Our Privacy Policy

1. Introduction and Scope

Performance Change Initiatives, Inc., doing business as Change Management Review (“CMR”, “we”, “us”, “our”), is committed to protecting the privacy of every individual who interacts with our websites, programs, publications, and services. This Privacy Policy explains how CMR collects, uses, stores, shares, and protects personal data, and how individuals can exercise their rights.

This Policy applies to all CMR-operated digital properties, including:
• https://changemanagementreview.com
• https://www.changemanagementevents.com
• https://www.changemanagementcommunity.com
• https://www.virtualchangemanagement.com
• All CMR training program registration portals and course delivery platforms

This Policy applies to all individuals whose personal data CMR processes regardless of where they are located, including residents of the European Union (EU), the European Economic Area (EEA), the United Kingdom, and the Republic of Ireland.

CMR is the sole data controller for all personal data collected through its websites, program registrations, publications, and membership platforms. CMR does not engage in joint controllership with any third-party instructor, content contributor, or program partner with respect to participant personal data.

2. Legal Framework

CMR processes personal data in compliance with the following applicable laws and regulations:

• General Data Protection Regulation (GDPR) — EU 2016/679: The primary EU data protection framework, applicable to CMR’s processing of personal data of individuals located in the EU and EEA.
• Irish Data Protection Act 2018: Ireland’s national implementing legislation for the GDPR, enacted by the Oireachtas. Because CMR’s programs engage participants and service providers based in Ireland, the Irish Data Protection Commission (DPC) is the relevant EU supervisory authority for cross-border matters.
• North Carolina Identity Theft Protection Act (N.C.G.S. § 75-60 et seq.): Applicable to CMR’s processing of personal information of North Carolina residents.
• CAN-SPAM Act (US): Applicable to CMR’s commercial email communications to US recipients.
• Canada’s Anti-Spam Legislation (CASL): Applicable to commercial electronic messages sent to Canadian recipients. CMR obtains express or implied consent before sending commercial electronic messages to Canadian addresses.

Where the requirements of multiple legal frameworks apply, CMR applies the standard that affords the greatest protection to the individual.

3. Personal Data We Collect

CMR collects personal data in the following categories, depending on the nature of your interaction with us.

3.1 Data You Provide Directly


IMPORTANT: Do not send CMR any Special Categories of Personal Data (including race or ethnicity, religious or philosophical beliefs, health data, biometric data, genetic data, sexual orientation, political opinions, or trade union membership). CMR does not solicit this data and is not equipped to process it. If you inadvertently submit such data, contact editor@ChangeManagementReview.com immediately for deletion.

3.2 Data Collected Automatically
When you visit our websites, we automatically collect technical data including IP address, browser type and version, operating system, pages visited, time spent, referring URL, device identifiers, and cookie identifiers. See Section 9 for cookie details.

3.3 Data Obtained from Third Parties
CMR may receive personal data from social media platforms (LinkedIn, Facebook) where you interact with CMR content, public professional directories, and referrals from CMR alumni or program partners. When personal data is received indirectly, CMR will notify the individual within one month, per GDPR Article 14.

3.4 Data CMR Does Not Collect
CMR does not knowingly collect: Special Category data under GDPR Article 9; personal data of children under 16; or government-issued identification numbers unless required for certification issuance.

4. Purposes of Processing and Lawful Bases

CMR processes personal data only for specified, explicit, and legitimate purposes. The table below sets out each purpose, the data categories used, the lawful basis under GDPR Article 6, and the retention period.

CMR does not rely on consent as the primary basis for processing except for marketing to EU/EEA residents and non-essential cookies. Where CMR relies on legitimate interests, it has conducted a Legitimate Interests Assessment (LIA). Individuals may object to legitimate-interests processing at any time (see Section 8).

5. Data Sharing and Recipients

CMR does not sell, rent, or lease personal data or subscription lists to any third party for any purpose.

5.1 Service Providers (Data Processors)

CMR engages the following categories of service providers who process personal data on CMR’s instructions under written data processing agreements:

Each service provider is contractually required to: (a) process data only on CMR’s instructions; (b) maintain appropriate security; (c) not sub-process without CMR’s prior written consent; (d) delete or return data on termination.

5.2 Program Instructors and Faculty

Guest instructors and faculty members engaged by CMR for program delivery receive limited participant roster data (names, professional titles) solely for program facilitation. CMR is the sole data controller for program participant data. Guest instructors do not acquire independent data controller rights over participant personal data through program participation. Every instructor engagement is governed by a written agreement requiring:

  • Processing only for program delivery purposes
  • No participant contact outside the program without participant consent
  • Deletion of all participant data within 30 days of program conclusion, confirmed in writing
  • Full compliance with applicable data protection law

5.3 Legal Disclosure

CMR may disclose personal data without prior notice only when required by applicable law or court order, required by a regulatory authority, necessary to protect individual safety or prevent fraud, or necessary to enforce CMR’s legal rights. CMR will notify affected individuals to the extent permitted by law.

5.4 Business Transfers

In the event of a merger, acquisition, or sale, personal data may transfer to the acquiring entity. CMR will notify affected individuals prior to transfer and ensure equivalent data protection.

6. International Data Transfers

CMR is based in the United States. CMR transfers personal data of EU/EEA and Irish residents from the EU/EEA to the United States. CMR relies on the following GDPR Chapter V transfer mechanisms:

• Standard Contractual Clauses (SCCs): CMR uses the European Commission’s approved SCCs (Commission Implementing Decision 2021/914) in contracts with EU/EEA-based service providers and program participants where data transfers to CMR’s US infrastructure.
• Adequacy Decisions: Where CMR uses service providers in countries holding an EU adequacy decision, CMR relies on that decision as the transfer mechanism.

Questions about specific transfer mechanisms may be directed to editor@ChangeManagementReview.com.

7. Data Retention

CMR retains personal data only as long as necessary to fulfill the purpose for which it was collected, or as required by law.

On expiry of the applicable retention period, CMR will securely delete or anonymize personal data. Anonymized data may be retained indefinitely for research and analytical purposes.

8. Your Rights

Individuals whose personal data CMR processes have the following rights. CMR responds to verified requests within 30 days (extendable by 60 days for complex requests). To submit a request, email editor@ChangeManagementReview.com with subject “Privacy Rights Request” or use the online request form at changemanagementreview.com/privacy-request [form forthcoming before July 1, 2026].

CMR will not charge a fee for rights requests unless manifestly unfounded, excessive, or repetitive. Identity verification may be required before processing a request.

9. Cookies and Tracking Technologies

CMR’s websites use cookies and similar technologies. In accordance with the Irish DPC’s Cookie Guidance (April 2020) and the EU ePrivacy Regulations, CMR obtains prior informed consent before placing non-essential cookies on your device.

Manage cookie preferences at any time via the “Cookie Preferences” link in the footer of every CMR webpage, or configure your browser to refuse cookies. CMR reconfirms cookie consent no longer than every six months (Irish DPC standard). Records of consent are maintained by CMR.

Additional opt-out resources:

  • EU behavioral advertising: youronlinechoices.eu (European Interactive Digital Advertising Alliance)
  • US behavioral advertising: optout.networkadvertising.org (Network Advertising Initiative); www.aboutads.info/choices (Digital Advertising Alliance)
  • General cookie information: allaboutcookies.org

10. Data Security

CMR implements technical and organizational measures appropriate to the risk of processing, per GDPR Article 32, including: encryption of data in transit (TLS 1.2+) and at rest; access controls; pseudonymization where practical; regular policy review; vendor due diligence; and incident response procedures.

In the event of a personal data breach likely to result in risk to individuals, CMR will notify the Irish Data Protection Commission within 72 hours of becoming aware (GDPR Article 33). Where the breach poses a high risk to individuals, CMR will also notify affected individuals directly without undue delay (GDPR Article 34).

11. Children’s Data

CMR’s websites, programs, and services are intended for professional adults aged 18 and above. CMR does not knowingly collect personal data from individuals under 16. If CMR becomes aware of such collection, it will delete that data promptly. If you believe CMR has collected data from a child under 16, contact editor@ChangeManagementReview.com immediately.

12. Third-Party Websites and Links

CMR’s websites contain links to third-party websites. CMR is not responsible for the privacy practices of those third parties. Review their privacy policies before providing personal data. This Policy does not apply to third-party websites.

13. Marketing Communications

CMR does not sell, rent, or lease subscription lists to any third party. CMR sends marketing communications to individuals who have explicitly opted in, or (for US B2B existing clients) where the “soft opt-in” basis applies. EU, EEA, Irish, and Canadian residents receive marketing only on the basis of explicit consent. All marketing emails comply with the CAN-SPAM Act (US) and Canada’s Anti-Spam Legislation (CASL).

Unsubscribe at any time by:
• Clicking the “unsubscribe” link at the bottom of any CMR marketing email
• Emailing editor@ChangeManagementReview.com — subject: “Unsubscribe”

CMR processes unsubscribe requests within 10 business days and retains a suppression record to prevent re-addition to marketing lists.

14. Supervisory Authority

If you are located in the EU, EEA, or the Republic of Ireland and believe CMR has violated applicable data protection law, you may lodge a complaint with:

CMR encourages contacting editor@ChangeManagementReview.com first, as CMR is committed to resolving concerns promptly and informally.

15. California and US State Privacy Rights

CMR does not sell personal data within the meaning of the California Consumer Privacy Act (CCPA) or any successor statute, and does not engage in cross-context behavioral advertising. North Carolina residents may exercise data access, correction, and deletion rights by contacting CMR as set out in Section 8. CMR will respond to verified requests within 45 days.

16. Changes to This Policy

ATTN: Privacy Officer
Performance Change Initiatives, Inc. (Change Management Review)
6012 Bayfield Pky Suite 208 Concord, NC 28027, United States
Email: editor@ChangeManagementReview.com
Telephone: +1 800-510-3574
Website: https://changemanagementreview.com

CMR will acknowledge all rights requests and complaints within 5 business days and provide a substantive response within 30 days.