Privacy Policy v1.0

This document sets out our Privacy and Security Policy (the “Policy”) of Reflektive, Inc. (the “Company”, “Reflektive”, “we” or “us”). The Company may change, modify, or update this Policy, in whole or in part, in the Company’s sole discretion at any time without notice by posting updated versions on the Reflektive website located at www.reflektive.com (the “Website”) and any changes, modifications or updates will become effective immediately upon such posting.

A. Overview.

Reflektive understands that privacy and data security is important to you and your organization (individually and collectively referred to herein as “you” or “your”) and we are committed to respecting your privacy when you visit our Website located at www.reflektive.com, use any of our mobile applications, and/or otherwise access our Services via a direct or indirect connection to the internet (collectively, the “Sites”) or sign up for and use any of our products or service offerings via the Site or otherwise, including, without limitation the Reflektive Software Suite (collectively, the “Services”). For purposes of this Policy, the “Reflektive Software Suite” consists of (1) Reflektive Real-Time Feedback and Recognition, (2) Reflektive Performance Reviews, (3) Reflektive 360 Reviews, (4) Reflektive Goal Management, and (5) any future modules or functionality you are provided access to through use of our Services.

The following information in this Policy is designed to help you better understand what information we gather from you and through your use of any of our Services, how we use and disclose this information, who we might share this information with, and to describe generally what security steps Reflektive takes.

By visiting any of our Sites, downloading any of our applications or otherwise installing any of our software, and/or by using our Services in any manner, you are accepting the practices described in this Policy and expressly consent to our collection, use and disclosure of all information transmitted or otherwise received by us (including all personally identifiable information) in the manner described in this Policy.

This Policy is incorporated into and subject to the terms of any Master Services Agreement or other agreement entered into between Reflektive and your organization (either via click-through acceptance or otherwise) (collectively, the “Use Agreements”). This Policy applies to all Sites operated or controlled by the Company and all Services provided, however it does not apply to any third party site linked to our Site or recommended or referred by our Site or any third party service used in the provision of the Services to you (including, without limitation, third party sites used for sign-in to our Services).

Data Collection and Personally Identifiable Information.

1. Overview and Definition of Personally Identifiable Information.

In providing our Services or otherwise interacting with you through your use of our Sites or our Services, we may collect your personally identifiable information (“PII”). PII includes personal information such as the user’s name, email address, account profiles and passwords, IP address, telephone number, physical addresses, and anything else a user provides to us that can in any manner identify the user individually.

2. Methods of Information Collection of Information, Including Collection of PII.

Your information, including your PII, and any other information you input via use of our Services may be collected through your direct interactions with our Site, email or written correspondence, telephone calls, or web based forms or from third party providers.

We also may place a “cookie” (a small file) on your hard drive during your access to any of our Sites or use of our Services to help us identify the number of unique visitors to our Sites, learn what our users’ technology preferences are, monitor the functionality of our Sites and/or Services, help with authentication/login and otherwise improve our Services. We may also use “local storage”, a feature of your browser, to retain information locally regarding your usage to improve our Services. If you do not wish to have cookies placed on your computer or do not wish for us to use “local storage” you may adjust your web browser settings accordingly. If adjustment is not feasible, you may elect to refrain from using our Services or accessing our Sites. Please be aware that restricting cookies may impede your ability to use our Site or our Services or certain features of our Site or our Services.

Like most Internet services, we use log files on the server side. The data held in log files includes your IP address, browser type, e-mail application, Internet service provider (“ISP”), referring/exit Web pages, computer platform type, date/time stamp, and user activity. The Company uses server log data to analyze trends, administer the Services offered through our Sites and otherwise administer our Sites.

The software enabling the Sites and the Services has associated log and temporary files that are stored on Company controlled servers. These files may store your account information, preference settings, system notifications as well as other data necessary to enable you to participate on the Site and/or use the Services. Your information may also exist within regularly performed server backups.

Additionally, if you log-in to our Services using a 3^rd Party Authenticator (as defined in Section 5 below), we may receive and collect your third party service log-in, email, profile picture, and/or other information transmitted by such 3^rd Party Authenticator to us.

3. Use of PII

We use your PII to create your account to (i) communicate with you about Services you have purchased, (ii) offer you additional products and services, (iii) allow use of the Sites and the applicable Services you have purchased, (iv) process service requests, (v) provide access to secure areas of the Sites, (vi) send invoices for our Services and process payments related thereto, and (vii) ensure compliance with intellectual property laws. We also use PII to the extent necessary to enforce all applicable Use Agreements, monitor adherence to all applicable Use Agreements, and to attempt to prevent and/or detect fraud, as well as to allow third parties to carry out technical, logistical or other functions on our behalf as long as those third parties have agreed to use the level of privacy protections commensurate with industry norms.

For example, your account information is stored on servers controlled by the Company and if you forget your log-in password, you will be asked to enter your e-mail address on record with the Company in order to gain access to the Site or Service (as applicable). Moreover, we collect additional information from you when you provide us with on-line comments or feedback via our Site or via our Services or post information about yourself or others to a Site or via the Services. This information, if any, is available to others accessing the Site or Service (as applicable). We work to process and maintain accurately the information that you share with us and will use commercially reasonable efforts to allow you the ability to change or modify your user information in order to enhance your ability to use our Sites and the Services you have purchased.

Additionally, when you purchase or subscribe to a Service, we collect your contact information (such as your address) and may collect your financial information (such as your credit/debit card information). We use the information you provide only to complete that Service order or to otherwise fulfill the Service. We do not share this information with unaffiliated parties except to the extent necessary to complete that transaction. If we have trouble processing an order, we use the information to contact you. For clarification, we may use third party vendors to process payment transactions (the “Payment Processors”) and you agree to such use and understand that the terms and conditions (and privacy and security policies) of such vendors shall govern and control for all purposes with respect to all applicable payment processing transactions related to your purchases. By using our Services, you understand and agree that we have no liability for the action, behaviors or failings of our Payment Processors.

4. Hosted Data.

Through its Services, the Company provides technology hosting services used to host a variety of internet-based solutions, including internet-based communications and applications (including “mobile apps”) as well as other information your users input via use of the Services. As a result, the Company’s hosting services store and transmit information about our customers, their business, as well as information collected or inputted by those businesses (the “Hosted Info”). Hosted Info may include PII and other information that belongs to you and/or your employees or other service providers.

With respect to all Hosted Info, the Company is a passive recipient and takes no active part in collecting or storing any Hosted Info. Moreover, except in extraordinary cases or to the extent necessary to render the Services to you, the Company does not purposefully access any Hosted Info. For example, if you input a review of an employee, our Service passively relieves such information and normally only accesses or reviews such information to the extent necessary to provide the Services to you (and provide any related support of the Services) and you agree that such access is permissible for all purposes.

5. Security Measures

Substantially all information Reflektive receives from you or via your use of any Services are copied, stored and managed through computer servers owned or controlled by Reflektive. While Reflektive attempts to employ security techniques commensurate with industry norms to protect your PII and other Hosted Info from unauthorized access by users inside and outside the organization, you should be aware that “perfect security” does not exist on the Internet; third parties may unlawfully or improperly intercept or access transmissions, personal information, or private communications. As such, we cannot make any assurances that a security breach will not occur that may expose your personally identifiable information to others.

For example, the Reflektive servers are not located at Reflektive but rather are managed and located at a third-party Infrastructure-as-a-Service provider (an “IAAS”). We have taken commercially reasonable steps to choose a professional IAAS provider but we cannot guarantee the performance of the IAAS provider, its security measures, or the actions or inactions it takes in the future. By using our Services, you understand and agree that we have no liability for the action, behaviors or failings of our IAAS provider.

Reflektive endeavours to only collect as much PII as required to provide customers with our Service and meet our legal obligations. In addition, we will use commercially reasonable efforts to store and encrypt PII in a secure location, encrypt passwords, and utilize a minimum of 128-bit Secure Socket Layer (SSL) certificates to protect transactions to and from our Site(s) if sensitive information is transmitted.

Your user account related to the Services is also protected by a password for your privacy and security. Initially, you are assigned a random password but are given the option to change it if you choose. You need to ensure that there is no unauthorized access to your account, your PII and/or your Hosted Info by selecting (if you so choose) and protecting your password appropriately and limiting access to your computer (or other device) and browser by signing off after you have finished accessing your account. Additionally, we use third party sign in providers to authenticate users of our Services, such as Google Signin and OneLogin (the “3^rd Party Authenticators”). You understand that your information (including PII) may be made available to and stored by such 3^rd Party Authenticators and by using our Services, you understand and agree that we have no liability for the action, behaviors or failings of our 3^rd Party Authenticators.

Additionally, while Reflektive endeavors to protect user information to ensure that user account information is kept private, we cannot guarantee the security of user account information. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

6. Sharing of Information.

We make other tools available to sync information with our Services, and may also develop additional features that allow you to sync information stored via our Services to other third-party services used by you or your organization (each an “Additional Platform”). For example, our Service may allow your organization or you to sync your Services account (and all information related thereto) to your organization’s human capital management platform (e.g., Workday’s Human Capital Management platform, Oracle’s PeopleSoft Human Capital Management platform, etc.). By using the Service, you consent to such syncing and agree that all such information that is distributed to an Additional Platform is permissible and that by using our Services, you understand and agree that we have no liability for the action, behaviors or failings of any operator of any applicable Additional Platform.

As a matter of policy, we will not sell or rent information about you and we will not disclose your PII or Hosted Info in a manner inconsistent with this Policy except as required by law or government regulation. We cooperate with law enforcement inquiries, as well as other third parties, to enforce laws such as those regarding intellectual property rights, fraud and other personal rights. WE CAN (AND YOU AUTHORIZE US TO) DISCLOSE ANY INFORMATION ABOUT YOU, INCLUDING YOUR PII OR OTHER HOSTED INFO, TO LAW ENFORCEMENT, OTHER GOVERNMENT OFFICIALS, OR ANY OTHER THIRD PARTY THAT WE, IN OUR SOLE DISCRETION, BELIEVE NECESSARY OR APPROPRIATE IN CONNECTION WITH AN INVESTIGATION OF FRAUD, INTELLECTUAL PROPERTY INFRINGEMENT, OR OTHER ACTIVITY THAT IS ILLEGAL OR MAY EXPOSE US, OR YOU, TO CRIMINAL OR CIVIL LIABILITY.

C. Access; Avoidance of Sensitive Information; COPPA Compliance.

Upon request, the Company will grant you reasonable access to your PII held by the Company. In addition, the Company will take reasonable steps to permit you to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. We will not intentionally collect or maintain, and request that you please do not provide, any information regarding any medical or health conditions, your race or ethnic origins, political opinions, your religious or philosophical beliefs, or other such information. Use of our Site and our Services are not designed for or directed to children under the age of 13, and we will not intentionally collect or maintain information about anyone under the age of 13.

Under EU Data Protection Directive 95/46/EC, the Company is at times a “data controller” and at other times merely a “data processor”. When the Company is a “data controller,” meaning it is collecting, using and retaining PII from European Union member countries and Switzerland, the Company complies with the U.S.-E.U. and U.S.-Swiss Safe Harbor Privacy Principles (“Safe Harbor Principles”) of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view our certification, please visit the U.S. Department of Commerce website.

By contrast, the Company’s obligations with respect to personal data (including PII) for which the Company is solely a data processor, the Company receives such personal data from the EU merely as an agent to its customer for processing and is not required to apply Safe Harbor Principles to that information. For example, when the Company’s customers store or transfer, using the Company’s technology hosting services, any personal data, the Company’s obligations are defined solely in its written agreements with its customers and the Company’s obligations related to such personal data is not included in this Privacy Policy. Moreover, the customer will remain responsible for the personal data that it collects and processes (with or without use of the Company’s technology hosting services) and for the compliance with applicable data protection laws.

E. Opt Out Policy and Your California Privacy Rights.

Users can prevent future disclosures for direct marketing purposes of his or her PII, at no charge, by exercising his or her “opt out” rights by using the “opt out” procedures described below:

1. Send an email to: privacy@reflektive.com, or
2. Send mail to the following postal address:

Reflektive
Attn: Privacy Policy Agent
123 Townsend Street, 3rd Floor
San Francisco, CA, 94107
Telephone: 310-528-6426
Fax: 415-520-5209

Additionally, upon receipt of any electronic communication from the Company, to unsubscribe from future communications, you can click on the link that says words substantially to the effect of “If you do not wish to receive these emails in the future, You can click here to unsubscribe.”

Because the Company provides its California users with the ability to exercise his or her “opt out” rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, the Company is in compliance with the California “Shine the Light” law and is not obligated to provide California users with the names and addresses of all the third parties that received personal information from the Company for the third parties’ direct marketing purposes during the preceding calendar year.

F. Enforcement.

The Company will actively monitor its relevant privacy and security practices to verify adherence to this Policy. Any individual service provider that the Company determines is in violation of this Policy will be subject to disciplinary action up to and including termination of service.