Privacy Policy

LCG US Privacy Policy

Effective Date: As of November 25, 2025

1. INTRODUCTION

Lima Consulting Group is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the Lima Consulting Group Web site and governs data collection and usage. By using the Lima Consulting Group website, you consent to the data practices described in this statement.

Lima Consulting Group, Inc. (“LCG US” or “LCG”) is committed to protecting personal data and ensuring transparency in the collection and processing of information, in accordance with applicable United States federal and state data protection laws and recognized international best practices.

This Policy describes how LCG US processes personal data relating to:

  • Employees and former employees
  • Job applicants and candidates
  • Suppliers, contractors and service providers
  • Representatives of corporate clients
  • Personal data processed on behalf of our clients when acting as a Data Processor

LCG US does not conduct active consumer data collection as part of its core consulting operations.

For Brazil-specific processing activities subject to LGPD, please refer to our LCG Brazil Privacy Policy.

2. SCOPE AND APPLICABILITY

This Policy applies to:

  • Personal data processed by LCG US in its role as a Data Controller
  • Personal data processed by LCG US in its role as a Data Processor on behalf of corporate clients
  • All internal systems, processes and operational activities involving personal data
  • Employees, contractors and authorized personnel of LCG US

In certain technical activities (e.g., system integration, data analysis, audits, platform implementation, cybersecurity and support services), LCG US may have limited access to end-user data belonging to clients, always under documented client instructions.

3. ROLES AND RESPONSIBILITIES

3.1 When Acting as Data Controller

LCG US determines the purposes and means of processing personal data related to:

  • Employees and former employees
  • Job applicants and candidates
  • Independent contractors and consultants
  • Vendors and service providers
  • Corporate client representatives

3.2 When Acting as Data Processor

LCG US processes personal data exclusively in accordance with the documented instructions of its corporate clients, in accordance with contractual obligations, confidentiality commitments and applicable law.

4. DATA PROTECTION PRINCIPLES

LCG US applies the following principles in its personal data processing activities:

  • Purpose limitation
  • Data minimization
  • Transparency
  • Accuracy and data quality
  • Security and confidentiality
  • Accountability
  • Integrity and controlled access
  • Risk-based governance

5. CATEGORIES OF PERSONAL DATA PROCESSED

5.1 As Data Controller

LCG US may process the following personal data:

  • Identification data (name, business address, phone number, email)
  • Employment-related data (payroll information, benefits, performance data, system access credentials)
  • Recruitment and candidate data (resumes, professional history, interview records)
  • Supplier and contractor data (business contact and contractual data)
  • Corporate client representative contact information

5.2 As Data Processor

When acting on behalf of corporate clients, LCG US may process personal data strictly for operational purposes, including:

  • Data contained within client-managed systems
  • Transactional and platform usage data
  • User and customer datasets necessary for consulting, integration, security or analytics activities

LCG US does not carry out active consumer data collection or consumer data commercialization activities.

6. PURPOSES AND LEGAL BASES FOR PROCESSING

LCG US processes personal data primarily for the following purposes:

Purpose Legal Basis
Employment administration, payroll and benefits Contractual necessity and legal obligations
Recruitment and human resources processes Pre-employment assessment and legitimate business purposes
Vendor and contractor management Contractual necessity and legitimate business purposes
Client engagement and account management Contract performance and legitimate business purposes
Information security, access control, monitoring Legitimate business interests and risk management
Legal and regulatory compliance Compliance with applicable US laws and regulations

7. DATA SHARING AND DISCLOSURE

LCG US may share personal data with:

  • Payroll, benefits and HR service providers
  • IT and cloud infrastructure providers
  • Legal, accounting and professional advisors
  • Corporate clients, when acting as Data Processor
  • Government authorities where required by law

LCG US does not sell, rent or commercialize personal data.

8. INTERNATIONAL DATA TRANSFERS

LCG US may transfer personal data internationally in connection with:

  • Global service delivery operations
  • Cross-border client engagement
  • Use of cloud-based infrastructure and platforms

Appropriate safeguards are applied to international transfers, including contractual protections and risk-based assessments.

9. DATA RETENTION

LCG US retains personal data according to the following criteria:

  • Employment records: retained in accordance with US labor and tax regulations
  • Recruitment data: retained for up to 12 months following conclusion of the recruitment process
  • Supplier and contractor data: retained for the term of the contractual relationship and statutory retention period
  • Client-related data: retained as defined in contracts or legal obligations

When acting as Data Processor, data retention follows the instructions of the client.

10. INFORMATION SECURITY

LCG US implements appropriate technical and organizational security measures, including:

  • Access control and authentication systems
  • Encryption of sensitive data
  • Security monitoring and incident detection
  • Vulnerability management
  • Internal security policies and awareness programs

11. RIGHTS OF DATA SUBJECTS

Subject to applicable US state and federal laws (including but not limited to California privacy laws where applicable), individuals may exercise rights including:

  • Access to personal data
  • Correction of inaccurate data
  • Deletion of personal data where legally permitted
  • Information regarding processing activities

When acting as Data Processor, LCG US will redirect the request to the responsible Data Controller and inform the requesting individual accordingly.

Requests may be directed to:
[email protected]

12. DATA PROTECTION OFFICER

Designated Data Protection Contact:
Bill Good
Email: [email protected]

13. RECORD KEEPING AND GOVERNANCE

LCG US maintains internal records of processing activities, including:

  • Categories of personal data
  • Processing purposes
  • Third-party service providers
  • Security and risk assessments
  • Incident and remediation logs

14. SECURITY INCIDENT RESPONSE

In the event of a data security incident, LCG US will:

  • Assess and contain the incident
  • Activate internal response procedures
  • Notify relevant stakeholders when required by applicable US laws
  • Maintain internal records of the incident and response actions

15. POLICY UPDATES

This Policy may be updated periodically to reflect changes in legal requirements, operational practices or security standards.

16. CONTACT

For privacy or data protection inquiries:

[email protected]
Lima Consulting Group, Inc.
40 Lloyd Avenue, Suite 108B
Malvern, PA 19355 USA