Privacy Policy
Effective Date: May 2026
1. Introduction
The Atoll Group LLC ("The Atoll Group," "we," "us," or "our") is a consulting firm specializing in data privacy, intelligence, cybersecurity, information security, and operational risk management for organizations, executives, and/or its offices. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our website (www.theatollgroup.com) (the "Site"), our consulting services (the "Services"), and our business operations.
This Privacy Policy applies to personal information we collect from and about our clients, prospective clients, business contacts, website visitors, and other individuals who interact with us in a professional capacity. Because The Atoll Group operates as a business-to-business organization, the majority of personal information we process relates to individuals acting in their professional roles as representatives of their employers or organizations.
2. Information We Collect
2.1 Information You Provide Directly
We collect personal information that you or your organization voluntarily provide to us, including:
Contact information: Name, job title, employer name, email address, phone number, and mailing address.
Account and engagement information: Information provided in connection with an SOW, service agreement, or proposal request, including payment information, billing contact details, and authorized user credentials.
Communications: Records and content of emails, contact form submissions, phone calls, video conferences, and other correspondence with us.
Event and marketing information: Registration details for webinars, conferences, workshops, or other events we host or sponsor, and marketing preferences.
Feedback and surveys: Responses to client satisfaction surveys, testimonials (with consent), and other feedback you provide.
2.2 Information Collected Automatically
When you visit our Site, we may automatically collect certain technical information, including:
Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution.
Usage data: Pages visited, time spent on pages, referring URL, click patterns, and other interaction data.
Cookies and similar technologies: Information collected through cookies, pixel tags, web beacons, and similar technologies.
2.3 Information from Third Parties
We may receive personal information from third-party sources, including:
Business partners and referral sources: Contact information shared by mutual business contacts or referral partners.
Publicly available sources: Professional information from LinkedIn, corporate websites, industry directories, and public filings.
Service providers: Analytics and marketing platform providers that assist us in understanding Site usage and reaching prospective clients.
2.4 Client Engagement Data
In the course of performing our consulting Services, clients may grant us access to their systems, networks, documents, or datasets that contain personal information about the client's own employees, customers, or other individuals. Section 7 below addresses our role and obligations with respect to such data.
3. How We Use Personal Information
We use personal information for the following business purposes:
Service delivery: To provide, manage, and improve our consulting Services, including communicating with client personnel, scheduling engagements, and delivering reports and recommendations.
Business development: To respond to inquiries, prepare proposals, manage our sales pipeline, and evaluate prospective client relationships.
Billing and administration: To process invoices, collect payments, maintain records, and manage our contractual relationships.
Marketing and communications: To send newsletters, industry updates, event invitations, and other marketing communications to business contacts who have opted in or with whom we have an existing business relationship. You may opt out at any time as described in Section 6.
Site operation and improvement: To operate, maintain, and improve our Site, analyze usage trends, and personalize your experience.
Security and fraud prevention: To protect our Site, systems, and business operations from unauthorized access, misuse, or other security threats.
Legal and compliance: To comply with applicable laws and regulations, respond to legal process, enforce our Terms of Service, and protect our rights and the rights of others.
4. How We Share Personal Information
We do not sell personal information. We share personal information only in the following circumstances:
Service providers: We share information with third-party vendors who perform services on our behalf, such as cloud hosting providers, email and communication platforms, CRM systems, payment processors, and analytics providers. These providers are contractually obligated to use personal information only as necessary to provide services to us and to maintain appropriate security measures.
Professional advisors: We may share information with our legal counsel, accountants, auditors, and insurers as necessary for the management of our business.
Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the successor entity, subject to applicable law.
Legal obligations: We may disclose personal information when required by law, regulation, court order, subpoena, or other legal process, or when we reasonably believe disclosure is necessary to protect our rights, the safety of any person, or the integrity of our operations.
With consent: We may share personal information with other third parties when you or your organization have given us explicit consent to do so.
5. Legal Bases for Processing (International Operations)
Where required by applicable law (including the GDPR), we process personal information on the following legal bases:
Contractual necessity: Processing necessary for the performance of a contract with you or your organization, or to take steps at your request prior to entering into a contract.
Legitimate interests: Processing necessary for our legitimate business interests, including marketing to business contacts, improving our Services, and maintaining the security of our systems, where such interests are not overridden by your rights and freedoms.
Legal obligation: Processing necessary to comply with a legal obligation to which we are subject.
Consent: Where you have provided your consent to a specific processing activity. You may withdraw consent at any time by contacting us using the details in Section 12.
6. Your Rights and Choices
6.1 Rights Under Applicable Law
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
Access: The right to request confirmation of whether we process your personal information and to obtain a copy of such information.
Correction: The right to request correction of inaccurate or incomplete personal information.
Deletion: The right to request deletion of your personal information, subject to certain legal exceptions.
Portability: The right to receive your personal information in a structured, commonly used, machine-readable format.
Restriction: The right to request that we restrict processing of your personal information under certain circumstances.
Objection: The right to object to processing of your personal information based on legitimate interests or for direct marketing purposes.
Withdrawal of consent: Where processing is based on consent, the right to withdraw that consent at any time.
Non-discrimination: We will not discriminate against you for exercising any of your privacy rights.
6.2 U.S. State Privacy Rights
Residents of states with comprehensive privacy legislation (including California, Colorado, Connecticut, Virginia, and other states with applicable laws) may have additional rights under those laws, including the right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under these laws) and the right to appeal a denial of a privacy request.
6.3 Marketing Opt-Out
You may opt out of receiving marketing communications from us at any time by: (a) clicking the "unsubscribe" link in any marketing email; (b) emailing us at privacy@theatollgroup.com; or (c) contacting us using the information in Section 12. Opting out of marketing communications will not affect transactional or service-related communications.
6.4 Exercising Your Rights
To exercise any of the rights described above, please submit a request to privacy@theatollgroup.com or use the contact details in Section 12. We will verify your identity before processing your request and respond within the timeframe required by applicable law.
7. Client Data and Data Processing
7.1 Role Distinction
When The Atoll Group processes personal information as part of performing consulting Services for a client (for example, during security assessments, privacy audits, or risk evaluations that involve access to client systems or datasets), we act as a service provider / processor on behalf of the client. The client remains the business / controller of that personal information.
7.2 Processing Limitations
Personal information accessed or processed during a client engagement is handled strictly in accordance with the client's instructions, the applicable Statement of Work, and any Data Processing Agreement ("DPA") executed between The Atoll Group and the client. We do not use client engagement data for our own independent purposes, and we do not sell, share, or disclose it except as directed by the client or as required by law.
7.3 Data Processing Agreements
Where required by applicable law or requested by a client, we will execute a DPA that sets forth the parties' respective obligations regarding the processing of personal data, including the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, and the categories of data subjects.
7.4 Sub-processors
We may engage sub-processors to assist in providing the Services. A current list of sub-processors is available upon request. We will notify clients of any material changes to our sub-processor list in accordance with the terms of the applicable DPA.
8. Data Security
We maintain administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, or destruction. These measures include, but are not limited to:
Encryption of personal information in transit and at rest.
Access controls and authentication requirements.
Regular security assessments and vulnerability testing.
Employee training on data protection and information security.
Incident response procedures for the detection, investigation, and notification of security incidents.
While we take reasonable steps to protect personal information, no system is completely secure. We cannot guarantee the absolute security of your information.
9. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law. Factors we consider in determining retention periods include:
The duration of our business relationship with you or your organization.
Applicable legal, regulatory, and contractual retention obligations.
Statutes of limitations for potential claims.
Ongoing legitimate business needs (such as maintaining records of past engagements for conflict-checking purposes).
When personal information is no longer needed, we will securely delete or de-identify it in accordance with our data retention policies.
10. International Data Transfers
The Atoll Group is headquartered in the United States. If you are located outside the United States, your personal information may be transferred to and processed in the United States or other countries where our service providers operate.
Where required by applicable law, we implement appropriate safeguards for international transfers of personal information, including:
Standard Contractual Clauses approved by the European Commission.
Equivalent transfer mechanisms recognized under applicable data protection laws.
Binding contractual obligations on recipients to protect transferred data.
For more information about the safeguards we use, please contact us using the details in Section 12.
11. Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us at:
The Atoll Group LLC Attn: Privacy Inquiries [Address] [City, State ZIP] Email: privacy@theatollgroup.com Phone: [Phone Number]
For individuals in the European Economic Area, the United Kingdom, or Switzerland who are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, provide additional notice (such as a prominent notice on our Site or an email notification to our business contacts).
We encourage you to review this Privacy Policy periodically. Your continued engagement with our Services or use of our Site after any updates constitutes acceptance of the revised Privacy Policy.