Performance Culture, Inc.

Privacy Policy

Your privacy is important to us, and we are strongly committed to protecting your privacy. This Privacy Policy describes how we, Performance Culture, Inc. (“Performance Culture”, “we”, “our” or “us”), collect, store, use and disclose data regarding individuals (“you”) who: (i) visit or otherwise interact with our website (“Visitors”) at https://performanceculture.com (the “Website”); and (ii) use our human resources performance management platform via the Website (the “Service”) as employees, contractors or other authorized representatives (collectively, “Authorized Users”) of Performance Culture’s business customers subscribing to the Service (“Clients”).

We may update this Privacy Policy from time to time and if so will post the updated version on the Website. The updated version will be indicated by an updated “Revised” date below, and will be effective as soon as it is accessible. We encourage you to review this Privacy Policy frequently to be informed of updates and changes to it.  This Privacy Policy is part of each of our Service contracts with Clients.

This Privacy Policy addresses the following:

  1. Data Collected
  2. How We Use Personal Data
  3. Data Sharing with Third Parties; Third Party Providers
  4. Data Protection Laws
  5. Third Party Providers
  6. Retention of Data
  7. Security
  8. Third-Party Websites, Products and Services
  9. Certain Rights as to Personal Data
  10. Contact Us for Privacy Policy Questions or Concerns

  1. Data Collected

We collect various types of data regarding Visitors; and regarding Clients and Authorized Users through their interaction with the Service, including data that they upload or input to the Service, or that we collect at Clients’ direction. We also collect data through automatic means. The data includes “Personal Data”, defined as information relating to an identified or identifiable natural person. Specifically, the following Personal Data and other data about Authorized Users may be collected through their use of the Service:

  • Names, titles, positions, roles, department/business unit, manager name(s)
  • Identification numbers or other identifiers issued by Clients
  • Photographic images
  • Business physical and email addresses, phone numbers
  • Compensation and performance data
  • Account login and registration information

Exclusion of Sensitive Data   Use of the Service does not require any Authorized User (or Visitor) to submit to the Service (or the Website) any “Sensitive Data,” nor do we structure our systems and processes to comply with the specific regulatory and other requirements applicable to Sensitive Data. You and all Clients agree not to submit to us any Sensitive Data, as described in this paragraph. Contact us at [email protected] if you have any uncertainty as to whether any data may be Sensitive Data, prior to submitting it to us. All Authorized Users, Clients, and Visitors assume any and all risks associated with their Sensitive Data. “Sensitive Data” includes without limitation, “protected health information” within the meaning of the Health Insurance Portability and Accountability Act; financial (except compensation) or financial account information of any kind; identity numbers issued by any government agency such as driver’s license or passport; information gleaned from background checks; passwords that would or could be used to access any personal accounts; biometric information; sexual orientation; genetic data; racial or ethnic information; cultural, political, or religious beliefs; information about trade union membership; and credit card/payment information for Service payment. All credit card/payment information is submitted through a Third Party Provider’s platform as described further below.

Data from Third Party Sources   Performance Culture may collect (including at Clients’ direction) Personal Data from public databases, joint and other marketers, and other third-party sources which maintain their own privacy policies governing the sharing of Personal Data with others. These sources may include, for example, Clients’ human resources or payroll systems, social media profile information, and marketing searches.  You may request that we inform you of the source and type of information we have obtained about you from such source(s), by submitting a request to us at [email protected] and we will respond to it within a reasonable period, typically no later than one month.

Data automatically collected or generated   We may collect, record or generate certain technical data about you in connection with your visits to the Website, or interactions with or use of the Service, some of which may constitute Personal Data. We do so independently, or with the assistance of Third Party Providers (defined below).

  • Usage data: We collect usage data about you whenever you interact with the Service, which may include IP address, web pages you visit, what you click on, when you performed those actions, and other activities. This information does not reveal the specific identity of the user but may include device/device name and operating system, browser information, language preferences, referring URLs, country/location, information about how and when the Service is accessed and other technical information.
  • The Website uses “cookies” to enhance a user’s experience when viewing the Website and to compile statistical information regarding the use of the Website. A cookie is a file that is transmitted by a website to a user’s browser. The browser then saves that file in a designated file for cookies on the user’s computer. We use cookies to personalize your experience on the Website and to enable us to compile statistics about how the Website is used, including to help us identify Website features in which you may have the greatest interest. You may have the ability to change your browser settings to refuse to accept cookies. However, without cookies, some Website features may not be available to you or function as intended.
  • When Visitors navigate to our Website from an external source (such as a link on another website or via an email), we record the referring URLs.
  • In addition, phone calls (e.g. with our support services consultants) may be automatically recorded, tracked and analyzed, for purposes including analytics, service, operations, quality control and improvements, and record-keeping.
  • Additional technical information collected may include metadata, Service usage logs and other information collected when Authorized Users access the Service. Data may also be collected from tools and processes used to integrate with Third Party Provider services used by Authorized Users. Clients may determine which data Performance Culture will use and store.

Data automatically collected or generated is typically used for data protection and security reasons, for internal management and analytical purposes and other internal business purposes.

  2. How We Use Personal Data

We use and process Personal Data and other data that we collect to comply with Client instructions relating to its use of the Service, for our internal business needs, and compliance with our legal obligations (contractual or under applicable law).  Specifically, the uses of Personal Data include:

  • To optimize delivery and function of the Service, and to optimize the navigation experience of Visitors, and to optimize and manage Authorized Users’ experience and support account management functions as they interact with the Service (storing Authorized User settings, etc.); and to support the required Service infrastructure, analyze usage, and address any functional or security issues that may arise.
  • To enable support for Clients and Authorized Users; to communicate effectively with them on various topics and issues, such as maintenance announcements, security alerts or Service information, news on features and other developments, and marketing information on new offerings.
  • To optimize security and for data protection purposes, which may include using data in analyses and investigations.
  • To meet legal obligations whether contractual or as required by applicable law, and to protect our legal interests.
  • For our marketing purposes, to the extent consented to by Authorized Users. Authorized Users may opt-out of our marketing emails at any time by request to [email protected]. To opt-out of interest-based advertising by third-party advertisers in the Service, Authorized Users should visit http://www.aboutads.info/choices/. Further, you should be able to unsubscribe from such advertisers’ marketing emails list by clicking the corresponding “unsubscribe” option in their email messages.

  3. Data Sharing with Third Parties; Third Party Providers

We share Personal Data with certain third parties that we retain to perform certain services and functions required for our provision of the Service (“Third Party Providers”). For example, a Third Party Provider hosts the Website, Third Party Providers provide email and Service support; and if you pay for the Service by credit card, a Third Party Provider will process the credit card payments. The Third Party Service Providers have agreed to use the Personal Data to perform their work and services consistent with this Privacy Policy. These Third Party Providers are referred to as “subprocessors” under certain Data Protection Laws (defined below). A list of these Third Party Providers/subprocessors, and information regarding the nature of their services or functions, is available to Clients upon request to [email protected]. You should investigate these entities and review their respective privacy policies.

We also share Personal Data as follows:

  • We may disclose Personal Data to the appropriate legal, judicial, or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity, or to protect our safety, rights, or property and those of our Clients, Third Party Providers, other business partners, Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Service, or unauthorized access to any system, spamming, denial of service attacks, or similar unpermitted or illegal activities; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may incur.
  • Performance Culture may be compelled to disclose the Personal Data pursuant to court order, or pursuant to law enforcement or other public or government authority request when we believe that such request was made in compliance with applicable law.
  • We may share Personal Data as instructed by Clients or as consented to in our Service contracts with them. Our contractors may access Personal Data in supporting our provision of the Service, but only as required to perform their specific duties for us subject to appropriate confidentiality restrictions.
  • We may use Authorized Users’ Personal Data for our marketing purposes, to the extent consented to by Authorized Users.
  • We may use, disclose, and share with third parties Personal Data and data about Clients, that has been aggregated or anonymized so that it does not identify any particular individual(s), for our internal business, research, analytical, statistical, and other legitimate purposes.
  • If Performance Culture is involved in or is considering a merger, acquisition, reorganization, bankruptcy, dissolution, sale of some or all of its assets, IPO, financing or other similar transaction, then we may need to disclose Personal Data solely for the purposes of reviewing and as applicable accomplishing that transaction; subject to customary confidentiality protections.

Performance Culture does not share, sell, rent, or exchange any Personal Data with third parties for their promotional purposes.

  4. Data Protection Laws

“Data Protection Laws” means all laws and regulations, including without limitation those of the European Union (EU) and European Economic Area (EEA) (e.g. the European General Data Protection Regulation (“GDPR”)), Switzerland, the United Kingdom and the United States of America (U.S.A.) and its states, that regulate the processing of Personal Data; as amended from time to time. Each Client must ensure that its use of the Service and Client’s own collection and processing of Personal Data comply with all Data Protection Laws.

Data Processing Annex   Performance Culture’s servers and facilities are located in the U.S.A., and the servers and facilities of the Third Party Providers (subprocessors) may be located in the U.S.A. and/or other countries in the world. Authorized Users located in the EU, EEA, Switzerland, and the United Kingdom have certain rights with respect to their Personal Data under the Data Protection Laws of those jurisdictions, including when their Personal Data is deemed to be transferred to countries not ensuring an adequate level of data protection. For purposes of the requirements of the GDPR and the Data Protection Laws of Switzerland and the United Kingdom, solely to the extent such requirements are directly applicable to the processing of Personal Data by Performance Culture through the Service, Client is the “controller” and Performance Culture is the “processor” of such Personal Data, and the terms of the Data Processing Annex in the form offered by us to Clients will apply. To the extent that any of the terms of this Privacy Policy conflict with any of the provisions of the Data Protection Laws, such provisions of the Data Protection Laws will govern.

California, U.S.A. residents  This paragraph only applies with respect to Personal Data that is personal information of California residents, that is subject to the California Consumer Privacy Act (“CCPA”). Client acknowledges and agrees that if it is a business subject to the CCPA, Performance Culture then will be a service provider to Clients for CCPA purposes. In processing personal information that Clients have transferred to Performance Culture (or that Performance Culture has collected on their behalf) for processing in connection with the Service, Performance Culture will comply with all requirements of the CCPA that are applicable to service providers. Without limiting the foregoing, during the term of the Agreement and thereafter, we will: (i) not retain, use or disclose the personal information for any purpose (including any commercial purpose) other than for the specific purpose of performing the Service; (ii) not retain, use or disclose the personal information outside of the direct business relationship between Performance Culture and the Client; (iii) not sell the personal information to any third parties; (iv) promptly (and in any case within ten (10) days after receipt) comply with the Client’s written instructions associated with responding to any consumer’s request to exercise the consumer’s rights under the CCPA; and (v) implement, maintain and adhere to a written data security program that features reasonable security policies, procedures and practices appropriate to the nature of the information and consistent with industry best practices, in order to protect the personal information from unauthorized access, use, modification, exfiltration, theft or disclosure.  Performance Culture certifies that it understands and will comply with the restrictions, duties and obligations set forth in this paragraph and will provide a written certification to this effect from time-to-time upon the Client’s request, for CCPA compliance purposes. 
Each Client acknowledges that its use of the Service will not violate the rights of any Authorized User that has opted-out from sales or other disclosures of personal information, to the extent applicable under the CCPA.

In addition, the California Civil Code permits California residents with whom we have an established business relationship to request that we provide a list of certain categories of personal information that we have disclosed to third parties for their direct marketing purposes during the preceding calendar year. To make such a request, please send an e-mail to [email protected] or otherwise contact us using the information under “Contacts” below. Please indicate that you are making a “California Shine the Light” inquiry. Please note, however, that we do not currently disclose personal information to third parties for their direct marketing purposes.

Nevada, U.S.A. Residents   Nevada residents who wish to exercise their sale opt-out rights under Nevada Revised Statutes Chapter 603A may submit a request by contacting us at [email protected]. Please note, however, that we do not currently sell any personal information to third parties within the meaning of such statute.

Children’s privacy   We are committed to complying with the U.S.A. federal Children’s Online Privacy Protection Act (COPPA). The Website and the Service are not directed or intended for use by children under the age of 13 and Performance Culture does not knowingly collect “personal information” as defined in COPPA, from children under the age of 13.  Clients must not permit access to the Service by children under the age of 13 (i.e. they cannot be Authorized Users); and further, if Client allows access to the Services by Authorized Users under the age of 18, Client represents that it has obtained all necessary permissions and consents from such Authorized Users’ parents or guardians. If a Client or Authorized User believes that data has been or could be submitted through the Service regarding individuals younger than age 13, please contact us at [email protected].

  5. Third Party Providers

When Performance Culture engages Third Party Providers in connection with the Service, they will be subject to the relevant standards for data protection and security in accordance with the type of data collected and stored.  We contractually restrict the Third Party Providers to the use of Personal Data only as necessary for them to provide their services to enable the Service to be provided.

  6. Retention of Data

We will only retain Personal Data and other data for as long as is necessary to achieve the uses and purposes stated in this Privacy Policy and our Service contracts with Clients, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements) or is reasonably needed to support our business interests (such as for audits or dispute resolution reasons).  We will either delete or anonymize such retained data, or, if this is not possible (for example, due to its storage in backup archives), then we will securely store the retained data and isolate it from any further processing until deletion is possible.

  7. Security

Performance Culture exercises commercially reasonable administrative, technical and physical measures to safeguard Personal Data against loss, theft and misuse, and unauthorized access, and to maintain its integrity. A description of the security measures we use to protect Personal Data and other data provided to us by Clients is available at https://performanceculture.com/security-and-infrastructure/. Where relevant, the Website uses Transport Layer Security (TLS) encryption on all web pages where Personal Data may be collected. Authorized Users should use a TLS-enabled browser whenever possible to support protection of Authorized Users’ data. No transmission of data over the Internet, however, is guaranteed to be completely secure. While we strive to protect Personal Data, we cannot ensure or warrant the security of any data that we receive. We have procedures in place to address any suspected Personal Data breach and will notify you of such a breach to the extent and in the manner that we are required to do so under the Data Protection Laws.

  8. Third-Party Websites, Products and Services

The Website and Service may contain links to third-party websites, products and services. Data collected by third parties whose websites you visit may include Personal Data and other generic usage information. This collection of data (including your Personal Data, as applicable) is governed by the privacy practices of those third parties. We encourage you to learn about those practices. Performance Culture is not responsible for the content, operation, or privacy practices of any third-party websites, products, or services. Unless we otherwise expressly and specifically state, we do not represent or endorse in any manner such third-party websites or their content, or any third-party products or services.

  9. Certain Rights as to Personal Data

You can request that we correct or delete your Personal Data if it is inaccurate (subject to our retention policies stated above in this Privacy Policy). We may decline to process your request if such request is unreasonably repetitive; requires disproportionate technical efforts; jeopardizes the privacy of others; is impractical; or does not legally require response.  As Performance Culture does not have a direct relationship with Authorized Users, they should first contact the management of the Client they work for; or the Client’s administrative contact for the Service, regarding such requests or others that they may have pertaining to this Privacy Policy. Please note that we may charge a reasonable administrative fee to address certain requests, such as pertaining to GDPR rights.

You may also have the right to complain to a data protection authority under the Data Protection Laws about our collection and use of your Personal Data. For more information, please contact your local data protection authority.

  10. Contact Us for Privacy Policy Questions or Concerns

If you have any questions or concerns related to this Privacy Policy, or your Personal Data, please contact our Data Protection Officer (DPO), Ryan Kennedy, by email at [email protected], or by mail to:

Performance Culture, Inc.

Attention:  Ryan Kennedy
1900 Eastwood Road
Suite 11
Wilmington, NC 28403
United States

Revision: Version 3.0, 2021