1. Introduction

Rapid Momentum Consulting (“RAMC,” “we,” “us,” or “our”) is an institutional assurance practice with permanent operations in nine countries: India, the United States, Canada, the United Arab Emirates, the Kingdom of Saudi Arabia, the United Kingdom, Germany, Singapore, and Australia. Our registered office for the purposes of this Policy is 10 Brady Road Ext, Westborough, MA 01581-1705, United States.

This Privacy Policy explains how we collect, use, share, retain, and protect personal information of visitors to theramc.com (the “Site”), recipients of our communications, and prospects and clients with whom we engage in the ordinary course of professional services.

We comply with the data-protection regimes of each jurisdiction in which we operate, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”); the UK GDPR and Data Protection Act 2018; India's Digital Personal Data Protection Act, 2023 (“DPDP Act”); the California Consumer Privacy Act as amended by the CPRA; Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021); Saudi Arabia's Personal Data Protection Law; Singapore's Personal Data Protection Act 2012; and Australia's Privacy Act 1988.

2. Information we collect

Information you provide directly. When you complete a form on the Site — including newsletter signups, resource downloads, self-assessment completions, contact enquiries, or discovery-call bookings — we collect the information you submit. This typically includes name, business email address, organisation, role or title, country of operation, and the specific service area or resource of interest.

Information collected automatically. When you visit the Site, we automatically collect technical information including your IP address (truncated for analytics purposes in EU/UK), browser type and version, device type and operating system, referring URL, pages visited, time spent on pages, and approximate geolocation derived from IP address.

Information from cookies and similar technologies. We use cookies, web beacons, and similar tracking technologies as described in our Cookie Policy.

Engagement information. In the course of providing professional services, we may collect additional information from clients and prospects necessary for the engagement — including organisational information, financial data within engagement scope, and personal information of client personnel involved in the engagement. Such information is governed by the specific engagement letter and any applicable Data Processing Addendum.

3. Legal bases for processing

For personal information subject to GDPR, UK GDPR, or equivalent regimes, we process personal information on the following legal bases (GDPR Article 6 / India DPDP Section 4):

  • Consent — where you have explicitly consented to processing for a specific purpose (such as newsletter subscription or marketing communications). You may withdraw consent at any time.
  • Contract — where processing is necessary for the performance of a professional services engagement or to take steps at your request prior to entering into one.
  • Legitimate interests — where processing is necessary for our legitimate business interests, including operating the Site, responding to enquiries, improving our services, and conducting marketing to existing business relationships, balanced against your rights and freedoms.
  • Legal obligation — where processing is required by law, including responding to lawful requests from regulatory or government authorities.

4. How we use information

We use the information we collect to operate, maintain, and improve the Site; respond to enquiries and provide requested resources; deliver self-assessment results and follow-up communications; send newsletters and marketing communications to subscribers who have opted in; coordinate discovery calls and scope professional engagements; analyse Site usage to improve content and user experience; protect against fraud, abuse, and security threats; and comply with legal obligations.

5. How we share information

We do not sell, rent, or trade personal information. We share personal information only in the limited circumstances described below:

Third-party service providers. We engage carefully selected third parties to provide infrastructure and services that support our operations. These providers process personal information on our behalf under contractual data-processing agreements and only for the purposes we specify. Our current third-party processors are:

  • Microsoft Corporation— Microsoft 365 productivity suite (email, document storage, Microsoft Lists, SharePoint) under the Microsoft Online Services Data Protection Addendum. Processing locations: per the Microsoft regional data residency configuration applicable to RAMC's tenant.
  • Vercel Inc.— Site hosting and serverless function execution. Data subject to Vercel's Data Processing Addendum. Processing locations: global edge network with EU/US regional configuration.
  • Google LLC — Google Analytics 4 for Site analytics, with IP anonymisation enabled for EU/UK visitors; no advertising features active.
  • Microsoft Corporation — Microsoft Clarity for user-experience analytics; configured to mask personal information in session recordings.
  • LinkedIn Corporation — LinkedIn Insight Tag for conversion measurement on outbound marketing campaigns (when active).

Professional and regulatory disclosures. We may disclose information where required by law, regulation, court order, or governmental authority, or where necessary to protect our rights, the rights of clients, or to comply with our professional obligations.

Business transactions. If RAMC is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to the protections of this Policy or a successor policy of equivalent standard.

6. International data transfers

Because RAMC operates across nine jurisdictions, personal information may be transferred across borders in the course of our operations. Where personal information of EU, UK, or other regulated-jurisdiction data subjects is transferred to jurisdictions without an adequacy decision, we rely on Standard Contractual Clauses (EU SCCs 2021), the UK International Data Transfer Addendum, or equivalent transfer mechanisms as appropriate to the receiving jurisdiction.

Transfers to and from India occur in accordance with the DPDP Act's cross-border transfer provisions as in force from time to time. Transfers to and from the United States rely on Standard Contractual Clauses supplemented by transfer impact assessments where required.

7. Data retention

We retain personal information only as long as necessary for the purposes for which it was collected and to comply with legal, regulatory, and professional record-retention obligations.

  • Marketing and lead data (newsletter subscribers, resource download enquiries, self-assessment completions) — 36 months from last interaction, unless you withdraw consent or request deletion sooner.
  • Discovery-call and prospect data — 36 months from last interaction.
  • Engagement records (client engagement files, working papers, deliverables) — minimum 7 years from engagement close, in accordance with professional services record-retention norms; longer where required by regulation in the applicable jurisdiction.
  • Site analytics data — aggregated and pseudonymised after 14 months; identifiable session-level data retained no longer than 26 months in GA4.

8. Your rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • The right to access the personal information we hold about you
  • The right to request rectification of inaccurate or incomplete information
  • The right to request erasure of personal information in certain circumstances
  • The right to restrict or object to processing in certain circumstances
  • The right to data portability — to receive your personal information in a structured, commonly used format
  • The right to withdraw consent at any time where processing is based on consent
  • The right to lodge a complaint with a supervisory authority in your jurisdiction

EU/UK data subjects may complain to their national data protection authority. India DPDP Act data principals may approach the Data Protection Board of India. California residents have additional rights under the CCPA/CPRA including the right to opt out of the sale or sharing of personal information (RAMC does not sell or share personal information for cross-context behavioural advertising purposes).

To exercise any of these rights, contact privacy@theramc.com. We will respond within the timeframes required by the applicable regime (typically 30 days under GDPR; promptly under other regimes).

9. Cookies and tracking

See our separate Cookie Policy for detailed information about the cookies we use, the categories they fall into, and how you can control them.

10. Children's privacy

The Site is directed to business professionals and is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact privacy@theramc.com and we will delete the information.

11. Security

We maintain commercially reasonable technical and organisational security measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (TLS 1.2 minimum), encryption at rest in our M365 tenant, role-based access controls, least-privilege principles, and ISO/IEC 27001:2022 certification of our information security management system at the firm level.

No system is fully secure. We do not warrant absolute security, but we apply the standards our profession requires and that you would expect of a firm holding ISO 27001 certification.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal obligations, or business operations. The “Last updated” date at the top of this Policy indicates when it was most recently revised. Material changes will be communicated through a notice on the Site or, for subscribers, via email.

13. Contact us

For privacy questions, requests, or to exercise any rights under this Policy:

Email: privacy@theramc.com
General enquiries: enquire@theramc.com
Postal address: Privacy Office, Rapid Momentum Consulting, 10 Brady Road Ext, Westborough, MA 01581-1705, United States
Phone: +1 (508) 589-1881

For data subjects in the EU or UK, our representative for GDPR / UK GDPR Article 27 purposes can be contacted via privacy@theramc.com pending formal appointment per the EU/UK regulatory framework.