Dun & Bradstreet

Privacy, Data and AI Transparency Statement (U.S.)

The Privacy, Data and AI Transparency Statement of Dun & Bradstreet (U.S.) details the company's commitment to ethical data stewardship, transparency, and compliance with privacy and data protection standards in processing personal and business data—including AI use, data sharing, and security—guided by human-centered values and global policies to support responsible data-driven insights while respecting individual rights.

This Privacy, Data and AI Transparency Statement reflects the privacy, data processing, and data protection standards of the Responsible D&B Entities in the U.S. It applies to data processing in the U.S. and outlines commitments, values, data processing practices, personal data handling, data subject rights, use of cookies and online activity data, AI systems, data sharing and disclosures, cross-border data transfers, data security, and data retention.


Our Commitment to Data Ethics, Compliance, and Privacy

Dun & Bradstreet (D&B) is committed to bringing businesses and organizations together by providing insights about economic opportunities and risks, including data about businesses, business decision-makers, and other people representing organizations globally. D&B aggregates, combines, and generates data, including scores, ratings, and analytics. The D&B Data Cloud contains data and insights on over 500 million organizations worldwide.

As a responsible data steward for almost 200 years, D&B strives to balance commercial obligations with the interests of organizations and individuals whose data is processed. The company aims to be transparent about data processing and the use of Artificial Intelligence (AI) systems, supporting meaningful data-driven insights and better decision-making while respecting individual rights.

Our Values

D&B’s compliance and ethics are grounded in human-centered values and principles, as set forth in the Code of Conduct and Ethics. These guide the design, implementation, improvement, and retirement of data processing and management systems, respecting human rights, privacy, non-discrimination, diversity, equity, inclusion, and legal obligations.

Consistent Global Standards

D&B maintains trust through an accountability-based compliance and ethics program, applying global standards. Core policies include:

  • Data Compliance and Ethics
  • Privacy and Personal Data Protection
  • Data Subject Rights
  • Records Management and Data Retention
  • AI Ethics
  • Global Cross Border Privacy Management System
  • Incident and Breach Response

D&B upholds multilateral standards and certifications, including:

  • EU-U.S. Privacy Shield (2016)
  • Swiss-U.S. Privacy Shield (2017)
  • EU-U.S. Data Privacy Framework (2023)
  • Swiss-U.S. Data Privacy Framework (2023)
  • UK Extension to EU-U.S. Data Privacy Framework (2023)
  • APEC Cross-Border Privacy Rules System (2023)

Our Data Processing

D&B processes various types of data to support business decisioning, including data about people, businesses, organizations, places, economic activity, sustainability, legal and business events, and third-party risks. Some of this data is personal data, and some systems used are AI systems.

Dun & Bradstreet, Inc. is registered as a data broker in California and Oregon. Eyeota Pte. Ltd and NetWise Data, LLC are also registered as data brokers in certain states.

Responsible Data Processing Sheets (RDPS) are provided for products and solutions, such as:

  • ChatD&B for Data Blocks
  • Receivables Intelligence by Co-Action

Your Personal Data

Personal data is information relating to an identified or identifiable individual. It includes data that can be used to identify, locate, track, or contact an individual. Data that cannot be associated with an individual (anonymous or anonymized) is not considered personal data.

The processing of personal data depends on the type of data subject, their role, the nature of products and services, and D&B’s data and analytics methodologies.

Supplemental Personal Data Processing Statements

D&B provides supplemental statements for different data subject groups, including:

  • Website visitors and online service users
  • Professional contacts in products and services
  • Sole proprietors (coming soon)
  • Employees, beneficiaries, and dependents
  • Job applicants
  • Consumers
  • Cookie Policy
  • MyD&B Mobile App Privacy Statement
  • California Resident Disclosures
  • Eyeota Privacy Center Cookie Policy

Each supplemental statement forms part of the overall disclosures for regulatory and framework obligations.

Your Data Subject Rights

D&B is committed to respecting the data and digital rights of individuals in both personal and professional capacities, in accordance with the Global Data Subject Rights Policy and applicable laws. Key rights include:

  • Right to Know: To know whether D&B processes personal data, for what purposes, and other legally required information.
  • Right of Access: To access specific personal data processed by D&B.
  • Right of Correction: To correct, update, amend, or supplement inaccurate personal data.
  • Right of Deletion: To request deletion of data where there is no legitimate business need or where individual rights outweigh business needs.
  • Right to Opt-Out of Commercial Communications: To opt out of marketing and promotional communications.
  • Right to Opt-Out of Data Sale: Where required by law.
  • Right to Withdraw Consent: To withdraw consent for data processing.
  • Right to Restrictions: To request restrictions on how personal data, including sensitive data, is processed.

D&B will not retaliate or discriminate against individuals exercising these rights. Requests are honored as soon as practicable and in accordance with legal timelines, with some limitations on repeated requests.

For Eyeota and Netwise businesses, specific opt-out and access request links are provided.

Cookies and Online Activity Data

D&B uses cookies and other online data collection technologies (e.g., single pixel tags, eTags, scripts) to help navigate websites, remember selections, deliver features, measure advertising effectiveness, and remarket. Cookies are grouped into:

  • Required
  • Functional
  • Advertising

Preferences can be managed via the Cookie Consent Manager. More information is available in the Cookie Policy.

Our Use of AI Systems

D&B uses the OECD definition of "AI system": a machine-based system that infers from input how to generate outputs (predictions, content, recommendations, or decisions) that influence environments. AI systems vary in autonomy and adaptiveness.

D&B is committed to responsible AI use, development, and implementation, guided by 11 AI Ethics Principles and an agile AI Governance Council. Transparency about AI systems is provided through supplemental statements, privacy notices, user guides, system cards, model cards, and disclosures related to analytics.

D&B participated in the Centre for Information Policy Leadership (CIPL) project on Building Accountable AI Programs and supports the IAPP AI Governance Center.

Personal Data Sharing and Disclosure

D&B shares data, including personal data, in the following ways:

  • With other D&B companies (subsidiaries, parent companies, affiliates)
  • With members of the D&B worldwide network (independent providers with commercial agreements)
  • With customers (businesses and organizations licensing or accessing data)
  • With authorized resellers
  • With service providers (subcontractors, subprocessors) as necessary
  • With business partners in strategic relationships
  • Through third-party cookies and related technologies
  • Where required by law or for safety/fraud prevention (e.g., law enforcement, regulatory agencies, court orders)
  • In connection with mergers, acquisitions, divestitures, and asset sales
  • With other third parties with consent or authorization

D&B expects third parties to adhere to high ethical standards and contractual obligations.

Cross-Border Data Transfers

D&B processes data in the U.S. and other markets (Owned Markets), managing transfers according to global standards, legal requirements, adequacy decisions, and multilateral frameworks.

Data Privacy Framework

D&B U.S. Entities comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), UK Extension, and Swiss-U.S. DPF, as set by the U.S. Department of Commerce. D&B certifies adherence to these principles for personal data received from the EEA, UK, and Switzerland. The U.S. Federal Trade Commission has jurisdiction over D&B’s compliance. Unresolved complaints can be referred to TRUSTe or relevant authorities, with binding arbitration available under certain conditions.

Cross-Border Privacy Rules System

D&B complies with the APEC Cross Border Privacy Rules System (CBPRs) for transfers among participating APEC member economies. Unresolved concerns can be addressed via TRUSTe.

Data Security

D&B has a comprehensive cyber and data security program to protect data, systems, and assets from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Policies include:

  • Acceptable Use of Information Assets Policy
  • Information Security Management Systems Policy
  • Information Security Policy Framework
  • Information Security Policy
  • Data Handling Standard
  • Cryptographic Standard

More information is available in the overview of the D&B Information Security Control Environment.

Data Retention

D&B stores data according to the Records Management and Data Retention Policy, which aligns with legal obligations and business needs. Personal data is stored only as long as necessary for its purpose or as required by law. Retention periods are documented and aligned with processing purposes and record types.

D&B Legal Entities to Which This Statement Applies

United States:

  • Dun & Bradstreet Holdings, Inc.
  • The Dun & Bradstreet Corporation
  • Dun & Bradstreet, Inc.
  • Avention, Inc.
  • Dun & Bradstreet Emerging Businesses Corp.
  • Dun & Bradstreet Government Solutions, Inc.
  • Dun & Bradstreet International, Ltd.
  • Dun & Bradstreet NetProspex, Inc.

(Additional entities may be listed in the full document.)