Privacy Policy – General

Last revised: March 4, 2020


The Hackett Group, Inc. (NASDAQ: HCKT) is a global intellectual property-based strategic consultancy and leading enterprise benchmarking and best practices implementation firm to global companies, offering digital transformation and enterprise application approaches, including robot process automation and cloud computing. Services include business, transformation, enterprise performance management, working capital management, GBS certifications and global business services. The Hackett Group also provides dedicated expertise in business strategy, operations, finance, human capital management, strategic sourcing, procurement and information technology, including its award-winning Oracle and SAP practices.

The Hackett Group is committed to protecting and respecting your privacy. Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements (“Applicable Data Protection Laws”). In most cases this will be the law of the country in which you are located.

This privacy policy (this “Policy“) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us when you visit (our “Site”), or agree to receive our Services, or enroll on one of our Learning Programs, and is issued on behalf of The Hackett Group. It is important that you read this Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Policy supplements these other notices and is not intended to override them.

Your Data Controller

The Hackett Group is made up of different legal entities comprising our parent company and its subsidiaries, details of which can be found here (collectively “The Hackett Group”). When we mention “Hackett“, “we”, “us” or “our” in this Policy, we are referring to the relevant company in The Hackett Group responsible for processing your data, and which acts as your Data Controller.

In general, we may act as a Data Controller in the following circumstances:

  1. in respect of the Learning Programs we provide to our students (“Learning Programs”)
  2. where we process orders or requests for information for our goods and services (“Services”) and carry out related business activities such as contract management, supply chain management and customer relationship management; administration of our business systems and databases; and
  3. where we organise seminars, training courses and marketing activities, or invite you to participate in studies or other market intelligence activities.

Unless we notify you otherwise:

  • The Hackett Group Limited, a company incorporated in England and Wales with registered number 01341295 whose registered office is at Cannon Green, 27 Bush Lane, London, EC4R 0AN and The Hackett Group, Inc., a Florida corporation in the United States of America are the principal Data Controllers of personal data we receive from students in relation to The Hackett Institute, which includes the CGBSP, CEAP, WCE and RPA programs as defined in the Terms of Use for The Hackett Institute located at
  • The Hackett Group, Inc. is responsible for the Site and is the principal Data Controller of personal data we receive via the Site.

In other cases, the relevant Data Controller is likely to be that particular Hackett entity which is named in any relevant correspondence with you, or which is otherwise identified at the point at which the data is collected.

Given the structure and operations of The Hackett Group, it may be necessary, from time to time, for other companies within The Hackett Group to act as your Data Controller in addition to those entities identified above, but in such cases we shall ensure that such companies process your personal data in line with Applicable Data Protection Laws.

If you have any questions in this regard, including confirmation of who your relevant Data Controller with respect to any specific processing activity, please contact us using the details set out in the Contact section below.

The Hackett Group may also receive personal data in connection with Services it provides to its business customers, for example, when consulting and certain other services. In most cases, The Hackett Group processes this personal data as a Data Processor on behalf of its business customer and will process such data in line with its relevant services contract. Where it does so, this Policy will not apply directly but Hackett will still aim to process all personal data it receives in line with the principles set out herein, where applicable.

Information that we collect from you

We will collect and process the following data about you.

Information you give us. This is information about you that you give us by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you use our Site, subscribe to any of our Services, enroll in one of our Learning Programs, or otherwise engage with us through our services or systems, and when you report a problem with our Site. The information you give us may include your name, address, e-mail address and phone number, your company, your work email, work address, role and job function, years of experience, any username or password you create to access our Site, Services or Learning Programs.

Information we collect about you. With regard to each of your visits to our Site we will automatically collect the following information: technical information, including browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, clickstream to and through our Site (including date and time), products/services you viewed or searched for, page response times, download errors, length of visits to certain pages.

Information we receive from other sources. This is information we receive about you if you use any of the other websites we operate or the other Services or Learning Programs we provide. In this case we will have informed you when we collected that data if we intend to share those data internally and combine it with data collected on this Site. We will also have told you for what purpose we will share and combine your data. Where you are receiving our Services or enrolling in one of our Learning Programs at the request or instruction of your sponsor or employer we may receive information from your sponsor or employer about you. Please refer to your employer if you have any questions regarding what data your employer shares with The Hackett Group in connection with the provisions of our Services or Learning Programs. In addition, we are working closely with third parties and in some cases, subcontractors relating to the delivery of our Services and Learning Programs and maintenance and administration of this Site and will use such information that we receive solely in connection with the delivery of Services, Learning Programs and maintenance of this Site.


Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our Site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

How we use information that we collect from you

We use information held about you in the following ways:

Information you give to us.

We will use this information:

  • to administer and improve the Services and this Site;
  • to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
  • to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about;
  • to provide you, with information about other goods or services which we or our preferred partners can offer you, if we feel these may interest you. Save for where this is not prohibited under Applicable Data Protection Laws, we will only do so where you have “opted in” to receive this information. If you do not want us to use your data in this way, or to pass your details on to third parties for marketing purposes, please indicate this by contacting us as stated in the “Your Rights” section below;
  • to notify you about changes to our Services and Learning Programs;
  • to ensure that content from our Site is presented in the most effective manner for you and for your computer.

Information we collect about you.

We will use this information:

  • to administer and improve the Services and our Learning Programs;
  • to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve our Site to ensure that content is presented in the most effective manner for you and for your computer;
  • to allow you to participate in interactive features of our service, when you choose to do so;
  • as part of our efforts to keep our Site safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  • to make suggestions and recommendations to you and other users of our Site about goods or services that may interest you or them.

Information we receive from other sources.

  • We will combine this information with information you give to us and information we collect about you, including information we might receive from your employer or sponsor. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).

Basis for processing

We will only process your personal data when Applicable Data Protection Laws allow us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you or your employer.
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Our legitimate interests in respect of the processing outlined in this Policy include (by way of example) but are not limited to:

  • to study how customers use our products/services, to develop our products and services and grow our business;
  • to run our business, provide administration, IT sand network security, and to prevent fraud; and
  • to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.
  • Monitoring user access to our advisory services to ensure compliance with licensing terms.

Where we do not consider that we can rely on a legal basis for processing that is set out above, or which is otherwise provided for under Applicable Data Protection Laws, then we will ask for your consent before processing your information.

If you are unclear about the specific legal basis upon which we process your personal data, and want further information in this regard, please contact us using the details set out in the Contact section below.

Disclosure of your information

We may have to share your personal data with the parties set out below for the purposes set out above in this Policy:

  • Any member company of The Hackett Group.
  • Selected third parties including: business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you, including in relation to the provision of the Services, and analytics and search engine providers that assist us in the improvement and optimization of our Site. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
  • Your employer or sponsor, where you are receiving our Services, enrolling in one of our Learning Programs, at their request or instruction. This information may include: name, date of birth, contact information (e.g. email and home address, telephone number), employer’s name and address, nationality, gender, date of enrolment, qualification name and status, exam sitting date(s) and status(es), available exam credits (if any) and their expiry dates, course progress, service usage information (please refer to your employer if you have any questions regarding how, and for what purposes, your employer will be processing this information).
  • Advertisers and advertising networks that require the data to select and serve relevant advertisements to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help our advertisers reach the kind of audience they want to target.

In addition, we will disclose your personal data to third parties:

  • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets.
  • If The Hackett Group or any subsidiary thereof, or substantially all of its respective assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use, and any other relevant agreements referenced at, or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Where we store your personal data

The Hackett Group operates a global business. To offer and perform our services, and administer the Services, we may need to transfer your personal data among several countries. The data that we collect from you will be transferred to, and stored at, a destination outside the European Economic Area (“EEA “). It will also be processed by staff operating outside the EEA who work for us or for one of our suppliers. This includes staff engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services.

The Hackett Group, Inc., a company incorporated in the United States, is the controller and responsible for this Site, therefore by submitting personal data via this Site please be aware that you will be exporting personal data outside of the EEA to the United States.

Whenever a Hackett Group entity based within the EEA acts as your Data Controller and transfers your personal data out of the EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where a transfer is made to another company in The Hackett Group located in a territory which is not deemed to provide an adequate level of protection for personal data by the European Commission, the transfer shall be made on the basis of an agreement which incorporates the EU Standard Contractual Clauses prepared for transfers from data controllers to data controllers, which is a specific contract approved by the European Commission which give personal data the same protection it has in Europe (“Model Form Agreement”). The template text is available in various languages at this link: EU Model Clauses
  • Where a transfer is made to one of our service providers located in a territory which is not deemed to provide an adequate level of protection for personal data by the European Commission, we may use a version of the Model From Agreement which is prepared for transfers from data controller to data processors or rely upon such party’s approved binding corporate rules;
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us using the details set out in the Contact section below if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so under Applicable Data Protection Laws.

The Hackett Group utilizes various security measures including but not limited to: Dedicated Servers, .htaccess Authentication and Secure Sockets Layer (SSL), to protect the loss, misuse or alteration of information placed under our control.

All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

Notices for California Residents

This section applies to California residents whom have provided, or from whom we have collected, personal information, including without limitation, information collected through our websites, events, applications, the communications you send to us, or your purchase or use of our products and services. The term “personal information” within this section means information that is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. We collect and use personal information as provided for under this Policy.

Sales of Personal Information. Hackett does not sell and has not sold any personal information in the past 12 months.

California Specific Privacy Rights. In addition to the rights set forth below under the “Your Rights” heading below, you have the right to request to be opted-out from the sale of your personal information, but as stated in the section above, we do not sell personal information. You have the right to request what personal information we collect on you, what we use it for, who we share it with and request that we delete such information. You also have a right not to receive any discriminatory treatment by us for exercising any of these rights. Hackett does not offer or market its services to minors, however, if your minor child has provided us information you have the right to exercise these rights on behalf of your minor child. These rights are subject to our verification of your identity and right to make such requests.

Your Rights

Under Applicable Data Protection Law, you may have certain rights regarding the personal data we maintain about you. We also offer you certain choices about what personal data we collect from you, how we use that information, and how we communicate with you.

You can choose not to provide personal data to us. However, if you do not provide your data when requested, or if you exercise your rights set out in this section, you may not be able to benefit from our Services or Learning Programs, and we may not be able to provide you with information about our products, services and promotions.

To the extent provided by Applicable Data Protection Laws, you may withdraw any consent you previously provided to us, or object at any time to the processing of your data. We will apply your preferences going forward; however, this will not affect the lawfulness of any processing carried out before you withdraw your consent. In some circumstances, withdrawing your consent to our use or disclosure of your data will mean that you cannot take advantage of certain Services or Learning Programs.

In addition you may have the right to: obtain confirmation that we hold personal data about you, request access to and receive information about the personal data we maintain about you (including the purposes and potential recipients of this personal data), receive copies of the personal data we maintain about you (including, in some cases, in a standardized format so it can be provided to another vendor), update and correct inaccuracies in your personal data, object to the processing of your personal data, and have the information blocked, anonymized or deleted, as appropriate. The right to access personal data may be limited in some circumstances by local law requirements including Applicable Data Protection Law. To exercise these rights, or to find out more, please contact us using the details set out in the Contact section below. Under Applicable Data Protection Laws, you have the right to ask us not to process your personal data for marketing purposes. Where required under Applicable Data Protection Laws we will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. Where applicable, you can exercise your right to prevent such processing at any time by contacting us using the details set out in the Contact section below.

Under Applicable Data Protection Laws, you may have the right to lodge a complaint with your national data protection authority or other public authority governing the protection of your personal information. We would, however, appreciate the chance to deal with your concerns before you approach such regulatory authority, so please contact us using the details set out in the Contact section below in the first instance.

To exercise these rights, or any rights under this section, or any of the rights under the heading “Notice to California Residents”, you may send your request to us using the details set forth in the “Contact” section below.

Other Sites

Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Access to Information

Applicable Data Protection Law may give you the right to access information held about you. Your right of access can be exercised in accordance with these laws. Where you are so entitled, you will not normally have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Any request should be made in writing, and the best way for you to do so is to contact us using the details set out in the Contact section below. As we must be able to identify the person making the request, and because a fee may be due, we request that you confirm any request made by you via different means by contacting us at the address stated below. Due to technological constraints and/or information security considerations, it may be inappropriate to use social media to supply information in response to any request by you for access to information, and so please provide an alternative delivery address for our response. We may reject requests where we are entitled to do so under applicable data protection laws, which may include where the request is repetitive, require disproportionate effort and/or risks the privacy or confidentiality of others.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, marketing, analytic, reporting requirements or the delivery of our services to you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your data: see the Your Rights section above for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Changes to our Privacy Policy

Any changes we make to this Policy in the future will be posted on this page and/or notified to you by e-mail. Please check back frequently to see any updates or changes to this Policy.


As Hackett does not process personal data on a large scale, Hackett does not consider itself required to designate a statutory data protection officer under Applicable Data Protection Law. However, we have voluntarily appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.

Contact Details: The Hackett Group, Inc.

Name or title of Data Privacy Manager: Frank Zomerfeld

Email Address: with the subject line “privacy”.

Postal Address: 1001 Brickell Bay Drive, Suite 3000 Miami, FL 33131 United State of America.

Telephone number: (305) 375-8005.