Skip to content

We at International Institute of Business Analysis™ (IIBA®) and our Chapters (collectively, “IIBA,” “we” and “us”) know you care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about how we collect, store, use, and disclose information about you when you interact or use our websites (collectively the “IIBA sites”) or any related events, trade shows, sales or marketing, and/or if you use any of our products and services (collectively the “Services”) in any manner. 

Who are we and what do we do?

The goal of IIBA is to develop and maintain standards of business analysis for the certification of practitioners around the world. To achieve this vision, membership in IIBA is open to international professionals, who may also participate in local country and city Chapters.

To communicate with members and promote the goals of the organization, IIBA uses a variety of methods including local meetings, international conferences, the official IIBA website and local Chapter websites, newsletters, and email communications, most of which require the use of a member’s personal information. 

What does this Privacy Policy cover?

This Privacy Policy covers our treatment of information that we gather when you are accessing or using our IIBA sites or Services or when you contact us in any manner. We gather various types of information, including information that identifies you as an individual (“Personal Information”) from our users, as explained in more detail below.

Please note that for users located in the European Economic Area (EEA), the term “Personal Information” used in this policy is equivalent to the term “personal data” under applicable European data protection laws. 

Does IIBA collect Sensitive Data?

“Sensitive Data” means personal data or information that discloses an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, criminal proceedings, biometrics, and data concerning health.

We do not intentionally collect - and will not request - Sensitive Data. If an IIBA employee discovers that we have received Sensitive Data, the employee will inform a designated contact within our company who will assess the processing of such data.

What information does IIBA collect?

Information that we collect can be classified as Personal Information or Personal Data. This information is categorized into information that you provide to us and the data that we collect automatically.

Information you provide to us:

When you use our IIBA sites or Services, we receive and store information you provide directly to us. The types of information we may collect directly from you may include: first name, last name, user names, email addresses, birthday, postal addresses, phone numbers, job titles, transactional information (including Services purchased), event attendance, video, and pictures as well as other contact or other information you choose to provide us or upload to our systems in connection with our Services.

When using our Services and executing a financial transaction with us online (e.g., membership, donations, or online conference registration), we never collect your financial information. We only retain information that the financial transaction has successfully completed. Online financial transactions, such as credit card payment, are processed with PCI compliant third-party providers.

Data we automatically collect:

When you use the IIBA sites, we automatically collect certain information related to your device, such as your device’s IP address, referring website, what pages your device visited, and the time that your device visited. Collecting this information may include the use of cookies. For more information on how IIBA uses cookies, please review the IIBA Cookie Policy.

In addition to cookies, we also keep track of user activity on the IIBA sites through application audit controls and log files. 

How do we use your Personal Information?

We use the personal information we collect under this Policy for our legitimate business interests, which include:

  • Provision of services: To provide and operate our IIBA sites and Services, fulfill your orders and requests, process your payments, for bug and error reporting and resolution, to perform upgrades and maintenance, and for similar purposes.
  • Customer support: To communicate with you about your use of the Services; respond to your communications, complaints and inquiries; provide technical support; and for other customer service and support purposes.
  • Personalization: To tailor content we send or display to you to offer location customization and personalized help and instructions, and to otherwise personalize your experience using the Services.
  • Marketing and promotions: For marketing and promotional purposes. For example, we may use contact information such as your email address to send you newsletters, special offers or promotions, or to otherwise contact you about IIBA products or information we think may interest you. If you are in a jurisdiction that requires opt-in consent to receive electronic marketing messages, we will only send you such messages if you opt-in to receive them. You may opt out of receiving marketing emails by following the opt-out instructions in the email. We may still email customer service and transaction-related communications, even if you have opted out of receiving marketing communications.
  • Advertising: To assist in advertising the Services on third party websites.
  • Analytics and improvement: To better understand how users access and use the Services, and for other research and analytical purposes, such as to evaluate and improve the Services and to develop additional products, services, and features. For more information on how you can opt out of analytics, please refer to the IIBA Cookie Policy
  • Protect legal rights and prevent misuse: To protect the Services; prevent unauthorized access and other misuse; and where we believe necessary to investigate, prevent, or act regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms and Conditions or this Policy.
  • Comply with Legal Obligations: To comply with the law or legal proceedings; for example, we may disclose information in response to lawful requests by public authorities, including responding to national security or law enforcement disclosure requirements.
  • General Business Operations: Where necessary to the administration of our general business, accounting, record keeping, and legal functions.

Below is a chart for users located in the European Economic Area EEA, which outlines the legal basis for processing personal information in accordance with GDPR.


Legal Basis of Processing

Provision of Services Customer Support

Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available)
Our Legitimate Business Interests

Marketing and Promotions

Our Legitimate Business Interests
With Your Consent - Preferences / Opt-in

Analytics and Improvement

Our Legitimate Business Interests
With Your Consent - Cookie Policy

Protect Rights and Prevent Misuse
Comply with Legal Obligation

Compliance with law
Establish, defend, or protect of legal interests

General Business Operations

Our Legitimate Business Interests
Establish, Defend or Protect Legal Interests
Compliance with Law


How do we share and disclose information to third-parties?

We do not rent, trade or sell your Personal Information to anyone. We may share and disclose information (including Personal Information) about our users in the following limited circumstances:

  • Vendors, consultants, and other service providers:  

o We may share your information with third-party vendors, consultants and other service providers who we employ to perform tasks on our behalf. These companies include (for example) our payment processing providers, website analytics companies (e.g., Google Analytics), product feedback and surveys (e.g., Survey Monkey, Formstack), CRM service providers (e.g., MS Dynamics, Salesforce), or email service providers (e.g., Informz) and others.
o If IIBA has received your Personal Information and subsequently transfers that information to a third-party agent or service provider for processing, IIBA shall remain responsible for ensuring that such third-party agent or service provider processes your Personal Information to the standard required by our Privacy commitments. Unless we tell you differently and you consent, our agents do not have any right to use the Personal Information we share with them beyond what is necessary to assist us.

  • Other IIBA Entities: 

o We may also share your personal information with our affiliated chapters and other IIBA entities for purposes consistent with this Privacy Policy and your IIBA sites profile preferences.

  • Protection of IIBA and Others: 

o We reserve the right to access, read, preserve, and disclose any information as necessary to comply with law or court order; enforce or apply our agreements with you and other agreements; or protect the rights, property, or safety of IIBA, our employees, our users, or others.

  • Disclosures for National Security or Law Enforcement: 

o Under certain circumstances, we may be required to disclose your Personal Information in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Is Personal Information about me secure?

We use appropriate technical, organizational, and administrative security measures to protect any information we hold in our records from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.  Unfortunately, no company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. Among other practices, your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

How long do we keep Personal Information? 

We keep your personal information for as long as reasonably necessary for the purposes set out above. We will retain your account profile data as necessary for our legitimate business purposes or to comply with our legal obligations (such as record keeping, accounting, fraud prevention, and other business administrative purposes). However, we will maintain your personal information longer where required for tax or accounting purposes to ensure we would be able to defend or raise a claim, or where we have a specific need to retain, though we will generally not keep personal information for longer than seven years following the last date of communication with you. Legitimate business purposes that we may rely on to keep your personal information when you are not a customer include direct marketing (where you have not opted-out) for up to two years, facilitating the restoration or establishment of a user account in the future, maintaining business intelligence systems for analytics and other internal purposes, etc. Where your information is no longer required, we will ensure it is disposed of in a secure manner.

Cookies and other analytics

Please consult our Cookie Policy for more information about the type of cookies that we use on the IIBA sites and why, and how to accept and reject them.

We also utilize Google Analytics, a web analysis service provided by Google, to better understand your use of our IIBA sites and Services. Google Analytics collects information such as how often users visit the IIBA sites, what pages they visit and what other sites they used prior to visiting. Google uses the data collected to track and examine the use of the IIBA sites, to prepare reports on its activities and share them with other Google services. Google may use the data collected on the IIBA sites to contextualize and personalize the ads of its own advertising network. Google’s ability to use and share information collected by Google Analytics about your visits to the IIBA sites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. The Cookie Policy outlines an opt-out method available for Google Analytics.

Your Privacy Rights

What choices do you have?

You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our Services.


Please consult our Cookie Policy for more information about our use of cookies and how to accept and reject them.

Marketing communications

You can opt-out of receiving promotional or marketing communications from us at any time, by using the unsubscribe link in the email communications we send.  

If you have any account for our Services, we will still send you non-promotional, service-related communications including but not limited to transactional confirmations, invoices, and other operational emails.

How can I update and access my information?

If you would like to access, review, update, rectify any Personal Information we hold about you, or exercise any other data subject right (see below) available to you, please email us at

If you registered with IIBA and want to be removed from IIBA's systems, please LOGIN and complete this FORM. This process will automatically remove your user profile information within 10 business days.

If you are NOT registered with IIBA and want to be removed from all email communications, please complete this form. Our Privacy team will review and process your request within 10 business days.

If you use a 3rd party presence or privacy management services to submit your request to be forgotten, IIBA will contact you directly to validate the 3rd party service request. IIBA will NOT process a request from a 3rd party service unless that request is validated directly. To avoid any processing delays, please use the above links for registered and non-registered users instead of a 3rd party service.

Please note that we may still use any aggregated and de-identified Personal Information that does not identify any individual and may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Rights for users

Individuals have the following rights with respect to their personal information:

  • Access. You can ask us to confirm whether we are processing your personal information; give you a copy of that data; and provide you with other information about your personal information such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad, how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from and whether we have carried out any profiling, to the extent that such information has not already been provided to you in this Policy.
  • Rectification. You can ask us to rectify inaccurate information. We may seek to verify the accuracy of the data before rectifying it.
  • Erasure. You can ask us to erase your personal information, but only where it is no longer needed for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent); following a successful right to object (see 'Objection' below); it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
  • Restriction. You can ask us to restrict (i.e., keep but not use) your personal information, but only where its accuracy is contested (see 'Rectification' above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal information following a request for restriction where we have your consent; to establish, exercise, or defend legal claims; or to protect the rights of another natural or legal person.
  • Objection. You can object to any processing of your personal information which has our 'legitimate interests' as its legal basis if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal information for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing without providing any reason. We will then cease the processing of your personal information for direct marketing purposes.
  • Portability. You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another Data Controller, but only where our processing is based on your consent and the processing is carried out by automated means.
  • Withdrawal of consent. You can withdraw your consent in respect of any processing of personal information which is based upon a consent which you have previously provided

International data transfers

Personal Information you submit on the IIBA sites or through the IIBA Services is sent to and stored on the IIBA servers or our hosted service providers’ cloud servers on our behalf, which are mainly located in Canada and/or the United States. These countries may not have similar data protection laws to those in your country of residence. However, we will always protect your information in accordance with this Privacy Policy wherever it is processed.

Please note that we are required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Linked websites

For your convenience, hyperlinks may be posted on the IIBA sites or Services that link to other websites (the “Linked Sites”). We are not responsible for, and this Privacy Policy does not apply to, the privacy practices of any Linked Sites or of any companies that we do not own or control. Linked Sites may collect information in addition to that which we collect on the IIBA sites. We do not endorse any of these Linked Sites, the services or products described or offered on such Linked Sites, or any of the content contained on the Linked Sites. We encourage you to seek out and read the privacy policy of each Linked Site that you visit to understand how the information that is collected about you is used and protected.

Children’s personal information

We do not knowingly collect or solicit personal information from anyone under the age of 13. If you are under 13, please do not attempt to register for the Services or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us Personal Information, please contact us at

Will IIBA ever change this Privacy Policy?

We’re constantly trying to improve our IIBA sites and Services, so we may need to change this Privacy Policy from time to time as well. We will alert you to material changes by, for example, placing a notice on our IIBA sites and/or by sending you an email (if you have registered your e-mail details with us) when we are required to do so by applicable law. You can see when this Privacy Policy was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Privacy Policy.

What if I have questions about this policy?

If you have any questions or concerns regarding our privacy policies, please send us a detailed message to, and we will try to resolve your concerns.