The organization is responsible for personal information under its custody and control and shall designate one or more persons who are accountable for the companies’ compliance with the following principles.

The knowledge and consent of a customer are required for the collection, use or disclosure of personal information, except where inappropriate.

ARO shall retain personal information only as long as necessary for the fulfillment of those purposes, and to comply with legislative or business requirements.

ARO shall protect personal information by security safeguards appropriate to the sensitivity of the information.

ARO shall inform a customer of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information.

ARO’s policy does not specify what personal data elements can be collected. However, the organization shall collect personal information by fair and lawful means and shall limit the collection of personal information to that which is necessary for the purposes identified by the company and to that which is required to fulfill the authorized purposes.

ARO shall use and disclose personal information in the course of rendering the Services only for the purposes for which it was collected, or purposes consistent with these purposes, except with the informed consent of the individual, or as required or permitted by law.

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

ARO shall make readily available to customers specific information about its policies and practices relating to the management of personal information.

A customer shall be able to address a challenge concerning compliance with the above principles to the designated person or persons accountable for the compliance of the organization with ARO’s Code.