Skip to content
Bandi

Privacy

Privacy & Cookies Statement

Bandi · Effective date: 1 October 2025

This Privacy & Cookies Statement (this “Statement”) explains how the Bandi network of professional firms collects, uses, shares, and otherwise processes Personal Data. In this Statement, “Bandi,” “we,” “us,” and “our” refer to the firms and affiliated entities identified below.

“Personal Data” means any information that, alone or together with other information we hold, identifies or can reasonably be used to identify you as an individual. This Statement applies to Personal Data we process about visitors to our websites, applications, and other online properties (each, a “Site”); our clients and prospective clients and their personnel; our suppliers and their personnel; and other individuals whose Personal Data we obtain in the course of our business.

The Bandi entity that you engage, or that otherwise determines the purposes and means of processing your Personal Data, is the controller of that data (the “responsible Firm”). Unless we state otherwise, the responsible Firm is the entity with which you interact and is accountable for ensuring that its systems and processes comply with the data protection laws applicable to it.

If you provide us with Personal Data about other individuals — for example, family members, colleagues, or employees — you confirm that you are entitled to share that data with us and that you have informed those individuals of this Statement. You are also responsible for the accuracy of the Personal Data you provide.

The Bandi entities

The Bandi firms and affiliated entities are held by Bandi Holding LLC, a limited liability company organised in Wyoming, United States. Bandi Holding LLC holds the interests in the member firms and affiliated entities listed below; each such firm or entity remains responsible, as controller, for the Personal Data that it processes.

The responsible Firm for your Personal Data will be one of the following entities, depending on the jurisdiction and the relationship through which we obtained your data:

Bandi entityPrimary jurisdiction
Bandi Holding LLC (holding company)United States (Wyoming)
Bandi & Associates PLLCUnited States
Bandi LLPUnited States (New York)
Bandi & Boris LLPUnited States (Wyoming)
Bandi Advisory Ltd.United Kingdom
Bandi AARPIFrance
Bandi Conseil Luxembourg S.à r.l.Luxembourg
Bandi Unternehmensberatung GmbHGermany
阪迪森和企业咨询(深圳)有限公司 (Bandi Senhe Consulting (Shenzhen) Co., Ltd.)People’s Republic of China
外国法事務弁護士法人 バンディ・森・宮本法律事務所 (Bandi Mori & Miyamoto)Japan
PT Bandi Konsultan IndonesiaIndonesia

Registered-office addresses and local data-protection contacts for each entity are available on request and, where applicable, are published on the relevant Site. To reach a particular entity, please use the contact channels set out under Contact Us below.

Summary of Key Points

CollectionWe collect Personal Data from you directly, from our clients, and from publicly available and third-party sources in the ordinary course of operating our business and our professional relationships.
UseWe use Personal Data to deliver legal and advisory services, respond to enquiries, administer our client and supplier relationships, operate and secure our Sites, provide marketing where permitted, and meet our legal, regulatory, and professional obligations.
SharingWe share Personal Data within the Bandi network of firms and with service providers, financial institutions, advisers, and authorities, where necessary for the purposes described in this Statement.
Marketing ChoicesYou control how we use your Personal Data for direct marketing and may opt out at any time.
CookiesWe use cookies and similar technologies on our Sites and offer you choices over their use through our consent tool.
Your RightsDepending on where you are located, you may have rights to access, correct, delete, port, restrict, or object to the processing of your Personal Data, and to withdraw consent. See Your Rights below.
SecurityWe maintain technical and organisational measures designed to protect Personal Data against loss, misuse, and unauthorised access.
International TransfersWe transfer Personal Data across borders within our network and to service providers, and apply safeguards required by applicable law.
ContactYou may contact us using the details at the end of this Statement with any question or to exercise your rights.

1. Collection of Personal Data

We collect the following categories of Personal Data about Site visitors, clients, prospective clients, suppliers, and other third parties:

  • Identity and contact data: name, salutation, title, organisation, role, postal address, email address, telephone number, and similar contact information.
  • Relationship and preference data: details relating to your interests, event and seminar attendance, dietary and accessibility preferences (excluding special-category data), subscriptions, downloads, and account credentials.
  • Client and matter data: Personal Data contained in instructions, documents, correspondence, and other materials relating to the matters on which we advise, including data about our clients’ employees, customers, and counterparties.
  • Financial and billing data: billing contacts, invoicing details, and payment history.
  • Compliance and onboarding data: government identifiers, identification documents, dates of birth, beneficial-ownership information, and the results of conflict, sanctions, anti-money-laundering, and other due-diligence checks.
  • Recruitment data: information provided by or about applicants in connection with employment or contractor opportunities, which may also be governed by a separate local recruitment privacy notice.
  • Technical and usage data: IP address, device identifiers, browser and operating-system information, cookies and similar identifiers, and information about how you use our Sites.
  • Special-category and sensitive data: in limited cases and only where necessary and permitted by law, data such as health information, dietary or accessibility needs revealing health, or other categories that applicable law treats as sensitive.
  • CCTV data: images captured by closed-circuit television (CCTV) at our offices for security and safety purposes. CCTV footage is treated as strictly confidential, and access is restricted to authorised personnel.

We obtain Personal Data directly from you, from our clients and colleagues, and from publicly available and third-party sources. Where a client provides us with Personal Data about its own employees, customers, or other individuals, the client is responsible for ensuring that it may lawfully share that data with us.

2. Use of Personal Data

We use Personal Data for the purposes set out below. Where a legal basis is required (for example, under the GDPR, UK GDPR, China’s PIPL, Japan’s APPI, or Indonesia’s PDP Law), we rely on one or more of the following: performance of a contract; our legitimate interests (balanced against your interests and rights); compliance with a legal or professional obligation; and, where applicable, your consent.

  • Providing legal and advisory services: to deliver the services our clients engage us to perform and to respond to enquiries — generally necessary to perform our engagement contract or in our legitimate interest in responding to you.
  • Administering our relationships and operations: to manage engagements, billing, supplier arrangements, and the day-to-day running of our business — generally necessary to perform our contracts or in our legitimate interests.
  • Operating, improving, and securing our Sites: to make our Sites function and easy to use, to understand usage, and to detect and prevent fraud, abuse, and security incidents — in our legitimate interests.
  • Maintaining and developing relationships: to keep our contact records accurate and to strengthen our relationships with clients and other contacts — in our legitimate interests.
  • Marketing: to provide updates, invitations to events, legal alerts, and information about our services — in our legitimate interests or, where required, with your consent.
  • Meeting legal, regulatory, and professional obligations: to comply with tax, anti-money-laundering, sanctions, conflicts, and professional-conduct requirements and to respond to lawful requests — necessary for compliance with our legal and professional obligations.
  • Recruitment: to assess candidates and administer onboarding — in our legitimate interests and to meet legal obligations, subject to any local recruitment notice.
  • Security of our premises: to operate CCTV at our offices for the security and safety of our people, visitors, and property — in our legitimate interests, subject to strict confidentiality and access controls.

Where any Bandi entity relies on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

3. Use of Artificial Intelligence

We may use artificial-intelligence tools to support the processing described in this Statement. Before deploying any such tool, we assess it against our ethical, legal, contractual, data-protection, and information-security requirements, and we maintain internal policies and training governing its responsible use. We do not use artificial intelligence to make decisions that produce legal or similarly significant effects about you by solely automated means.

4. Sharing of Personal Data

We share Personal Data with the following categories of recipients, in each case only as necessary for the purposes described in this Statement:

  • Other Bandi entities: we share Personal Data among the firms and affiliates listed above in order to deliver services, administer our relationships, and operate our business across jurisdictions.
  • Service providers: we engage providers — including IT, hosting, client-intake, finance, customer-relationship-management, marketing-analytics, and event providers — to perform functions on our behalf and under our instructions, subject to contractual confidentiality and security obligations.
  • Financial institutions: in connection with invoicing and payments.
  • Professional advisers and counterparties: such as co-counsel, experts, and other advisers, where required to deliver our services.
  • Authorities and in legal claims: to comply with legal, regulatory, and professional obligations, to respond to lawful requests, and to establish, exercise, or defend legal rights.
  • Corporate transactions: with a prospective purchaser or successor in connection with a reorganisation, merger, or transfer of all or part of our business, to the extent permitted by law.

We do not sell your Personal Data, and we do not share your Personal Data for cross-context behavioural advertising, under any circumstances.

5. Marketing Choices

You control how we use your Personal Data for direct marketing. In some jurisdictions we will obtain your consent before sending marketing communications. In all cases, you may opt out of marketing at any time by using the unsubscribe link in any marketing email or by contacting us using the details below. Opting out applies to future communications and does not affect processing carried out before your request.

6. Cookies

We and certain providers use cookies, web beacons, and similar technologies (together, “cookies”) on our Sites.

What cookies are

Cookies are small data files stored on your browser or device. Some are deleted when you close your browser (session cookies); others remain so that you can be recognised when you return (persistent cookies).

How we use cookies

We use cookies to operate our Sites, to remember your preferences, to understand how our Sites are used, and to improve our Sites and services. We group cookies into the following categories:

  • Strictly necessary cookies: required for the Sites to function and to deliver services you request; these cannot be switched off in our systems.
  • Functional cookies: enable enhanced functionality and personalisation.
  • Performance and analytics cookies: help us measure and improve how our Sites perform; the information collected is aggregated.
  • Targeting and advertising cookies: may be set by us or our partners to build a profile of your interests and to deliver relevant content; if disabled, you will see less tailored content.
  • Social media cookies: enable content sharing and may track your browser across other sites.

When you first visit our Sites, we ask for your consent to non-essential cookies through our consent-management tool, and you can change your preferences at any time using the “manage cookies” link in the footer of our Sites. Where consent is required (for example, in the EEA and the United Kingdom), non-essential cookies are not set until you agree; in other regions we rely on notice and, where applicable, your choices.

7. Your Rights

The rights available to you depend on where you are located and on the law that applies to the processing. The sections below summarise the principal rights by region. To exercise any right, please contact us using the details below; we may need to verify your identity before responding, and we will respond within the period required by applicable law.

European Economic Area (Bandi AARPI, Bandi Conseil Luxembourg S.à r.l., Bandi Unternehmensberatung GmbH) and the United Kingdom (Bandi Advisory Ltd.)

Under the EU General Data Protection Regulation and the UK GDPR, you have the rights to: access your Personal Data; have inaccurate data corrected; have your data erased in certain circumstances; restrict processing in certain circumstances; data portability; object to processing carried out on the basis of our legitimate interests or for direct marketing; and withdraw consent where processing is based on consent.

You also have the right to lodge a complaint with your supervisory authority. The relevant authorities for our European entities are the Commission nationale de l’informatique et des libertés (CNIL) in France (Bandi AARPI); the Commission nationale pour la protection des données (CNPD) in Luxembourg (Bandi Conseil Luxembourg S.à r.l.); the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) in Germany, where Bandi Unternehmensberatung GmbH is established in Berlin; and the Information Commissioner’s Office (ICO) in the United Kingdom (Bandi Advisory Ltd.). Contact details for any EU or UK representative we appoint are available on request.

United States — California (Bandi & Associates PLLC, Bandi LLP, Bandi & Boris LLP)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the rights to: know and access the Personal Information we collect, use, and disclose; request deletion; request correction; opt out of any “sale” or “sharing” of Personal Information; limit the use of sensitive Personal Information; and not receive discriminatory treatment for exercising your rights. As stated above, we do not sell or share your Personal Information under any circumstances. The CCPA is enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. Residents of other U.S. states may have comparable rights under the privacy laws of their state.

People’s Republic of China (阪迪森和企业咨询(深圳)有限责任公司)

Under the Personal Information Protection Law (PIPL), you have the rights to: be informed about and decide on the processing of your Personal Information; access and obtain a copy of your Personal Information; correct or supplement inaccurate data; delete your data in defined circumstances; transfer your data to another processor you designate; request an explanation of our processing rules; and withdraw consent. We provide a means for close relatives of a deceased individual to exercise applicable rights.

We obtain separate consent where the PIPL requires it, including for processing sensitive Personal Information and for transferring Personal Information outside China, and we adopt a transfer mechanism permitted under the PIPL — such as a security assessment organised by the Cyberspace Administration of China (CAC), the CAC standard contract, or certification. Oversight of personal-information protection in China is led by the CAC together with other competent authorities at national and local level.

Japan (外国法事務弁護士法人 バンディ・森・宮本法律事務所)

Under the Act on the Protection of Personal Information (APPI), you may request: disclosure of your retained Personal Data and of records of its provision to third parties; correction, addition, or deletion of your data; and the cessation of use, erasure, or cessation of third-party provision of your data in defined circumstances. Where we provide Personal Data to third parties or transfer it outside Japan, we do so in accordance with the APPI, including by obtaining your consent or providing the required information where applicable. Supervision is carried out by the Personal Information Protection Commission (PPC).

Indonesia (PT Bandi Konsultan Indonesia)

Under Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”), you have the rights to: be informed about and access your Personal Data; correct or update your data; erase or terminate processing of your data; withdraw consent; object to decisions based solely on automated processing that significantly affect you; obtain and port your data; delay or restrict processing; and claim compensation for unlawful processing. Where the PDP Law requires, we appoint a data protection officer and rely on a lawful basis for any transfer of Personal Data outside Indonesia. Pending the establishment of Indonesia’s dedicated supervisory agency (Lembaga PDP), oversight is currently carried out by the Directorate General of Digital Space Supervision under the Ministry of Communication and Digital Affairs (Komdigi).

8. Data Security

We maintain technical and organisational measures designed to protect Personal Data in our custody and control against loss, misuse, and unauthorised access, use, alteration, or disclosure. These measures include restricting access to Personal Data on a need-to-know basis, applying confidentiality obligations to our personnel and service providers, and operating an information-security programme governing our systems and data.

Because no system or transmission can be guaranteed to be completely secure, we cannot warrant absolute security. You also play a part: keep your account credentials confidential, do not reuse passwords across sites, and contact us if you believe your credentials have been compromised.

9. Cross-Border Data Transfers

Because Bandi operates across multiple jurisdictions, we transfer Personal Data among our entities and to service providers located in countries that may not provide the same level of data protection as your home jurisdiction. Where we transfer Personal Data internationally, we apply the safeguards required by applicable law — for example, the European Commission’s and the UK’s standard contractual clauses for transfers from the EEA and the United Kingdom, and the consent or other mechanisms required under the PIPL, the APPI, and the PDP Law. Our Sites and key systems may be hosted in one or more jurisdictions, including the United States. You may request information about the safeguards we use by contacting us as described below.

10. Data Retention

We retain Personal Data for as long as necessary to fulfil the purposes set out in this Statement, including to meet our legal, regulatory, professional, accounting, and reporting obligations, and to establish, exercise, or defend legal claims. Retention periods are determined by reference to the nature of the data, the purpose for which it is held, and applicable record-retention requirements, including jurisdiction-specific minimum retention periods for legal files and anti-money-laundering records. Marketing data is retained while you continue to accept marketing communications from us and is deleted in accordance with applicable law on request.

11. Other Information

Consequences of not providing Personal Data

You are not required to provide all of the Personal Data described in this Statement, but if you do not provide certain data we may be unable to respond to your request, provide our services, or send you communications you have asked to receive.

Automated decision-making

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing, including profiling.

“Do Not Track” signals

Because there is no common industry standard for “Do Not Track” browser signals, our Sites do not currently respond to them.

Third-party websites

Our Sites may link to websites operated by third parties. This Statement does not apply to those sites, and we encourage you to review their privacy practices before providing any Personal Data.

Personnel

Personal Data about our partners, employees, and contractors is handled under separate internal policies and is outside the scope of this Statement.

Changes to this Statement

We may update this Statement from time to time as our services, practices, or legal obligations change. The effective date appears at the top of this Statement, and, where required by law, we will seek your consent to material changes.

12. Contact Us

If you have any question or comment about this Statement or our privacy practices, or if you wish to exercise your rights, please contact us:

Bandi LLP
1 Pennsylvania Plaza, Floor 58
New York, NY 10119
United States of America
Email: