Privacy Policy


Effective Date: 10/01/2022

1.0 Introduction

riskthinking.AI is a technology company headquartered in Toronto, Ontario which focuses on providing services to various financial institutions.

We are a visionary risk management company. Led by Dr. Ron Dembo, former founder and CEO of Algorithmics Inc., we produce the only financial risk ratings that truly account for the full uncertainty of climate stress. Unlike climate risk companies that attempt to predict the future, we use sophisticated probability models, augmented by AI and structured expert judgment, in a completely ‘bottom-up’ approach to creating future estimates of the financial impact of climate change. Our approach can be used to measure and manage financial risks across any asset type, class, or sector, anywhere in the world, and across any future time horizon.

For more information about our services, please refer to our website:

This Privacy Policy is applicable to riskthinking.AI (“we,” “our,” or “us”) as related to our services, which collectively includes:

  • The use of (“website”)
  • Social media messages and marketing campaigns and
  • The use of our products and services.

This Privacy Policy sets out the essential details relating to your personal data relationships with riskthinking.AI as:

  • A website visitor
  • An end user of the application (“end user”)
  • A prospective client
  • A job applicant and
  • Partners

Clients contract the use of our application and give access to their employees and other third parties, as solely decided by them, by creating users who access the application with their email address and credentials. The clients’ administrators grant end users roles, which result in different permissions and access rights to the information held in the Client account.


2.0 Personal Information We Collect

Information You Choose to Provide to Us


We may ask you to provide personal information when:

  • You use the website to download articles, data sheets or eBooks.
  • You request a free trial or demo.
  • You refer a friend to us.
  • You connect with us directly via phone calls or video conferencing platforms.
  • You or Client Account Administrators upload or enter personal information into the application.
  • You participate in a marketing or sales promotion.
  • You attend trade events and other industry networking events.
  • You register or attend a webinar or other event.
  • You participate in programs we may offer from time to time.
  • You participate in chats.
  • You pay for our services.

If you choose to provide us with a third-party’s personal information (the person’s name, email and company) when taking part in our referral program, you represent that you have the third-party’s permission to do so.


We collect personal information that may include first and last name, business email address, phone number and/or company name.

In addition, we may collect data uploaded by you, your employer or other application users that may be required to use riskthinking.AI services. We expect all users to follow their organization’s privacy policy and any applicable regulatory requirements when uploading, accessing and using personal information in our application. The data uploaded may include personal information like:

  • Employee names, email addresses and contractual agreements
  • Vendor names, email addresses, contractual agreements or other personal data necessary for riskthinking.AI services
  • Customer names and email addresses used to provide services within riskthinking.AI’s platform

As a job applicant, we may also collect your resume and cover letter.

Further information, including specific obligations of riskthinking.AI, can be found in the Service and/or Data Processing Agreements.


3.0 How We Use Personal Information

We use your personal information to:

  • Deliver the contracted services and allow full use of the application functionality as purchased by the clients.
  • Deliver training and support to our application end users and/or carry out the transactions you have requested.
  • Communicate with you directly through emails, calls, chats and video conferencing.
  • Send communications to you about:
    • New application features and upgrades.
    • Our services and offerings.
    • Event announcements.
    • Product notices and changes to our terms and policies.
    • Particular programs in which you have chosen to participate.
    • Promotional offers and surveys.
    • Scheduling demos and managing free trials.
  • Carry out market research to understand how to improve our services and their delivery.
  • Create and manage marketing campaigns.
  • Generate sales leads and increase our market share.
  • Prevent fraud and other prohibited or illegal activities.
  • Protect the security or integrity of the website, our business, or our services.
  • Or otherwise, as disclosed to you at the point of collection or as required or permitted by law.

Please note that sometimes we may record the video conferencing call in which you participate to analyze and improve our staff’s communication skills. If we do so, we will be announcing it at the beginning of the conference call and in the meeting invite, and we will be providing a link to our Privacy Policy in the meeting invites and on the registration page.

We do not sell your information to any third party.


4.0 How We Share Personal Information

Legal Disclosures

It is possible that we may need to disclose personal information when required by law, subpoena or other legal processes as identified in the applicable legislation.

We attempt to notify our clients about legal demands for their personal data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency.

Change in Control

We can also share your personal data as part of a sale, merger, change in control or in preparation for any of these events.

Any other entity which buys us or part of our business will have the right to continue to use your data, but only in the manner set out in this Privacy Policy unless you agree otherwise.


5.0 How We Secure Personal Information

We are committed to protecting the security of all of the personal information we collect and use.

We use a variety of physical, administrative and technical safeguards designed to help protect it from unauthorized access, use and disclosure. We have implemented best-practice standards and controls in compliance with internationally recognized security frameworks. We use encryption technologies to protect data at rest and in transit.


6.0 Your Rights

We provide the same suite of services to all of our clients and end users worldwide.

We offer the following rights to all individuals regardless of their location or applicable privacy regulations.
For personal information we have about you, you can:

  • Access your personal information or request a copy.
    • You have the right to obtain information about what personal information we process about you or to obtain a copy of your personal information.
    • If you have provided personal information to us, you may contact us to obtain an outline of what information we have about you or a copy of the information.
  • You have the right to be notified of what personal information we collect about you and how we use it, disclose it and protect it.
    • This Privacy Policy describes what personal information we collect and our privacy practices. We may also have additional privacy notices and statements available to you at the point of providing information to us directly.
  • Change or correct your personal information.
    • You have the right to update or correct your personal information or ask us to do it on your behalf.
    • You can ask us to change or correct it by contacting us at [email protected]
  • Delete or erase your personal information.
    • You have the right to request the deletion of your personal information at any time. We will communicate back to you within reasonable timelines the result of your request. We may not be able to delete or erase your personal information, but we will inform you of these reasons and any further actions available to you.
  • Object to the processing of your personal information.
    • You have the right to object to our processing of your personal information for direct marketing purposes. This means that we will stop using your personal information for these purposes.
  • Ask us to restrict the processing of your personal information.
    • You may have the right to ask us to limit the way that we use your personal information.
  • Export your personal data.
    • You have the right to request that we export to you in a machine-readable format all of the personal information we have about you.

We do not process personal information through the use of automated means.

If you would like to exercise any of the rights described above, please contact us at [email protected]

You also have the right to lodge a complaint with the local organizations in charge of enforcing the privacy legislation applicable in your territory.


7.0 How Long We Keep Your Personal Information

We retain information as long as it is necessary to provide the services to you and our clients, subject to any legal obligations to further retain such information.

We may also retain information to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations, enforce our Terms of Service and take other actions permitted by law.

The information we retain will be handled following this Privacy Policy.

Information connected to you that is no longer necessary and relevant to provide our services may be de-identified or aggregated with other non-personal data. This information may provide commercially valuable insights to riskthinking.AI, such as statistics on the use of our services.


8.0 Other Important Information

We process data on the Google Cloud Platform and rely on legally-provided mechanisms to lawfully transfer data across borders, such as contracts incorporating data protection and sharing obligations. We provide the capability for the return, transfer and/or disposal of personal data in a secure manner.

We will only collect and process your personal data where we have a lawful reason for its collection.

When you visit our website and provide us with your personal information, we collect and use it with your consent.

Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time.

If you have any questions about the lawful bases upon which we collect and use your personal data, please contact us at [email protected]

How to select your communications preferences

You may choose to receive or not receive marketing communications from us. Please click the “Unsubscribe” link in marketing emails sent to you to stop receiving marketing communications.

Even if you opt-out of receiving marketing communications, we may still communicate with you regarding security and privacy issues, servicing your account, fulfilling your requests, or administering any promotion or program in which you may have elected to participate.


9.0 Contact Information

You may contact us to exercise any of your rights or ask for more information about your personal information and our privacy practices by contacting us at [email protected]



A.1 For Individuals Based in the European Economic Area (EEA), United Kingdom (UK) and Switzerland

If you are based in one of these jurisdictions, riskthinking.AI is the controller of your personal data collected in the following instances:

  • When you visit our website
  • When we process your personal data for sales and marketing purposes

We only process personal data if we have a lawful basis for doing so.
The lawful bases applicable to our processing as controller are:

  • Consent: We will ask for your express and informed consent every time we collect your personal data on this legal basis.
  • Contractual basis: We process the personal data as necessary to fulfill our contractual terms with you or our clients.
  • Legitimate interest: We process the names, contact details, job titles, and companies of our existing and prospective clients for our marketing purposes, including market research and sales leads generation.

You have the following rights under the GDPR:

  • Be informed about the collection and use of your personal data
  • Access your personal data
  • Correct errors in your personal data
  • Erase your personal data
  • Object to the processing of your personal data.
    (This right is also available to individuals whose personal data is processed by us for direct marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we shall stop processing within 30 days of receipt of your request.)
  • Export your personal data
  • Restrict our processing of your personal data for specific reasons, including any of the purposes supported by the legitimate interest legal bases (see the section above).
  • Not to be subject to a decision based solely on automated decision making

We process personal data on the Google Cloud Platform. We use standard contractual clauses, approved by the European Commission or competent UK authority (as applicable), as the data transfer mechanism for transferring personal data from the EEA or UK to other countries subject to data transfer requirements.

You may contact us at [email protected].

You may also lodge a complaint with your local supervisory authority:

  • EU Data Protection Authorities (DPAs). See their contact details here National Data Protection Authorities.
  • Information Commissioner’s Office (ICO)
  • Swiss Federal Data Protection and Information Commissioner (FDPIC).

A.2 For Individuals Based in California

This section provides additional specific information for consumers based in California as required by the California Consumer Privacy Act of 2018 (“CCPA”).

A.2.1 Collection and Use of Personal Information

In the last 12 months, we may have collected the following categories of personal information:

  • Identifiers, such as your name, mailing address, email address, zip code, telephone number or other similar identifiers
  • California Customer Records (Cal. Civ. Code § 1798.80(e)), such as username and password, company name, job title, business email address and department
  • Geolocation data, such as information about your location (at country and city level) collected from your IP address
  • Sensory Information, the content, audio and video recordings of conference calls between you and us that we record where permitted by you and/or the law
  • Profession/employment information that you send to us when applying for a position included in your CV and cover letter
  • Other personal information, such as personal information you provide to us in relation to a survey, comment, question, request, article download or inquiry and any other information you upload to our application

See the section above, “How We Use Personal Information,” to understand how we use the personal information collected from California consumers.

A.2.2 Recipients of Personal Information

We share personal information with third parties for business purposes. The categories of third parties to whom we disclose your personal information may include:

  1. Our service providers and advisors;
  2. Marketing and strategic partners;
  3. Ad networks and advertising partners;
  4. Analytics providers; and
  5. Social networks.

Please see the “How We Share Information” section of the Privacy Policy above for more information.

A.2.3 California Privacy Rights

As a California resident, you may be able to exercise the following rights in relation to the personal information about you that we have collected (subject to limitations of law):

  • The right to know any or all of the following information relating to your personal information that we have collected and disclosed in the last 12 months (upon verification of your identity):
    • The specific pieces of personal information we have collected about you
    • The categories of personal information we have collected about you
    • The categories of sources of the personal information
    • The categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed
    • The categories of personal information we have sold and the categories of third parties to whom the information was sold, and
    • The business or commercial purposes for collecting or selling the personal information.
  • The right to request the deletion of personal information we have collected from you, subject to certain exceptions.
  • The right to opt-out of personal information sales to third parties now or in the future. However, we do not sell your personal information.

A.2.4 How to Exercise Your California Consumer Rights

To exercise your right to know and/or your right to deletion, please submit a request by contacting us at [email protected].

We will need to verify your identity before processing your request.

In order to verify your identity, we will generally require sufficient information from you to match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you. We will notify you in such cases.

We may decline a request to exercise the right to know and/or right to deletion, particularly where we cannot verify your identity or locate your information in our systems or as permitted by law.

You may choose to designate an authorized agent to make a request under the CCPA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once an authorized agent has submitted a request, we may require additional information (i.e., written authorization from you) to confirm the authorized agent’s authority.

If you are an employee/former employee of a riskthinking.AI client that uses our application and services, please direct your requests or questions directly to your employer or former employer.

If you are a third party (auditor, business associate, etc.), who was given access to the riskthinking.AI application by a riskthinking.AI client, please direct your requests and/or questions directly to the riskthinking.AI client that gave you access.

Minors Under Age 16

Our application and services are intended for business use, and we do not expect them to be of any interest to minors. We do not intentionally collect any personal information of consumers below the age of 16. We do not sell the personal information of California consumers.

A.3 For Individuals Based in Australia

This section is applicable to individuals whose personal information is collected, stored, used or disclosed by an APP Entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act of 1988.

A.3.1 Providing Anonymous and Pseudonymous Options

You have the option of anonymity or using a pseudonym when dealing with riskthinking.AI. However, this option may not be made available to you in certain cases, including if it’s impractical for riskthinking.AI to allow this option or when riskthinking.AI is required or authorized to deal with an identified individual by or under the law.

A.3.2 Collection, Use and Disclosure of Personal Information

riskthinking.AI collects personal information only by lawful and fair means. Additionally, riskthinking.AI collects personal information directly from you or your authorized representative, unless we have your consent for collection from another source (i.e., third parties), it is required or authorized by law, or it is unreasonable to collect the information only from you. riskthinking.AI may collect ‘sensitive information’ about you where you have consented to the collection and it is reasonably necessary for one of our functions or activities or if it is required or authorized by law.

riskthinking.AI only uses and discloses your information for the purpose for which it was collected (the primary purpose) unless one or more of the following apply:

  • You have consented
  • You would reasonably expect the secondary purpose
  • It is required or authorized by or under law
  • riskthinking.AI believes that it is reasonably necessary for an enforcement body’s activities

We disclose your personal information to our service providers in Canada, the US and other jurisdictions. We do not disclose your personal information to any overseas recipients unless one of the following applies:

  • You have consented to the disclosure
  • The recipient is subject to a law or binding scheme substantially similar to the APPs, and you can enforce that law/binding scheme
  • It is required or authorized by law
  • It is required or authorized by an international agreement relating to information sharing
  • It is reasonably necessary for an enforcement body’s or similar entity’s activities

A.3.3 Your Rights Under the APPs

You have the following rights related to the collection, use, and disclosure of your personal data:

  • Be informed about the collection and use of your personal data
  • Access your personal information
  • Correction of your personal information to ensure accuracy and completeness
  • Request to not receive direct marketing communications from us or to not disclose your personal information to others for direct marketing purposes

If you wish to access your personal information or correct that information, please contact us at [email protected]. You may opt out (unsubscribe) of receiving marketing communications by using the links provided in our emails. If you are unable to find the opt-out instructions, please contact us at [email protected].

If you are concerned about riskthinking.AI’s handling of your personal information, you may lodge a complaint in writing to either the mail or email address listed below and we will provide a written response to your complaint within a reasonable time (30 days).

You may also complain directly to the Office of the Australian Information Commissioner (OAIC) by:

  • Email: [email protected] (be aware that email isn’t encrypted; if you’re concerned about this, use the online form on OAIC’s website, which is secure)
  • Mail: GPO Box 5218, Sydney NSW 2001 (send it by registered mail if you’re concerned about sending it by standard post)
  • Fax: 02 9284 9666