law, will obtain your consent.
18. How to contact us and how to lodge a complaint:
MRG has a Data Governance Team who represents MRG and will lead investigative action, complaint handling, and data breach notification. If you have any questions about this Privacy Policy, the practices of any of our Sites, or your dealings with any of our Sites, contact us via email privacy@mrg.com or by sending a letter to:
Management Research Group
14 York Street, Suite 301
Portland, ME, United States, 04101
Or you may call us at (207) 775-2173
19. Alternative Dispute Resolution
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, MRG commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to International Centre for Dispute Resolution (ICDR-AAA), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.adr.org/Support for more information or to file a complaint. The services of ICDR-AA are provided at no cost to you.
20. Binding Arbitration
To ensure a fair and efficient resolution process, MRG offers the option of binding arbitration under certain conditions as set forth in Annex I of the DPF Principles. Binding arbitration may be evoked under the following conditions:
- You have first attempted to resolve the dispute through our standard customer service channels without success.
- The dispute involves a claim related to our data privacy practices or the collection, use, or sharing of your personal information.
- Both parties agree to the arbitration process.
To invoke binding arbitration, you must deliver the notice of the dispute to our Data Privacy Officer at privacy@mrg.com and adhere to the procedures and conditions set forth in Annex I of the DFP Principles.
21. FTC Investigatory and Enforcement Powers
MRG is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). This means that the FTC has the authority to investigate our data privacy practices and take enforcement actions if necessary to ensure compliance with privacy laws and regulations.
For our clients that require Data Processing Agreements, Standard Contractual Clauses:
The European Commission’s SCCs, otherwise known as model contracts or clauses, are contract terms developed and approved by the European Commission ensure adequate protection for data subjects in accordance with the EU Data Protection Directive 95/46/EC when transferring personal data from the EEA to the U.S. Please note UK clients will require a different set of SCCs, so please contact us. If you are an MRG client or partner transferring personal data in connection with MRG products and services, please promptly complete, sign and return a copy of the MRG Standard Data Processing Addendum to privacy@mrg.com.