Our Commitment to Privacy.

Last Updated July 23, 2023

The Kreller Group Family of Companies includes Kreller Business Information Group, Inc. (dba Kreller Group), Kreller Solutions, Inc. (dba Kreller Credit), The Kreller Consulting Group, Inc. and Kreller Smith Brandon, Inc. (dba Smith Brandon International). As a global company which conducts business in the electronic marketplace, we believe that it is our responsibility to set industry‐leading standards in our approach to the protection of Personal Information. Not only do we strive to collect, use and disclose Personal Information in a manner consistent with the laws of the countries in which we do business, but we also aim to uphold the highest ethical standards in our business practices.

We comply with the Fair Credit Reporting Act (FCRA) and all federal, state and country specific legal requirements. As part of our commitment to privacy, Kreller complies with the EU General Protection Regulation (‘GDPR’) in respect of any personal data we process on behalf of our clients who are subject to the GDPR as data controllers. See our GDPR policy below for details.

Data Privacy Framework Policy

With the adoption of the Adequacy Decision on July 10, 2023, by the EU and the finalization of the EU-US Data Privacy Framework, Kreller has updated its privacy policy and policies with regards to how we process data in order to be compliant. Kreller will continue to utilize and maintain Standard Contractual Clauses with Data Controllers at their request.

Kreller complies with the EU-U.S. Data Privacy Framework program (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-US DPF) as set forth by the U.S. Department of Commerce.  Kreller has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.  Kreller has certified to the U.S. Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Program Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF.  If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The “Notice, Choice & Accountability for Onward Transfer” section of this Data Privacy Policy will also apply to California residents who visit our website (See CalOPPA Section below).

Definitions of Terms Used

“Personal Information” means information that is transferred from the EU, UK or Switzerland to the U.S.; is recorded in any form; and pertains to a specific individual or can be used to identify an individual, either directly or indirectly.

“Sensitive Personal Information” means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions or philosophical beliefs, trade union memberships or information concerning the sex life of the individual.

“Agent” means any third party that uses Personal Information provided by Kreller to perform tasks on behalf of or at the instruction of Kreller and who is bound by a Confidentiality Agreement.

“Processing” of Personal Information means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Notice, Choice & Accountability for Onward Transfer

‍Kreller does not collect Personal Information about individuals through its websites except when such individuals specifically provide such information on a voluntary basis such as through our subscription registration for news or blog updates, a request for samples or Whitepapers, employment submissions via the website or via an email sent to us through our website.

Kreller uses cookies on its websites. A “Cookie” is a small text file created by a website you visit that is stored on your computer either temporarily or permanently. Cookies do not store Personal Information about you, unless you knowingly provide it. Cookies provide a way for the website to recognize you and keep track of your preferences. For example, cookies allow our websites to recognize your browser as a previous visitor, and thus save and remember any preferences that may have been set while you were previously browsing our websites. You have control over the use of cookies. Most Web browsers are set to accept cookies by default. If you prefer, you can choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect your Internet experience, disabling certain functions. You can also erase cookies that are already on your computer. Currently, various browsers offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to websites visited by the user about the user’s browser DNT preference setting. At this time, Kreller does not respond to DNT signals, whether that signal is received on a computer or on a mobile device. It should be noted that if you click on a link to a third-party website or service provided on our website, a third party may transmit cookies to you. This Privacy Policy does not cover the use of cookies by any third parties, and we aren’t responsible for their privacy policies and practices. Please be aware that cookies placed by third parties may continue to track your activities online even after you have left our Services, and those third parties may not honor “Do Not Track” requests you have set using your browser or device.

Kreller enters into agreements with client organizations that provide us with individuals’ Personal Information in order for us to provide investigative or business credit services in a manner consistent with and limited to the purpose for which the data subject provided their Personal Information. Kreller is committed to safeguarding our client confidences, including any Personal Information received from or about our clients or from or about their third-party business associates, including information which is hosted on KOL (Kreller’s risk management system) and Kreller’s Case Management System. Kreller will not share Personal Information with third parties for purposes other than those in support of Kreller’s business operations and as necessary to facilitate the purpose for which it was provided. Kreller personnel, third party agents and third-party administrators are required to treat this information confidentially and to use and disclose it only to provide the services for which Kreller was retained. Accordingly, Kreller has in place written agreements with client organizations using our services, as well as our third-party agents and administrators which require, amongst other things, that parties safeguard Personal Information, and abide by all applicable laws.  For our clients who are subject to the GDPR, the agreements will set forth a permissible basis for the onward transfer of Personal Information from the EU, EEA, UK or Switzerland to the United States. Except as set forth in this privacy statement, Kreller does not disclose Personal Information received from its clients to third parties without its clients’ consent. To the extent permitted by the DPF, the FCRA and other applicable laws, Kreller reserves the right to process Personal Information in the course of our internal business operation without the knowledge of the individuals involved. Kreller does not provide Personal Information to third parties for their marketing purposes.  In cases of onward transfer of EU Personal Data, Kreller has the responsibility for the processing of personal data it receives under the DPF and subsequently transfer to a third party acting as an agent on its behalf.  Kreller shall remain liable if the agents we engage to process such personal information do so in a manner inconsistent with the DPF Principles, unless Kreller proves that it is not responsible for the event giving rise to the damage.

Kreller will offer individuals the opportunity to choose (opt out) whether their Personal Information is (a) to be disclosed to a non-Agent or non-third-party administrator or (c) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, we will give individuals the opportunity to affirmatively and explicitly (opt in) consent to the disclosure of the information to a non-Agent third party or non-third-party administrator or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.

In the event you decide that you want to opt out from Kreller’s use of your Personal Information that you previously provided to Kreller, notify us by email at: privacy@kreller.com.

We may also be required to disclose your Personal Information in response to lawful requests by public authorities having jurisdiction over Kreller, including to meet national security or law enforcement requirements. We may also use or disclose your Personal Information, if necessary, to protect and defend the rights or interest of Kreller or others.

Kreller may, as a result of a sale, merger, consolidation, change in control, transfer of assets, reorganization or liquidation of our company, transfer, sell or assign your Personal Information to third parties involved in the aforementioned events.

Security, Data Integrity and Purpose Limitation

Kreller combines technical and physical safeguards with employee policies and procedures to protect your Personal Information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Kreller employs Secure Socket Layer (SSL) data encryption when data is transmitted over the Internet to our Website. We have installed layered firewalls and other security technologies to help prevent unauthorized access to our systems. The servers used to store Personal Information are maintained in a secure environment with appropriate security measures. Password protection protocols are utilized on all computers.

Furthermore, only employees and agents who need the information to perform a specific job are granted access to Personal Information and all employees and agents undergo a thorough background screening and/or vetting process and are trained to ensure that information is handled responsibly and in accordance with this Privacy Policy.

Kreller will use your Personal Information only in a manner that is compatible with the purpose for which it was collected or authorized by the individual or our client. Kreller will take commercially reasonable measures to ensure that Personal Information is accurate, complete, current, and otherwise reliable with regard to its intended use. Data will be retained only for as long as it serves its relevant purpose and in consideration of correlated compliance and legal considerations.


Kreller acknowledges that EU individuals have the right to access the personal information that we maintain about them. Upon request, and with proof of identity, we will grant individuals reasonable access to their Personal Information that Kreller holds about them in response to a lawful request by public authorities having jurisdiction over Kreller. Under such circumstances, Kreller will allow individuals to correct, amend, or delete that information that is demonstrated to be inaccurate or incomplete except where providing such access would be unreasonably burdensome or expensive in the circumstances or where the rights of persons other than the individual would be violated as a result. Additionally, access to Personal Information will be granted under the terms of the Fair Credit Reporting Act when information is processed or obtained related to a request which qualifies under the Fair Credit Reporting Act. Although we make every effort to ensure that the data we collect and store about you is as accurate as possible, we cannot guarantee that third parties are accurate in information that they transmit and therefore we are not responsible for the accuracy of the data that may be supplied by any third-party sources of information or our clients.

Recourse, Enforcement and Liability

Kreller is subject to the investigatory and enforcement powers of the Federal Trade Commission in connection with the processing of your Personal Information under the DPF Framework.

In compliance with the EU-US Data Privacy Framework Principles, Kreller commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles.  European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact our Privacy Officer, Harvey Rosen, at privacy@kreller.com.

Dispute Resolution for EU and Swiss Individuals

Kreller has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers  for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

EU GeneralData Protection Regulation (GDPR) Policy

This section only applies if we collect Personal Information from you pursuant to our contract with a client who is subject to the GDPR and if you are an individual residing in the European Union or European Economic Area or we collect the Personal Information from you while you are in the EU.

For purposes of the GDPR, our client will act as data “controller” and we will act as the data “processor” under the GDPR. Some of the provisions set forth in this GDPR Privacy Policy (namely, Categories of Personal Information Collected; Sharing your personal information; and Access) will also apply to California resident consumers who visit our website (See CalOPPA Section below).

Kreller Business Information Group, Inc. provides comprehensive business investigative services to help clients mitigate risk and maintain their stock value and corporate reputation.

As a global company which conducts business in the electronic marketplace, we believe it is our responsibility to set industry-leading standards in our approach to the protection of your personal data.  Not only do we strive to collect, use and disclose information in a manner consistent with the laws of the countries in which we do business, but we also aim to uphold the highest ethical standards in all our business practices.

In the context of both Kreller and our clients complying with GDPR in relation to personal data relating to people in the EU / EEA, this section explains:

  • What information we collect and why
  • How we use the information
  • What choices you have with respect to the information

What information do we collect?

"Personal information" is any information that can be used to identify you or that we can link to you.

We may collect and process personal information about you in the course of our business:

  • through your use of our website;
  • if you apply for employment or become employed by us;
  • if you are a supplier/partner;
  • if you are a client;
  • when we are engaged for investigative services;
  • when we are engaged for our 3rd party compliance platform (KOL); or
  • as a result of your relationship with one or more of our staff or clients.

The following categories of personal information may be collected and processed:

  • Contact information: your name, position, role, company or organization, telephone, email and postal address
  • Business information: data identifying you in relation to matters on which you instruct us or in which you are involved
  • Your logon ID and password: for access to Kreller's KOL platform
  • Supplier/partner data: contact details and other information about you or your company or organization where you provide products or services to Kreller
  • Social media: posts, Likes, tweets and other interactions with our social media presence
  • Technical information: when you visit our website and other platforms—information collected through cookies and other tracking technologies such as IP address, URL, browser type and version, time zone setting, traffic data, location data, browser plug-in types and versions, operating system you are using, device type, hardware model, unique identifiers and mobile network information, web logs, and the resources that you access
  • Information from public sources: such as LinkedIn and other professional networks, online directories, internet publications, etc.
  • Identity data: first name, maiden name, last name, username, marital status, title, date of birth, ID number, photograph, gender, etc.
  • In relation to candidates and employees: CV/resume, certifications, licenses, references, education, criminal record, driver record, employment history
  • In connection with investigative services: where this is necessary to conduct the investigation or services
  • In relation to candidates and employees: CV/resume, certifications, licenses, references, education, criminal record, driver record, employment history
  • In connection with investigative services: where this is necessary to conduct the investigation or services
  • Special categories of personal data: information on memberships in political parties and trade unions and media reports regarding political candidacy, political positions held or membership in trade unions, specifically as it relates to being a Politically Exposed Person or having political or other types of influence
  • Criminal record data; where permitted by national law and appropriate to do so

What information do we collect?

Kreller and its clients may process your information because:

  • Processing is necessary for the performance of a contract with you or to take steps to enter into a contract
  • You have given explicit permission (consent) to do so
  • Processing is necessary for compliance with a legal or regulatory obligation
  • Processing is necessary in order to protect your vital interests or those of another person
  • Processing is necessary for our legitimate interest or a third party's legitimate interest in carrying out business

The following are examples of how we and our clients may use your personal information:

  • Providing investigative services such as: 3rd party anti-bribery due diligence, pre-M&A and JV due diligence, litigation support, pre-charitable contributions due diligence, franchise due diligence, conflict of interest investigations, and ethics investigations
  • Providing our 3rd party compliance platform services
  • Managing our business and relationship with you or your company or organization
  • Understanding and responding to inquiries and client feedback
  • Understanding how our clients use our services and websites
  • Improving our services and offerings
  • Ensuring our systems and premises are secure
  • Managing our supply chain
  • Direct marketing
  • Fraud prevention

Where does the information we collect come from?

Personal information may be provided to us by you, your employer, a company or organization who is our client or our suppliers.

Information may come from:

  • Information you provide to us - such as contact details that you provide when you request sample reports or request other services or when you respond to our communications or apply for a job
  • Information we may collect automatically-such as browser cookies and similar technologies
  • Information we collect from other sources, for example, we may receive your personal information on a questionnaire provided by our client in connection with our provision of investigative services and/or client management platform services or we may obtain your personal data from information held in the public domain such as at a corporate registry or courthouse

Your rights about your personal information

Under certain circumstances, and subject to local law, you may have the following rights under data protection laws with relation to the personal data we and our clients hold about you:

  • Right to be informed - you have the right to be informed about the collection and use of your personal data
  • Right of access-you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete
  • Right to erasure – in certain circumstances, you can ask for the data we hold about you to be erased from our records
  • Right to restrict processing – where certain conditions apply, you have the right to restrict the processing
  • Right to data portability – you have the right to have the data we hold about you transferred to another organization
  • Right to object – you have the right to object to certain types of processing such as direct marketing
  • Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling
  • Right to withdraw consent–if we rely on your consent as our legal basis for processing your personal information, you have the right to withdraw that consent at any time
  • Right to complain –If you are not satisfied with our use of your personal information for our response to any request by you to exercise your data protection rights, or if you think that we have breached any relevant data protection laws, then you have the right to complain to the authority that supervises our processing of your personal information

Sharing your personal information

Kreller will not share any personal information with third parties unless required by law, required to enable the fulfilment of the purpose for which the personal information was originally supplied or as otherwise set out in this policy.

We may share certain types of personal data with our affiliated companies, but only for the purposes set out in this privacy policy and we remain responsible for the management and security of your personal information.

Lastly, we may permit select third parties to access your personal information for the purposes outlined in this privacy policy. Kreller remains liable to you in respect of our obligations concerning your personal data in cases of onward transfers to third parties. Any transfer of your personal information will be compliant with applicable data protection law.

In submitting personal information to our website, the user is giving explicit consent for such usage. In the circumstances of a merger or sale of part or all of our business, personal information held by us will be one of the transferred assets.

Protection and storage of the information we collect

We use a combination of administrative,technical, personnel and physical measures designed to comply with applicablelegal requirements to safeguard the Personal Data in our possession againstaccidental, unlawful or unauthorized loss, use, access, disclosure ormodification. In addition, we limit access to your personal data to thoseemployees, agents, contractors and other third parties who have a business needto know such data. They will only process your personal data on our instructions,and they are subject to a duty of confidentiality. Although we will do our bestto protect your personal information, we cannot guarantee the absolute securityof your personal information and any transmission is at your own risk. Once wereceive your personal information, we use strict procedures and securityfeatures to try to prevent unauthorized access. We have put in place proceduresto deal with any suspected personal data breach and will notify you and anyapplicable regulator of a breach where we are legally required to do so.

We will retain your Personal Data for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.

International data transfers

We are headquartered in the United States, and we will process your personal information in the United States. Your personal information will be transferred to and stored in the United States. When we transfer personal information from the European Union (EU) or the European Economic Area (EEA) to the United States, we will implement appropriate and suitable safeguards to ensure that such data will be protected as required by applicable data protection law. Our Data Privacy Framework certification confirms this.

Processor Obligations

The GDPR places certain obligations on Processors of Personal Data. As a Processor of Personal Data, Kreller will:

  • Only process Personal Information to the extent and for the purpose authorized by our client (the “Controller”)
  • Inform Controller, without undue delay, if any instructions provided by Controller may infringe upon GDPR law
  • Implement appropriate technical and organizational measures to protect the security of data
  • Inform the Controller without undue delay upon learning of a breach
  • Ensure all individuals authorized to process the data have committed to confidentiality agreements
  • Assist Controller in handling data subject access rights requests
  • Assist Controller with obligations around security and requests from supervisory authorities
  • Be available and able to assist Controller with compliance obligations
  • Delete or return all data upon Controller request or requirement
  • Outline any data transfers outside EEA and describe safeguards which will protect the data
  • Assist Controller with audits
  • Ensure any engagement of sub-processors meet same obligations required by the Controller
  • Only engage sub-processors upon approval of Controller

How can you contact us?

The Kreller Business Information Group, Inc. (Kreller) is registered in the state of Ohio, USA under Charter Number 801410. If you have any questions about this Privacy Policy or regarding any other privacy matters, please contact us at:

The Kreller Business Information Group, Inc.
817 Main Street, Suite 700
Cincinnati, Ohio 45202 USA
Phone: +1 513-723-8900
Email: privacy@kreller.com

Links to Other Sites

This website may contain links to third party sites which operate independently of Kreller. We provide these links merely as a convenience and the inclusion of such links does not necessarily imply an endorsement or warranty of those links or their associated websites. These sites have established their own privacy and security policies. For the best online experience, we encourage you to review these policies before submitting any Personal Information through these sites.

Children’s Online Privacy Protection Rule (COPPA)

Kreller does not knowingly collect information from children under the age of 13 and does not target its websites to children under 13. Please contact us at privacy@kreller.com if you believe we have inadvertently collected Personal Information of a child under 13 without proper parental consent so that we may delete such data as soon as possible.

California Consumer Privacy Act of 2018 (CCPA)

We are not subject to the California Consumer Privacy Act of 2018 because we do not meet the definition of “business” under Section 1798.140 of the California Civil Code. In the event we receive Personal Information from a client or third party who is subject to the CCPA, we agree to the following restrictions on our use or disclosure of this Personal Information, and we hereby certify that we understand these restrictions and will comply with them. We are prohibited from:

(i) Selling the Personal Information;

(ii) Retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the services specified in our contract with our client, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and

(iii) Retaining, using, or disclosing the information outside of the direct business relationship between us and our client.

California Online Privacy Protection Act (CalOPPA)

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California resident consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared, and to comply with this policy. Learn more about CalOPPA at the Consumer Federation of California’s website. The GDPR and Data Privacy Framework sections of this Privacy Policy listed below will apply to California resident consumers covered by the CalOPPA.

In compliance with CalOPPA, we certify to the following:

  • We created a privacy policy and added a link to it on our home page.
  • Our privacy policy link includes the word “privacy,” and can easily be found on this page.
  • Users can view any privacy policy changes by re-visiting this web page.
  • Users are able to change their Personal Information by emailing us.
  • We do not collect Personal Information about your online activities over time and across third-party websites or online services.
  • For information about the categories of Personal Information we collect see GDPR Policy: Categories of Personal Information Collected.
  • For information about the identities of third-party entities with whom we may share your Personal Information see GDPR Policy: Sharing your personal information.
  • For information about the process by which you may review and request changes to any of your Personal Information, see GDPR Policy: Access.
  • For information about our response to “do not track” signals or other mechanisms that provide you with the ability to exercise choice regarding the collection of Personal Information, see our Data Privacy Framework Policy: Notice, Choice & Accountability for Onward Transfer.

Updates to this Privacy Policy

Kreller reserves the right to amend this Privacy Policy at any time without notice. However, if we change how we use your Personal Information, we will post the policy change notification on the website and we will update this Privacy Policy accordingly. We encourage you to periodically review this Privacy Policy for the latest information on our privacy and security policies.

Contact Us

If you have any concerns regarding the collection and use of your Personal Information or any other privacy matters, please contact us at:

The Kreller Group Family of Companies

817 Main Street, Suite 700 Cincinnati, Ohio 45202 USA


The foregoing policy is effective as of March 1, 2020.