How Aretas Partners LLC collects, uses, protects, and respects your personal information.
Summary for executives and candidates: Aretas Partners collects professional and biographical information about candidates and clients in the course of providing retained executive search and leadership advisory services. We do not sell personal data. We do not share candidate information with employers without the candidate's knowledge. We maintain strict confidentiality over all search-related information and retain candidate data only as long as necessary for the purposes for which it was collected.
Aretas Partners LLC ("Aretas Partners," "Firm," "we," "our," or "us") is a Connecticut limited liability company providing retained executive search and leadership advisory services. Our principal place of business is in the State of Connecticut.
For purposes of applicable data protection law — including the Connecticut Data Privacy Act (CDPA), the California Consumer Privacy Act (CCPA), and the EU General Data Protection Regulation (GDPR) — Aretas Partners LLC acts as a data controller with respect to personal data processed in connection with our services and website operations.
This Privacy Policy governs the collection, use, processing, storage, and disclosure of personal information by Aretas Partners LLC in connection with: (i) our retained executive search and leadership advisory services; (ii) our website at aretaspartners.com; and (iii) any other direct communications or business interactions with Aretas Partners.
For questions regarding this policy or to exercise your privacy rights, contact us at privacy@aretaspartners.com or joe.ghory@aretaspartners.com.
This Policy applies to personal information collected about:
This Policy does not apply to the personal information of Aretas Partners LLC employees or contractors, which is governed by separate internal policies.
Note for clients and employer organizations: Our Retained Executive Search and Advisory Services Agreement contains specific data protection provisions governing the parties' respective obligations with respect to candidate personal data. In the event of any conflict between this Policy and the applicable engagement agreement, the engagement agreement controls with respect to the specific search engagement.
In the course of providing executive search services, we collect and process the following categories of personal information about candidates:
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Full name, professional title, current and prior employer names, email address, phone number, LinkedIn profile URL, professional website | Public sources, candidate submission, professional databases, referrals |
| Professional history | Employment history, titles, responsibilities, tenure, career progression, compensation history, academic credentials, professional certifications | Résumés, public profiles, candidate-provided information |
| Assessment & evaluation | Interview notes, competency assessments, reference check results, leadership evaluation frameworks, written candidate profiles | Aretas Partners assessments, structured interviews, reference conversations |
| Compensation | Current and target total compensation, equity holdings, benefits, offer terms (when communicated as part of a placement) | Candidate-provided, offer letters |
| References | Names and contact information of professional references; reference conversation notes | Candidate-provided, back-channel sources where legally permissible |
| Communications | Email correspondence, meeting notes, call records | Direct communications with Aretas Partners |
We do not routinely collect sensitive personal data (defined below) about candidates. Where a candidate voluntarily provides sensitive information — such as information about a disability relevant to a role — we process it only to the extent necessary and with the candidate's awareness.
Aretas Partners does not intentionally collect the following categories of sensitive personal information unless required by a specific search engagement and disclosed to the relevant individual:
| Purpose | Legal Basis (where applicable) |
|---|---|
| Identifying and evaluating candidates for executive search mandates | Legitimate interests of the Firm and client organizations; performance of services |
| Conducting structured interviews, assessments, and reference checks | Legitimate interests; candidate consent (where required) |
| Presenting candidate profiles to client organizations | Performance of search engagement; legitimate interests |
| Providing compensation benchmarking and market intelligence | Performance of services; legitimate interests |
| Managing client engagements, billing, and invoicing | Contractual necessity; legal obligation |
| Maintaining professional relationship records | Legitimate interests in maintaining a professional network |
| Complying with legal and regulatory obligations | Legal obligation |
| Operating and improving our website | Legitimate interests; consent (for analytics cookies) |
| Responding to contact form submissions and inquiries | Consent; performance of pre-contractual steps |
| Sending thought leadership and market intelligence communications | Consent; legitimate interests (for existing contacts) |
We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals without human review.
Executive search involves the collection and processing of substantial professional and biographical information about individuals. We apply the following specific principles to candidate personal data:
Candidate information is treated as strictly confidential. We will not share a candidate's name, identity, or professional profile with a specific client organization without the candidate's knowledge that they are being considered for that engagement. Candidate information shared with a client is provided only to the extent necessary for the client to evaluate the candidate's suitability for the specific role.
Where we proactively approach a candidate for an engagement, we will disclose: (a) that we are a retained executive search firm; (b) the general nature of the role and sector (without initially identifying the client); and (c) our data practices in connection with the engagement. Candidates who do not wish to be considered may withdraw at any time by contacting us at privacy@aretaspartners.com.
Formal reference checks are conducted only with the candidate's prior knowledge and approval. Back-channel references (discreet professional conversations not listed by the candidate) may be conducted where legally permissible and where the candidate is an active finalist, consistent with professional practice standards in the executive search industry. We do not conduct reference checks without the candidate's knowledge of their finalist status.
We maintain a proprietary candidate database as part of our Talent Intelligence platform. Candidate information in this database is used solely for the purpose of identifying suitable candidates for current and future search engagements. We do not sell, license, or transfer candidate database records to third parties. Candidates may request removal from our database at any time by contacting privacy@aretaspartners.com.
At the conclusion of each search engagement, we provide our client with a written record of all candidates introduced or submitted during the search term, consistent with our engagement agreement. This record is used to establish the scope of the Protection Period obligations under our standard engagement terms.
We disclose personal information only in the following circumstances:
We share candidate personal information with client organizations to the extent necessary to conduct an executive search engagement. Clients are required under our engagement agreements to process candidate information only for the purpose of evaluating candidates for the specific role and to maintain appropriate data protection measures.
We engage the following categories of service providers who may have access to personal information:
All service providers with access to personal information are required to process it only for the specified purpose and in accordance with our instructions and applicable law.
We may disclose personal information if required to do so by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to protect our legal rights, comply with a judicial proceeding, or respond to a subpoena. Where legally permissible, we will notify the affected individual of such a request.
In the event of a merger, acquisition, or sale of all or substantially all of the assets of Aretas Partners LLC, personal information held by the Firm may be transferred to the acquiring entity, subject to equivalent privacy protections.
Aretas Partners does not sell personal information — not to data brokers, advertising networks, or any other third parties. Candidate and client data is not used for advertising targeting purposes.
Our website (aretaspartners.com) uses the following categories of cookies and tracking technologies:
| Type | Name / Provider | Purpose | Duration |
|---|---|---|---|
| Essential | Session cookies | Required for basic website functionality | Session only |
| Analytics | Google Analytics 4 (_ga, _ga_XXXX) | Aggregate website traffic and behavior analysis — used to improve the site and understand how visitors engage with content | Up to 2 years |
| Analytics | Google Tag Manager (_gtm) | Tag management for analytics and conversion tracking | Session to persistent |
| Preference | Local storage items | Storing user interface preferences | Persistent |
We use Google Analytics 4 (GA4) to collect aggregate, anonymized information about how visitors interact with our website. GA4 data collected includes: pages visited, time on site, general geographic region (country/state level), device type, and traffic source. We have configured GA4 with IP anonymization enabled. We do not use GA4 data to identify individual visitors by name.
Google's data processing terms and privacy policy govern GA4's collection and use of this data. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on or by adjusting your browser's cookie settings.
You may control cookie settings through your browser's settings. Most browsers allow you to: view and delete cookies, block cookies from specific websites, block all cookies, and be alerted when a cookie is set. Note that disabling certain cookies may affect the functionality of our website. Essential cookies cannot be disabled without affecting the operation of the site.
We retain personal information only as long as necessary for the purposes for which it was collected, consistent with applicable law and our professional obligations. Our general retention standards are:
| Category | Retention Period | Basis |
|---|---|---|
| Active search engagement records (client and candidate) | Duration of engagement + 5 years | Engagement Agreement obligations; legal claims; professional standards |
| Placed candidate records | 7 years from placement date | Contractual; legal; professional liability |
| Non-placed candidate records (proprietary database) | 5 years from last contact, unless removal requested | Legitimate interests; candidate awareness |
| Client organization records | 7 years from last engagement | Legal and regulatory; contractual |
| Website analytics data (GA4) | 14 months (GA4 default; configured at minimum) | Operational improvement; consent |
| Contact form submissions | 2 years, unless converted to engagement | Legitimate interests; follow-up |
| Financial and billing records | 7 years | Legal obligation (IRS, state tax) |
| Email and communication records | 5 years for engagement-related; 3 years for general professional | Professional obligations; legal claims |
Upon expiration of the applicable retention period, personal information is securely deleted or anonymized. Individuals may request earlier deletion subject to the limitations described in Section 9.
Depending on your jurisdiction and the applicable law, you may have some or all of the following rights with respect to your personal information:
| Right | Description |
|---|---|
| Access | To know what personal information we hold about you and to receive a copy |
| Correction | To correct inaccurate or incomplete personal information |
| Deletion | To request deletion of personal information, subject to our legal and contractual retention obligations |
| Portability | To receive personal information in a structured, machine-readable format |
| Restriction | To request that we restrict processing of your personal information in certain circumstances |
| Objection | To object to processing based on legitimate interests, including being included in our candidate database |
| Withdraw consent | To withdraw consent at any time where processing is based on your consent |
| Opt-out of sale/sharing | We do not sell personal information; this right is satisfied by our data practices |
To exercise any of these rights, submit a request to privacy@aretaspartners.com with sufficient information to identify yourself and describe your request. We will respond within the timeframes required by applicable law (generally 45 days, with possible extension). We may require verification of your identity before processing certain requests.
Limitations: Certain rights may be limited where we are required to retain information by applicable law, where deletion would compromise our professional obligations under a search engagement agreement, or where a third party's rights are affected.
The Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), effective July 1, 2023, applies to organizations that process the personal data of Connecticut residents. Aretas Partners LLC, as a Connecticut-based company, is subject to the CDPA with respect to our processing of personal data of Connecticut residents.
We collect and process personal data that is adequate, relevant, and reasonably necessary in relation to the specific purposes for which it was collected. We do not collect personal data beyond what is necessary for the identified purposes.
We process personal data only for the purposes disclosed in this policy and in our engagement agreements. Where we intend to process personal data for a purpose that is materially different from the original purpose of collection, we will provide notice and, where required, obtain consent.
Connecticut residents have the following rights under the CDPA:
We will respond to verified CDPA consumer requests within 45 days of receipt. Where reasonably necessary due to the complexity of the request, we may extend this period by an additional 45 days, with written notice provided to you within the initial 45-day period.
Where Aretas Partners acts as a processor of personal data on behalf of a client (controller), we enter into a data processing agreement consistent with CDPA requirements. Where Aretas Partners acts as an independent controller of candidate personal data, this policy governs our obligations.
If we decline to act on a CDPA rights request, we will provide you with a written explanation within 45 days. You may appeal our decision by contacting privacy@aretaspartners.com with "CDPA Appeal" in the subject line. If your appeal is denied, you may submit a complaint to the Connecticut Attorney General's Office.
To the extent Aretas Partners processes personal information of California residents and meets the thresholds for CCPA applicability, California residents have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA):
California residents may submit CCPA rights requests to privacy@aretaspartners.com. We do not sell or share personal information with third parties for cross-context behavioral advertising. Requests will be honored within 45 days, with a possible 45-day extension with notice.
Note: The CCPA provides certain exemptions for information processed in the context of business-to-business relationships and employment-related personal information, which may limit the scope of CCPA rights in certain search engagement contexts.
To the extent Aretas Partners processes personal data of individuals in the European Economic Area (EEA) — including executive candidates located in EU member states — the GDPR (EU 2016/679) applies to such processing.
| Processing Activity | Legal Basis |
|---|---|
| Candidate identification and evaluation for search engagements | Legitimate interests (Article 6(1)(f)) — identifying qualified candidates for clients is a legitimate interest of the Firm and its clients |
| Candidate profile submission to a client | Legitimate interests; or performance of a contract (where a candidate has engaged with the process) |
| Reference checks | Legitimate interests; consent where required |
| Website analytics (GA4) | Consent (Art. 6(1)(a)) — obtained via cookie consent mechanism |
| Contractual processing for clients | Performance of contract (Art. 6(1)(b)) |
| Legal obligation compliance | Legal obligation (Art. 6(1)(c)) |
Aretas Partners is based in the United States. When we process personal data of EEA residents, such data is transferred to the US. We rely on the following mechanisms for such transfers: Standard Contractual Clauses (SCCs) as adopted by the European Commission; and adequacy decisions where applicable. We implement appropriate technical and organizational safeguards consistent with GDPR Article 32 for all international transfers.
EEA residents have the full suite of GDPR rights under Articles 15–22, including access, rectification, erasure, restriction, data portability, objection, and the right not to be subject to solely automated decisions. Requests should be submitted to privacy@aretaspartners.com. We will respond within 30 days (extendable to 90 days for complex requests with notice).
EEA residents also have the right to lodge a complaint with the supervisory authority in their EU member state. A list of supervisory authorities is available at edpb.europa.eu.
The federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) governs the use of consumer reports and investigative consumer reports in employment decisions.
Allocation of FCRA responsibility: As set forth in our standard Retained Executive Search and Advisory Services Agreement, client organizations are solely responsible for FCRA compliance with respect to any background checks, consumer reports, or investigative consumer reports used in their hiring decisions. This includes obtaining required disclosures, authorizations, and providing required adverse action notices.
Aretas Partners does not order consumer reports or investigative consumer reports as defined under FCRA as part of our standard search process. We conduct professional reference checks that are distinct from consumer reports under FCRA. Where we coordinate third-party background screening on behalf of a client, such coordination occurs pursuant to the client's express instruction, and the client remains the entity responsible for FCRA compliance.
We will cooperate with client FCRA compliance programs as reasonably directed under the applicable search engagement agreement.
Aretas Partners implements appropriate technical and organizational security measures to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our security practices include:
Data breach notification: In the event of an actual or suspected data breach involving personal information, we will notify affected individuals within 48 hours of becoming aware, and notify applicable supervisory authorities within the timeframes required by applicable law (72 hours under GDPR; as required under applicable US state law). Notification will describe the nature of the breach, the data involved, the likely consequences, and the measures taken to address it.
No data transmission over the internet is completely secure. While we implement industry-standard security measures, we cannot guarantee absolute security of personal information transmitted to or from our website.
This Privacy Policy and any disputes arising out of or relating to it are governed by the laws of the State of Delaware, without giving effect to conflict-of-law rules that would apply another jurisdiction's laws. Nothing in this section limits your rights under applicable data protection law, including CDPA, CCPA, or GDPR, which are governed by their respective statutory frameworks.
Any disputes regarding this Privacy Policy that are not resolved through direct communication with Aretas Partners shall be subject to the dispute resolution provisions of the applicable engagement agreement, or — for website visitors and candidates not party to an engagement agreement — shall be subject to the exclusive jurisdiction of the state and federal courts of Delaware and Connecticut.
Counsel note: Privacy disputes involving candidates who have not executed an engagement agreement are not subject to the DRAA arbitration clause. This provision should be reviewed by counsel before first client execution to confirm it is consistent with the engagement agreement's dispute resolution framework and applicable state law.
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory requirements. When we make material changes, we will:
Your continued use of our website or services after the effective date of any revised Policy constitutes your acceptance of the revised terms, to the extent permitted by applicable law.
For privacy requests, CDPA/CCPA/GDPR rights exercises, questions about this Policy, or data breach notifications:
Email: privacy@aretaspartners.com
Primary contact: joe.ghory@aretaspartners.com
Website: aretaspartners.com
Aretas Partners LLC · Connecticut Limited Liability Company · aretaspartners.com
We will acknowledge receipt of privacy requests within 5 business days and will respond substantively within the timeframes required by applicable law. If you believe your privacy rights have not been adequately addressed, you have the right to escalate to the applicable supervisory authority in your jurisdiction.
© 2026 ARETAS PARTNERS LLC · ALL RIGHTS RESERVED · PRIVACY POLICY v1.0 · EFFECTIVE APRIL 14, 2026
This Privacy Policy was prepared consistent with applicable data protection law as of the effective date above, and with the legal framework established in Aretas Partners' standard Retained Executive Search and Advisory Services Agreement. It should be reviewed by qualified legal counsel before publication and on a regular basis thereafter as applicable law evolves.