Privacy Policy
of The Band Consultancy LLC
The Band Consultancy LLC
Sacramento, CA 95816
United States of America
Email: kristin@thebandconsultancy.com
This Privacy Policy describes how The Band Consultancy LLC (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects personal data in connection with our research consulting services. This Policy applies to all research participants, clients, and visitors and is designed to comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
1. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
GDPR – General Data Protection Regulation
The EU regulation (2016/679) governing the protection of natural persons with regard to the processing of personal data and the free movement of such data.
CCPA/CPRA – California Consumer Privacy Act / California Privacy Rights Act
California state law grants California residents rights over their personal information, including the right to know, delete, opt out of sale, and non-discrimination.
Data Controller
The natural or legal person who determines the purposes and means of processing personal data. For this Policy, The Band Consultancy LLC is the Data Controller.
Data Processor
Any natural or legal person who processes personal data on behalf of the Data Controller, such as third-party research platforms or transcription services engaged by us under appropriate data processing agreements.
Data Subject / Consumer
Any living individual whose personal data is processed by the Company, including research participants and clients.
Personal Data / Personal Information
Any information relating to an identified or identifiable natural person. This includes, but is not limited to, name, email address, phone number, and any other information that could reasonably be used to identify an individual.
Research Data
Aggregated, anonymized, or de-identified insights, findings, patterns, and analyses derived from research activities. Research Data does not constitute Personal Data and does not identify any individual.
2. Principles for Processing Personal Data
The Band Consultancy LLC processes personal data in accordance with the following principles, as required under GDPR Article 5:
• Lawfulness, Fairness, and Transparency. We collect and process personal data only through lawful, fair, and transparent means.
• Purpose Limitation. Personal data is collected for specified, explicit, and legitimate research purposes and is not further processed in a manner incompatible with those purposes.
• Data Minimisation. We collect only the minimum personal data necessary to conduct our research engagements.
• Accuracy. We take reasonable steps to ensure personal data we hold is accurate and, where necessary, kept up to date.
• Storage Limitation. Personal data is retained for no longer than 180 days from the date of collection, after which it is securely deleted or anonymized. See Section 6 for details.
• Integrity and Confidentiality. We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
3. Personal Data We Collect
In connection with our research consulting services, The Band Consultancy LLC may collect the following categories of personal data from research participants:
• Email address
• First name and last name
• Phone number
• Address, city, state/province, ZIP/postal code, and country
• Responses to research questions, surveys, or interviews
• Demographic information relevant to research objectives (e.g., age range, professional role), where voluntarily provided
We do not collect sensitive special-category data (e.g., health, race, religion, financial account data) unless explicitly required for a specific research engagement and only with your explicit consent.
4. How We Use Personal Data
Personal data collected from research participants is used solely for the following purposes:
• To recruit, screen, and communicate with research participants
• To conduct interviews, surveys, focus groups, or other research activities
• To verify participant eligibility and provide agreed compensation or incentives
• To fulfill our contractual obligations to clients
• To comply with applicable legal obligations
We do not use personal data for marketing, advertising, or any purpose unrelated to the specific research engagement for which it was collected. Any data collected, such as video, audio, or images, during the research will only be used for future sharing in whitepapers or other formats at the approval of the participant on a case by case bases.
5. Data Sharing and Confidentiality
What We Share With Clients
The Band Consultancy LLC shares only aggregated, anonymized Research Data and insights with clients. We do not disclose, sell, rent, or otherwise transfer any personal identifying information — including names, contact details, or any other data that could identify an individual — to clients or any third party outside of the research team.
Access Within the Research Team
Access to personal data is strictly limited to members of The Band Consultancy LLC’s research team who require such access to perform their research duties. All team members are bound by confidentiality obligations.
Third-Party Service Providers
We may engage trusted third-party vendors (e.g., video conferencing platforms, transcription services, research software providers) to support research activities. Any such vendors are contractually required to process personal data only on our documented instructions and in compliance with applicable data protection laws, including GDPR Article 28 processor requirements where applicable.
No Sale of Personal Information
The Band Consultancy LLC does not sell, share for cross-context behavioral advertising, or otherwise monetize the personal information of any individual, including research participants. This applies to all individuals, including California residents under the CCPA/CPRA.
Legal Disclosures
We may disclose personal data if required to do so by law, court order, or regulatory authority, or where necessary to protect our legal rights or the safety of individuals.
6. Data Retention
The Band Consultancy LLC retains personal data for a maximum of 180 days from the date of collection. At the end of this retention period, all personal data is securely and permanently deleted or irreversibly anonymized, unless a longer retention period is required by applicable law or necessary to resolve a dispute or enforce an agreement.
Research Data (aggregated, anonymized findings and insights) does not contain personal identifiers and may be retained beyond 180 days for legitimate business and research purposes.
Participants may request early deletion of their personal data at any time by contacting us at kristin@thebandconsultancy.com. See Section 7 for full details of your rights.
7. Your Rights
Rights Under GDPR (EEA Residents)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR:
• Right of Access. You may request a copy of the personal data we hold about you.
• Right to Rectification. You may request correction of any inaccurate or incomplete personal data.
• Right to Erasure (“Right to be Forgotten”). You may request deletion of your personal data, subject to applicable legal obligations.
• Right to Restriction of Processing. You may request that we restrict processing of your personal data in certain circumstances.
• Right to Object. You may object to processing based on legitimate interests or for direct marketing.
• Right to Data Portability. You may request a machine-readable copy of your data and ask us to transmit it to another controller where technically feasible.
• Right to Withdraw Consent. Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection supervisory authority.
Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the CCPA/CPRA:
• Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete. You may request deletion of your personal information, subject to certain exceptions.
• Right to Correct. You may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing. You have the right to opt out of the sale or sharing of your personal information. The Band Consultancy LLC does not sell or share personal information.
• Right to Non-Discrimination. You have the right not to be discriminated against for exercising your privacy rights.
To exercise any of these rights, please contact us at kristin@thebandconsultancy.com. We will respond to verifiable requests within the timeframes required by applicable law (within 30 days under GDPR; within 45 days under CCPA, extendable by an additional 45 days where reasonably necessary).
8. Legal Basis for Processing (GDPR)
Our legal basis for collecting and processing personal data under GDPR Article 6 includes:
• Consent (Article 6(1)(a)). Research participants provide explicit informed consent prior to participation in any research activity.
• Contractual Necessity (Article 6(1)(b)). Processing may be necessary to perform our contractual obligations to research participants (e.g., scheduling, compensation).
• Legal Obligation (Article 6(1)(c)). Processing may be necessary to comply with a legal obligation applicable to us.
• Legitimate Interests (Article 6(1)(f)). Processing may be necessary for the purposes of the legitimate interests pursued by us or our clients, provided such interests are not overridden by the interests or fundamental rights of data subjects.
9. Data Security
The Band Consultancy LLC implements appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures are reviewed and updated on an ongoing basis. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required under GDPR Article 33, and will notify affected individuals where required.
10. International Data Transfers
The Band Consultancy LLC is based in the United States. If you are located in the EEA or another jurisdiction with data transfer restrictions, please be aware that your personal data may be transferred to and processed in the United States. We take appropriate safeguards to ensure such transfers comply with applicable law, including entering into standard contractual clauses approved by the European Commission where required.
11. Children’s Privacy
Our research services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected personal data from a minor without verified parental consent, we will take steps to delete that information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify participants and clients of any material changes by posting the updated Policy on our website or by direct communication. We encourage you to review this Policy periodically.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:
The Band Consultancy LLC
United States of America
Email: kristin@thebandconsultancy.com
Sacramento, CA 95816
For EEA residents, you also have the right to contact your local data protection supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en