BPM GROUP PRIVACY POLICY

Effective Date: 2/23/2025

This Privacy Policy explains how BPM LLP, Burr Pilger Mayer, Inc., BPM Canada, Inc., BPM India Advisory Services Private Limited, BPM UK Advisory Services Ltd, and BPM UK Audit Ltd (collectively, “BPM,” “we,” “us,” “our”) collect, use and share data we collect from individuals who interact with our business.  This might include (but is not limited to) when you visit our websites or applications, such as www.bpm.com (“Site”), when you engage with us about our services or products, when you (or your employer) use our services or products, when we engage with you (or your employer) for you to provide BPM with services or products, or when we otherwise process your personal information.

Information Collection

The specific personal information we may collect will depend on the precise nature of your relationship with us.  However, as a general principle, we limit the personal information that we collect to what is necessary for the purposes for which it was collected.  Some common examples of personal information that we may collect are as follows.

If you engage BPM or are engaged by BPM

BPM may need to collect personal information in order to enter into a contract with you or your employer, e.g., to provide our services to you or your employer, or to receive services. This may include the following categories of information:

  • Identity information such as your first and last name, title (which may indicate gender and marital status), job role, employer, etc.
  • Contact information such as your email address, telephone number, contact address, billing address, etc.
  • Finance and transaction information such as any bank accounts or payment details, contact information, details of any orders, details of payments made/received, details of services and products provided/received, etc.
  • Service-related information such as specific information required to provide services to you or that is generated in the provision of such services.  This may include “Know Your Customer” information, information about your business, tax, or other affairs, etc.
  • Employment information such as information about your current and previous roles, responsibilities, and salary/benefits; date of hire, age, planned/actual retirement date; etc.

If you otherwise interact with BPM

We may also collect some personal information if you otherwise interact with BPM, for example if you contact us (e.g., to enquire about services we can provide or to offer your services) or attend an event that we have hosted or attended.  This information will depend on the nature of the interaction, but may include at a minimum your name, contact details, and the circumstances of the interaction.  We may also be provided with your personal information by a third party, such as a colleague, or may collect it from publicly available resources, such as LinkedIn.

If personal information is included in any communications with BPM, this information will also be processed.

Via the Site or other applications

BPM collects personal information that is voluntarily provided by visitors to the Site or other applications offered by BPM.

  • BPM receives limited personal information, such as name, company name, job title, email address, communication preferences, and telephone number from website visitors. Typically, personal information is collected when website visitors ask to participate in mailing lists, register for events or podcasts, request downloadable content, engage with a chatbot, or inquire for further information.
  • If you are a client using our online client portal, you will be required to register by providing your company name, job title, email address and telephone number.
  • If you use any of our other applications, such as BPMTaxAI, we will process your account and login information (e.g., name and email address), employer, job title, and the inputs and outputs from such applications.      

We also automatically collect information when you visit the Site including information about your device, such as your browser type and IP address, and statistics about how you use the Site including when you visit the Site and how you navigate through the Site.

  • Use of Cookies. With consent, where required, we use cookies, tracking pixels, and similar technology to help us remember you and your preferences when you revisit the Site and also to collect aggregate (non-personal) information about Site usage by all of our visitors. These cookies may stay on your browser into the future until they expire or you delete them. You may refuse to consent to the placement of these cookies, or subsequently opt-out of their use at any time.   We may allow selected third parties to place cookies through the Site to provide us with better insights into the use of the Site or user demographics or to provide relevant advertising to you.  These third parties may collect information about a consumer’s online activities over time and across different websites when he or she uses our website. We may also permit third party service providers to place cookies through our Site to perform analytic or marketing functions.  We obtain your consent before placing these third party cookies but do not otherwise control them or the resulting information and we are not responsible for any actions or policies of such third parties.  For more information, see our cookie policy.  
  • Do Not Track. We do not use technology that recognizes a “do-not-track” signal from your web browser except as provided in this privacy policy.

If you apply for a position at BPM

Our Careers page directs Site visitors as to how to apply for open positions at BPM and to submit information about themselves, their qualifications and their resumes.  This page is operated by a trusted third-party service provider that assists us with our staffing needs. 

Information collected if you apply for a position at BPM includes phone number, email address, education and employment history, and any information contained in your application (including any CV or resume that accompanies this).  It may also include diversity information such as gender, ethnicity, race, disability, sexual orientation, or military status if you choose to provide this information (which is entirely voluntary). Such diversity information is anonymized and maintained separately from the job candidate records and your decision whether to provide this information will in no way impact your application.  If you voluntarily provide diversity information, BPM accepts your explicit consent to use that information in the ways described in this privacy policy or as described at the point where you choose to disclose this information.

If you are successful in your application, your personal information will be processed in accordance with our colleague privacy notice, a copy of which will be provided during your onboarding. 

Use of Information

BPM uses the collected information for our general commercial purposes such as to operate and manage our business; engage and interact with current and potential suppliers and customers; operate, maintain, and improve our Site and applications; and grow our business. 

Information is used for the intended purpose stated at the time that the information is collected and as stated in this privacy policy.  By way of example, we may process the collected information for the following reasons:

  • To respond to your inquiries, to provide information about our services to you, to administer and manage our agreement with you (or your employer), or to otherwise communicate with you.
  • To administer or otherwise carry out our obligations in relation to any agreement to which we are a party, assist you in completing a transaction or request, prepare and process invoices, respond to queries or requests, provide services and associated support, and resolve disputes.
  • To provide customer relationship management, create and manage our accounts, notify you about changes to our services, and send you routine customer service messages, or information on updates.
  • To offer our services to you in a personalized way, send you personalized marketing communications (with your consent, where this is required), allow you to participate in questionnaires, contests and surveys and benefit from personalized promotional offers.
  • To monitor quality control and ensure compliance with any and all applicable laws, regulations, codes and ordinances, for example, in response to a request from a court or regulatory body, where such request is made in accordance with the law.
  • To help keep your account and our Site, business, services, products and premises safe and secure, and to prevent or detect malicious activity or abuses of our Site and services, for example, by requesting verification information in order to reset your account password (if applicable), and to prevent or detect fraud or illegal activity.
  • To administer our Site, applications and services, and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, to create services, applications or products that may meet your needs, and to develop and improve our services, applications and products.

BPM makes every practical effort to avoid excessive or irrelevant collection of data. Except for mailing lists and website inquiries described above, BPM will not use personal information collected from our Site to facilitate unsolicited marketing activities.

Disclosing Information to Third Parties

We may share your personal information with other members of the BPM group (as listed at the top of this privacy policy) for internal business administration purposes and to ensure we can offer an efficient global service.  This may involve the transfer of your personal information to other jurisdictions from the one in which you are based (and in which the information was originally collected).  Where necessary to comply with applicable law, all transfers of personal information (including within the BPM group) are undertaken in accordance with appropriate safeguards.

BPM may also disclose information to unaffiliated third parties in the following circumstances:

  • For legal, security or safety purposes; to comply with laws; as required by law through subpoena, search warrant or other legal process (or, where not legally required but BPM considers it in BPM’s interests to comply with a non-binding request or otherwise volunteer information to a government, regulatory, or law enforcement authority or similar body); to enforce, protect and defend the rights, property and safety of BPM, our agents, customers and others including enforcing our agreements, policies and terms of use;
  • To help complete a transaction or fulfill a request such as to deliver publications or reference materials as requested or to facilitate conferences or events hosted by a third party;
  • To facilitate our agents, advisors, outside vendors, or service providers’ performance of services they provide to us, such as payment processing, analytics and marketing assistance, legal and other advice, and customer service;
  • If the disclosure is done as part of a purchase, financing, transfer or sale of services or assets, restructuring, or similar transaction (e.g., in the event that substantially all of our assets are acquired by another party, customer and supplier information may be one of the transferred assets);
  • When explicitly requested by the individual to whom the personal information relates or when we have the individual’s authorization or consent; and
  • As otherwise provided in this privacy policy.

When we share your personal information with third parties that we engage to process data on our behalf we will ensure that those third parties are subject to appropriate contractual terms relating to your personal information.

The Site does not collect or compile personal information for dissemination or sale to outside parties for consumer marketing purposes, or host mailings on behalf of third parties.

Data Processing and Cross-Border Data Transfers

We may transfer your personal information to other jurisdictions, e.g., to other BPM group companies or service providers located globally (e.g., the United States, the UK, the EEA, Canada and India). 

Our Site is maintained on servers located in the United States, and personal information submitted is stored on our servers in the United States.  If you are visiting our Site from outside the United States, please be advised that your information is transferred to our U.S. servers. 

Disclosing your personal information to us pursuant to this privacy policy is at your own risk.  We strive to comply with laws of jurisdictions in which we maintain operations or which we are otherwise subject to, but we make no representations that the practices described in this privacy policy are compliant with laws outside of those jurisdictions.

Third Party Links on the Site

BPM’s Site may contain links to other websites that do not operate under BPM’s privacy practices. When you visit these other websites, BPM’s privacy practices no longer apply. We are not responsible for other websites or their privacy practices. We encourage visitors to review each site’s privacy policy before disclosing any personal information.

Choices relating to the Site

Personal information provided to BPM through the Site is provided voluntarily by visitors. We provide instructions on the appropriate website area or in communications to our visitors should such visitors subsequently choose to unsubscribe from mailing lists or any registrations.

Site visitors can update, amend or delete their information at any time by logging into their online client portal account or by emailing us at [email protected].

Site visitors can reject cookies via our cookie banner or can choose to delete or block cookies and similar technologies by setting their browser to either reject all cookies or to allow cookies only from selected sites.  If you block cookies the performance of the Site may be impaired and certain features may not function at all.  For more information, see our cookie policy. 

Security

BPM has implemented generally accepted standards of technology and operational security in order to protect personal information from loss, misuse, alteration or destruction. All BPM employees follow a network-wide security policy. Only authorized BPM personnel are provided access to personal information and these employees have agreed to ensure confidentiality of this information.

We may use standard encryption technology to protect information being transferred to our Site.  However, there is no electronic transmission or storage method that is completely secure.

If we receive instructions using your log-in information we will consider that you have authorized the instructions.

Children’s Privacy

This Site is neither designed nor intended to be attractive to, or used by, children under the age of 13.  We do not knowingly collect information from children under the age of 13.  If you are under 13, please do not submit any information to us.

Changes to the Privacy Policy

We may amend this privacy policy from time to time.  If we make material changes, we will post the revised policy and the revised effective date on this Site. Please revisit this page periodically to review any updates.

Questions or Concerns

If you have any questions or concerns regarding your privacy or BPM’s use of your personal information, please direct them to [email protected] or write to us at BPM LLP, 2001 North Main Street, Suite 360, Walnut Creek, CA 94596, Attn: Legal Department.

Jurisdiction-Specific Notices

Notice to Residents of California

Your California Privacy Rights – Direct Marketing.  California residents with an established business relationship with us are permitted by California law once a year to request information about the manner in which we shared certain categories of information with others for their direct marketing purposes during the prior calendar year. We do not share your personal information with third parties for their direct marketing use unless we have your permission.  To withdraw permission previously granted please email us at [email protected].  Once we receive your instruction we will cease sharing your information, but this will not affect previously shared information.

Privacy Rights Notice to Residents of U.S. States with Comprehensive Privacy Laws

Residents of certain U.S. states that have enacted comprehensive privacy laws may be afforded certain rights in relation to their personal data.  Learn about rights under these state laws and how to exercise them here.

Notice to Residents of the United Kingdom and the European Economic Area

This Notice to Residents of the United Kingdom (“UK”) and the European Economic Area (“EEA”) supplements our privacy policy and includes specific information required under the General Data Protection Regulation (EU) 2016/679 including as it applies in the UK (“GDPR”).

Lawful bases for processing

Our processing of your personal information is based on the following legal bases:

  • Legitimate interests. We will use your personal information as necessary for our legitimate business interests. When doing so, we make sure we consider and balance any potential impact on you and your rights and do not use your personal information where your rights and freedoms override our business interest.  Some examples of the legitimate business interests we may pursue include:
    • To exercise our rights and perform our obligations under any contracts entered into with your employer or a company you represent;
    • To effectively operate our global business and our Site, to keep our business and Site up to date;
    • To study how our customers use our services, products, applications, and Site and to develop and grow our business;
    • To keep our records updated and manage our relationship with you;
    • To protect BPM’s interests and assist in the prevention or detection of crime or the investigation into potential crimes (e.g., when voluntarily providing information to government authorities); and
    • To carry out direct marketing and to undertake market research.
  • Performance of a contract.  Where you engage with BPM directly (either to receive services or products from us or to provide us with services or products) then we may process your personal information where it is necessary for us to perform our obligations or enforce our rights under the contract we have entered into with you.
  • Legal obligation.  We may process your personal information where we are required to do so, for example when issued with a legally binding request for information or when complying with anti-money laundering or anti-fraud laws.
  • Consent. In some limited circumstances, we may rely on your consent as the legal basis for processing your personal information.  For example, where required by law to obtain consent for direct marketing purposes, consent will also be the legal basis for associated processing activities.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at the address provided under the “Questions or Concerns” heading in the privacy policy.

Your data subject rights

If you are accessing our Site from the UK or the EEA, you may have the following rights in certain circumstances:

  • Access. To request access to any personal information we hold about you as well as related information, including the purposes for processing the personal information, the recipients or categories of recipients with whom the personal information has been shared, where possible, the period for which the personal information will be stored, the source of the personal information, and the existence of any automated decision making;
  • Rectification. To obtain without undue delay the rectification of any inaccurate personal information we hold about you;
  • Erasure. To request that personal information held about you be deleted;
  • Restriction. To prevent or restrict processing of your personal information;
  • Portability. To request transfer of personal information directly to a third party where this is technically feasible;
  • Object. You have the right to object to our processing of your personal information on the basis of our legitimate interests and to object to our use of your personal information for marketing purposes; and
  • Consent.  Where our processing is based on your consent, you may withdraw this consent at any time (this does not affect the lawfulness of any processing undertaken before such consent was withdrawn).

You can exercise any of these rights by contacting us using the details under “Questions or Concerns” above. We aim to respond to requests made by you within one (1) month but may extend that period by two (2) further months where necessary. Also, where you believe that we have not complied with our obligation under this privacy policy or UK or EEA law, you have the right to make a complaint to the UK or an EEA Data Protection Authority.

International transfers

Where we transfer personal information subject to the GDPR outside of the EEA or UK to a country that has not been deemed to provide an adequate level of protection for personal information, we will obtain contractual commitments from such third parties to protect your personal information, such as standard contractual clauses approved by the European Commission and the UK Government for transfers of personal information to third countries.

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when it is transferred outside the EEA/UK.