PRIVACY POLICY

Mission & Data

Effective Date: October 1, 2020 | Last Updated: May 1, 2026

EU-U.S. DATA PRIVACY FRAMEWORK NOTICE

Mission & Data ("Company," "we," "us," or "our") complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. The Company has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Our adherence to the EU-U.S. DPF Principles extends to personal data received from the United Kingdom and Gibraltar under the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension Principles, the Principles shall govern.

 

1.  Introduction

This Privacy Policy describes how Mission & Data ("Company," "we," "us," or "our"), a company incorporated under the laws of Delaware, USA, collects, uses, discloses, and protects personal data of individuals in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), Switzerland, and other jurisdictions, in connection with our strategy consulting for organizations.

We are committed to protecting the privacy and security of your personal data and to processing it in a transparent, fair, and lawful manner, consistent with applicable data protection laws including, where applicable, the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the EU-U.S. Data Privacy Framework.

 

2.  Scope and Covered Data

This Privacy Policy applies to personal data we receive from:

•       Individuals located in the European Union and European Economic Area;

•       Individuals located in the United Kingdom and Gibraltar under the UK Extension to the EU-U.S. DPF;

•       Individuals located in Switzerland under the Swiss-U.S. DPF; and

•       Other individuals whose personal data we process in connection with our products, services, or business activities.

 

"Personal data" means any information that relates to an identified or identifiable natural person. This includes, but is not limited to, names, contact details, identification numbers, online identifiers, location data, and any other information that could directly or indirectly identify an individual.

 

3.  EU-U.S. Data Privacy Framework and UK Extension

3.1  Commitment

Our adherence to the EU-U.S. DPF Principles expressly extends to personal data received from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF. The same level of protection afforded to EU personal data under the EU-U.S. DPF Principles is applied to UK personal data received under the UK Extension.

3.2  DPF Principles Governing Our Practices

As required under the EU-U.S. DPF and the UK Extension, we adhere to the following Principles with respect to all covered personal data:

•       Notice — We provide clear notice of our data practices, the types of personal data collected, the purposes of processing, and your rights;

•       Choice — We offer individuals the opportunity to opt out of disclosures of their personal data to third parties (other than agents) or uses for a materially different purpose than originally collected;

•       Accountability for Onward Transfer — We take responsibility for transfers of personal data to third parties and ensure they provide the same level of protection as required by the Principles;

•       Security — We implement reasonable and appropriate technical and organizational measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction;

•       Data Integrity and Purpose Limitation — We collect and process personal data only to the extent it is relevant for the purposes of processing and take reasonable steps to ensure it is accurate, complete, current, and reliable;

•       Access — We provide individuals the right to access their personal data and to correct, amend, or delete it where it is inaccurate or has been processed in violation of the Principles;

•       Recourse, Enforcement, and Liability — We provide effective mechanisms to address complaints and disputes, and are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

3.3  Supervisory Authority

The U.S. Federal Trade Commission (FTC) has jurisdiction over Mission & Data's compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

 

4.  Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

4.1  Information You Provide Directly

•       Identity data: name, ID numbers, date of birth, gender, race/ethnicity

•       Contact data: email address, postal address, telephone number;

 

4.2  Information We Collect Automatically

•       Technical data: IP address, browser type, device identifiers, operating system;

•       Usage data: pages visited, features used, clickstream data, referring URLs;

4.3  Information from Third Parties

•       Data from business partners, service providers, analytics providers, and publicly available sources;

•       Employment or professional information where relevant to providing services.

 

5.  Purposes of Processing and Legal Basis

We process your personal data for the following purposes:

•       To provide, maintain, and improve our products and services;

•       To fulfill contractual obligations;

•       To send marketing communications where you have provided consent or where we have a legitimate interest;

•       To comply with legal obligations, including applicable EU, UK, and U.S. laws and regulations;

•       To protect the rights, property, and safety of the Company, our customers, and others;

•       To detect, prevent, and address fraud, security breaches, and technical issues;

•       To conduct analytics and improve our business operations.

 

Where required by applicable law (including the GDPR and UK GDPR), we will identify an appropriate legal basis for processing, including consent, contractual necessity, compliance with legal obligations, or our legitimate interests, considering your interests and rights.

 

6.  Onward Transfers to Third Parties

6.1  General

We may share your personal data with third parties as described below. Before transferring personal data received under the EU-U.S. DPF or the UK Extension to a third-party agent or service provider, we will:

•       Enter into a written contract with the recipient that limits the use of personal data to the purposes consistent with the instructions of the relevant data subject and this Privacy Policy;

•       Require the recipient to provide at least the same level of protection as required by the DPF Principles;

•       Take reasonable and appropriate steps to ensure the recipient is processing personal data consistent with our obligations under the DPF Principles;

•       Require the recipient to notify us if it determines it can no longer meet its obligations; and

•       Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.

6.2  Third Parties with Whom We Share Data

•       Service Providers & Agents: Companies that provide services on our behalf (e.g., hosting, analytics, payment processing, customer support);

•       Business Partners: Third parties with whom we collaborate to offer products or services;

•       Legal and Regulatory Authorities: Law enforcement, regulators, courts, and other authorities where required by law;

•       Corporate Transactions: In connection with mergers, acquisitions, or sales of business assets;

•       With Your Consent: Other third parties to whom you have consented to disclosure.

6.3  Liability for Onward Transfers

In cases of onward transfers to third parties, Mission & Data may be liable under the EU-U.S. DPF Principles and the UK Extension if such a third party processes personal data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

 

7.  Your Rights

7.1  Rights Under the DPF Principles

Individuals whose personal data we hold under the EU-U.S. DPF and the UK Extension have the following rights:

•       Access: The right to access personal data we hold about you and to know how it is processed;

•       Correction: The right to correct inaccurate or incomplete personal data;

•       Deletion: The right to request deletion of your personal data in certain circumstances;

•       Restriction: The right to request that we limit processing of your personal data;

•       Objection: The right to object to processing of your personal data in certain circumstances;

•       Portability: The right to receive a copy of your personal data in a structured, machine-readable format;

•       Opt-Out: The right to opt out of the use of your personal data for direct marketing purposes and, where applicable, to opt out of disclosures to third parties.

7.2  Sensitive Personal Data

Sensitive personal data (e.g., data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data) will only be processed where we have obtained your express affirmative consent (opt-in), or as otherwise permitted by the EU-U.S. DPF Principles and applicable law.

7.3  How to Exercise Your Rights

To exercise any of the above rights, please contact us using the details in Section 12. We will respond to your request within a reasonable timeframe and in accordance with applicable law. We may need to verify your identity before processing your request. We do not charge a fee for reasonable requests, but may charge for manifestly unfounded or excessive requests.

 

8.  Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information when you visit our website or use our services. You may control the use of cookies through your browser settings and our consent management tools. For more information, please see our [Cookie Policy].

 

9.  Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. When determining the appropriate retention period, we consider the nature and sensitivity of the data, the purposes for which it is processed, and applicable legal obligations.

When personal data is no longer required, we will securely delete or anonymize it in accordance with our data retention schedule.

 

10.  Data Security

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are reviewed and updated regularly. However, no method of transmission over the internet or method of electronic storage is 100% secure.

In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authorities and, where required, affected individuals, in accordance with applicable law.

 

11.  Dispute Resolution, Recourse, and Enforcement

11.1  Internal Complaints

If you have a question or complaint regarding our processing of your personal data, please contact us at the address provided in Section 12. We will investigate and attempt to resolve your complaint within 45 days.

11.2  Independent Recourse Mechanism — EU and UK Individuals

In compliance with the EU-U.S. DPF Principles and the UK Extension Principles, Mission & Data commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU and UK individuals with inquiries or complaints should first contact Mission & Data at the address in Section 12.

 

Mission & Data has further committed to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and UK Extension to UK Information Commissioner’s Office (ICO), an alternative dispute resolution provider located in the United Kingdom. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://ico.org.uk/ for more information or to file a complaint. The services of the dispute resolution provider are provided at no cost to you.

11.3  Arbitration

As a last resort, and under certain conditions, EU and UK individuals may invoke binding arbitration before the Data Privacy Framework Panel pursuant to Annex I of the EU-U.S. DPF Principles. This option is available after other dispute resolution mechanisms have been exhausted. For more information, please visit https://www.dataprivacyframework.gov/.

11.4  FTC Enforcement

Mission & Data is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to its DPF certifications. The FTC has jurisdiction to hear complaints and take enforcement action against the Company for failure to comply with the EU-U.S. DPF Principles or the UK Extension Principles.

11.5  Government Requests

When required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, we will comply with applicable law. We will make reasonable efforts to notify individuals of such disclosures where permitted by law.

 

12.  Contact Information

For questions, concerns, or to exercise your rights under this Privacy Policy or the DPF Principles, please contact our Privacy/Data Protection Officer:

 

Mission & Data

Attn: Privacy Officer / Data Protection Officer

PO Box #857

Richboro, PA 18954

Email: contact@missionandddata.com

Telephone: (866) 422-8473

 

If you are located in the EU/EEA or the UK, you also have the right to lodge a complaint with the relevant data protection supervisory authority in your country of residence or place of work. A list of EU supervisory authorities is available at https://edpb.europa.eu/. The UK supervisory authority is the Information Commissioner's Office (ICO), which can be reached at https://ico.org.uk/.

 

13.  Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of material changes by posting the updated policy on our website with a new effective date, and, where required by law, by providing direct notice to affected individuals.

Your continued use of our services after the effective date of the revised Privacy Policy constitutes your acceptance of the updated terms, to the extent permitted by applicable law.

 

This Privacy Policy is consistent with the EU-U.S. Data Privacy Framework Principles and the UK Extension to the EU-U.S. Data Privacy Framework. Mission & Data's adherence to the EU-U.S. DPF Principles expressly extends to personal data received from the United Kingdom and Gibraltar under the UK Extension to the EU-U.S. DPF.

© 2025 Mission & Data. All rights reserved.