Legal

Privacy Policy | KLDiscovery

Written by Admin | February 20, 2026

Print/Download to PDF

August 1, 2025

(A) This Policy

This Policy is issued by each of the Controller entities listed in Section P below (together, “KLDiscovery”, “we”, “us” or “our”). This Policy is addressed to individuals outside our organisation with whom we interact, including customers, personnel of corporate customers, visitors to our websites (our “Websites”), partners, suppliers, applicants for employment and other users of our Services (together, “you”). Defined terms used in this Policy are explained in Section (R) below. This Policy also applies to our social media presence (see below).

This Policy may be amended or updated from time to time to reflect changes in our practices with respect to the Processing of Personal Data, or changes in Applicable Privacy Laws. We encourage you to read this Policy carefully, and to regularly check this page to review any changes we might make in accordance with the terms of this Policy.

KLDiscovery operates under the following brands: KLDiscovery, Ontrack, Ibas and Complied.

(B) Processing your Personal Data

Collection of Personal Data: We collect or obtain Personal Data about you from the following sources:

  • Data provided to us: When you contact us via email, telephone or by any other means or when you provide us with your business card, or when you submit a job application.
  • Relationship data: In the ordinary course of our relationship with you (e.g., Personal Data we obtain in the course of providing a Service to you, or to your employer).
  • Data you make public: Personal Data that you manifestly choose to make public, including via social media.
  • Website data: We collect or obtain Personal Data when you visit any of our Websites, register or use any features or resources available on or through a Website.
  • Content and advertising information: If you interact with any third party content or advertising on a Website or third party plugins and cookies) we receive your Personal Data from the relevant third party provider of that content or advertising.
  • Third party information. We collect or obtain Personal Data from third parties who provide it to us (e.g. credit reference agencies or law enforcement agencies).

Creation of Personal Data: In providing our Services, we may also create Personal Data about you, such as records of your interactions with us and details of your order history. We may also combine Personal Data from use of any of our Websites and Services with Personal Data collected from different sources.

Categories of Personal Data: The categories of Personal Data about you that we Process include:

  • Personal details: name(s); gender; date of birth / age; nationality; and photograph.
  • Contact details: correspondence or shipping address (e.g., for returning original media and/or storage devices); telephone number; email address; and social media profile details.
  • Consent records: records of any consents you have given, together with the date and time, means of consent, and any related information (e.g., the subject matter of the consent).
  • Payment details: purchase information, pricing, invoice records, billing address; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; and card expiry date. We do not store full payment card numbers or CVV codes. Payment details are securely processed by PCI-DSS-compliant providers.
  • Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
  • Application details: all kind of application documents which you may submit (professional history, curriculum vitae, qualifications, certificates, references, etc.)
  • Employer details: where you interact with us in your capacity as an employee of a third party; the name, address, telephone number and email address of your employer, to the extent relevant.
  • Data relating to our Websites: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a Website; and other technical communications information (some of which may constitute Personal Data); username; password; security login details; usage data; and aggregate statistical information.

Purposes of Processing and Legal Basis

Purpose Legal Basis

Provision of Websites and Services: communicating with you in relation to those Websites and Services.
  • The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the Processing for the purpose of providing our Sites, Apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our Websites, our Services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our Websites, or our Services; and notifying you of changes to any of our Websites, or our services.
  • The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the Processing for the purpose of providing our Websites, our Services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under Applicable Privacy Laws; personalising our Websites, and Services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; enabling and recording your choice to opt-out or unsubscribe, where applicable.
  • The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with Applicable Privacy Laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.
  • The Processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping; providing a safe and secure environment at our premises; and compliance with related legal obligations.
  • The Processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • The Processing is necessary to protect the vital interests of any individual.

Financial management: sales; finance; corporate audit; and vendor management.
  • We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Surveys: engaging with you for the purposes of obtaining your views on our Websites, or our Services. 
  • We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with Applicable Privacy Laws.
  • The Processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and Applicable Privacy Laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under Applicable Privacy Laws.
  • The Processing is necessary for compliance with a legal obligation.

Improving our Websites and Services: identifying issues with and planning improvements to our Websites and creating new Websites or Services.
  • We have a legitimate interest in carrying out the Processing for the purpose of improving our Sites, our Apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Fraud prevention: Detecting, preventing and investigating fraud.
  • The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
  • We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, fraud (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; exercise and defence of legal rights and claims, including formal legal proceedings.
  • The Processing is necessary for compliance with a legal obligation;
  • We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
  • The Processing is necessary for the establishment, exercise or defence of legal claims.

 

Sensitive Personal Data

We do not seek to collect or otherwise Process Sensitive Personal Data but where we do so, it is on the following basis.

Lawful basis for Processing Sensitive Personal Data: In Processing your Sensitive Personal Data in connection with the purposes set out in this Policy, we may rely on one or more of the following legal bases, depending on the circumstances: 

  • we have obtained your prior express consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way);
  • the Processing is necessary in connection with any contract that you may enter into with us to provide you with Services;
  • the Processing is required or permitted by Applicable Privacy Laws; the Processing is necessary for the establishment, exercise or defence of legal claims
  • the Processing is necessary to protect the vital interests of any individual; or
  • we have a legitimate interest in carrying out the Processing for the purpose of managing, operating or promoting our business, and that legitimate interest is not overridden by your interests, fundamental rights, or freedoms.

Voluntary provision of Personal Data and consequences of non-provision: The provision of your Personal Data to us is voluntary and will usually be a necessary requirement in order to enter into a contract with us and to enable us to fulfil our contractual obligations towards you. You are under no statutory obligation to provide your Personal Data to us; however, if you decide not to provide us with your Personal Data, we will not be able to conclude a contractual relationship with you and to fulfil our contractual obligations towards you.

Sale of your data: In accordance with Applicable Privacy Laws, we do not sell your data in exchange for compensation or non-monetary consideration.

(C) Disclosure of Personal Data to third parties

We disclose your Personal Data to other entities within the KLDiscovery group, in order to fulfil our contractual obligations towards you or for legitimate business purposes (including providing Services to you and operating our Websites) in accordance with Applicable Privacy Laws. All intra-group transfers within the KLDiscovery group are governed by data sharing agreements that meet the requirements of the GDPR, UK GDPR and other Applicable Privacy Laws. In addition, we disclose your Personal Data to:

  • you, and where appropriate, your appointed representatives, or if we are providing Services to your employer, your employer;third party Controllers with whom we share Personal Data in order to provide you with a specific Service requested by you. We conduct due diligence and maintain contractual safeguards with all third parties before allowing access to Personal Data;
  • legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
  • accountants, auditors, consultants, lawyers and other outside professional advisors to KLDiscovery, subject to binding contractual obligations of confidentiality;
  • third party Processors (such as payment services providers, channel and retail partners, shipping/courier companies; technology suppliers, customer satisfaction survey providers, operators of “live-chat” services and processors who provide compliance services such as checking government issued prohibited lists, like the US Office for Foreign Asset Control), located anywhere in the world, subject to the requirements noted below in this Section (C);
  • any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal rights, or any relevant party for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
  • any relevant third party acquirer(s) or successors in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation), but only in accordance with the Applicable Privacy Laws;
  • any relevant third party provider where our Websites may use third party content, advertising, plugins or content. If you choose to interact with any such content, your Personal Data may be shared with the third party provider of the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its content; and
  • third party Partners, if you sign up for our Services through a referral made by KLDiscovery to such Partner or if you were referred to us by such Partner.

If we engage a third-party Processor to Process your Personal Data, we will conclude a data processing agreement and sufficient guarantees as required by the Applicable Privacy Laws with such third-party Processor so that the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data; together with any additional requirements under Applicable Privacy Laws. In all cases, KLDiscovery is primarily liable for the acts and omissions of such third parties to whom KLDiscovery has entrusted personal data. KLDiscovery shall ensure that all such third parties maintain security and data handling measures to standards prescribed by KLDiscovery prior to transferring such personal data to the applicable third party.

We may anonymize Personal Data about the use of the Websites (e.g., by recording such data in an aggregated format) and share such anonymized data with our business partners (including third party business partners). In case of anonymisation, we take reasonable steps to ensure that anonymisation is effective and irreversible.

(D) International transfer of Personal Data

Because of the international nature of our business, we may need to transfer your Personal Data within the KLDiscovery Group, and to third parties as noted in Section (C) above, in connection with the purposes set out in this Policy. For this reason, we may transfer your Personal Data to other countries that may have lower standards for data protection than the EU due to different laws and data protection compliance requirements to those that apply in the country in which you are located.

Where we transfer your Personal Data to other countries, we do so where required, on the basis of the applicable European Union Standard Contractual Clauses and, where relevant, the appropriate amendments to incorporate compliance with English and Swiss law. You may request a copy of our Standard Contractual Clauses using the contact details provided in Section (P) below.

Transfers of Personal Data to the United Kingdom on the basis of the Adequacy Decision dated 28 June 2021

On 28 June 2021, the European Commission determined that the United Kingdom, following its withdrawal from the European Union and becoming a “third country” from December 31, 2020, ensures an adequate level of protection within the meaning of Article 45 of the General Data Protection Regulation 2016/679 (“GDPR”) (the “Adequacy Decision”) and that the United Kingdom benefits from such decision in relation to transfers of Personal Data to the United Kingdom.

Where we transfer your Personal Data from the European Union, Switzerland or another member of the EEA to the United Kingdom in connection with the purposes set out in this Policy, from the date of the Adequacy Decision, we will do so on the basis of the Adequacy Decision.

(E) Specific Accreditation from U.S. Department of Commerce

KLDiscovery Ontrack, LLC and KLDiscovery Holdings, Inc comply with the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. KLDiscovery Ontrack, LLC and KLDiscovery Holdings, Inc have certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (the “EU-U.S. DPF Principles”) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. KLDiscovery Ontrack, LLC and KLDiscovery Holdings, Inc have certified to the U.S. Department of Commerce that each adheres to the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-U.S. DPF Principles”) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Pursuant to the Data Privacy Framework Principles, KLDiscovery Ontrack, LLC and KLDiscovery Holdings, Inc attest to the following:

  • We are subject to the jurisdiction and enforcement authority of the U.S. Federal Trade Commission;
  • We remain liable in the onward transfer of Personal Data to agent third parties unless we can prove we were not a party to the event giving rise to the damages;
  • We may be required release Personal data in response to lawful requests by public authorities including to meet national security and law enforcement requirements; and
  • We acknowledge the right of European Union, United Kingdom and Swiss individuals to access their information that is transferred into the United States and to update, amend or correct inaccurate or outdated information. Furthermore, said individuals can delete Personal Data that has been handled in violation of the DPF Principles. To exercise your DPF rights or opt out of further processing of your Personal Data under the DPF, please contact us at the contact details provided in Section (P) below.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, KLDiscovery Ontrack, LLC and KLDiscovery Holdings, LLC commit to resolve complaints about our collection or use of your Personal Data transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. European Union, United Kingdom and Swiss individuals with inquiries or complaints should first contact the applicable KLDiscovery entity using the contact details provided in Section (P) below.

KLDiscovery Ontrack, LLC and KLDiscovery Holdings, Inc have further committed to refer unresolved DPF Principles-related complaints to PrivacyTrust, a U.K.-based independent dispute resolution mechanism. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.privacytrust.com/drs/kldiscovery for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.gov/s/article/ANNEX-I-introduction-dpf.

(F) Data Security & Confidentiality

We have implemented appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of Processing, in accordance with Applicable Privacy Laws. Further, as required under Applicable Privacy Laws, we only process your Personal Data subject to all contractual requirements of confidentiality, imposing equivalent measures upon employees and subcontractors with access to such Personal Data.

Because the internet is an open system, the transmission of information via the internet is not completely secure. Although we will implement all reasonable measures to protect your Personal Data, we cannot guarantee the security of your data transmitted to us using the internet – any such transmission is at your own risk and you are responsible for ensuring that any Personal Data that you send to us are sent securely. However, we do take measures to secure data in transit using encryption protocols (e.g., TLS/SSL), and access controls once data reaches our environment.

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your Personal Data, we will respond according to the requirements of Applicable Privacy Laws in the jurisdictions where we operate, as follows:

European Union, EEA and United Kingdom Notification Requirements

We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms. We will also notify [you] promptly if the breach is likely to result in a high risk to your rights and freedoms.

United States Notification requirements

We will comply with state breach notification laws applicable to you. Please note that notification timeframes vary by state but generally range from 30 to 60 days. We will also notify relevant regulatory authorities as required by the applicable state laws.

Canada Notification requirements

We will notify the Privacy Commissioner of Canada and you of breaches that pose a real risk of significant harm. We will maintain records of all breaches as required by PIPEDA.

Australia

We will comply with the Notifiable Data Breaches scheme for breaches likely to result in serious harm. We will notify the Office of the Australian Information Commissioner and you.

In other jurisdictions in which we operate, we will report breaches according to Applicable Privacy Law.

(G) Data Accuracy

We take every reasonable step to ensure that:

  • your Personal Data that we Process are accurate and, where necessary, kept up to date; and
  • any of your Personal Data that we Process that are inaccurate (having regard to the purposes for which they are Processed) are erased or rectified without delay.

From time to time, we may ask you to confirm the accuracy of your Personal Data. You may also request a correction by contacting us at the contact details provided in Section (P) below.

(H) Data Minimisation

We take every reasonable step to ensure that your Personal Data that we Process are limited to the Personal Data reasonably required in connection with the purposes set out in this Policy (including the provision of Services to you).

(I) Data Retention

We take every reasonable step to ensure that your Personal Data is only Processed for the minimum period necessary for the purposes set out in this Policy. We will retain copies of your Personal Data in a form that permits identification only for as long as:

  • we maintain an ongoing relationship with you (e.g., where you are a user of our services, or you are lawfully included in our mailing list and have not unsubscribed);
  • your Personal Data are necessary in connection with the lawful purposes set out in this Policy, for which we have a valid legal basis (e.g., where your personal data are included in a contract between us your employer, and we have a legitimate interest in processing those data for the purposes of operating our business and fulfilling our obligations under that contract); or
  • we receive your consent to store the data for a longer period of time (e.g. in the case of application documents for a later job offer).

Additionally, we will retain Personal Data for the duration of:

  • any applicable limitation period under Applicable Privacy Laws (i.e., any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant); and
  • an additional two (2) month period following the end of such applicable limitation period (so that, if a person brings a claim at the end of the limitation period, we are still afforded a reasonable amount of time in which to identify any Personal Data that are relevant to that claim).

In the event any relevant legal claims are brought, we may continue to Process your Personal Data for such additional periods as are necessary in connection with that claim.

During the periods noted above in relation to legal claims, we will restrict our Processing of your Personal Data to storage of, and maintaining the security of, the Personal Data, except to the extent that the Personal Data needs to be reviewed in connection with any legal claim, or any obligation under applicable law.

Once the periods above, each to the extent applicable, have concluded, we will either: (i) permanently delete or destroy the relevant Personal Data; or (ii) anonymize the relevant Personal Data. In the case of anonymization, we ensure such data cannot be re-identified using reasonable technical and organizational measures.

(J) Your legal rights

Subject to Applicable Privacy Laws, you may have a number of rights regarding the Processing of your Personal Data. These rights vary by jurisdiction, but generally include:

  • the right not to provide your Personal Data to us (however, please note that we will be unable to provide you with the full benefit of our Websites or Services, if you do not provide us with your Personal Data – e.g., we might not be able to process your requests without the necessary details);
  • the right to request access to, or copies of, your Personal Data that we Process or control, together with information regarding the source, purpose and nature of processing and disclosure of those Personal Data;
  • the right to request rectification of any inaccuracies in your Personal Data that we Process or control;
  • the right to request, on legitimate grounds:
    • erasure/deletion of your Personal Data that we Process or control; or
    • restriction of Processing of your Personal Data that we Process or control;
  • the right to object, on legitimate grounds, to the Processing of your Personal Data by us or on our behalf;
  • the right to have your Personal Data that we Process or control transferred to another Controller, to the extent applicable and technically feasible, in a structured, commonly used and machine-readable form;
  • the right to know the Personal Data held by KLDiscovery and details of the collection of the same, no more than twice in any 12 (twelve) month period;
  • the right to withdraw your consent to Processing, where the lawfulness of processing is based on consent (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases);
  • the right to opt out of disclosure of your Personal Data to third parties in compliance with this Policy (however please note that we will be unable to provide you with the full benefit of our Websites or Services if such an opt-out request is made); and
  • the right to opt out of your Personal Data being used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by You and which purpose is set out in this Policy.

Additional rights by jurisdiction:

European Union, EEA and the United Kingdom: Under the GDPR and UK GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you.

California, United States: Under the CCPA/CPRA, you have the right to opt-out of the sale or sharing of your Personal Information, limit the use of your Sensitive Personal Information, and the right to non-discrimination for exercising your privacy rights.

Other US States: Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have additional rights, including the right to opt out of targeted advertising and profiling in certain contexts.

Canada: Under Canada's Personal Information Protection and Electronic Documents Act (commonly referred to as "PIPEDA") and provincial privacy laws, you have the right to challenge the accuracy and completeness of your information and have it amended as appropriate.

Australia: Under the Privacy Act 1988, you have the right to request access to and correction of your Personal Information and to complain to the Office of the Australian Information Commissioner.In other jurisdictions in which we operate, we will comply in regard to your legal rights with Applicable Privacy Law.

This does not affect your statutory rights. We do not discriminate against you for any exercise of your rights provided for under Applicable Privacy Laws. We reserve our rights for verification of your identity in the event that you exercise any such rights under Applicable Privacy Laws.

IMPORTANT NOTICE

Subject to Applicable Privacy Law, you may also have the following additional rights regarding the Processing of your Personal Data:

  • the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR; and
  • the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

To exercise one or more of these rights, or to ask a question about these rights or any other provision of this Policy, or about our Processing of your Personal Data, please use the contact details provided in Section (P) below. We will respond to verifiable requests within the timeframe required by Applicable Privacy Law (generally 30-45 days, depending on jurisdiction).

If we are providing you with Services based on orders, such provision of Services is regulated by contractual terms provided to you. In case of discrepancies between such terms and this Policy, this Policy is supplementary.

(K) Cookies and Similar Technologies

A cookie is a small file that is placed on your device when you visit a website (including our Websites). It records information about your device, your browser and, in some cases, your preferences and browsing habits. We may Process your Personal Data through cookie technology, in accordance with our Cookie Policy, which also describes how our Consent Tool works. Using our Consent Tool, you are able to approve or reject the setting of cookies that are not strictly necessary. Where required by Applicable Privacy Law (e.g., EU or UK), we do not set non-essential cookies (e.g., analytics or advertising cookies) unless you have given your prior consent.

We recognize Global Privacy Control (“GPC”) signals and other legally required browser-based opt-out mechanisms where applicable, including under California’s Privacy Rights Act (“CPRA”) and other US state privacy laws.

(L) Analysis Tools and Tools by Third-Party Providers

There is a possibility that your browsing patterns will be statistically analysed when you visit this website. Such analyses are performed primarily with what we refer to as analysis programs. You can find detailed information about these different analysis programs here: Use of Third-Party Tools.

Where required by Applicable Privacy Law, these tools are only activated based on your consent. You may opt out using our Consent Tool or browser settings as described in our Cookies Policy.

(M) Use of Social Media

We do not use Social Media plug-ins on our Website. Social Media websites can only be reached via links from our Website. Therefore, no Personal Data is transmitted to any Social Media website when visiting our Website.  You can find detailed information about our use of Social Media here: Use of Social Media.

(N) Terms of Use

All use of our Websites is subject to our Terms of Use.  We recommend that you review our Terms of Use regularly, in order to review any changes we might make from time to time.

(O) Direct Marketing

Subject to applicable law, where you have provided explicit consent in accordance with the applicable law or where we are sending you advertising and marketing communications relating to our similar products and services, we may Process your Personal Data to contact you via email, telephone, direct mail or other communication formats to provide you with information or Services that may be of interest to you. If we provide Services to you, we may send information to you regarding our Services, upcoming promotions and other information that may be of interest to you, using the contact details that you have provided to us and always in compliance with applicable law.

You may unsubscribe from our promotional email list or newsletters at any time by simply clicking on the unsubscribe link included in every email or newsletter we send. After you unsubscribe, we will not send you further emails, but we may continue to contact you to the extent necessary for the purposes of any Services you have requested.

We do not engage in profiling for marketing purposes that produces legal or similarly significant effects unless permitted by, and in accordance with, Applicable Privacy Law or based on your prior consent.

(P) Details of Controllers

The Controllers in respect of whom this policy is issued are as follows:

Country Corporate Name Registered Address and Contact

UK

KLDiscovery Ontrack Limited

UK Data Privacy Queries, Nexus, 25 Farringdon Street, London, EC4A 4AB Data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

KLDiscovery Limited

UK Data Privacy Queries, Nexus, 25 Farringdon Street, London, EC4A 4AB Data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Ireland

KLDiscovery Limited

Irish Data Privacy Queries, 25–28 North Wall Quay, Dublin 1, D01 H104 Email: Data- protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo mauro.narduzzo@privacytrust.com

Denmark

Ibas Ontrack ApS

Danish Data Privacy Queries, C/O Regus Center Christians Brygge 28, 1559 København V Danmark-data-beskyttelse@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Finland

Ibas Ontrack Oy

Finnish Data Privacy Queries, Mannerheimintie 12 B, 00100 Helsinki Datan-suojelu@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Netherlands

KLDiscovery Ontrack B.V.

Dutch Data Privacy Queries, De Brand 22, 3823 LJ Amersfoort Gegevensbescherming@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Sweden

Ibas Ontrack AB

Swedish Data Privacy Queries, Box 1005, 751 40 Uppsala Dataskydd@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Norway

Ibas Ontrack AS

Norwegian Data Privacy Queries, Fjellgata 2, 2212 Kongsvinger Data-beskyttelse@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Germany

KLDiscovery Ontrack GmbH

German Data Privacy Queries, Hanns-Klemm-Str. 5, 71034 Böblingen Datenschutz@kldiscovery.com or our external data protection officer: Edmund Hilt ehilt@hilt-evolution.com

Italy

KLDiscovery Ontrack Srl

Italian Data Privacy Queries, Gallarte (VA) Via Marsala 34/A CAP 21013 Protezione-dati@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Poland

KLDiscovery Ontrack Sp. z o.o

Polish Data Privacy Queries, Katowice (40-082), ul. Jana III Sobieskiego 11 Ochrona-danych@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Singapore

KLDiscovery Ontrack Pte Ltd

Singapore Data Privacy Queries, 10 Collyer Quay 10 - 01, Ocean Financial Centre, 049315 Singapore-data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

China

KLDiscovery Ontrack Information Technology Service (Shanghai) Co., Ltd

Chinese Data Privacy Queries, Room 1004, Floor 10, Jing'An Kerry Centre Building 1 (North Building), No. 1515, West Nanjing Road, Jing'an District, Shanghai China-data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Japan

KLDiscovery Ontrack K.K.

Japanese Data Privacy Queries, 2-2-3 Uchisaiwaicho Chiyoda-ku, Tokyo 100-0011 Japan-data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Hong Kong

KLDiscovery Ontrack (HK) Limited

Hong Kong Data Privacy Queries, Room 1702, 17/F Central Plaza, 18 Harbour Road, Wanchai Hongkong-data-protection@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Spain

KLDiscovery Ontrack SL

Spanish Data Privacy Queries, Pº del Club Deportivo, 1, edif. 4, 1ª planta, Pozuelo de Alarcón, Madrid, 28223 Proteccion-de-datos@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

France

KLDiscovery Ontrack Sarl

French Data Privacy Queries, 2, impasse de la Noisette, 91371 Verriéres-le-Buisson Cedex 413 Protection-des-donnees@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Switzerland

KLDiscovery Ontrack (Switzerland) GmbH

Swiss Data Privacy Queries, Hertistrasse 25, 8304 Wallisellen Datenschutz@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Australia

KLDiscovery Ontrack Pty Ltd

Australian Data Privacy Queries, 9/28 Donkin St, West End QLD 4101 Australia-data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

USA

KLDiscovery Ontrack, LLC

American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347 Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

KLDiscovery Inc

American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347 Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

KLDiscovery Holdings, Inc

American Data Privacy Queries, Attn: Andy Southam, 9023 Columbine Road, Eden Prairie, MN 55347 Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Canada

KLDiscovery Ontrack Canada Co

Canadian Data Privacy Queries, 600-1741 Lower Water Street, Halifax, Nova Scotia, B3J 0J2 Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Greece

KLDiscovery Ontrack Single Member Private Company

Greek Data Privacy Queries, 15 Theanos Street, 11854 Athens Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

India

KLDiscovery India Technology Services Private Limited

India Data Privacy Queries, No. 8, Perungudi Industrial Estate, Perungudi, Chennai, Tamil Nadu – 600096 Data-privacy@kldiscovery.com or our external data protection officer: Mauro Narduzzo, mauro.narduzzo@privacytrust.com

Please note that, where a Controller is listed outside the European Union, you may contact the entity in your jurisdiction.

In certain circumstances, multiple KLDiscovery entities may act as joint controllers when providing services. Where this occurs, we have established arrangements determining our respective responsibilities. A summary of these arrangements is available upon request using the contact details in this Section (P).

(Q) Representatives

Each of the controllers established outside the EEA and listed in Section (P) above has appointed KLDiscovery Ontrack GmbH, Hanns-Klemm-Str. 5, 71034 Böblingen, Germany to be its representative the purposes of Article 27 of the GDPR.

Each of the controllers established outside the UK and listed in Section (P) above has appointed KLDiscovery Limited, Nexus, 25 Farringdon Street, London, EC4A 4AB to be its representative the purposes of Article 27 of the UK GDPR.

These representatives may be contacted for inquiries related to your rights under GDPR and UK GDPR.

(R) Definitions

  • ‘Applicable Privacy Laws’ means, jointly, the GDPR, UK GDPR, California’s Consumer Privacy Act as subsequently amended by the CPRA (commonly referred to as “CCPA”), the Virginia Consumer Data Protection Act (commonly referred to as “VCDPA”), the Colorado Privacy Act (commonly referred to as “CPA”), the Utah Consumer Privacy Act (commonly referred to as “UCPA”), the Connecticut Data Privacy Act (commonly referred to as “CTDPA”), Iowa Consumer Data Protection Act (commonly referred to as “ICDPA”), Montana Consumer Data Privacy Act (commonly referred to as “MCDPA”), Nebraska Data Privacy Act (commonly referred to as “NDPA”), New Hampshire Senate Bill 255, New Jersey Senate Bill 332, Oregon Consumer Privacy Act (commonly referred to as “OCPA”), Texas Data Privacy Act (commonly referred to as “TDPA”) and other applicable federal and state laws, regulations, and binding legal requirements governing the processing, security, and protection of personal data within the United States; Canada's PIPEDA and provincial privacy laws; Australia's Privacy Act 1988 and Australian Privacy Principles; Singapore's Personal Data Protection Act (commonly referred to as "PDPA"); Hong Kong's Personal Data (Privacy) Ordinance (commonly referred to as "PDPO"); Japan's Act on the Protection of Personal Information (commonly referred to as "APPI"); and other similar laws, regulations, and binding legal requirements governing the processing, security, and protection of Personal Data in the jurisdictions where we operate.
  • ‘Controller’ means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the Controller has primary responsibility for complying with applicable data protection laws.
  • ‘Data Protection Authority’ means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws.
  • ‘EEA’ means the European Economic Area.
  • ‘GDPR‘ means the General Data Protection Regulation (EU) 2016/679.
  • ‘Personal Data’ means information that is about any individual, or from which any individual is directly or indirectly identifiable in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
  • ‘Process’, ‘Processing’ or ‘Processed’ means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • ‘Processor’ means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller).
  • ‘Services’ means any services or products provided by KLDiscovery.
  • ‘Sensitive Personal Data’ means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that may be deemed to be sensitive under applicable law.
  • ‘Standard Contractual Clauses’ means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission.
  • ‘UK GDPR’ means the GDPR as it forms part of the laws applicable in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018, and as applied and modified by Schedule 2 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) or as modified time to time by other laws applicable in the UK).

August 1, 2025
View full post