Privacy Policy


EFFECTIVE: MAY 22, 2020, Version 2.1

This Privacy Policy describes how Performance Culture (“Performance Culture”) protects your data and respects your privacy. We welcome any questions or concerns related to your data, your privacy or this policy; please contact us at [email protected]. Our Privacy Policy relates to all our services including our website at www.PerformanceCulture.com and other sites and domains (“Websites”), our web and mobile applications and all other interactions between Performance Culture and our clients, users and prospective clients.

Please note that this Policy relates to Performance Culture Services and Websites, and not to any third-party applications or technology that integrate with the Services or otherwise are involved with Performance Culture Services and Websites. When a client, user or prospective client encounters through Performance Culture one of these Third Party Services, he/she may be directed to a third-party website using a link or some other tool; clicking on either may take the user to a related Third Party Website; once the client, user or prospective client enters the Third Party Website, the Performance Culture Privacy Policy no longer applies to your visit or any data collected by the Third Party. (The Third Party probably will have their own Privacy Policy posted on their site(s); the client, prospective client or user should review that Third-Party policy before sharing or entering any personal data.)

When you visit any Performance Culture Website or use or access any Service or interact with Performance Culture in any way, you accept the terms of this Privacy Policy. Further, you expressly consent to Performance Culture’s collection, use, and disclosure of data, including Personal Data, as described in this Privacy Policy and the End User License Agreement (“EULA”).

The EULA is a separate agreement that governs the access and use of the Software. This will include the receipt, handling and processing of the “Client Data”, meaning data, content, messages, schedules and other information or any other information that Client and/or Users submit, transmit or store by using the Software or other services (collectively referred to in this document as “Services”) of Performance Culture. The Client or User’s sponsoring organization (usually the employer) that contracted with Performance Culture along with the EULA control the nature of interaction and use of the services (“Services”) along with the storage, transmittal, entry or uploading of any Client Data. This sponsoring organization is referred to as the “Client” in this document; and it is the Client who authorizes specific End Users within their organization; the End Users are those who use and access the Services, referred to in this document as “Authorized Users”. The Client may have its own policies and procedures; please contact them with any questions or concerns about their policies. Performance Culture is not responsible for the privacy or security practices of our Clients; their policies and practices may vary from those within this Performance Culture Privacy Policy.

WHAT THIS PRIVACY POLICY COVERS

  1. What information we collect
  2. How the information is used
  3. How and Why Information May be Shared or Disclosed
  4. How Long is Information Retained by Performance Culture
  5. Statement of your privacy rights
  6. International Disclosure
  7. Security
  8. Children
  9. Data Breach
  10. California residents: a special note
  11. Future updates to this policy
  12. Contact Performance Culture about this policy

 

  1. What Information We Collect

There are several types or sources of Data that are collected as Clients and Authorized Users access the Services, including: Client Data (about the employer or sponsoring organization and the key contact person) and Authorized User Information (Personal Data). This may include manager and staff level information that identifies or could identify an individual person. You acknowledge and agree that we may collect, process, store and share Personal Data disclosed by you or the Client to enable us to provide Services as contracted and to meet our obligations.

Clients and Authorized Users routinely submit Client Data and Personal Information to Performance Culture when using the Services and the EULA applies to both.

  1. Client Provided Information. The Client (usually the employer) and then the Authorized Users will submit, input or otherwise transfer to Performance Culture both Client Data and Personal Data. The Client Data will include information about the employer and the contact person(s). Client Data may include payment information. The Personal Data will include information about each Authorized User and his/her employment, including the following:

 

  • Basic Employee Information: Name, ID, preferred name, date of birth, gender, nationality, photo or link to same, ID, other applicable identifying information
  • Employment Information: Information about hiring (application date, etc.); employment status, type (full or part time, etc.); hired date; termination date; compensation; job title and location; department; manager information and personal IP addresses.
  • Contact Information: phone, personal and professional email addresses and other for both the Authorized User and manager(s).
  • Other as needed

 

  1. Sensitive Personal Data. Performance Culture does not intentionally collect or store Sensitive Personal Data and we request that Clients and Authorized Users refrain from inputting, entering, sending or using the Services in any way that would cause input, display or retention of Sensitive Personal Data about oneself or any other individual. “Sensitive Personal Data” includes, but is not limited to: financial information of any kind except compensation, including any account numbers; identity numbers issued by any government agency such as driver’s license; information gleaned from background checks; passwords that would or could be used to access any personal accounts; biometric information; sexual orientation; information regarding health; genetic data; racial or ethnic information; cultural beliefs including politics, religion, and other; information about trade union membership or other organizations. Performance Culture is not responsible for and not liable for any loss or damages any individual may experience due to your disclosure of Sensitive Personal Data while using the Services.
  2. Other Information: The Services inherently track and store certain job-related information during the course of use of the Services. What we collect is what Clients and Authorized Users provide in some manner.

We collect personal information that Clients and Authorized Users voluntarily provide to us when first being introduced to Performance Culture, when communicating to us in any way, and then when accessing the Services.

We collect data necessary to process Client payments as contracted, such as Client payment instrument number (e.g. a credit card number), and the security code associated with your payment instrument. All payment data is stored by Stripe or QuickBooks. You may find their privacy policies at https://stripe.com/privacy and https://quickbooks.intuit.com/in/resources/privacy.

During use of the Services, Authorized Users, including Clients, may enter or otherwise disclose data that will be received by the Services but not accessed by the Services or Performance Culture (e.g. a review of another user). Performance Culture, within the Services, may store such information solely for the purposes of providing the Services.

The Privacy Policy relies upon all Client Data, Personal Data and other information provided to Performance Culture being accurate and complete and updated when any change occurs.

  1. Technical Information Collected

Technical Information such as IP address and/or browser and device characteristics are collected automatically when any Client or Authorized User accesses the Services.  This information does not reveal the specific identity of the user but may include device and usage information including operating system, language preferences, referring URLs, device name, country, location, information about how and when the Services are accessed and other technical information. Performance Culture collects the information needed, for the most part, to protect the data, maintain security and for internal management and analytical purposes. Cookies and similar technologies are also collected and used for internal purposes.

 

Additional technical information may include metadata, logs of user use of the Services and other information collected when Client or Authorized Users access the Services. Data may also be collected from tools and processes used to integrate with Third Party services used by the Client or Authorized Users; the Client may determine which data Performance Culture will use and store.


  1. Information collected from other sources

Performance Culture may collect limited information from public databases, marketing partners, and other outside sources. These include, among others, the Clients’ HR or payroll system, joint marketing partners and other third parties. The information may include social media profile information; marketing search and link information including sponsored links.

Upon receipt of a written request, Performance Culture will inform you about the source of information and the type of information we have collected about you within a reasonable period after obtaining the personal data, but at the latest within one month.

 

  1. How the Information is Used by Performance Culture

Client Data and Personal Data are used by Performance Culture for legitimate business needs (including Client instruction) and/or compliance with our legal obligations, or by Client or Authorized User consent.

Technical and Other Information is used to oversee and manage the Software and in operating our business. Specifically, the uses include:

  1. To Provide the Services, including the Websites. Specifically, the information is used to optimize delivery of Services according to the agreement with the Client and to manage and optimize the experience of the Authorized Users as they interact with the Services (storing User settings, etc.). Further, the information is used to support the required infrastructure, to analyze usage and address any services or security issues that may arise.
  2. To Optimize the Services and Websites. Technical and Other Information is used in Performance Culture product development activities across each section or component of the applications.
  3. To Enable Support. Performance Culture uses Technical and Other Information to enable support functions for both Clients and Authorized Users.
  4. To Enable Communication. The Technical and Other Information is needed to enable optimized communication on a range of topics and issues with both Clients and Authorized Users.  These communications include maintenance announcements, security alerts or information, news on features and other development and marketing information on new offerings; account management functions are supported as well.
  5. To Optimize Security. The information, particularly the Technical Information, is used to optimize security including various analyses and investigations.
  6. To Meet Legal Obligations. The information is used as needed to meet legal obligations whether contractual or as required by applicable law.
  7. We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information.  Most web browsers and some mobile operating systems and mobile applications include settings users can modify.
  8. To send marketing and promotional communications. We may use the Personal Data for our marketing purposes, to the extent permitted at the Authorized User level. Authorized Users may opt-out of marketing emails at any time (see the “Statement of Your Privacy Rights” below).

 

  1. How and Why Information May be Shared or Disclosed: Unless described in this Privacy Policy or the agreement with the Client, Performance Culture will not use or disclose Client Data or Personal Data unless it is necessary to provide and support the Services or unless Client or Authorized User consents to a specific use or disclosure. Permitted disclosure or sharing of Personal Data includes:
  1. Consent or Instruction: We may share Client and/or Personal Data if permission has been granted by Client and/or the Authorized User or if so instructed by the Client either in the agreement with the Client or through other written communication or as required by applicable law.
  2. Access.  Client’s Administrators along with other representatives of Client may have access to Personal Data. Further, they may have the ability within the Services to modify or restrict access to Personal Data.
  3. Providing the Services. Performance Culture employees and contractors will have access to Personal Data on a confidential basis; the access is limited to what each person is required to access in order to perform their specific job in providing the Services.
  4. Internal Client Communication/Access. Within a work group inside a Client, certain Personal Data may be made available to other members of the work group, e.g. Authorized User name and title. There is some ability to make certain data private, in accordance with Client instructions. Users are responsible for the data they post or upload in the Services and results of that data being input; Performance Culture is not responsible for data, including Personal Data, disclosed within the Services.
  5. Third Party Providers and Services
    • Performance Culture has contracts with providers, contractors or agents who perform services for us or on our behalf and require access to information to do that work, including Personal Data and Client Data. The providers include those engaged for email support, website hosting and customer service. Each contract with these providers includes their commitment to perform their work and services consistent with this Privacy Policy. Performance Culture may be liable for ongoing transfers of data of citizens of the European Union and Switzerland.
    • Clients may support, in the client agreement, Performance Culture’s use or integration with some Third-Party services in connection with our Services.  In these cases, it may be necessary to share and disclose some Client Data, Personal Data and Other Information to the Third Party. These Third Parties are known to the Client and may have their own privacy policies that you should investigate or review.
  6. Business Changes. If Performance Culture becomes involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of some or all of its assets, IPO, financing or other similar transaction or process OR if it is contemplating same, then Performance Culture may disclose data. In each case, Performance Culture would disclose data only as supported and restricted by standard confidentiality agreements and/or obligations.
  7. Aggregated or Anonymized Data. If any Client Data, Personal Data or Other Information is aggregated or anonymized so that it does not and cannot reasonably identify any individual(s), Performance Culture may use and disclose the data for any legitimate purpose.
  8. Agreements and Legal Obligations. If a need arises to enforce agreements with clients or other contracts or obligations, we may share or disclose information as needed in that effort. Further, if Performance Culture is obligated by law, national security or legal process (e.g. compliance with a subpoena), we will disclose the minimum data we believe necessary to the situation.
  9. Rights. In the event Performance Culture needs to protect or defend its rights and/or property (including intellectual property), we will use and disclose data as necessary to do so under applicable law.
  10. Security. Performance Culture may disclose information if it reasonably deems it necessary to protect the security or safety of Clients or our own employees, contractors, agents or other representatives.
  11. s. Examples include: payment processing, data analysis, email delivery, hosting services, customer service and marketing efforts. We may allow selected third parties to use tracking technology on the Services, which will enable them to collect data about how users interact with the Services over time. This information may be used to, among other things, analyze and track trends, determine the popularity of certain content and better understand online activity. Unless described in this Policy, we do not share, sell, rent or trade any Personal Data or Client Data with third parties for their promotional purposes. We have contracts in place with our data processors. This means that they cannot do anything with personal information unless we have instructed them to do it. They are required to not share personal information with any organization apart from us. They are obligated to hold it securely and retain it for the period we instruct.

 

  1. How Long is Information Retained by Performance Culture

We will only keep Client Data and Personal Data for as long as it is necessary for the purposes set out in this privacy policy and our agreement with the Client, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements) or for reasonable retention to support legitimate business interests including audits, dispute resolution, etc.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

 

  1. Statement of Privacy Rights Regarding Access and Changes to Data
  1. If an Authorized User believes there is an inaccuracy in the data held or displayed by Performance Culture, or believes there is inaccurate information within the Services, he/she should first submit the request to the Administrator. If authorized, Performance Culture will make the correction.
  2. If an Authorized User wishes to review information Performance Culture holds or processes for marketing or in relation to a Third Party, please contact us at [email protected].
  3. Authorized Users may modify certain settings in their browser related to cookies and other technologies; doing so may impact certain features of the Services.  To opt-out of interest-based advertising by advertisers on our Services, users should visit http://www.aboutads.info/choices/. Further, users can unsubscribe from the marketing email list by clicking the unsubscribe button in specific emails; users would still receive service-related emails needed for administration of the account.
  4. If a client account is terminated, we will deactivate or delete your account and information from our active databases. However, some information may be retained in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms of Use and/or comply with legal requirements.

 

  1. International Data Disclosure or Sharing. (Some international privacy laws refer to “controllers” and “processors” of data; the Client is generally the controller and Performance Culture is the processor).
  2. Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States.
  3. If you are a resident in the European Economic Area, then the other countries in the EEA may not have data protection or other laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this privacy policy and applicable law.
  4. If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

 

  1. EU-U.S. Privacy Shield Framework:

To comply with European Union data protection laws, Performance Culture self-certified under the EU-U.S. Privacy Shield Frameworks (“Privacy Shield”) as outlined by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union member countries to the United States. Performance Culture adheres to the Privacy Shield principles of: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield principles, the Privacy Shield principles shall govern with respect to Personal Data transferred from the European Union member countries to the United States. Performance Culture is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). To view our certification, see Performance Culture’s Privacy Shield Notice. To learn more about Privacy Shield, please visit www.privacyshield.gov.

Performance Culture commits to investigating and attempting to resolve complaints and disputes regarding our collection, use, or disclosure of Personal Data in compliance with Privacy Shield. European Union individuals with questions or complaints regarding the collection, use, or disclosure of their Personal Data or this Privacy Policy should first contact Performance Culture at the contact information provided below. Performance Culture will respond to any such inquiries or complaints within forty-five (45) days.

Performance Culture has further committed to refer unresolved Privacy Shield-related complaints to JAMS, an independent dispute resolution provider located in the United States. If a Client or Authorized User does not receive a timely acknowledgment of a Privacy Shield-related complaint from Performance Culture, or if we have not satisfactorily resolved the complaint or addressed the concern, then the complainant is to contact JAMS to file a complaint, at no cost to you. To contact JAMS and/or learn more about JAMS dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. Under certain limited situations, as a last resort, a complainant may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

Human resources data including Personal Data in the context of the employment relationship is subject to internal human resource policies. In addition, Performance Culture commits to cooperate with the panel established by the European Union data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the European Union member states to the United States in the context of an employment relationship as detailed in the Privacy Shield principles.

The transfer of Personal Data from the European Union member countries to the United States will be subject to Privacy Shield and then, if Privacy Shield is deemed to be inadequate by European Union data protection laws, will be subject to the Standard Contractual Clauses for the transfer of Personal Data to Processors (“Standard Contractual Clauses”). The Standard Contractual Clauses will also apply to the transfer of Personal Data from the European Union member countries to any country deemed by applicable data protection laws not to ensure an adequate level of data protection.

  1. GDPR. Individuals located in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom, have certain statutory rights under the General Data Protection Regulation (“GDPR”). When providing Services to its Clients, Performance Culture acts as a “processor” under the GDPR and our receipt and collection of any Personal Data is completed on behalf of our Clients in order for us to provide the Services. To the extent that Performance Culture’s processing of Authorized User Personal Data is subject to the GDPR, Performance Culture relies on its legitimate interests set forth in this Privacy Policy to process your Personal Data. If an Authorized User is located in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom, he/she may have the right to exercise additional rights available to you under the GDPR, including:
  2. Right to Access. Authorized Users have the right to request that we provide copies of your Personal Data; we may provide a small fee for doing this.
  3. Right to Erasure. Individuals have the right to request that Performance Culture erase your Personal Data under certain conditions. One example might be if our Contract with an employer ends for any reason, then we would not have a legal reason to retain the Personal Data of the Authorized Users of that Client. It is important to note, however, that we may need to retain certain information for record keeping purposes, to complete transactions, or to comply with our legal obligations.
  4. Right to Restrict Processing. Authorized Users have the right to request that Performance Culture restrict the processing of Personal Data under certain circumstances; one example might be an Authorized User may believe certain information is not accurate. Under a circumstance like this, we may be permitted to retain the data, but not to further process it.
  5. Right to Object to Processing. Authorized Users have the right to object to Performance Culture’s processing of Personal Data under certain conditions.
  6. Right to Data Portability. Authorized Users have the right to request that Performance Culture transfer the data we have collected to another organization or directly to you under certain circumstances.
  7. Right to Rectification. Authorized Users have the right to request that we correct any information you believe is inaccurate and to request that we complete any information believed to be incomplete.
  8. Right to Lodge a Complaint. You may also have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.

In the event any Client or Authorized User has a request or question related to the rights under the Privacy Shield or GDPR, please contact us at [email protected]. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.


  1. Security of the Data

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect personal information, transmission of personal information to and from our Services is dependent on outside security as well. Clients and Authorized Users should only access the services within a secure environment.  Authorized Users are responsible for safeguarding their login information.

 

  1. Children

We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, Clients and Authorized Users represent that they are at least 18 or that the Client or Authorized User is the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users younger than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records or seek the necessary verifiable parental consent in compliance with the Children’s Online Privacy Protection Act (“COPPA”). If a Client or Authorized User becomes aware of any data we have collected from children under age 18, please contact us at [email protected].


  1. Data Breach

A data breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of certain Personal Data. You will be notified about data breaches when Performance Culture, Inc. believes you are likely to be at risk of serious harm or when the law requires. For example, a data breach may be likely to result in serious financial harm or harm to your mental or physical well-being. In the event that Performance Culture, Inc. becomes aware of a security breach which has resulted or may result in material unauthorized access, use or disclosure of certain personal information, Performance Culture, Inc. will promptly investigate the matter and notify the applicable Supervisory Authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons and is not required by law.


  1. California Residents
    1. California enacted the California Consumer Privacy Act (“CCPA”); if a Client or Authorized User resides in California:
      1. Right to access. You may have the right to request disclosure of the categories and specific pieces of Personal Information collected about you. Once we verify a request from you, we will promptly take steps to disclose and deliver, at no cost to you, the personal information that you requested and we are required to disclose. The information may be delivered to you by mail or electronically. If it is provided electronically, the information will be, to the extent technically possible, in a readily useable format that allows you to transmit this information to another entity without technical impediments created by us. We are not required to provide information to you more frequently than once in a twelve-month period, though we may choose to do so.
      2. Right to Deletion. You may have the right to request the deletion of your personal information. Once we verify a request from you, we will promptly delete the personal information as you request from our records and we will direct any service providers to delete the personal information from their records, subject to certain exceptions under the CCPA.
      3. Right to Opt-Out of the Sale of Information. You may have the right to opt-out of the sale of your personal information to third parties. However, Performance Culture does not sell your personal information to third parties and will never sell your personal information to third parties without your express written consent.
      4. Performance Culture will not discriminate against you for exercising your rights under the CCPA. Specifically, if you exercise your rights, as examples, we will not deny you services, charge you different prices for services, or provide you a different level or quality of services.
      5. Performance Culture acts as a “service provider” under the CCPA when we are performing services for our Clients. Therefore, our collecting any consumer personal information is done on behalf of our Clients in order for us to provide the Services we are contracted and obligated to provide. Therefore, per the CCPA, please direct any requests to exercise your rights under the CCPA to the Client with whom you have a direct relationship; generally, this is your employer.
      6. For any other requests or questions related to your rights under the CCPA, please contact us at [email protected]. To protect your privacy and security, we verify your identity before addressing your question or request.
    2. California “Shine the Light” Notice
      1. Authorized Users who are residents of California may have additional rights under Civil Code Section 1798.83, also known as the “Shine the Light” law. Authorized Users may request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
    3. If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from our systems.

 

  1. Updates to This Policy

In Short:  Yes, we will update this policy as necessary to stay compliant with relevant laws.

We may update this privacy policy from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

 

  1. Contact Us About This Policy

If you have questions or comments about this policy, you may contact our Data Protection Officer (DPO), Dallas Romanowski, by email at [email protected], or by post to:

Performance Culture, Inc.

Dallas Romanowski

1900 Eastwood Road

Suite 11

Wilmington, NC 28403

United States

 

  1. How Can You Review, Update, Or Delete the Data We Collect from You?

Based on the laws of some countries, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please visit: performanceculture.com/privacy. We will respond to your request within 30 days.

 

Revision History: v2.0. May 8, 2020