EFFECTIVE: MAY 22, 2020, Version 2.1
- What information we collect
- How the information is used
- How and Why Information May be Shared or Disclosed
- How Long is Information Retained by Performance Culture
- Statement of your privacy rights
- International Disclosure
- Data Breach
- California residents: a special note
- Future updates to this policy
- Contact Performance Culture about this policy
- What Information We Collect
There are several types or sources of Data that are collected as Clients and Authorized Users access the Services, including: Client Data (about the employer or sponsoring organization and the key contact person) and Authorized User Information (Personal Data). This may include manager and staff level information that identifies or could identify an individual person. You acknowledge and agree that we may collect, process, store and share Personal Data disclosed by you or the Client to enable us to provide Services as contracted and to meet our obligations.
Clients and Authorized Users routinely submit Client Data and Personal Information to Performance Culture when using the Services and the EULA applies to both.
- Client Provided Information. The Client (usually the employer) and then the Authorized Users will submit, input or otherwise transfer to Performance Culture both Client Data and Personal Data. The Client Data will include information about the employer and the contact person(s). Client Data may include payment information. The Personal Data will include information about each Authorized User and his/her employment, including the following:
- Basic Employee Information: Name, ID, preferred name, date of birth, gender, nationality, photo or link to same, ID, other applicable identifying information
- Employment Information: Information about hiring (application date, etc.); employment status, type (full or part time, etc.); hired date; termination date; compensation; job title and location; department; manager information and personal IP addresses.
- Contact Information: phone, personal and professional email addresses and other for both the Authorized User and manager(s).
- Other as needed
- Sensitive Personal Data. Performance Culture does not intentionally collect or store Sensitive Personal Data and we request that Clients and Authorized Users refrain from inputting, entering, sending or using the Services in any way that would cause input, display or retention of Sensitive Personal Data about oneself or any other individual. “Sensitive Personal Data” includes, but is not limited to: financial information of any kind except compensation, including any account numbers; identity numbers issued by any government agency such as driver’s license; information gleaned from background checks; passwords that would or could be used to access any personal accounts; biometric information; sexual orientation; information regarding health; genetic data; racial or ethnic information; cultural beliefs including politics, religion, and other; information about trade union membership or other organizations. Performance Culture is not responsible for and not liable for any loss or damages any individual may experience due to your disclosure of Sensitive Personal Data while using the Services.
- Other Information: The Services inherently track and store certain job-related information during the course of use of the Services. What we collect is what Clients and Authorized Users provide in some manner.
We collect personal information that Clients and Authorized Users voluntarily provide to us when first being introduced to Performance Culture, when communicating to us in any way, and then when accessing the Services.
During use of the Services, Authorized Users, including Clients, may enter or otherwise disclose data that will be received by the Services but not accessed by the Services or Performance Culture (e.g. a review of another user). Performance Culture, within the Services, may store such information solely for the purposes of providing the Services.
- Technical Information Collected
Technical Information such as IP address and/or browser and device characteristics are collected automatically when any Client or Authorized User accesses the Services. This information does not reveal the specific identity of the user but may include device and usage information including operating system, language preferences, referring URLs, device name, country, location, information about how and when the Services are accessed and other technical information. Performance Culture collects the information needed, for the most part, to protect the data, maintain security and for internal management and analytical purposes. Cookies and similar technologies are also collected and used for internal purposes.
Additional technical information may include metadata, logs of user use of the Services and other information collected when Client or Authorized Users access the Services. Data may also be collected from tools and processes used to integrate with Third Party service used by the Client or Authorized Users; the Client may determine which data Performance Culture will use and store.
- Information collected from other sources
Performance Culture may collect limited information from public databases, marketing partners, and other outside sources. These include, among others, the Clients’ HR or payroll system, joint marketing partners and other third parties. The information may include social media profile information; marketing search and link information including sponsored links.
Upon receipt of a written request, Performance Culture will inform you about the source of information and the type of information we have collected about you within a reasonable period after obtaining the personal data, but at the latest within one month.
- How the Information is Used by Performance Culture
Client Data and Personal Data are used by Performance Culture for legitimate business needs (including Client instruction) and/or compliance with our legal obligations, or by Client or Authorized User consent.
Technical and Other Information is used to oversee and manage the Software and in operating our business. Specifically, the uses include:
- To Provide the Services, including the Websites. Specifically, the information is used to optimize delivery of Services according to the agreement with the Client and to manage and optimize the experience of the Authorized Users as they interact with the Services (storing User settings, etc.). Further, the information is used to support the required infrastructure, to analyze usage and address any services or security issues that may arise.
- To Optimize the Services and Websites. Technical and Other Information is used in Performance Culture product development activities across each section or component of the applications.
- To Enable Support. Performance Culture uses Technical and Other Information to enable support functions for both Clients and Authorized Users.
- To Enable Communication. The Technical and Other Information is needed to enable optimized communication on a range of topics and issues with both Clients and Authorized Users. These communications include maintenance announcements, security alerts or information, news on features and other development and marketing information on new offerings; account management functions are supported as well.
- To Optimize Security. The information, particularly the Technical Information, is used to optimize security including various analyses and investigations.
- To Meet Legal Obligations. The information is used as needed to meet legal obligations whether contractual or as required by applicable law.
- To send marketing and promotional communications. We may use the Personal Data for our marketing purposes, to the extent permitted at the Authorized User level. Authorized Users may opt-out of marketing emails at any time (see the “Statement of Your Privacy Rights” below).
- Consent or Instruction: We may share Client and/or Personal Data if permission has been granted by Client and/or the Authorized User or if so instructed by the Client either in the agreement with the Client or through other written communication or as required by applicable law.
- Access. Client’s Administrators along with other representatives of Client may have access to Personal Data. Further, they may have the ability within the Services to modify or restrict access to Personal Data.
- Providing the Services. Performance Culture employees and contractors will have access to Personal Data on a confidential basis; the access is limited to what each person is required to access in order to perform their specific job in providing the Services.
- Internal Client Communication/Access. Within a work group inside a Client, certain Personal Data may be made available to other members of the work group e.g. Authorized User name and title. There is some ability to make certain data private, in accordance with Client instructions. Users are responsible for the data they post or upload in the Services and results of that data being input; Performance Culture is not responsible for data, including Personal Data disclosed within the Services.
- Third Party Providers and Services
- Clients may support, in the client agreement, Performance Culture’s use or integration with some Third-Party services in connection with our Services. In these cases, it may be necessary to share and disclose some Client Data, Personal Data and Other Information to the Third Party. These Third Parties are known to the Client and may have their own privacy policies that you should investigate or review.
- Business Changes. If Performance Culture becomes involved in a merger, acquisition, reorganization, bankruptcy, dissolution, sale of some or all of its assets, IPO, financing or other similar transaction or process OR if it is contemplating same, then Performance Culture may disclose data. In each case, Performance Culture would disclose data only as supported and restricted by standard confidentiality agreements and/or obligations.
- Aggregated or Anonymized Data. If any Client Data, Personal Data or Other Information is aggregated or anonymized so that it does not and cannot reasonably identify any individual(s), Performance Culture may use and disclose the data for any legitimate purpose.
- Agreements and Legal Obligations. If a need arises to enforce agreements with clients or other contracts or obligations, we may share or disclose information as needed in that effort. Further, if Performance Culture is obligated by law, national security or legal process (e.g. compliance with a subpoena), we will disclose the minimum data we believe necessary to the situation.
- Rights. In the event Performance Culture needs to protect or defend its rights and/or property (including intellectual property), we will use and disclose data as necessary to do so under applicable law.
- Security. Performance Culture may disclose information if it reasonably deems it necessary to protect the security or safety of Clients or our own employees, contractors, agents or other representatives.
- s. Examples include: payment processing, data analysis, email delivery, hosting services, customer service and marketing efforts. We may allow selected third parties to use tracking technology on the Services, which will enable them to collect data about how users interact with the Services over time. This information may be used to, among other things, analyze and track trends, determine the popularity of certain content and better understand online activity. Unless described in this Policy, we do not share, sell, rent or trade any Personal Data or Client Data with third parties for their promotional purposes. We have contracts in place with our data processors. This means that they cannot do anything with personal information unless we have instructed them to do it. They are required to not share personal information with any organization apart from us. They are obligated to hold it securely and retain it for the period we instruct.
- How Long is Information Retained by Performance Culture
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
- Statement of Privacy Rights Regarding Access and Changes to Data
- If an Authorized User believes there is an inaccuracy in the data held or displayed by Performance Culture, or believes there is inaccurate information within the Services, he/she should first submit the request to the Administrator. If authorized, Performance Culture will make the correction.
- If an Authorized User wishes to review information Performance Culture holds or processes for marketing or in relation to a Third Party, please contact us at [email protected].
- Authorized Users may modify certain settings in their browser related to cookies and other technologies; doing so may impact certain features of the Services. To opt-out of interest-based advertising by advertisers on our Services, users should visit http://www.aboutads.info/choices/. Further, users can unsubscribe from the marketing email list by clicking the unsubscribe button in specific emails; users would still receive service-related emails needed for administration of the account.
- International Data Disclosure or Sharing. (Some international privacy laws refer to “controllers” and “processors” of data; the Client is generally the controller and Performance Culture is the processor).
- Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States.
- If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
- EU-U.S. Privacy Shield Framework:
Performance Culture has further committed to refer unresolved Privacy Shield-related complaints to JAMS, an independent dispute resolution provider located in the United States. If a Client or Authorized User does not receive a timely acknowledgment of a Privacy Shield-related complaint from Performance Culture, or if we have not satisfactorily resolved the complaint or addressed the concern, then the complainant is to contact JAMS to file a complaint, at no cost to you. To contact JAMS and/or learn more about JAMS dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. Under certain limited situations, as a last resort, a complainant may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
Human resources data including Personal Data in the context of the employment relationship is subject to internal human resource policies. In addition, Performance Culture commits to cooperate with the panel established by the European Union data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the European Union member states to the United States in the context of an employment relationship as detailed in the Privacy Shield principles.
The transfer of Personal Data from the European Union member countries to the United States will be subject to Privacy Shield and then, if Privacy Shield is deemed to be inadequate by European Union data protection laws, will be subject to the Standard Contractual Clauses for the transfer of Personal Data to Processors (“Standard Contractual Clauses”). The Standard Contractual Clauses will also apply to the transfer of Personal Data from the European Union member countries to any country deemed by applicable data protection laws not to ensure an adequate level of data protection.
- Right to Access. Authorized Users have the right to request that we provide copies of your Personal Data; we may provide a small fee for doing this.
- Right to Erasure. Individuals have the right to request that Performance Culture erase your Personal Data under certain conditions. One example might be if our Contract with an employer ends for any reason, then we would not have a legal reason to retain the Personal Data of the Authorized Users of that Client. It is important to note, however, that we may need to retain certain information for record keeping purposes, to complete transactions, or to comply with our legal obligations.
- Right to Restrict Processing. Authorized Users have the right to request that Performance Culture restrict the processing of Personal Data under certain circumstances; one example might be an Authorized User may believe certain information is not accurate. Under a circumstance like this, we may be permitted to retain the data, but not to further process it.
- Right to Object to Processing. Authorized Users have the right to object to Performance Culture’s processing of Personal Data under certain conditions.
- Right to Data Portability. Authorized Users have the right to request that Performance Culture transfer the data we have collected to another organization or directly to you under certain circumstances.
- Right to Rectification. Authorized Users have the right to request that we correct any information you believe is inaccurate and to request that we complete any information believed to be incomplete.
- Right to Lodge a Complaint. You may also have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
In the event any Client or Authorized User has a request or question related to the rights under the Privacy Shield or GDPR, please contact us at [email protected]. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
- Security of the Data
We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect personal information, transmission of personal information to and from our Services is dependent on outside security as well. Clients and Authorized Users should only access the services within a secure environment. Authorized Users are responsible for safeguarding their login information.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, Clients and Authorized Users represent that they are at least 18 or that the Client or Authorized User is the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users younger than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records or seek the necessary verifiable parental consent in compliance with the Children’s Online Privacy Protection Act (“COPPA”). If a Client or Authorized User becomes aware of any data we have collected from children under age 18, please contact us at [email protected].
- Data Breach
A data breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of certain Personal Data. You will be notified about data breaches when Performance Culture, Inc. believes you are likely to be at risk of serious harm or when the law requires. For example, a data breach may be likely to result in serious financial harm or harm to your mental or physical well-being. In the event that Performance Culture, Inc. becomes aware of a security breach which has resulted or may result in material unauthorized access, use or disclosure of certain personal information, Performance Culture, Inc. will promptly investigate the matter and notify the applicable Supervisory Authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons and is not required by law.
- California Residents
- California enacted the California Consumer Privacy Act (“CCPA”); if a Client or Authorized User resides in California:
- Right to access. You may have the right to request disclosure of the categories and specific pieces of Personal Information collected about you. Once we verify a request from you, we will promptly take steps to disclose and deliver, at no cost to you, the personal information that you requested and we are required to disclose. The information may be delivered to you by mail or electronically. If it is provided electronically, the information will be, to the extent technically possible, in a readily useable format that allows you to transmit this information to another entity without technical impediments created by us. We are not required to provide information to you more frequently than once in a twelve-month period, though we may choose to do so.
- Right to Deletion. You may have the right to request the deletion of your personal information. Once we verify a request from you, we will promptly delete the personal information as you request from our records and we will direct any service providers to delete the personal information from their records, subject to certain exceptions under the CCPA.
- Right to Opt-Out of the Sale of Information. You may have the right to opt-out of the sale of your personal information to third parties. However, Performance Culture does not sell your personal information to third parties and will never sell your personal information to third parties without your express written consent.
- Performance Culture will not discriminate against you for exercising your rights under the CCPA. Specifically, if you exercise your rights, as examples, we will not deny you services, charge you different prices for services, or provide you a different level or quality of services.
- Performance Culture acts as a “service provider” under the CCPA when we are performing services for our Clients. Therefore, our collecting any consumer personal information is done on behalf of our Clients in order for us to provide the Services we are contracted and obligated to provide. Therefore, per the CCPA, please direct any requests to exercise your rights under the CCPA to the Client with whom you have a direct relationship; generally, this is your employer.
- For any other requests or questions related to your rights under the CCPA, please contact us at [email protected]. To protect your privacy and security, we verify your identity before addressing your question or request.
- 3.2 California “Shine the Light” Notice
- Authorized Users who are residents of California may have additional rights under Civil Code Section 1798.83, also known as the “Shine the Light” law. Authorized Users may request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
- If you are under 18 years of age, reside in California, and have a registered account with the Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from our systems.
- Updates to This Policy
In Short: Yes, we will update this policy as necessary to stay compliant with relevant laws.
- Contact Us About This Policy
If you have questions or comments about this policy, you may contact our Data Protection Officer (DPO), Ryan Kennedy, by email at [email protected], or by post to:
Performance Culture, Inc.
1900 Eastwood Road
Wilmington, NC 28403
- How Can You Review, Update, Or Delete the Data We Collect from You?
Based on the laws of some countries, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please visit: performanceculture.com/privacy. We will respond to your request within 30 days.
Revision History: v2.0. May 8, 2020