Privacy Regulations FAQs

Frequently Asked Questions regarding privacy regulations including EU GDPR, UK GDPR, CCPA, etc.

Written by Kailey Buxbaum
Updated over 2 weeks ago

Does the EU GDPR apply to RapidRatings?

When RapidRatings provides services to its clients, the contracting party is its U.S.-based entity.

Under Article 3 of the EU General Data Protection Regulation (GDPR), an organization falls within the regulation’s territorial scope if it:

  • Is established in the European Economic Area (EEA),

  • Offers goods or services to individuals in the EEA, or

  • Monitors the behavior of individuals in the EEA.

RapidRatings is not established in the EEA, and it does not offer services to or monitor individuals in the EEA. Our services are strictly business-to-business (B2B) and not directed at natural persons. Therefore, RapidRatings is not directly subject to the EU GDPR.

If a RapidRatings client is also not subject to the EU GDPR, GDPR-specific data processing terms are not required in the applicable data processing agreement.

However, if a client is subject to the EU GDPR, RapidRatings will comply with the regulation to the extent required under the relevant data processing agreement, including Article 28(3) contractual provisions.

RapidRatings maintains data privacy and protection standards aligned with the EU GDPR, and can meet relevant obligations, including the use of European Commission Standard Contractual Clauses (SCCs) for cross-border data transfers:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

RapidRatings does have an affiliate entity located in Europe that is subject to the GDPR due to its establishment. However, this entity does not contract with clients.


Does the UK GDPR apply to RapidRatings?

When RapidRatings provides services to its clients, the contracting party is its U.S.-based entity.

Under Article 3 of the UK General Data Protection Regulation (UK GDPR), an organization falls within the regulation’s territorial scope if it:

  • Is established in the United Kingdom (UK),

  • Offers goods or services to individuals in the UK, or

  • Monitors the behavior of individuals in the UK.

RapidRatings is not established in the UK, and it does not offer services to or monitor individuals in the UK. As a B2B service provider, RapidRatings is not directly subject to the UK GDPR.

If a RapidRatings client is also not subject to the UK GDPR, UK GDPR-specific data processing terms are not required in the applicable agreement.

However, if a client is subject to the UK GDPR, RapidRatings will comply with the regulation as outlined in the relevant data processing agreement, including Article 28(3) provisions.

RapidRatings adheres to UK GDPR-aligned privacy standards and can meet related obligations, including the use of the UK Information Commissioner’s Office (ICO) International Data Transfer Agreement (IDTA) and Addendum:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/


Is RapidRatings a Data Controller or Data Processor?

The terms “data controller” and “data processor” define roles and responsibilities under privacy laws such as the EU GDPR and UK GDPR.

  • A data controller determines the purposes and means of processing personal data.

  • A data processor processes personal data on behalf of the controller.

Each RapidRatings client is typically the data controller. Depending on the context, RapidRatings may act as:

  • A data processor (e.g., when processing contact information on behalf of a client),

  • A data controller, or

  • Both, in different capacities.

For example, when a client shares third-party contact information with RapidRatings to facilitate outreach, RapidRatings acts as a data processor. This applies when the client is simply introducing RapidRatings to a third party for engagement.

Once contact is established, a separate relationship may form between RapidRatings and the third party. In this case, RapidRatings may act as a data processor for the third party, independent of the original client relationship. The third party may also choose to share additional personal data with RapidRatings for its own purposes.


Does the CCPA apply to RapidRatings?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2023, applies to for-profit entities that “do business” in California and meet certain thresholds. While the law does not define “doing business,” the California Attorney General interprets it broadly to include organizations that:

  • Engage in transactions with California residents for financial benefit

  • Employ or contract with California residents

  • Pay California state taxes

An organization that meets the above and also collects personal information from California consumers is subject to the CCPA if it satisfies any of the following:

  • Has annual gross revenues over $25 million

  • Buys, sells, or shares personal information of 100,000+ California consumers, households, or devices

  • Derives 50% or more of annual revenue from selling or sharing personal information

RapidRatings does not meet these criteria. We provide services exclusively to corporate entities (i.e., B2B) and do not offer services to California consumers. Therefore, RapidRatings is not directly subject to the CCPA.

If a RapidRatings client is also not subject to the CCPA, no CCPA-specific contractual terms are required in the data processing agreement. However, if a client is subject to the CCPA, RapidRatings will comply with applicable CCPA provisions as outlined in the relevant agreement, including California Civil Code Sections 1798.100(d) and 1798.140(ag).


Does the CCPA use the terms “data controller” and “data processor”?

No. The CCPA uses the terms “business” and “service provider,” which are similar but not identical to the GDPR’s “data controller” and “data processor.”

RapidRatings does not identify as a “business” under the CCPA. However, when a client qualifies as a “business” and engages RapidRatings to process personal information on its behalf, RapidRatings may be considered a “service provider.”

To qualify as a service provider under the CCPA, a vendor must:

  • Process personal information on behalf of a business, and

  • Be bound by a written contract that prohibits the use, retention, or disclosure of personal information for any purpose other than performing the contracted services

If a contract allows the vendor to retain personal information beyond termination, use it for its own purposes, or make decisions about its disclosure, the vendor does not qualify as a service provider under the CCPA.


Does RapidRatings “sell” personal information under the CCPA?

No. RapidRatings does not sell personal information as defined by the CCPA. We do not rent, disclose, release, transfer, or otherwise communicate personal information to third parties for monetary or other valuable consideration.

We may share aggregated or anonymized data, which is not considered personal information under the CCPA, for research, service improvement, or benchmarking purposes, as permitted under our client agreements.


Does RapidRatings collect data from children?

No. RapidRatings’ services and website are not intended for individuals under the age of 16, and we do not knowingly collect personal information from children. As such, RapidRatings is not subject to the U.S. Children’s Online Privacy Protection Act (COPPA).
