EU GDPR and UK GDPR Notice

This notice explains how W.S. Darley & Co. handles personal data for Darley Data under the EU General Data Protection Regulation and the UK General Data Protection Regulation.

This notice supplements the existing Terms & Privacy Policy. The existing privacy policy remains available.

This notice applies to personal data processed through Darley Data for site visitors, portal users, data-subject requesters, data-correction submitters, newsletter and marketing users, advertisers and shared-dashboard recipients, and visitors whose browsers load embedded Darley Data widgets on third-party pages.

Darley Data applies its cookie preference and data-rights workflow broadly rather than relying only on location-based gating.

• Identity and contact data, such as name, email address, phone number, organization, department, and portal account details.
• Account and authentication data, such as portal account status, password-reset metadata, login events, and security records.
• Request and rights-workflow data, such as DSAR type, details, request ID, verification notes, status, and audit history.
• Cookie and consent data, such as optional category choices, timestamps, version, and expiration.
• Technical data, such as request metadata, minimized IP address, minimized user-agent, referring page, device/browser category, and coarse country or region.
• Marketing and newsletter data, such as email address, submitted HubSpot form fields, consent status, and campaign metadata.
• Advertising and shared-dashboard data, such as ad IDs, ad slots, campaign assets, impression/click events, shared report access controls, and aggregate performance reporting.
• Embedded-widget data, such as FDID, selected widget, embed URL, minimized request metadata, and aggregate usage metrics.

Darley Data does not intentionally use the data-subject request form to collect browser cookies or localStorage contents.

The table below summarizes the main processing activities, data involved, lawful bases, and current retention model.

Darley Data shares personal data only where needed for the purposes described in this notice, subject to appropriate access controls and contracts.

• Hosting, database, infrastructure, and storage providers.
• Email delivery providers, including Brevo SMTP.
• Analytics, recorder, advertising measurement, and marketing-form providers, including HubSpot where marketing forms are enabled.
• Darley personnel, contractors, professional advisors, and service providers who need access for operations, security, support, compliance, or legal purposes.
• Advertisers or shared-dashboard recipients where Darley provides campaign reporting or share-link access.
• Courts, regulators, law enforcement, or other authorities where disclosure is required or permitted by law.

The table below lists processors and providers that support Darley Data services, along with their roles and the personal data they process.

W.S. Darley & Co. is located in the United States. Darley Data and its service providers may process personal data in the United States and other countries that may not provide the same level of data protection as the European Economic Area or the United Kingdom.

Where EU GDPR or UK GDPR transfer rules apply, Darley relies on approved transfer mechanisms, such as European Commission standard contractual clauses, the UK International Data Transfer Agreement or UK addendum, Data Privacy Framework participation where applicable, adequacy decisions, or another lawful safeguard.

The following items document current EU and Germany-specific compliance assumptions and review statuses for Darley Data.

Darley Data keeps personal data only as long as needed for the purposes described in this notice, unless a longer period is required for legal holds, disputes, investigations, security incidents, regulatory inquiries, or compliance obligations.

Darley reviews or deletes records according to these retention periods unless a longer period is required for legal holds, disputes, investigations, security incidents, regulatory inquiries, or compliance obligations.

Depending on your location, the processing activity, and applicable limits or exemptions, you may have the following rights under the EU GDPR or UK GDPR:

• Access: ask for confirmation that personal data is processed and request a copy of eligible personal data.
• Rectification: ask us to correct inaccurate personal data or complete incomplete personal data.
• Erasure: ask us to erase personal data where the law allows.
• Restriction: ask us to restrict processing where the law allows.
• Objection: object to processing based on legitimate interests, including profiling based on those interests, where applicable.
• Portability: request a portable copy of eligible personal data processed by automated means based on consent or contract.
• Withdraw consent: withdraw consent at any time for consent-based processing. Withdrawal does not affect processing that happened before withdrawal.
• Complaint: lodge a complaint with an EU or UK supervisory authority.

Some requests may be limited where Darley must retain data for legal obligations, security, fraud prevention, legal claims, compliance, audit, or other documented legitimate reasons.

Use the data-subject request form to submit an access, correction, restriction or erasure, objection, portability, or consent-withdrawal request. Use the cookie preferences page to update or withdraw optional cookie consent.

Darley may ask for information needed to verify your identity, confirm your authority to act for someone else, understand the request, or determine whether an exception applies.

Where processing is based on consent, you may withdraw consent at any time. For optional cookies and similar technologies, turn off the relevant category on the cookie preferences page and save your choices. For marketing communications, use any unsubscribe method provided or submit a consent-withdrawal request.

Withdrawal does not affect processing that occurred before consent was withdrawn, and it does not prevent Darley from keeping records needed for legal, security, compliance, suppression-list, or audit purposes.

Darley Data collects some personal data directly from you and obtains some data from other sources.

• You, when you browse the site, submit forms, manage cookie preferences, use the portal, request data rights, or submit corrections.
• Your organization, account administrator, advertiser, or shared-dashboard sponsor when they provision access, campaign information, or report sharing.
• Your browser, device, and network request metadata, including cookie preference records and minimized technical data.
• Embedded pages that load Darley widgets, through referrer and request metadata associated with the widget request.
• Public fire, EMS, incident, department, and official-source datasets used for analytics. These datasets are not intended to identify individual site visitors.
• Service providers and vendors that provide delivery, authentication, analytics, form, email, security, or operational metadata.

Some data is necessary to provide requested services or comply with legal obligations. For example, portal account details are needed to provide portal access, security records are needed to protect the service, and request details are needed to process privacy-rights requests.

If required data is not provided, Darley may be unable to create or maintain an account, provide portal features, verify a data-rights request, respond to a correction request, deliver marketing communications, or provide requested support. Optional cookie categories are not required to use the core site, although declining them may limit optional functionality, analytics, marketing, or advertising measurement.

Darley Data does not currently use personal data for automated decision-making or profiling that produces legal or similarly significant effects for individuals.