Client Data Privacy Policy

BDO USA Client Data Privacy Policy

Last Updated: August 30, 2023

This Privacy Policy ("Privacy Policy") describes how BDO USA¹ and its subsidiaries (except as described below) (together, "BDO USA" or "we" or "us" or "our") collect, use, and disclose the Personal Information we collect from or about you in the context of your client relationship with BDO USA, including when you:

  • Use the services that are located in our Client Center (www.bdo.com/client-center), including our client portals;
  • Pay for services using our online payment portal;
  • Transmit Personal Information to us through other online systems and platforms, whether hosted by you, us, or our service providers (together, with the online portals and services listed above, the “Sites”); and
  • Otherwise provide Personal Information to us, whether online or offline, in the context of your client relationship.

Before engaging with BDO USA and submitting Personal Information to us or using our Sites, please review this Privacy Policy carefully.  

Certain BDO USA services or subsidiaries may use different privacy policies to provide notice to you about how your Personal Information is used and disclosed in the context of your client relationship with each subsidiary. To the extent that BDO USA services or subsidiaries post or reference a different privacy policy, that different privacy policy, not this Privacy Policy, will apply to your Personal Information collected in the context of those services or by that subsidiary.

Please note that this Privacy Policy does not apply to information collected when you visit www.bdo.com or other BDO USA-operated websites when you are not logged into a client-specific account. Information collected on these websites (when you are not logged in) is governed by the BDO USA Privacy Policy.


Your Agreements with BDO USA

As a client of BDO USA, you may have entered into a contract, engagement letter or other agreement with BDO USA that governs the relationship between you and BDO USA and the services we provide to you (“Agreement”). If any provision in your Agreement with BDO USA conflicts with any provision in this Privacy Policy, the provision in your Agreement will control to the extent of such conflict.

Note about Client Data: We may receive Personal Information contained in the files, documents, data, and other materials we receive in connection with the Agreement (“Client Data”). We use and disclose this Client Data as described in our Agreements with you.


BDO USA as a Service Provider

Most of our clients are businesses, and we may receive and process Personal Information when we provide services to those clients. When this happens, we process your Personal Information pursuant to our contract with our client. That client’s privacy policy applies to your Personal Information, not ours.


How We Collect and Use Your Personal Information

"Personal Information" is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household, such as your name, email address, IP address, telephone number, and broader categories of information such as your professional, educational or health information, commercial information and internet activity.

We may collect Personal Information directly from you and automatically through our use of cookies and other data collection technologies on our Sites. We may also collect your Personal Information from third-party sources, such as social media platforms (if you interact with us through your social media account), background check providers, and third parties to whom you direct us to collect your Personal Information.  We will treat Personal Information collected from third-party sources in accordance with this Privacy Policy.  

The categories of Personal Information that we collect from you depend on your interactions and engagement with us. For example, we may collect:

  • Identifiers, such as your name, address, email address, phone number, IP address, online identifiers, payment card or financial account numbers and related information required to process payments, and other similar identifiers. We may collect this information to verify your identity and information, communicate with you, process your payments, and provide you with access to your BDO USA client account (“Account”).
  • Customer Records, such as your social security number, government issued identification information, etc., which we use to provide tax and accounting services as part of our private client services.
  • Commercial Information, such as the products and services purchased from us. We may collect this information to maintain client records, identify trends in our client relationships, and conduct business analytics.
  • Internet or other Electronic Activity Information, such as your browsing history, search history, and information regarding your interactions with pages you visit on the Sites. We may collect this information to understand your use of the Sites and your Account.
  • Professional and Employment-Related Information, such as information about your current employment, professional degrees and certifications, and education background. We may collect this information to verify your identity, perform regulatory compliance checks, and other related processes.
  • Profile Information, such as information about your preferences and characteristics (including inferences drawn from other personal information). We may collect this information in order to understand your preferences and tailor our services and communications to you. In addition, if you visit our premises, we may collect information to protect the health and safety of our personnel, clients, guests, and the general public, such as health and travel information. 

In addition to the purposes for collection described above, we also may collect each category of information for the purpose of maintaining our client relationship with you and performing services, which include:

  • Onboarding you as a client, maintaining or servicing your Account, processing and fulfilling your requests, and other activities that are part of our service offerings.
  • Conducting verification and background checks as part of our business acceptance, finance, administration and marketing processes, including anti-money laundering, conflict, reputational, and financial checks.
  • Taking steps to improve our services to you, including to run analytics, improve our artificial intelligence tools, assess the quality of our services, and for other related internal business purposes.
  • Confirming your balances and managing other aspects of your financial transactions.
  • Sending you messages promoting our products and services. You may opt-out of receiving certain promotional e-mail messages from us as described in the "Marketing Opt-Out" section below.
  • Protecting the health and safety of our personnel, clients, guests, and the general public.
  • Administering and improving our Sites, including to measure the effectiveness of the Sites, help diagnose problems with our server, see where Site traffic is coming from, and to identify our Site users.
  • Complying with our legal, regulatory and risk management obligations, including establishing, exercising and/or defending legal claims.
  • Fulfilling any other purpose described in our Agreements with you.
  • For other purposes consistent with the context of the collection of your information, or as otherwise disclosed to you prior to the use of your information.

Some of the information we collect may be considered Sensitive Personal Information under privacy laws, such as your health information and account log-in information. We use your Sensitive Personal Information only for legitimate business purposes, including to (i) perform services or provide goods reasonably expected by an average person; (ii) detect security incidents; (iii) resist malicious, deceptive, or illegal actions; (iv) ensure the physical safety of individuals; (v) for short-term, transient use, including non-personalized advertising; (vi) perform or provide internal business services; or (vii) verify or maintain the quality or safety of a service or device. 

 

How We Disclose Your Personal Information

We may share the categories of Personal Information described above in the following circumstances to the following categories of third parties: 

  • We may share your Personal Information with companies or individuals that we contract with in order to receive services (our “Service Providers”). These services may include, among other things, providing products or services to you on our behalf, creating or maintaining our databases, payment processing, researching and analyzing the people who request information from us, preparing distribution communications or responding to inquiries. We may also disclose to these Service Providers your health and travel-related information in order to protect the health and safety of our personnel, clients, guests, and the general public.  Our policy is to inform our Service Providers not to use or disclose your Personal Information for any purpose other than for providing services to us.
  • We may share your Personal Information with companies that we own or control, or are owned or controlled by (our “Corporate Family”), including health and travel-related information in order to protect the health and safety of our personnel, clients, guests, and the general public.
  • We may share your Personal Information with companies or individuals outside of BDO USA who may use your Personal Information for their own purposes (a “Third Party”). For example:
    • If you choose to submit Personal Information through the “Testimonials” link, we may share your Personal Information publicly or with Third Parties.
    • From time to time, we may be required to provide Personal Information to a Third Party in response to a court order, subpoena, government investigation, or as otherwise required by law or legal process.
    • We may share your Personal Information with Third Parties, such as law enforcement agencies, other government agencies, or health authorities (i) when we, in good faith, believe you or others are acting unlawfully, (ii) when we believe it is necessary or appropriate to satisfy any law, regulation or other governmental request, (iii) to operate our business and Sites properly, (iv) to protect or defend our rights or the rights or well-being of our users, even without a subpoena, warrant or court order, or (v) when we believe disclosure is necessary to protect the health and safety of our personnel, clients, guests, and the general public.
  • We may, as a result of a sale, merger, consolidation, change in control, transfer of assets, reorganization or liquidation of our company (a “Reorganization Event”), transfer or assign your Personal Information to parties involved in the Reorganization Event. You acknowledge that such transfers may occur and are permitted by and subject to this Privacy Policy.


Cookies and Other Technologies

We may use "cookies" to keep, and sometimes track, information about you on our Sites. Cookies are small data files that are sent to your browser or related software from a Web server and stored on your computer's hard drive. Cookies track where you travel on the Sites and what you look at. In doing so, a cookie may enable us to relate your use of the Sites to your Personal Information. Many other websites use cookies for very similar purposes.

Most Web browsers can be set to inform you when a cookie has been sent to you and provide you with the opportunity to refuse that cookie. Additionally, your Flash player can be set to reject or delete Flash cookies. Refusing a cookie will generally not interfere with your use of the Sites. However, refusal of a cookie may, in some cases, preclude you from using or negatively impact the display or function of the Sites or certain areas or features of the Sites.

We may also use web beacons (a.k.a. clear GIFs, web bugs or pixel tags) to personalize your experience on the Sites, to generate information about Site traffic and trends, and to verify your viewing and/or receipt of communications. Web beacons collect information automatically, such as the type of browser that you use and your IP address. Web beacons may be used alone or in conjunction with cookies. When web beacons are used with cookies, they may link this information to other Personal Information that you have provided to us. Web beacons usually are not visible to you.


Third-Party Analytics

We use automated devices and applications, such as Google Analytics and Crazy Egg, to evaluate usage of our Sites. We also may use other analytic means to evaluate our Sites and services. We use these tools to help us improve the Sites and user experiences. These entities may use cookies and other tracking technologies to perform their services. We do not share your Personal Information with these third parties.  To learn how Google Analytics collects and processes data, please visit: “How Google uses data when you use our partners’ sites or apps” located at www.google.com/policies/privacy/partners.  To learn about how Crazy Egg uses the analytics information it collects, please visit Crazy Egg’s Privacy Policy; to opt-out of Crazy Egg’s analytics tracking, please visit https://www.crazyegg.com/opt-out/.

 

How We Respond to Do Not Track Signals

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a "Do Not Track" ("DNT") or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser's user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many digital service operators, including BDO USA, do not recognize or respond to DNT signals.

 

Marketing Opt-Out

If you would like to opt out of receiving promotional or marketing e-mails from us, you may use the “unsubscribe” mechanism included in each marketing message. You may also let us know by sending us an email to [email protected] with REMOVE in the subject line and stating the email address you wish to be removed from our mailing list. If you have an Account, you may be able to manage your subscriptions through your Account. However, your option not to receive promotional and marketing email shall not preclude us from corresponding with you, by email or otherwise, regarding your existing relationship with us. Your opt-out request will also not apply to correspondence that has already been initiated.

 

California Privacy Disclosures

California residents are entitled to the following disclosures about our data processing:

In the preceding 12 months, BDO USA has collected the categories of Personal Information detailed in How We Collect and Use Your Personal Information above. The purposes for which BDO USA has collected Personal Information and the sources of that information are also described above.

In the preceding 12 months, BDO USA has disclosed Personal Information for a business purpose as detailed in the How We Disclose Your Personal Information section above.

We do not sell your Personal Information covered under this Privacy Policy, and we are not aware of any sales of Personal Information pertaining to children under 16. We do not share your Personal Information covered under this Privacy Policy for cross-context behavioral advertising purposes.

Shine the Light: This Privacy Policy describes how we may share your information, including for marketing purposes. California residents are entitled to request and obtain from BDO USA once per calendar year information about any of your Personal Information shared with third parties for their own direct marketing purposes, including the categories of information and the names and addresses of those businesses with which we have shared such information. To request this information and for any other questions about our privacy practices and compliance with California law, please contact us at [email protected].

For an explanation of the rights you might have as a California resident, please see the Your Rights section below.


Your Rights 

Depending on where you live, you may have the following rights, subject to any applicable exemptions or limitations:

  • The right to know and access your Personal Information, such as the categories of Personal Information we have collected, the sources of Personal Information, the purposes of collection, and how we used, disclosed, sold, or shared Personal Information; 
  • The right to correct inaccurate Personal Information that we maintain about you;
  • The right to delete your Personal Information under specific circumstances;
  • The right to object or opt out of certain types of processing, such as direct marketing and certain types of profiling and automated decision-making;
  • The right to request the restriction of processing of your Personal Information; 
  • The right to data portability, which means requesting a copy of your Personal Information in an accessible format; 
  • The right to withdraw your consent under certain circumstances; and
  • The right to lodge a complaint with the relevant data protection supervisory authority. Where applicable, you can find contact information for your data protection supervisory authority on the European Data Protection Board’s website, https://edpb.europa.eu/about-edpb/about-edpb/members_en, or through other publicly available sources. 

To the extent any of the above rights are applicable, you may exercise your rights by contacting us at [email protected], by phone at 1 (877) 236-0001 or by completing our Consumer Request Form. If you choose to exercise any of these rights, BDO USA will not discriminate against you in any way. If you exercise certain rights, understand that you may be unable to use or access certain features of BDO USA’s Sites or services. 

We will take steps to verify your identity before processing certain requests. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected Personal Information. If you have an Account with us, we will use our existing Account authentication practices to verify your identity. If you do not have an Account with us, we may request additional information about you to verify your identity. We will only use the Personal Information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose or we are otherwise required by law.

You may be able to use an authorized agent to submit a rights request on your behalf. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.

Certain laws may give you a right to appeal any denials of your request to exercise your rights. If we deny your request and you would like to submit an appeal, please contact us at [email protected].


Legal Basis for Processing

Where applicable under the European Union’s General Data Protection Regulation (“GDPR”) or similar laws, the legal basis for our collection and use of your Personal Information may include any of the following:

  • Performance of a contract. We process your Personal Information as necessary to perform our obligations under any contract with you, such as to provide our Sites or services to you or complete transactions.
  • Consent. We may ask for your consent to use your Personal Information, including if we need your consent to process certain sensitive information about you or engage in certain marketing activities. If we obtain your consent as a legal basis for processing, you may withdraw your consent at any time.
  • Legitimate interests. We have a legitimate interest in using your Personal Information for our business purposes, including operating, improving, and marketing our business, Sites and services.  
  • Compliance with a legal obligation. We may need to use your Personal Information to comply with applicable legal requirements.


Information for Clients Outside of the United States

If you are a client located outside of the United States or access and use the Sites from outside of the United States, your information will be transferred to, stored and processed in the United States and other countries where BDO USA or its vendors operate in accordance with this Privacy Policy and all applicable laws. Please note that data protection and consumer protection laws of the United States and such other countries may differ from the data protection or consumer protection laws in your country. By using the Sites or providing us with your Personal Information, you understand that your Personal Information will be collected from and processed in the United States and other countries where BDO USA or its vendors operate, and acknowledge that your information may be subject to access by law enforcement and other government entities, including courts and tribunals, in accordance with laws applicable in those jurisdictions. Where applicable, we have implemented appropriate cross border data transfer mechanisms when transferring your Personal Information to a country outside of your home jurisdiction, including the BDO Binding Corporate Rules.   


Data Security and Retention

We maintain one or more databases to store your Personal Information and may retain it as reasonably required to serve you, run our business, and comply with our legal obligations. In determining when your Personal Information is retained or disposed of, we may consider the nature and sensitivity of your Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, and applicable legal requirements.

We have implemented reasonable safeguards designed to protect your information from loss, misuse, alteration or destruction. We also take reasonable steps designed to ensure that third parties who work with us agree to protect the Personal Information.

Please be careful whenever sending Personal Information to us via email. Email is not a secure means of transferring information. Whenever possible, please use the file-sharing services available on the Client Center to share with us files containing Personal Information about you, your employees, customers and other individuals from whom you collect Personal Information.

Without limiting any other terms that apply to our Sites and this Privacy Policy, you understand that we cannot guarantee that your Personal Information will be private or secure. Except to the extent provided by law, we are not responsible or liable to you for any lack of privacy or security you may experience. You are fully responsible for taking precautions and providing security measures best suited for your situation and intended use of the Sites and our services.

 

Third Parties

Our Sites, client services and materials may contain references and/or links to third-party websites and services, including references and links to third parties that accept and process your payments to BDO USA. Except as described above regarding Service Providers, we have no control over what information third parties track or collect. Any access to and use of such third-party websites and services is not governed by this Privacy Policy but instead is governed by the privacy policies of those third parties. We are not responsible for the information practices of such third parties.


Children’s Privacy

We do not knowingly collect any Personal Information from clients or children under 13 years of age without prior verifiable parental consent. If BDO USA learns that a child under the age of 13 has submitted Personal Information without parental consent, we will take all reasonable measures to delete the information as soon as possible and to not use such information for any purpose, except where necessary to protect the safety of the child or others as required or allowed by law. If you believe a child under 13 years of age has provided us with Personal Information, please contact us at [email protected] or the mailing address below.

 

Questions about Our Privacy Policy

If you have questions about this Privacy Policy, please contact us at [email protected]. You can also send us physical mail to: BDO USA, 600 North Pearl Street, Suite 1700, Dallas, TX 75201, Attention: Chief Compliance & Ethics Officer.


Changes to Our Privacy Policy

We may occasionally update this Privacy Policy to reflect changes in our practices. When we post modifications to this Privacy Policy, we will revise the "Last Updated" date at the top of this web page. If the changes are material, we will endeavor to notify you in advance of such changes taking place. If you object to any modification, your sole recourse is to notify us that you do not agree and to stop using the Sites and providing us with your Personal Information.

We encourage you to periodically review this page for the latest information on our privacy practices.




¹ BDO USA refers to BDO USA, P.C., a Virginia professional corporation, also doing business in certain jurisdictions with an alternative identifying abbreviation, such as Corp. or P.S.C.