Privacy Policy

Effective January 2, 2026

Contents

  1. Introduction
  2. Contact Information
  3. Personal Data We Collect and Purposes for which it is Used
  4. How We Share Personal Data
  5. Transfers of Personal Data
  6. Criteria and Time Period for Retaining Personal Data
  7. Rights Available to You
  8. How We Store Personal Data
  9. Statistical Analysis and Aggregation of Usage Data
  10. Children
  11. Changes to this Privacy Policy

A) Introduction

Herrmann International Inc. provides services related to the Herrmann Brain Dominance Instrument® (HBDI®) and Whole Brain® Thinking with an international reach by itself and through its subsidiaries (hereinafter "HERRMANN", "we", "us" and "our"). This Privacy Policy is designed as a group-wide privacy notice for all HERRMANN entities. Under applicable privacy laws (including the EU General Data Protection Regulation – "GDPR"), a controller is the legal entity that determines the purposes and means of the processing of personal data. Parties involved in processing on behalf of a controller may be referred to as processors. Depending on the jurisdiction, the designations and associated obligations may differ.

For processing activities that relate to the operation of the HERRMANN Platform itself (in particular online hosting, user account management, assessments, evaluations and the online provision of reports) Herrmann International Inc. acts as the controller. Depending on your country, region or the specific field of activity, the HERRMANN entity listed below may additionally act as an independent controller for processing activities carried out for its own purposes (for example local marketing, sales and consulting services) or as a processor on behalf of a HERRMANN entity. Where another HERRMANN entity designates itself as the controller for a specific interaction with you, this will be communicated to you at the relevant point in time.

The contact information of the HERRMANN entity of a country, region or field of activity can be found in the table below.

Main subsidiary of a country, region or field of activity Country or field of activity Contact details
Herrmann International Inc. United States of America
HERRMANN Platform: Worldwide
Thinkherrmann.com Website		 Herrmann International Inc.
1639 College Avenue, Suite 150
Spindale, NC 28160
United States of America
+1-800-432-4234
privacy@thinkherrmann.com
Herrmann International Ltd. United Kingdom Herrmann International Ltd.
10 John Street
London WC1N 2EB
United Kingdom
+1-800-432-4234
privacy@thinkherrmann.com
Herrmann South Africa South Africa Herrmann South Africa
Suite 401 Waterkloof Gardens
270 Main Street
Brooklyn
Pretoria 0181
South Africa
+1-800-432-4234
privacy@thinkherrmann.com
Herrmann International Deutschland GmbH & Co. KG DACH (Germany, Austria and Switzerland) Pöltnerstr. 25
D-82362 Weilheim
Germany
+49 881 9249 56
privacy@thinkherrmann.com
Herrmann International EMEA B.V. EMEA without DACH, The Netherlands Herrmann International EMEA B.V.
Keizersgracht 555
Amsterdam 1017DR
Netherlands
+1-800-432-4234
privacy@thinkherrmann.com

This Privacy Policy applies to i) all users of Internet websites published by HERRMANN, ii) all users of HERRMANN products and services, and iii) other individuals whose personal data (as described below) is collected or processed by HERRMANN. Where you access the HERRMANN Platform in a professional context (for example because your employer or another organization has procured access for you), you remain our direct contractual partner and user of the Platform. You may continue to use your user account when you change or leave your employer. You decide which individuals or organizations may access your assessment results or other data. You can control access for individuals via the settings in the Platform. You can control access for organizations, such as your employer, by clicking this link.

All such individuals are referred to in this Privacy Policy as "you" and "your."

In this Privacy Policy we describe the types of personal data we may collect from you and how we collect, use, share, disclose and store it. We also explain your choices regarding our use and processing of your personal data.

As used in this policy, "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and "CPPA" means the California Consumer Privacy Act.

B) Contact Information

Headquarters

For processing related to the operation of the HERRMANN Platform (including user accounts, assessments and reports), Herrmann International Inc. will control the use of your personal data. For processing related to local marketing, sales and consulting services, the relevant HERRMANN entity identified in section A) Introduction may act as an independent controller or, where it only processes personal data on documented instructions from Herrmann International Inc., as a processor. You may contact HERRMANN regarding any questions or requests you may have using the contact information set out in section A) Introduction.

Data Protection Officer

You may contact the Data Protection Officer of HERRMANN under the following address: privacy@thinkherrmann.com

EU Representative

Our representative in the European Union within the meaning of Article 27 GDPR for processing activities where Herrmann International Inc. is the controller and has no establishment in the EU/EEA is:

Herrmann International
Bracken Road No 51, Carlisle Offices
D18 CV48
Dublin, Ireland
infosec@thinkherrmann.com

C) Personal Data We Collect and Purposes for which it is Used

Information necessary to communicate with you

To facilitate communications with you, we may collect and process your contact information including (but not limited to) your name, your employer's name, your work address (including your country location), department, job title and email address. We may also collect and process your personal email address, a personal mailing address, and mobile phone number.

We may process your contact information to transact business with you and your company and to deliver products and services to you. We may also use this information to help us understand our customers' needs and interests to better tailor our products and services to meet your needs.

Our legal bases under the GDPR for processing this data include:

  • The processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • The processing is necessary for legitimate interests we pursue in efficiently operating our business, understanding our customers' needs, and providing products and services that are tailored to their requirements (GDPR Article 6, section 1 (f)).
  • For processing optional contact data we may process the data in accordance with your consent (GDPR Article 6, Section 1(a)).

Information necessary to access products and services

Account information

If you choose to create an account to access our online products and services, we will collect and process, in addition to the contact information described above, a login name and password chosen by you. Your account will store and provide you with information regarding assessments you have taken, your assessment results, activities in which you have participated, and similar information associated with services you obtain from us.

Our legal bases under the GDPR for processing this data include:

  • the processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • the processing is necessary for legitimate interests we pursue in efficiently operating our business, understanding our customers' needs, and providing products and services that are tailored to their requirements (GDPR Article 6, Section 1(f)).

Responses to assessment questions

If you choose to participate in an assessment, we will first obtain your consent to process your personal data, including contact information, assessment responses, and resulting profiles and reports as reasonably necessary to conduct the assessment and provide results to you. Optional demographic and research information may also be requested. We use assessment data to create and deliver reports, such as the HBDI® individual profile reports, team reports and other reports. The HERRMANN Platform allows you to decide, via granular sharing settings, whether and to which other persons or organizations (for example your current employer, a certified practitioner or other users) your assessment results and related reports are disclosed. Unless we explicitly inform you otherwise, such disclosures are based on your consent and on your active choices within the HERRMANN Platform. You may withdraw or change these sharing settings at any time with effect for the future; this does not affect the lawfulness of processing carried out before the change. Where we disclose your assessment results to third parties selected by you, these third parties will generally act as independent controllers for their subsequent use of the data.

  • Your consent will establish a legal basis for such processing in accordance with GDPR Article 6, Section 1(a). Prior to your taking an assessment, the consent document will provide you with specific information regarding how your data will be processed and with whom it will be shared. You may withdraw your consent or request deletion at any time by clicking this link to complete the request form. It is not necessary to state reasons on the form.

Processing payments

To enable purchases of products and services, we collect data necessary to process payments. Such information may include a credit card number and the associated security code if that is your chosen method of payment.

Our legal bases under the GDPR for processing this data include:

  • The processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b))

Information we use to provide you with information about our products and services

To provide you with information regarding our products and services, we may collect your first and last names, telephone number, address, and email address.

Our legal bases under the GDPR for processing this data include:

  • Your consent will establish a legal basis for such processing in accordance with (GDPR Article 6, Section 1(a)). Your consent will normally be established by your clicking a box indicating such consent. You may withdraw your consent at any time by clicking this link to complete the deletion request form.

Information processed via cookies

Our websites and services use "cookies." Cookies are small text files that a website transfers to your computer's local storage. We may use cookies to measure traffic patterns, personalize content, control security and help us make our websites more useful. The cookies we use may identify your OS version, your browser and your Internet specifications. You may choose to accept, reject or be notified when a site sets a cookie by configuring your browser preferences. For more information and options regarding cookies, you may view our Cookie Policy.

  • Our legal bases under the GDPR and relating EU and EU member state legislation for processing cookie data include: Storage of or access to information on your device is based on your consent in accordance with Article 5(3) of Directive 2002/58/EC (in Germany, for example in accordance with section 25(1) TDDDG), or, insofar as this is strictly necessary in accordance with Article 5(3) of Directive 2002/58/EC (in Germany in accordance with section 25(2) TDDDG) in order to provide you with a service expressly requested by you, without your consent; the subsequent processing is based on the GDPR in accordance with the purposes described in this statement. We only use non-essential cookies (including analytics and marketing cookies) on the basis of your prior consent in accordance with Article 6(1)(a) GDPR.

Information automatically collected and stored in log files

Our websites may automatically gather and store certain information in log files, including IP Address, browser type, Internet service provider, referring/exiting pages, operating system, date/time stamp and clickstream data.

Our legal basis under the GDPR for processing log file data includes our legitimate interest in providing the technically error-free, secure and optimized delivery of our services in accordance with (GDPR Article 6, Section 1(f)).

Other Information and Purposes

We also use personal data, to the extent necessary to:

  • protect against and prevent fraud, legal claims, and liabilities; and to manage associated risk exposure;
  • respond to your inquiries and requests;
  • process and manage opt-out or unsubscribe requests;
  • comply with applicable laws, regulations, codes, and industry standards and practices;
  • respond to subpoenas or to orders of a court or government agency; and
  • establish, exercise, or defend legal claims, including, without limitation, to protect our rights and/or property.

Our legal bases under the GDPR for processing this data include:

  • the processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • the processing is necessary for the compliance with a legal obligation to which we are subject according to Union law or Member state law (GDPR Article 6, Section 1(c)); or
  • the processing is necessary for legitimate interests we pursue in efficiently operating our business, understanding our customers' needs, and providing products and secure services that are tailored to their requirements (GDPR Article 6, Section 1(f)).

In some cases, our apps may permit you to enter, sync, store and process third party personal data, which will not be accessible to us. If you choose to use such app functionality, you are responsible for processing the personal data you enter, sync, store and process in conformance with all applicable data processing and privacy laws and regulations and you might be required to gain consent of the data subject in advance of entering such third party personal data.

CCPA Information
CCPA Category Personal Data Processed by Herrmann Collected in Last 12 Months Sold in Last 12 Months Disclosed* for Business Purposes in Last 12 Months
Identifiers Contact information Yes No Yes
Account information Yes No Yes
Payment information Yes No Yes
Commercial information Contact information Yes No Yes
Payment information Yes No Yes
Internet or other electronic network activity Cookies Yes No Yes
Logs Yes No No
Professional or employment information Contact information Yes No Yes
Inferences drawn from any of the above Assessment results Yes No Yes
Uncategorized Assessment responses Yes No No

D) How We Share Personal Data

Your personal data will be accessible by our employees who require access in order to fulfill your requests and orders and to further our business interests as described above.

We may share your personal data with other HERRMANN entities and with selected licensees, distributors, resellers and contracted service providers where this is necessary to provide our products and services to you, including for customer support, technical operations, account management and, where applicable, marketing communications in accordance with applicable law. Such recipients process personal data either on our behalf and in accordance with our instructions or, where they act as independent controllers, only for the purposes described in this Privacy Policy. Access is restricted to persons who need the data for their respective tasks (need-to-know principle) and, where required by law, is governed by appropriate agreements such as intra-group agreements, data processing agreements or joint controller arrangements.

We do not sell, rent or trade any personal data and we do not disclose personal data to third parties for any purposes unrelated to our own business as described in this Privacy Policy.

Contractors and service providers that process personal data on our behalf must sign contracts with us that conform to the requirements of GDPR Article 28, Section 3 and other applicable laws.

Examples of data processing services that may be performed by contractors on our behalf include:

  • hosting our websites and services;
  • hosting our email server;
  • processing your orders and payments;
  • maintaining, enhancing, or adding to the functionality of our websites;
  • collecting web analytics data; and
  • performing other administrative services.

Other parties with whom we may share personal data include:

  • governmental authorities pursuant to applicable laws or court process, or as we reasonably deem necessary to prevent harm, financial loss, fraud or illegal activity;
  • the successor in interest to all or a portion of our business or assets; provided that should such a transfer occur, we will require such successor to agree in writing to use, protect, and maintain the security, integrity, and confidentiality of the transferred personal data in accordance with our Privacy Policy; and
  • others pursuant to consent obtained from you.

If you participate in taking the HBDI® thinking preference assessment or other assessments offered by us, we may, depending on your choices within the Herrmann Platform and/or for the specific product, share your contact information, assessment responses, and assessment results with certified practitioners who have been accredited by Herrmann to administer assessments and interpret assessment results and reports. We may also share such data with persons directly assisting certified practitioners. Before receiving your data, all persons described in this paragraph must have: (i) agreed to protect the data and to use it only for the purposes described in this paragraph, and (ii) been determined by us to have a legitimate need to access assessment data in order to facilitate, administer or coordinate assessments.

E) Transfers of Personal Data

Your Personal Data may be collected, transferred to and stored by us in the United States in compliance with the EU-US/Swiss-US/UK-US Data Privacy Framework as stated in "H) How We Store Your Data" below. Depending on from where you use our services from further countries may apply which may not be subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the EEA. We ensure that the recipient of your Personal Data offers an adequate level of protection and security, for example by entering into standard contractual clauses or an alternative mechanism for the transfer of data as approved by the European Commission (GDPR Article 46) or other applicable regulator.

In other cases, we will seek your prior consent before transferring your personal data to countries not determined to ensure an adequate level of data protection within the meaning of the applicable data protection laws and regulations if other legal derogations according to Article 49 of the GDPR do not apply.

F) Criteria and Time Period for Retaining Personal Data

We retain personal data for as long as necessary to fulfil the purposes for which they were collected, in particular for the duration of the contractual relationship with you.

Where applicable, personal data may be retained beyond this period to the extent necessary to comply with statutory retention obligations or to establish, exercise or defend legal claims, including the conduct of audits and the enforcement of agreements.

If your employer or another organization has paid for your assessment(s) and account access, we may delete your personal data upon instruction by that organization, provided that no statutory retention obligations or overriding legal requirements prevent such deletion.

Personal data are deleted without undue delay once they are no longer necessary for the above purposes, taking into account applicable statutory retention requirements.

G) Rights Available to You

Persons whose personal data is governed by the GDPR, the CCPA and other laws have several rights related to the processing of their data which are explained below. We extend these rights to everyone whose personal data we process.

In cases where you have given us your consent to collect and use your personal data, you have the right to withdraw that consent at any time (without affecting the lawfulness of processing based on your consent before its withdrawal).

You may direct such requests by clicking this link or to:

Herrmann International, Inc.
1639 College Avenue Suite 150
Spindale, NC 28160
United States
+1-800-432-4234
privacy@thinkherrmann.com

The following rights are also available to you:

  • The right to request access to personal data (GDPR Article 15; CPPA 1798.110(a)) — You have the right to obtain confirmation from us regarding whether we process personal data about you, and, where that is the case, access to the personal data and certain information about how and why we process your personal data, including:
    • the categories of personal information we have collected about you;
    • the categories of sources from which the personal information is collected;
    • the business or commercial purpose for collecting or selling personal information;
    • the categories of third parties with whom we share personal information; and
    • the specific pieces of personal information we have collected about you.
  • The right to rectification of personal data (GDPR Article 16) — You have the right to rectification and/or completion if the personal data concerning you is incorrect or incomplete.
  • The right to be forgotten/right to erasure (GDPR Article 17; CPPA 1798.105) — You have the right to obtain the erasure of your personal data where one of the following grounds applies:
    • your personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed;
    • you withdraw your previously given consent and we have no other legal ground for the processing;
    • your personal data have been unlawfully processed;
    • your personal data must be erased for compliance with a legal obligation; or
    • based only on your request for any reason or no reason, unless an exception under CCPA 1798.105(d) applies.
  • The right to restrict processing of your personal data (GDPR Article 18) — You have the right to restrict processing of your data under the following conditions:
    • the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
    • your personal data have been unlawfully processed and you request the restriction of processing instead of deletion;
    • we no longer need the personal data for the purpose of the processing, but the personal data is required by you for the establishment, exercise or defense of legal claims; or
    • you have objected to processing pursuant to GDPR Article 21, Section 1 and it has not been determined whether the legitimate grounds of us override those of you.
  • The right to object to processing of your personal data (GDPR Article 21) — You have the right to object to our processing of your personal data based on legitimate interests (GDPR Article 6, Section 1(f)), for the performance of a task carried out in the public interest (GDPR Article 6, Section 1(e)) or for direct marketing purposes.
  • The right to data portability (GDPR Article 20) — You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, as far as:
    • the processing is based on consent or on a contract pursuant to GDPR Article 6, Section 1(b); or
    • the processing is carried out by automated means.
  • The right to lodge a complaint with a supervisory authority — You have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

Your exercise of the foregoing rights is subject to our verification that you are the person to whom the information pertains and other requirements of the applicable laws.

We will provide the information described above free of charge, but if requests from you are unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify you of the reason for refusing the request.

You are not required to provide us with any personal data we may request. However, if the requested information is necessary for us to provide any product, service or information requested by you, we will be unable to fulfill your request.

H) How We Store Personal Data

Personal data is stored on servers and systems that are owned by us or by contractors engaged by us under written agreements which comply with GDPR Article 28, Section 3 and this Privacy Policy. We maintain appropriate technical, administrative and physical safeguards to protect personal data received or collected by us. We review, monitor and evaluate our privacy practices and protection systems on a regular basis.

Transmission of personal data is protected by SSL encryption when it is exchanged between your web browser and Herrmann. We also provide secure https access to the htms.hbdi.com website and to axon.herrmannsolutions.net. Axon is hosted on virtualized servers in an industry leading cloud computing environment. All infrastructure is protected by a virtual private cloud, and access to that infrastructure by administrators is controlled via zero trust security web portal which requires two factor authentication. Key information security certifications including ISO/IEC 27001 and ISAE 3402 are enabled. Notwithstanding the foregoing measures, transmissions over the Internet or a mobile network are not 100% secure and we do not guarantee the security of transmissions. While we take appropriate measures to protect personal data, users are responsible for ensuring that the information they provide is accurate and complete.

Herrmann International, Inc., which includes our covered U.S. entity Herrmann Global, LLC, complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Herrmann International, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Herrmann International, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, Herrmann International, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the DPF Program, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the DPF, should direct their query to privacy@thinkherrmann.com. You may withdraw your consent or request deletion at any time by clicking this link to complete the deletion request form.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@thinkherrmann.com.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Herrmann International, Inc.'s accountability for personal data that it receives in the United States under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Herrmann International, Inc. remains responsible and liable under the DPF Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the DPF Principles, unless Herrmann International, Inc. proves that it is not responsible for the event giving rise to the damage.

In compliance with the DPF, Herrmann International, Inc. commits to resolve DPF Principles-related complaints about your privacy and our collection or use of your personal information. European Union, United Kingdom, and Swiss individuals with inquiries or complaints regarding our handling of personal data in reliance on the DPF should first contact Herrmann International, Inc. at:

Herrmann International, Inc.
1639 College Avenue Suite 150
Spindale, NC 28160
United States
+1-800-432-4234
privacy@thinkherrmann.com

Herrmann International, Inc. has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction for more information on this process.

I) Statistical Analysis and Aggregation of Usage Data

We process usage and interaction data for the purpose of anonymizing such data on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interests consist in the statistical analysis of service usage, the improvement of our products and services and the generation of aggregated analytical insights.

The anonymization process is carried out using appropriate technical and organizational measures and is designed to significantly reduce the likelihood that individual users can be identified by us or by third parties, taking into account the state of the art and reasonably available means.

Following anonymization, the data are used in aggregated form for statistical analyses, internal evaluations and the further development of our business activities. In this context, no personal data are disclosed to third parties.

You have the right to object to processing based on legitimate interests at any time pursuant to Art. 21 GDPR. For more information, please refer to Section G).

J) Children

We do not knowingly market our products or services to, and do not solicit or collect information from, anyone under the age of 18. We may ask users for their age to ensure that we are not collecting information from anyone under age 18 or to identify when additional steps may be necessary in connection with information collected from persons as required by the jurisdiction in which they reside. If we learn that we have collected personal data from anyone under age 18, we will delete that information as quickly as possible. If you believe that we might have any personal data from or about anyone under 18, please contact us at: privacy@thinkherrmann.com.

K) Changes to this Privacy Policy

This policy may be amended from time to time, consistent with the requirements of any applicable laws. We will post the revised version on our website and update the "Effective" date above to reflect the date of the changes.