Effective: May 25, 2018
2 Notice to End Users
3 Data We Collect and Receive
3.1 Client Data
Clients and Authorized Users routinely submit Client Data to Reflektive when using the Services. Client Data is governed by the Client Agreement. Client Data may include Account Information, Hosted Data, Sync Data, or any Client Data otherwise defined in the Client Agreement. If you have any questions about your Personal Data with respect to Client Data, please contact the Client whose Workspace you use.
- Account Information. To create or update an Authorized User account for the Services, you or your Client (e.g., your employer) provide us with data about you and your employment, such as:
  - Your name
  - Date of birth
  - Job title
  - Work email address
  - Office location
  - Office phone number
  - Your company department or organization
  - Your manager’s name
  - Unique identifier
  - Employment dates
  - Profile picture
  - User name
  - Any other applicable Personal Data that may identify you individually
- Hosted Data. When a Client uses, or Authorized User interacts with, the Services, we may collect, process, and store any data that is created, posted, uploaded, stored, displayed, transmitted, or submitted on or through the Services (collectively, “Hosted Data”), as a function of rendering the Services. Hosted Data may contain Personal Data to the extent a Client or Authorized User discloses Personal Data on or through the Services. Reflektive is a passive recipient and takes no active part in collecting or storing Hosted Data. Except to the extent necessary to render the Services or related support for the Services, Reflektive does not purposefully access any Hosted Data. For example, if you submit a review of another Authorized User, the Services passively process and store such performance review for the purpose of rendering the Services, and we will only access such information to the extent necessary to provide the Services and related support for the Services.
- Sync Data. Reflektive makes tools available to integrate data from Third Party Services used by Client into the Services (“Sync Data”). For example, Client may integrate its Workspace with Client’s human capital management platform. When the Services are integrated with a Third Party Service for Sync Data, we will receive all data selected by the Client to sync with the Services. Sync Data is imported into the Services as either Account Information, Hosted Data, or such other Client Data.
3.2 Other Information
Reflektive may collect Other Information from Clients and Authorized Users related to their usage of the Services and interactions with Reflektive. Other Information may include Metadata, Log Data, Technical Data, Cookie Data, Third Party Services, and Additional Information Provided to Reflektive. If you have any questions about your Personal Data with respect to Other Information, please contact Reflektive at firstname.lastname@example.org.
- Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the Services and the way Authorized Users use the Services (“Metadata”). Reflektive collects aggregated Metadata of the Services, so that the resulting data and statistics are not personally identifiable to any individual Authorized User.
- Log Data. Like most websites and web-based technology services, our servers automatically collect data when you access or use our Websites or the Services and record it in log files (“Log Data”). The Log Data may include your Internet Protocol (IP) address, internet service provider (ISP), browser type and settings, information about browser plug-ins, language preference, default email application, referring/exit websites, operating system, date and time stamp, cookie data, and certain user activities.
- Technical Data. Reflektive collects technical data, such as information about devices accessing the Services, including the type of device, device settings, operating system, application software, peripherals, and unique device identifiers (“Technical Data”). Reflektive does not collect Personal Data with any Technical Data or relate any Technical Data to any individual Authorized User.
- Third Party Services. Clients may choose to permit or restrict integrations with Third Party Services for their Workspace. Once enabled, the enabled Third Party Services may share certain data with Reflektive to effectuate the integration. You should check the privacy settings and notices of these Third Party Services to understand what data may be disclosed to Reflektive. When the Services are integrated with Third Party Services to enhance the Services (e.g., Slack, Jira, Gmail, etc.), we may receive data regarding your credentials for and use of the applicable Third Party Services, such as your user name, your unique identifier, and your information transmitted from or made available with permissions by such Third Party Services (e.g., account profile, gender, age range, language, geographic region, etc.). When the Services are integrated with Third Party Services for the login and authentication process (e.g., Google Sign-In, OneLogin, ADFS, and many other SAML 2.0 compatible services) and an Authorized User logs in to the Services using a Third Party Services authenticator, we may receive data regarding your credentials for the applicable Third Party Services, such as your login, your user name, your email, your unique identifier, profile picture, and your information transmitted from or made available with permissions by such Third Party Services (e.g., account profile, gender, age range, language, geographic region, etc.).
- Additional Information Provided to Reflektive. Reflektive receives data when submitted to our Websites or through our Services, or if you contact us (e.g., by email, telephone calls, written correspondence, web-based forms, or otherwise), request support, apply for or take a job with us, contract with us, interact with our social media accounts, or otherwise communicate with Reflektive.
3.3 No Sensitive Personal Data
Reflektive does not intentionally collect, process, or store, and we request that you do not post, upload, store, display, transmit, or submit Sensitive Personal Data on or through the Services or in Client Data. “Sensitive Personal Data” includes, but is not limited to, government-issued identification numbers; financial account numbers; credit or debit card numbers; consumer reports; background checks; any code or password that could be used to gain access to personal accounts; genetic data or biometric data; any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; or data concerning health or sex life or sexual orientation. Reflektive is not responsible and will not be liable for any loss or damages you or another individual may experience due to your disclosure of Sensitive Personal Data while using the Services.
3.4 No Children’s Data
Reflektive’s business activities are directed to other businesses and the Services are intended for use only by those who are 18 years of age and over. The Services are not directed to or intended for children, and Reflektive does not intentionally collect, process, or store any Personal Data from any person under 13 years of age. In the event we discover we have inadvertently collected, processed, or stored any Personal Data from a person under 13 years of age, we will promptly take the appropriate steps to delete such data or seek the necessary verifiable parental consent for that collection in compliance with the Children’s Online Privacy Protection Act (“COPPA”).
4 How and Why We Use Data
Client Data will be used by Reflektive in accordance with Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Services functionality, and as required by applicable law. Client may, for example, use the Services to grant and remove access to a Workspace, create Authorized User accounts, assign roles and configure settings, access, modify, share, restrict, export, and remove Client Data, and otherwise apply its own policies to the Services.
Other Information will be used by Reflektive in furtherance of our legitimate interests in operating our business and providing the Websites and Services, to perform contractual obligations, and/or pursuant to your express consent for a specific purpose. Specifically, Reflektive may use Other Information for these purposes and legal bases:
- Providing the Websites and Services. To make the Websites available and support delivery of the Services under a Client Agreement, manage Authorized Users’ requests interacting with the Services (e.g., login and authentication, remembering settings, etc.), provide hosting and back-end infrastructure, analyze and monitor usage, and monitor and address service performance, security, and technical issues.
- Improving the Websites and Services. To test features, interact with feedback platforms and questionnaires, manage landing pages, heat mapping, traffic optimization, data analysis and research, including profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this.
- Support Services. To respond to support requests via live chat, phone, or email and otherwise provide support for and resolve problems with the Services.
- Communications. To send service, technical, and administrative emails, messages, and other communications. Service-related communications about changes to the Services and important Services-related notices, such as maintenance and security announcements, are essential to delivery of the Services and you cannot opt out. Marketing communications about new product features, service offerings, and other news about Reflektive are optional and you have the choice whether or not to receive them.
- Account Management. To contact for billing, account management, feedback, and other administrative matters.
- Security Purposes. To help prevent and investigate security issues and abuse.
- Legal Obligations. To comply with legal obligations as required by applicable law, legal process, or regulations.
5 How We Share and Disclose Data
- Client’s Instructions. Reflektive will share and disclose Client Data in accordance with a Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of the Services functionality, and as required by applicable law. Pursuant to the Client Agreement, Client Data is generally treated as the confidential information of Client unless stated otherwise.
- Client Access. Administrators, Authorized Users, and other Client representatives and personnel may be able to access, modify, or restrict access to your data. For example, your Client (e.g., your employer) may use the Services administrative controls and features to access or modify your account details or view certain activities in their Workspace.
- Displaying the Services. When an Authorized User submits data on the Services, it may be displayed to the Client and other Authorized Users in the same Workspace. For example, an Authorized User’s name, job title, and work email address, among other things, may be displayed with their profile accessible to the Client and other Authorized Users in the same Workspace. While in some cases you can make certain data private to specific users, by default most data is public to other Authorized Users in the same Workspace. You are solely responsible for all data you post, upload, store, display, transmit, or submit on the Services, including Personal Data, and the consequences thereof. Reflektive is not responsible and will not be liable for the data disclosed on the Services.
- Rendering the Services. Reflektive employees and contractors may have access to your data on a need-to-know and confidential basis to the extent necessary to render the Services and related support for the Services.
- Third Party Services. Client may enable or permit integrations with or use of Third Party Services in connection with the Services. When enabled, Reflektive may share certain data with such Third Party Services as requested to effectuate the integration. Third Party Services are not owned or controlled by Reflektive and third parties that have been granted access to your data may have their own policies and practices for its collection and use. You should check the privacy settings and notices of these Third Party Services to understand their privacy practices.
- Changes to Reflektive’s Business. If Reflektive engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g., due diligence), Reflektive may share or disclose data in connection therewith, subject to standard confidentiality obligations.
- Aggregated or De-identified Data. If any data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, we may use or disclose such aggregated or de-identified data for any purpose. For example, we may share aggregated or de-identified data with prospects or partners for business or research purposes, such as statistical analysis, to research trends and predictive analysis, or to develop or improve the Services.
- Enforcement of Agreements. Reflektive may disclose data to ensure compliance with and enforce Client Agreements and any other contractual or legal obligations with respect to the Services and our business.
- Protection of Rights. Reflektive may disclose data to protect and defend our rights and property, including intellectual property rights, and to ensure compliance with applicable laws and enforce third party rights, including intellectual property and privacy rights.
- Legal Compliance. If we are compelled by law, such as to comply with a subpoena, court order, or other lawful process, or in response to a lawful request by public authorities to meet national security or law enforcement requirements, Reflektive may disclose data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
- Safety and Security. Reflektive may disclose data to protect your safety and security; to protect the safety, security and property of Clients; and to protect the safety, security, and property of Reflektive and our employees, agents, representatives, and contractors.
- Your Consent. Reflektive may disclose your data to third parties when we have your express consent to do so.
7 Security Measures
Reflektive maintains physical, technical, and administrative procedures to safeguard and secure the data we collect. We work hard to protect data in our custody and control from loss, misuse, and unauthorized access, use, disclosure, modification, or destruction. For more information about our efforts to keep your data secure, please see our Security Practices.
- You provide Personal Data at your own risk.
- Unfortunately, no data transmission over the internet is guaranteed to be 100% secure, and we cannot guarantee that unauthorized access, hacking, data losses, or other breaches will never occur.
- You are responsible for safeguarding your Authorized User account and password.
- If you believe your privacy has been breached, please contact us immediately at email@example.com.
8 Identifying the Data Controller and Data Processor
Data protection laws in certain jurisdictions differentiate between the “controller” and “processor” of data. In general, Client is the controller of Client Data. In general, Reflektive is the processor of Client Data and the controller of Other Information.
9 International Data Transfers
9.1 EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
Reflektive has further committed to refer unresolved Privacy Shield-related complaints to JAMS, an independent dispute resolution provider located in the United States. If you do not receive a timely acknowledgement of your Privacy Shield-related complaint from Reflektive, or if we have not satisfactorily resolved your complaint or addressed your concern, please contact JAMS to file your complaint, at no cost to you. To contact JAMS and/or learn more about JAMS dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. Under certain limited situations, as a last resort, you may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
Human resources data including Personal Data in the context of the employment relationship is subject to internal human resource policies. Reflektive commits to cooperate with the panel established by the European Union data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, and comply with the advice given by such authorities with regard to human resources data transferred from the European Union member states and Switzerland to the United States in the context of an employment relationship as set forth in the Privacy Shield principles.
9.2 Standard Contractual Clauses
The transfer of Personal Data from the European Union member countries and Switzerland to the United States will be subject to Privacy Shield and then, if Privacy Shield is deemed to be inadequate by European Union and/or Swiss data protection laws, will be subject to the Standard Contractual Clauses for the transfer of Personal Data to Processors (“Standard Contractual Clauses”). The Standard Contractual Clauses will also apply to the transfer of Personal Data from the European Union member countries and Switzerland to any country deemed by applicable data protection laws not to ensure an adequate level of data protection.
10 Your Rights
Individuals located in certain countries and jurisdictions have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to exercise your rights and request certain actions with respect to your Personal Data.
10.1 General Privacy Rights
Reflektive is committed to maintaining accurate information that you share with us and will use commercially reasonable efforts to allow you to access your Personal Data. Upon request we will provide you with information about whether we hold, or process on behalf of a third party, any of your Personal Data. To request this information or if you wish to access, modify, or remove your Personal Data, please contact us at firstname.lastname@example.org. Reflektive will endeavor to respond to all reasonable written requests to access, modify, or remove Personal Data in a timely manner within thirty (30) days.
If you seek to access, modify, or remove Personal Data held or processed by us on behalf of a Client, you should direct your inquiry to your Client (the data controller). Upon receipt of a request from one of our Clients for us to remove the data, we will respond to their request in a timely manner within thirty (30) days.
10.2 Additional GDPR Rights
- Right to Erasure (aka “Right to be Forgotten”). You may have a broader right to erasure of Personal Data that we hold about you, such as, for example, if it is no longer necessary in relation to the purposes for which it was originally collected or we do not have a legal reason to continue to process and hold it. Please note, however, that we may need to retain certain information for record-keeping purposes, to complete transactions, or to comply with our legal obligations.
- Right to Restrict Processing. You may have the right to request that we restrict processing of your Personal Data in certain circumstances, such as, for example, where you believe that the Personal Data we hold about you is inaccurate or unlawfully held. We may be permitted to store the data but not further process it. We may need to keep just enough data to make sure we respect your request in the future.
- Right to Data Portability. You may have the right to be provided with your Personal Data in a structured, machine-readable, and commonly used format, and to request that we transfer the data to another data controller without affecting the usability of the data.
- Right to Object to Processing. You may have the right to request that we stop processing your Personal Data, such as for the purpose of direct marketing, scientific and historical research, or for a task in the public interest.
- Right to Lodge a Complaint. You may also have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
If you are entitled and would like to exercise such rights, please contact us at email@example.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
10.3 California “Shine the Light” Notice
Reflektive does not disclose Personal Data to third parties for any third parties’ direct marketing purposes, unless the Client or Authorized User affirmatively consents to such disclosure. Since Reflektive provides its California users with notice of its rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, Reflektive is in compliance with California’s “Shine the Light” law and is not obligated to provide California users with the names and addresses of all the third parties that received Personal Data from Reflektive for the third parties’ direct marketing purposes during the preceding calendar year.
13 Contact Reflektive
You may contact us at:
Attn: Chief Privacy Officer
123 Townsend St., 3rd Floor
San Francisco, CA 94107
Last Updated: May 25, 2018
Revision History: v2.0, v1.0