Effective: SEPTEMBER 10, 2020
2. Notice to End Users
3. Data We Collect and Receive
3.1 Client Data
Clients and Authorized Users routinely submit Client Data to Reflektive when using the Services. Client Data is governed by the Client Agreement. Client Data may include Account Information, Hosted Data, Sync Data, or any Client Data otherwise defined in the Client Agreement. If you have any questions about your Personal Data with respect to Client Data, please contact the Client with whom you have a direct relationship and whose Workspace you use.
- Account Information. To create or update an Authorized User account for the Services, you or your Client (e.g. your employer) provide us with data about you and your employment, such as:
- Employee ID
- Email Address
- IP Address
- Performance Management Data (unstructured)
- Preferred Name
- Date of Birth
- Photo URL
- Employment Status (e.g., Active/Inactive)
- Employment Type (e.g., Full-Time, Part-Time, Contract)
- Job Title
- Job Location
- Hire Date
- Termination Date
- Division Name
- Department Name
- any other applicable Personal Data that may identify you individually
- Hosted Data. When a Client uses, or Authorized User interacts with, the Services, we may collect, process, and store any data that is created, posted, uploaded, stored, displayed, transmitted, or submitted on or through the Services (collectively, “Hosted Data”), as a function of rendering the Services. Hosted Data may contain Personal Data to the extent a Client or Authorized User discloses Personal Data on or through the Services. Reflektive is a passive recipient and takes no active part in collecting or storing Hosted Data. Except to the extent necessary to render the Services or related support for the Services, Reflektive does not purposefully access any Hosted Data. For example, if you submit a review of another Authorized User, the Services passively processes and stores such performance review for the purpose of rendering the Services, and we will only access such information to the extent necessary to provide the Services and related support for the Services.
- Sync Data. Reflektive makes tools available to integrate data from Third Party Services used by Client into the Services (“Sync Data”). For example, Client may integrate its Workspace with Client’s human capital management platform. When the Services are integrated with a Third Party Service for Sync Data, we will receive all data selected by the Client to sync with the Services. Sync Data is imported into the Services as either Account Information, Hosted Data, or such other Client Data.
3.2 Other Information
Reflektive may collect Other Information from Clients and Authorized Users related to their usage of the Services and interactions with Reflektive. Other Information may include Metadata, Log Data, Technical Data, Cookie Data, Third Party Services, and Additional Information Provided to Reflektive. If you have any questions about your Personal Data with respect to Other Information, please contact Reflektive at email@example.com.
- Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the Services and the way Authorized Users use the Services (“Metadata”). Reflektive collects aggregated Metadata of the Services, so that the resulting data and statistics are not personally identifiable to any individual Authorized User.
- Log Data. Like most websites and web-based technology services, our servers automatically collect data when you access or use our Websites or the Services and record it in log files (“Log Data”). The Log Data may include your Internet Protocol (IP) address, Internet service provider (ISP), browser type and settings, information about browser plugins, language preference, default email application, referring/exit websites, operating system, date and time stamp, cookie data, and certain user activities.
- Technical Data. Reflektive collects technical data, such as information about devices accessing the Services, including the type of device, device settings, operating system, application software, peripherals, and unique device identifiers (“Technical Data”). Reflektive does not collect Personal Data with any Technical Data or relate any Technical Data to any individual Authorized User.
- Third Party Services. Clients may choose to permit or restrict integrations with Third Party Services for their Workspace. Once enabled, the enabled Third Party Services may share certain data with Reflektive to effectuate the integration. You should check the privacy settings and notices of these Third Party Services to understand what data may be disclosed to Reflektive. When the Services are integrated with Third Party Services to enhance the Services (e.g., Slack, Jira, Gmail, etc.), we may receive data regarding your credentials for and use of the applicable Third Party Services, such as your user name, your unique identifier, and your information transmitted from or made available with permissions by such Third Party Services (e.g., account profile, gender, age range, language, geographic region, etc.). When the Services are integrated with Third Party Services for the login and authentication process (e.g., Google Sign-In, OneLogin, ADFS, and many other SAML 2.0 compatible services) and an Authorized User logs in to the Services using a Third Party Services authenticator, we may receive data regarding your credentials for the applicable Third Party Services, such as your log-in, your user name, your email, your unique identifier, profile picture, and your information transmitted from or made available with permissions by such Third Party Services (e.g. account profile, gender, age range, language, geographic region, etc.).
- Additional Information Provided to Reflektive. Reflektive receives data when submitted to our Websites or through our Services, or if you contact us (e.g., by email, telephone calls, written correspondence, web based forms, or otherwise), request support, apply for or take a job with us, contract with us, interact with our social media accounts, or otherwise communicate with Reflektive.
3.3 No Sensitive Personal Data
Reflektive does not intentionally collect, process, or store, and we request that you do not post, upload, store, display, transmit, or submit Sensitive Personal Data on or through the Services or in Client Data. “Sensitive Personal Data” includes, but is not limited to, government-issued identification numbers; financial account numbers; credit or debit card numbers; consumer reports; background checks; any code or password that could be used to gain access to personal accounts; genetic data or biometric data; any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; or data concerning health or sex life or sexual orientation. Reflektive is not responsible and will not be liable for any loss or damages you or another individual may experience due to your disclosure of Sensitive Personal Data while using the Services.
3.4 No Children’s Data
Reflektive’s business activities are directed to other businesses and the Services are intended for use only by those who are 18 years of age and over. The Services are not directed to or intended for children, and Reflektive does not intentionally collect, process, or store any Personal Data from any person under 13 years of age. In the event we discover we have inadvertently collected, processed, or stored any Personal Data from a person under 13 years of age, we will promptly take the appropriate steps to delete such data or seek the necessary verifiable parental consent for that collection in compliance with the Children’s Online Privacy Protection Act (“COPPA”).
4. How and Why We Use Data
Client Data will be used by Reflektive in accordance with Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Services functionality, and as required by applicable law. Client may, for example, use the Services to grant and remove access to a Workspace, create Authorized Users accounts, assign roles and configure settings, access, modify, share, restrict, export, and remove Client Data and otherwise apply its own policies to the Services.
Other Information will be used by Reflektive to operate our business and provide the Websites and render the Services with a lawful basis for processing, such as with your express consent for a specific purpose, to perform our contractual obligations, to comply with legal obligations, or otherwise in furtherance of our legitimate interests. Specifically, Reflektive may use Other Information for these purposes and legal bases:
- Providing the Websites and Services. To provide the Websites and render the Services under a Client Agreement, manage Authorized Users requests interacting with the Services (e.g. login and authentication, remembering settings, etc.), hosting and back-end infrastructure, analyze and monitor usage, monitor and address service performance, security, and technical issues.
- Improving the Websites and Services. To improve and optimize the Websites and Services, such as to test and validate features, drive product roadmap and design decisions, and improve quality of data, analytics, and text processing.
- Support Services. To respond to support requests via live chat, phone, or email and otherwise provide support for and resolve problems with the Services.
- Communications. To send technical, administrative, and marketing emails, messages, and other communications. Services-related technical and administrative communications and important Services-related notices, such as maintenance and security announcements, are essential to delivery of the Services and you cannot opt-out. Marketing communications about new product features, service offerings, and other news about Reflektive are optional; you have the choice whether or not to receive them, and you may opt-out at any time.
- Account Management. To contact for billing, account management, feedback, and other administrative matters.
- Security Purposes. To help prevent and investigate security issues and abuse.
- Legal Obligations. To comply with legal obligations as required by applicable laws, legal process, or regulations.
5. How We Share and Disclose Data
- Client’s Instructions. Reflektive will share and disclose Client Data in accordance with a Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of the Services functionality, and as required by applicable law. Pursuant to the Client Agreement, Client Data is generally treated as the confidential information of Client unless stated otherwise.
- Client Access. Administrators, Authorized Users, and other Client representatives and personnel may be able to access, modify, or restrict access to your data. For example, your Client (e.g., your employer) may use the Services administrative controls and features to access or modify your account details or view certain activities in their Workspace.
- Displaying the Services. When an Authorized User submits data on the Services, it may be displayed to the Client and other Authorized Users in the same Workspace. For example, an Authorized User’s name, job title, and work email address, among other things, may be displayed with their profile accessible to the Client and other Authorized Users in the same Workspace. While in some cases you can make certain data private to specific users, by default most data is public to other Authorized Users in the same Workspace. You are solely responsible for all data you post, upload, store, display, transmit, or submit on the Services, including Personal Data, and the consequences thereof. Reflektive is not responsible and will not be liable for the data disclosed on the Services.
- Rendering the Services. Reflektive employees and contractors may have access to your data on a need to know and confidential basis to the extent necessary to render the Services and related support for the Services.
- Third Party Services. Client may enable or permit integrations with or use of Third Party Services in connection with the Services. When enabled, Reflektive may share certain data with such Third Party Services as requested to effectuate the integration. Third Party Services are not owned or controlled by Reflektive and third parties that have been granted access to your data may have their own policies and practices for its collection and use. You should check the privacy settings and notices of these Third Party Services to understand their privacy practices.
- Changes to Reflektive’s Business. If Reflektive engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), Reflektive may share or disclose data in connection therewith, subject to standard confidentiality obligations.
- Aggregated or De-identified Data. If any data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, we may use or disclose such aggregated or de-identified data for any purpose. For example, we may share aggregated or de-identified data with prospects or partners for business or research purposes, such as statistical analysis, predictive analysis, to research trends, or to develop or improve the Services.
- Enforcement of Agreements. Reflektive may disclose data to ensure compliance with and enforce Client Agreements and any other contractual or legal obligations with respect to the Services and our business.
- Protection of Rights. Reflektive may disclose data to protect and defend our rights and property, including intellectual property rights, and to ensure compliance with applicable laws and enforce third party rights, including intellectual property and privacy rights.
- Legal Compliance. If we are compelled by law, such as to comply with a subpoena, court order, or other lawful process, or in response to a lawful request by public authorities to meet national security or law enforcement requirements, Reflektive may disclose data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
- Safety and Security. Reflektive may disclose data to protect your safety and security; to protect the safety, security and property of Clients; and to protect the safety, security, and property of Reflektive and our employees, agents, representatives, and contractors.
- Your Consent. Reflektive may disclose your data to third parties when we have your express consent to do so.
7. Security Measures
Reflektive maintains physical, technical, and administrative procedures to safeguard and secure the data we collect. We work hard to protect data in our custody and control from loss, misuse, and unauthorized access, use, disclosure, modification, or destruction. For more information about our efforts to keep your data secure, please see our Security Practices.
- You provide Personal Data at your own risk.
- Unfortunately, no data transmission over the Internet is guaranteed to be 100% secure, and we cannot guarantee that unauthorized access, hacking, data losses, or other breaches will never occur.
- You are responsible for safeguarding your Authorized User account and password.
- If you believe your privacy has been breached, please contact us immediately at firstname.lastname@example.org.
8. Identifying the Data Controller and Data Processor
Data protection and privacy laws in certain jurisdictions differentiate between the “controller” and “processor” of data. In general, Client is the controller of Client Data. In general, Reflektive is the processor of Client Data and the controller of Other Information.
9. International Data Transfers
9.1 Transfer Mechanisms for Restricted International Data Transfers
Reflektive does not transfer Personal Data from the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to, or process such Personal Data in, a location outside of the foregoing, without Client’s prior written consent. However, Reflektive may transfer Personal Data from the EU, the EEA, the UK, and Switzerland to, or process such Personal Data in, the United States where Reflektive has implemented an international data transfer mechanism compliant with applicable data protection and privacy laws, which for example may include an international data transfer: (i) subject to an adequacy decision by the European Commission; (ii) to a recipient certified under Privacy Shield; (iii) subject to the Standard Contractual Clauses for the transfer of Personal Data to processors, which are incorporated herein by reference; (iv) where another appropriate safeguard pursuant to Article 46 of the General Data Protection Regulation (“GDPR”) applies; or (v) where a derogation pursuant to Article 49 of the GDPR applies.
9.2 EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Reflektive has further committed to refer unresolved Privacy Shield-related complaints to JAMS, an independent dispute resolution provider located in the United States. If you do not receive a timely acknowledgement of your Privacy Shield-related complaint from Reflektive, or if we have not satisfactorily resolved your complaint or addressed your concern, please contact JAMS to file your complaint, at no cost to you. To contact JAMS or learn more about JAMS dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. Under certain limited situations, as a last resort, you may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
Human resources data including Personal Data in the context of the employment relationship is subject to internal human resource policies. Reflektive commits to cooperate with the panel established by the European Union data protection authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner, and comply with the advice given by such authorities with regard to human resources data transferred from the EU, the EEA, the UK, and Switzerland to the United States in the context of an employment relationship as set forth in the Privacy Shield principles.
10. Your Rights
Individuals located in certain countries and jurisdictions have certain statutory rights in relation to their Personal Data. Subject to any exemptions provided by law, you may have the right to exercise your rights and request certain actions with respect to your Personal Data.
10.1 General Privacy Rights
Reflektive is committed to maintaining accurate information that you share with us and will use commercially reasonable efforts to allow you to access your Personal Data. Upon request we will provide you with information about whether we hold, or process on behalf of a third party, any of your Personal Data. To request this information or if you wish to access, modify, or remove your Personal Data, please contact us at email@example.com. Reflektive will endeavor to respond to all reasonable written requests to access, modify, or remove Personal Data in a timely manner within thirty (30) days.
If you seek to access, modify, or remove Personal Data held or processed by us on behalf of a Client, you should direct your inquiry to your Client (e.g., your employer). Upon receipt of a request from one of our Clients for us to access, modify, or remove the data, we will respond to their request in a timely manner within thirty (30) days.
10.2 Additional Rights for Europe
- Right to Erasure (aka “Right to be Forgotten”). You may have a broader right to erasure of Personal Data that we hold about you, such as, for example, if it is no longer necessary in relation to the purposes for which it was originally collected or we do not have a legal reason to continue to process and hold it. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions, or to comply with our legal obligations.
- Right to Restrict Processing. You may have the right to request that we restrict processing of your Personal Data in certain circumstances, such as, for example, where you believe that the Personal Data we hold about you is inaccurate or unlawfully held. We may be permitted to store the data but not further process it. We may need to keep just enough data to make sure we respect your request in the future.
- Right to Data Portability. You may have the right to be provided with your Personal Data in a structured, machine-readable and commonly used format and to request that we transfer the data to another data controller without affecting the usability of the data.
- Right to Object to Processing. You may have the right to request that we stop processing your Personal Data, such as for the purpose of direct marketing, scientific and historical research, or for a task in the public interest.
- Right to Lodge a Complaint. You may also have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
When offering Services to its Clients, Reflektive acts as a “processor” under the GDPR and our receipt and collection of any Personal Data is completed on behalf of our Clients in order for us to provide the Services. Please direct any data subject requests under the GDPR to the Client with whom you have a direct relationship and whose Workspace you use.
For any other requests related to your applicable rights under the GDPR, please contact us at firstname.lastname@example.org. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
10.3 Additional Rights for California
10.3.1 California Consumer Privacy Act
California residents have certain statutory rights under the California Consumer Privacy Act of 2018, as amended (“CCPA”) regarding their personal information (as defined by the CCPA). If you reside in California, you may have the right to exercise additional rights available to you under the CCPA, including:
- Right to Access. You may have the right to request disclosure of the categories and specific pieces of personal information collected about you. Upon a verifiable request to access personal information, we will promptly take steps to disclose and deliver, free of charge to you, the personal information required to be disclosed. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows you to transmit this information to another entity without hindrance. We may provide personal information to you at any time, but shall not be required to provide personal information to you more than twice in a 12-month period.
- Right to Deletion. You may have the right to request the deletion of your personal information. Upon a verifiable request to delete personal information, we will promptly delete such personal information from our records and direct any service providers to delete such personal information from their records, subject to certain exceptions under the CCPA.
- Right to Opt-Out of the Sale of Information. You may have the right to opt-out of the sale of your personal information to third parties. Reflektive does not sell your personal information to third parties and will never sell your personal information to third parties without your express authorization.
Reflektive will not discriminate against you for exercising your rights under the CCPA. Specifically, if you exercise your rights, we will not deny you services, charge you different prices for services, or provide you a different level or quality of services.
When offering Services to its Clients, Reflektive acts as a “service provider” under the CCPA and our receipt and collection of any consumer personal information is completed on behalf of our Clients in order for us to provide the Services. Please direct any requests to exercise your rights under the CCPA to the Client with whom you have a direct relationship and whose Workspace you use.
For any other requests related to your rights under the CCPA, please contact us at email@example.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
10.3.2 California “Shine the Light” Notice
Reflektive does not disclose Personal Data to third parties for any third parties’ direct marketing purposes, and will not do so unless the Client or Authorized User affirmatively consents to such disclosure. Since Reflektive provides its California users with notice of its rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, Reflektive is in compliance with California’s “Shine the Light” law and is not obligated to provide California users with the names and addresses of all the third parties that received Personal Data from Reflektive for the third parties’ direct marketing purposes during the preceding calendar year.
13. Contact Reflektive
You may contact us at:
Attn: Privacy Team
123 Townsend Street, 3rd Floor
San Francisco, CA, 94107