Skip to Main Content
Main Menu
Legal Center

TrustArc Privacy Notice

Last updated and effective date: 21 July 2023

This Privacy and Data Processing Policy (“Notice”) reflects our TrustArc Inc (“TrustArc”) global privacy practices and standards as of the effective date. TrustArc Inc is a technology-powered privacy solutions company headquartered at 2121 N. California Blvd., Suite 290, Walnut Creek, CA, USA. TrustArc also operates through its subsidiaries TrustArc Canada Inc. (formerly Nymity Inc.), TRUSTe Europe Ltd. in the UK, TRUSTe Web Services Technologies, Inc. in the Philippines, and TRUSTe LLC, in the USA. This Notice applies only to TrustArc practices, technologies, and services. Our online properties may include links to websites and online services that are operated by other companies not under the control or direction of TrustArc. If you provide or submit personal information to those websites or online services, the privacy policies on those websites or online services apply to your personal information.

At TrustArc, Privacy is our Business. We strive to help businesses embed privacy into their strategy and operations by providing simple, scalable, and intelligent solutions that help our customers continually manage privacy compliance and risk. We help to promote responsible data use and stewardship among businesses and suppliers around the world.

Individual Rights
Your Personal Information
Keeping and Securing Your Personal Information
Disclosing Your Personal Information
International Data Transfers
Additional Rights for U.S. Residents
Contact Us

Individual Rights

Depending on your location, you may have basic rights under privacy and data protection laws related to the data we process about you. You may exercise those rights through the form accessible from the Individual Rights Manager button above, emailing us at [email protected] or contacting us via telephone. These rights are free in most cases, and we will aim to respond to your request within 30 days or the specific timeframe required by the applicable laws. We will honor the requests you make related to your rights as the law allows, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. The rights relate to:

Access to the personal information we process about you. This means you have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, and correct inaccuracies;

Correction of inaccurate or incomplete personal information about you;

Deletion of personal information about you;

Restrictions, temporarily or permanently, on our processing of some or all personal information about you;

Transfer of personal information to you or a third party where we process the data based on your consent or a contract with you, and where our processing is automated; and

Opt-out or object to our use of personal information about you where either our use is based on your consent or our legitimate interests. Additionally, you may opt-out of our use of your personal information we have either made available or disclosed to third parties for advertising purposes.

When you submit an individual rights request, you are consenting to us using your information to respond to your request. We will communicate with you via email in most cases. If you wish to withdraw your consent for us to respond to your request, you may do so via that email. Your consent includes that your request will come to the United States, which is where we are located. If you do not consent, we are unable to respond to your request.


Additional Rights for U.S. Residents
If you are a resident of California, Connecticut, Colorado, or Virginia, you may have certain additional privacy rights. For additional information on these rights, please visit our U.S. residents page for more information.

Your Personal Information

What is personal information?

Personal information is data that identifies, relates to, describes, or can be associated with you including data that could be used to identify, locate, track, or contact you.

How we collect your personal information depends upon how you interact with us

The categories and specific types of personal information we obtain about you depends on how you interact with us and our products and services. Depending upon this interaction, you may fall into one of the following data subject categories:

  • Website Visitors – Those who visit our website or online properties
  • Customers/Partners – Those who are customers, business partners, or express interest in our solutions or content
  • Employees/Applicants – Those who are employees, direct contractors, job applicants, or former employees
  • General Consumers – Those who engage with us in activities or relationships not already listed, for example, respondents to customers’ assessments, vendors

We list the below activities (sources) in which we collect personal information on or from you. Depending upon the activity (source), we may collect different categories and specific types of personal information from you. These activities may overlap, for example, a customer may visit our website. If you provide any personal information to us online, such as by filling out a form, attending a webinar, or through cookies (tracking technologies), we only use this information with your consent. Depending on how you interact with us, you may withdraw consent by exercising Your Rights as described above, including submitting a request through our Individual Rights Manager, our Cookie Preferences Manager, by phone, or by email.

Where is your personal information stored or accessed?
Because we have engineering, product, and support operations in the U.S., Canada, and the Philippines, most personal data will be accessed from these locations. Most information is hosted at Amazon Web Services in the U.S., but Cookie Consent Manager (and Consent Manager in general) is hosted at AWS in Ireland. We also offer an option to host platform data in Germany. In addition, through our remote work environment, we may have employees or contractors who access the data from other countries, such as Brazil, Australia, or the United Kingdom.

ONLINE ACTIVITIES – Data subject categories: all

There is information provided to us anytime you visit our website or engage in other online activities, such as using our solutions. In most cases, this information is collected based on our legitimate interests in making sure our website or other online activities function properly or that we are providing the user experience to you that we wish to provide. If it is based on our legitimate interest, we have determined that our business interest in gathering this information does not have a significant impact on your rights. In other activities, we may rely on your consent. If so, you have the ability to refuse consent or change your mind. These options are discussed in more detail below. We have tried to be comprehensive, but if you have any questions, please do not hesitate to contact us. We keep this information for as long as we have a business relationship or potential relationship with you.

Online Forms

We process information you provide, such as your name, email address, company where you work, phone number, job function, job title, country, and any comments you provide. Given that we are a business-to-business (B2B) company, we do this in order to respond to your request for information or resources or, in our legitimate interest, to collect information in order to reach out to you for potential business interest. We may reach out to you with marketing communications using the information you submit in these online forms. You can easily opt out of future communications using the opt-out link provided in the emails sent to you. If you do opt-out, but then complete another form, you are essentially canceling your opt-out.

Cookies and other online tracking technologies

We use cookies and other data collection technologies to help you do the following: navigate our website or technical solutions, personalize and provide a more convenient experience to you, analyze which pages you visit, which features you use in our technical solutions, and which consumer privacy tools you use, provide features such as social sharing widgets and videos, measure advertising and promotional effectiveness, assess which areas of our site you visit to remarket to you after you visit our site, and to provide content to you from our third party content partners.

We use browser session and persistent cookies. Session cookies are temporary cookies that are erased from your device’s memory when you close your Internet browser or turn your computer off where persistent cookies are stored on your device until they expire, unless you delete them before that time. We group browser cookies on our site into three categories, which you can manage through our “Cookie Consent Manager” – and you can return to this Cookie Consent Manager at any time to change your preferences.

    • Required cookies: These cookies are necessary to enable the basic features of this site to function, such as allowing images to load or allowing you to select your cookie preferences.
    • Functional cookies: These cookies allow us to analyze your use of the site to evaluate and improve our performance. They may also be used to provide a better customer experience on this site. For example, remembering your log-in details or providing us information about how our site is used.
    • Advertising cookies: These cookies may be used to disclose data with advertisers so that the ads you see are more relevant to you, allow you to disclose certain pages with social networks, or allow you to post comments on our site.
  • Some cookies may be placed by third party service providers who perform some of these functions for us.
  • In addition, there are browser settings which you can set in your internet browser, such as Internet Explorer, Google Chrome, or Mozilla FireFox, which can also address cookies and trackers. Sometimes these settings contradict what you may choose on a website. For example, if you set your browser settings to refuse all non-essential cookies, then when you visit our page and make a cookie selection – that preference is stored as a cookie and per your browser settings, may override your selection. This means the site won’t remember your selection on your next visit and you may have to make a selection every visit. This may be frustrating and is not something we do deliberately. There are many efforts underway by companies, technology, lawmakers, and others to make this a better user experience for everyone – and we at TrustArc are active in trying to make this an easier process.
  • The Global Privacy Control (GPC) is another technological tool that may be used to control your cookies and tracking preferences. To learn more about the GPC, please download and use a browser supporting the GPC browser signal clicking here: https://globalprivacycontrol.org/orgs. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use.
  • To the extent these online tracking technologies are deemed to be a “sale” / “share” (which includes targeted advertising, as defined under the applicable laws) under applicable U.S. state laws, you can opt-out of these online tracking technologies by submitting a request via a form at this link: Do Not Sell or Share My Personal Information. For further information on the privacy rights of U.S. residents, please see our notice for U.S. residents page.

Server log files

We automatically gather server log file information when you visit our websites. This includes IP address, browser type, referring and exit web pages, and your operating system. We do this based on our legitimate interest in making sure our website operates as intended or to identify what may need to be changed.

Other online activities

In order to administer our website and our technical solutions and to understand how our website visitors navigate through our websites and technical solutions, we monitor our website and solutions based on our legitimate interest to continuously improve the experience for our users. We may further analyze information we gather online to improve the online experience, resources, and tools we provide to our users. This is also based on our legitimate interest to provide appropriate materials or user experiences.

COMMUNICATION AND ENGAGEMENT – Data subject categories: depends on activity, see below

TrustArc is a business-to-business (B2B) company, meaning we sell our solutions to other businesses and do not typically engage with general consumers for profit. However, general consumers may engage with us either on behalf of our customers or through other activities, such as webinars. These activities are provided in more detail in this section. We keep this information as long as we have a potential or actual business relationship with you or if there is a legal obligation to keep the information. Where you consented to providing us the information, you may also revoke your consent. Where we do not collect identifying information, we may not be able to remove the information, because we will not know which information you provided.

Suggestions, Complaints, Inquiries – Data subject categories: all

We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise your rights to object as described above:

  • To investigate complaints or concerns to ensure that such complaints or concerns are addressed appropriately;
  • To send optional customer satisfaction surveys once your complaint has been resolved in order to improve our processes;
  • To evaluate the characteristics and needs of our customers to improve our solutions; and
  • To communicate with you about TrustArc events, industry or privacy-related news to engage with you as a member of the privacy community in which we participate.
  • Opinion / Feedback Surveys – Data subject categories: all

If we engage in a general consumer survey, we process your survey responses. You may answer or not when it is presented to you. Withdrawing your consent will not be possible as we do not ask or collect identifying information and only use answers in large groupings, such as all “Yes” or “No” answers to a particular question. We would not be able to pull your answers out.

If you participate in our market or product / services research and surveys – whether delivered by us or a service provider on our behalf – we may process your email address, job title, phone number, survey responses, company name, job function, state, country, relationship with TrustArc, and any comments you provide. We may provide remuneration in exchange, such as a gift card. We conduct online consumer surveys to learn about your views on important privacy-related issues based on our legitimate interest in better understanding the privacy market and to improve our solutions; we do not directly collect any personal information about you when we conduct these surveys, however cookies and data collection technologies may be used to manage the delivery of the surveys. You may choose to respond or not and may opt out of future communications of this nature. In part, this is through our legitimate interest in obtaining your feedback and part through your consent to such activities.

Customer Engagement – Data subject categories: customers / partners

This may include voluntary participation in our customer community offerings, such as online communications, group meetings, and other engagements. You must consent to participate in such activities and if so, can revoke your consent easily by withdrawing from such activities. You must agree to follow the engagement rules, which will vary by the method of engagement.

Webinars/Presentations/Speaking Engagements – Data subject categories: all

If you register for or attend our webinars (or other presentations), your IP address and some other technical information may be disclosed with the relevant hosting provider or application, such as GoToMeeting. Where applicable, registration information and any comments or feedback you provide to us will be captured.

If you are invited to be a guest in a TrustArc-hosted or sponsored webinar (or other presentation), your contact information will be processed as part of the production. This generally includes your name, email address, phone number, company name, image, and job title. These programs are recorded and broadcast publicly, as is the nature of such programs, which includes your voice and image and the information you disclose during such programs. Follow-up information for the webinars will be sent to the email address registered and you can opt out at any time. If you do register for another webinar, you will be opted back into communications.

Interest in our Solutions – Data subject categories: all

If you request or indicate an interest in information about our solutions or partnership opportunities, we process your name, email address, phone number, job title, information about the company where you work, including its website address, and any comments you provide. We add business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, email communications, and our website. We maintain and update this information as we continue to engage with you. Engaging with you once you express interest in our solutions may be based on your consent or our legitimate interests. If we rely on consent, this will be clear to you that you are providing consent because you will complete a form or register for an event. As such, you can cancel your consent using the opt-out link in the emails we send or by contacting us via an individual rights form, email, or phone.

Marketing Communications – Data subject categories: all

We may send you marketing communications (including sales, information, events, and business development communications) about our solutions, events, or resources that we think may be of interest to you. For these communications, we process your name, phone number, email address, postal address, job title, job function, company name, and information about which of our solutions you use or which may be of interest to you, including any responses you make to such communications. We also process automatic information such as what we collect via cookies, IP address, device type, browser, and if the email was opened.We may also associate other information to the communication for insight such as company size, company financial information, and whether the company is a current or prospective customer. In general, these communications are initiated in our legitimate interest to engage you in business, but if the information was collected through our online forms, you also consented to being contacted. We track these communications to determine whether, when, and the IP address and associated city of, a marketing communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications.

Communications may also include asking for your review of our solutions from your perspective as a customer or user of our solutions. We do this from our interest in having you evaluate our performance. You may opt-out at any time from marketing emails using the unsubscribe link in the emails.

Telephone / Video Calls – Data subject categories: all

If you have consented to a recorded telephone call or video conference with TrustArc, we may process your name, email address, job title, image, and voice for analytical purposes to improve our training and customer relationship management and to provide recorded information to our customers upon request. For example, a customer may want a recording of a demo on a particular solution. For any such telephone calls or video conferences, notice of the intent to record will be provided before recording. You may decline recording at any time before or during the meeting, and you may request deletion of the recording at any time. All such recorded meetings will be automatically deleted within 180 days.

Contracts / Relationship Management – Data subject categories: customers/partners, plus vendors

We process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information, credit card number), company size, company financial information, and signature along with communication content and any comments or feedback you may provide. Some information about you may come from other individuals. For example, a colleague may tell us that you moved to another company or a different role. Similarly, such information may be available publicly, such as on LinkedIn.

We use this information in order to facilitate the contract execution and to deliver on the contract. We will communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions. We will also communicate with you about TrustArc events, or industry/privacy-related news. We have a legitimate business interest in renewing your subscription-based solutions in order to retain you as a customer or partner along with providing additional solutions you request based on our legitimate business interest and / or contractual obligation to respond to your reasonable requests.

In addition, to better understand the needs of the privacy and business communities we aim to serve, we analyze our interactions with you online and offline. This helps us continue to improve how we provide information and engage specifically with you, including to help us determine when you might be ready to make a purchase based on repeated interactions with TrustArc. We want to understand the business that you work for and your prior experience based on our legitimate interest to tailor our communications with you to improve our engagement with you from a business perspective. We also want to understand your business and privacy-related needs based on our legitimate interest to develop and enhance our solutions to address your needs and to make them more relevant to you. Lastly, we do not make any automated decisions about you that would result in legal or other similarly significant or detrimental effects on you.

USING OUR SOLUTIONS – Data subject categories: customers/partners – and their data subjects

TrustArc is a business-to-business (B2B) company, meaning we sell our software solutions to other companies. You may use our solutions because your company purchased our software for their own privacy compliance needs or because you work with a company that does business with our customers. In most cases, this information should be your business information and not your personal information, but we do not control what information our customers enter about you. Below, we provide information in three categories: 1) our customers’ authorized users, 2) the TrustArc platform, and 3) consumer-facing solutions. We develop and / or discontinue solutions based on our business strategy and developments, so not all solutions are detailed below, but apply in a general sense based on how you choose to engage with us.

In the course of using our solutions, we may ask you to provide business information related to the company where you work. Business information may include information about your company’s practices, policies, processes, and supporting documentation. This business information is stored on TrustArc systems, and we use it to provide the solutions you have contracted us to provide and in accordance with the terms and conditions set forth in agreements between TrustArc and your company.

Customers’ Authorized Users

Authorized users or other individuals named in our solutions, such as respondents to customer assessments, fall under the control of the customers’ determinations, meaning TrustArc cannot grant access or delete information without the customers’ permission. We retain this information for the length of the customer contract, deleting it as required by the customer or for a set time period (generally three years from termination) in agreement with the customer. If you are a licensed or other authorized user of our privacy technology platform, we process your name, email address, username, password, IP address, job title, phone number, information about the company where you work, actions you have taken in the applications on the platform or in response to communications, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform.

For individuals at our customer companies or potential customer companies, we process this information to provision and de-provision your account on our platform; authenticate you to enable you to access your account on our platform, including adding users of the solution; provide customer service and support, and investigate issues that you raise; deliver our assurance programs and solutions to you, including provision of our seals, where applicable; resolve disputes related to your organization’s privacy practices; provide alerts in the platform based on your implementation; and help you build, implement, manage, and demonstrate your privacy program and practices using our solutions. We may further analyze the use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.

TrustArc Platform, e.g. PrivacyCentral or Nymity powered by TrustArc (including external respondents)

In order to engage with our solutions, you will either be an authorized user as described above or a non-system user that our customer sends you information to complete. For example, a customer may send you a vendor assessment or you may be a business process owner for the customer and need to complete a data inventory or Data Protection Impact Assessment. In both cases, we are a vendor (a processor/subprocessor) to our customers and the customer is the one responsible for determining their processing purpose and choosing to communicate with you. If you have any questions, you may contact us or the customer to learn more.

TrustArc acquired Nymity in 2019 and provides these services through our TrustArc platform. In most cases, the uses and purposes are the same as those listed just above in the platform. However, in some instances, the customers may disclose such information to other individuals. The authorized users may enter your information into our platform to send you materials or may download the materials and send them directly. We are a vendor (processor) to our customers and their use of your information is based on their determinations. If you have any questions, you may contact the customer or us for more information.

Consumer-facing Solutions, e.g., Individual Rights, Cookie Consent, PrivacyCentral (includes consumers who engage with customers)

Some of our solutions that customers use are consumer-facing, such as Individual Rights Manager or Cookie Consent Manager. If you are a consumer interacting with any of our solutions, we are a vendor (processor) to our customers. As such, the customers are the ones who determine the processing purpose and use your information through our platform. In most cases, we anticipate that their basis for processing your information is consent, but you will need to confirm that with the customers. We use our own solutions, so in that case, we are the “customer” if you engage with Cookie Consent Manager on our website or submit a request through Individual Rights Manager.

  • Individual Rights Manager
    When you submit an individual rights request using a form, we process your name, email address, residence, type of request, the individual type you select on the form, any comments you provide, and any additional information customers need to verify your identity. When you submit a request to another company that has implemented our Individual Rights Manager, we process the information you provide in the form implemented by that company, and we support the management of your request by the company as well as retrieval of information responsive to your request. Communications related to an individual rights request, including more information needed or providing the data requested will be managed through the platform, using an TrustArc’s email server hosted in either Frankfurt, Germany, or Virginia. Although we allow our customers to customize the categories of personal information they wish to collect, we neither recommend nor know of the collection of the category of sensitive personal information.
  • Cookie Consent Manager
    If you have given your consent through our Cookie Consent Manager (CCM) we process your full IP address at initiation to infer your location and serve your the correct cookie banner. After this, we immediately pseudonymized the IP address to record your consent choice (opt-in or opt-out), storing it in our CCM application at our data center in Dublin, Ireland for 13 months. When you first visit our website, we drop a browser-specific cookie. Additionally, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser. If you clear your browser history, which includes clearing the opt-out cookies set by companies, we will not be able to identify you or honor your previous preferences when you return to this site from that specific browser. You will need to re-access the opt-out tool to reset your preferences.
    The connection between your browser or device and any other personal information we may have is not “known” to us until you provide more information. Some of our customers may “know” who you are across browsers or devices based upon the personal information they have collected. In those instances, our customer may direct us to collect and store in its CCM instance an identifier (e.g., IP address) it uses to identify you across browsers or devices. You may want to visit our customers’ website or contact them to learn more about their data privacy practices.
  • Consent Preference Manager
    If a customer of TrustArc has implemented our Consent & Preferences Manager, we process any data related to you collected by this customer to help them manage your consent and preferences. This data may include various categories of personal information selected by the customer. Although we allow our customers to customize the categories of personal information they wish to collect, we neither recommend nor know of the collection of the category of sensitive personal information.
  • Ads Compliance Manager
    If you click through an icon associated with our Ads Interests Manager in an online advertisement, we process information about your interests. We process cookies to deliver our interest-based advertising notice and choice program’s opt-out tools to assist with your opt-out choices and to help us measure usage. Our opt-out tool signals to companies to not use your browsing behavior to provide interest-based advertising by setting their opt-out cookie in your browser. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.
  • TRUSTe Dispute Resolution
    We encourage you to use TRUSTe’s Dispute Resolution Program to report and resolve privacy complaints you may have concerning TRUSTe Certification or Dispute Resolution Program Participants. If you file a privacy-related complaint, we process your name, email, and country location. We will also request that you provide the details that gave rise to your complaint. Any additional personal information you choose to provide in the complaint form is optional.

You can also report misuse of TRUSTe trademarks on this form, such as a company claiming to be certified by us and they are not.

For both of these, we will not disclose your name and contact information with the company you are complaining about unless you consent. If not, we can still disclose the complaint with the company (with your consent), but without knowing more details, we may not be able to resolve your complaint. We will respond to your complaint via email and if you want to withdraw your consent, you can do so by responding to that email.

Also, if you reside in a country with rules about sending information to other countries, called cross-border transfers, you must consent to sending your information to the United States or other countries where we have offices and process personal data for dispute resolution, such as Canada and the Philippines. We may also have employees in other countries who access the information through our platform or via email. This consent applies to your submission to us as well as us communicating with the company about the complaint, which may also be located in another country. If you do not consent, then we cannot process your information or register your complaint.

EMPLOYMENT-RELATED ACTIVITIES – Data subject categories: employees, applicants

This section applies to current, past and future employees or individuals in an employment-like relationship, such as contractors, cosnultants, volunteers, interns, externs, or other individuals acting in a work-related capacity. We keep this information for the time period required by law or based on your consent, for example, for employment applications.

Employment Activities

Applying to work at TrustArc: If you apply to work at TrustArc, we process personal information about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, and curriculum vitae or resume.

Offer of employment or contractor position: If we extend an offer of employment or a contractor position at TrustArc to you, we will process personal information about the position to which you have been appointed, your job title at TrustArc, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature, and your starting compensation or project-based contractor rate, and your start date at TrustArc.

Employment-Related Background checks: We engage service providers to conduct background checks that involve the necessary personal information processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks. We also have designated employees who will do reference checks, usually HR or your supervisor. We contact individuals that you have provided and engage in conversation (written or oral) about you, your work habits, challenges, experience, and more. We do not control the information provided to us by these references.

As an employee or contractor of TrustArc: we may process personal information about your benefits, nationality, residency status, email address, office or other workplace location including remote work arrangements, work phone number, mobile phone number, photographs, passport, visas, marital status, beneficiaries and /or dependents and their associated data related to benefits such as date of birth or relationship status, emergency contact details, financial account information, social security number or other government-issued identification number, holiday and paid time off days which may include the reasons for the time off, salary, incentive compensation, TrustArc stock options granted, TrustArc stock ownership, assigned projects, feedback and opinions, performance against your assigned goals, training completed, any performance improvement plans, any disciplinary actions taken, system accounts, technology and physical assets provided to you, your role and actions taken in connection with TrustArc projects and processes. This will include information voluntarily provided by you, such as would be disclosed in a typical work environment, such as photos of pets, anecdotes about family, and other such information you choose to disclose with colleagues.

If your employment with TrustArc ends, we process personal information necessary to offboard you from TrustArc, including deactivation of your access to our systems, fulfilling our financial, benefits, and related obligations with respect to the end of your employment with TrustArc.

In certain countries, supplemental privacy notices will be provided to TrustArc employees and contractors, and where applicable, consent will be obtained, to ensure compliance with local requirements.

We process personal information about you based on our legitimate interests to establish and manage our relationship with and responsibilities to you and for effective operation of our business, including activities necessary to comply with laws or contracts, such as to:

  • Recruit new talent to join TrustArc;
  • Onboard employees and contractors to TrustArc;
  • Grant and ensure appropriate access to TrustArc systems and facilities;
  • Ensure the security and safety of the workplace and the tangible and intangible assets for which we are responsible;
  • Assign roles and responsibilities;
  • Manage team and cross-functional communications and collaboration;
  • Promote a positive workplace culture;
  • Administer payroll;
  • Benefits administration;
  • Award and pay incentive compensation;
  • Invoice payments;
  • Managing TrustArc projects and processes;
  • Maintaining corporate, financial and other essential business records and reporting;
  • Evaluating financial and operational performance; and
  • Managing compliance, including, but not limited to our privacy, security, accounting, labor and employment, and other legal and regulatory obligations.

Statistical and research purposes: We may further analyze information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.

Using Devices for Work Activities

You may participate in communication processes, which may be recorded, such as video conferences, phone calls, or written correspondence, or video/audio presentations for public release (webinars, podcasts, etc.) and such may be performed from your personal device. TrustArc may inadvertently collect information from your surroundings or device. You should take this into account if using a personal device for work purposes. We may also request or require security software to be installed. More information can be found in the employee handbook and throughout various policies and communications from executives or other personnel in key roles.

TrustArc’s Personnel Scope of Work

As part of your employment activities, you may engage with customers, other employees, technology, vendors, and/or other individuals. Your actions or communications will typically be recorded via online tools or communication technologies. These recordings may be temporary or permanent depending on their intent. For example, if you write code, that may become a permanent entry in TrustArc’s platform. If you engage with regulators on an investigation, that will likely become a long-term record both for TrustArc and the regulator.

Keeping and Securing Your Personal Information

We will keep personal information about you for as long as we provide solutions to you or your company; as long as you work for or with us; as long as we are addressing a concern, question, complaint, or request you have made to us; as applicable to our interactions with you; as long as the law requires us to do so; or for the time period we need to maintain the information, e.g., to respond to investigations or lawsuits. If we have a contract or other agreement with you or your company, we will follow the retention obligations of that agreement.

We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We also may keep data about you for statistical analysis or research purposes.

We take appropriate security measures to protect personal information against loss, misuse, and unauthorized access, alteration, disclosure or destruction. We also have implemented measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that process personal information, and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.

Disclosing Your Personal Information

At TrustArc, we only disclose personal information in ways that we tell you about. Depending upon your location, we do not sell or rent personal information to third parties and we do not disclose personal information with third parties that are not owned by us, under our control or direction, or in a direct business relationship with us except as described in this Notice. We do share personal information (as share is defined under certain data protection laws) with third party advertisers and website analytics providers. If you are a resident of California, Connecticut, Colorado, or Virginia, you may have certain additional privacy rights. For additional information on these rights, please visit our U.S. residents page.

Service providers / Vendors. We disclose personal information with service providers / vendors that help us with our business activities. Service providers support us in processing the types of personal information described above in the section “What personal information” and for the purposes described in the section “Why do we process personal information.” They only are authorized to process that information as necessary and as directed by us. Some of these providers qualify as “subprocessors” under the General Data Protection Regulation because they are used in the provision of services that our customer purchase.

Business partners. TrustArc forms a variety of partnership relationships, to whom we may disclose your information legitimately under one of the reasons described in the Notice or receive information from them. We only permit partners to process your information as necessary and directed by us. In some cases, the partners may be contracted through TrustArc, such as customers who purchase education modules through one of our partners. In other cases, partners may disclose your information with us and their privacy notices will also apply.

Third party cookies and similar technologies. While TrustArc does not sell personal information to third parties, TrustArc does disclose data related to cookies and similar technologies with third parties both to evaluate and optimize the performance of and analyze your use of our online services and for advertising purposes. This may qualify under U.S. state laws as “selling” or “sharing.” You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preference with our Cookie Preferences or by submitting a request via our Do Not Sell My Personal Information form.

Required by law. If we are required to disclose personal information as part of a legal process, we will take commercially reasonable steps to inform you as part of that process. We may also be required to disclose personal information in response to lawful requests by government authorities, including requests from national security agencies or law enforcement. Some of these requests may be by regulatory oversight agencies investigating a complaint where others may be by law enforcement looking for information.

Safety, fraud prevention, government requests and protection of our rights are all reasons where we may disclose personal information where we believe in good faith it is necessary.

Mergers, acquisitions, divestitures, or asset sales but only if the acquiring organization agrees to this Notice’s protections, where this is within our control. If we are under the control of a court, such as bankruptcy proceedings, we may not have full authority to ensure this protection.

 

International Data Transfers

TrustArc is headquartered in the United States and almost all data we process will be transferred to or accessed from the United States or through our subsidiaries in Canada or the Philippines. Customers have the option for their data to be hosted in the United States or Germany, and Cookie Consent Manager is hosted in Ireland. Customers should make sure that their notices reflect our transfer arrangements for their data subjects. Please see our Safeguards for more information on how we protect customer data in international transfers.

This means that we may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, the United Kingdom, China, or another country that requires legal protections for international data transfer. When we do, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:

  • We may transfer personal information to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data (“adequacy”).
  • We may enter into written agreements, such as standard contractual clauses and other data transfer agreements, with recipients that require them to provide the same level of protection for the data.
  • We may seek your consent for transfers of your personal information for specific purposes.
  • We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.

TrustArc Inc and its subsidiary, TRUSTe LLC, in the USA, (“TrustArc”) participate in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), having self-certified to the U.S. Department of Commerce our adherence to the Data Privacy Framework Principles. TrustArc is committed to applying the EU-U.S. Data Privacy Framework Principles and, as applicable the United Kingdom (and Gibraltar), the Swiss-U.S. Data Privacy Framework Principles (as applicable), to all personal information received from countries within the European Economic Area and, as applicable the United Kingdom (and Gibraltar), Switzerland.

To learn more about the Data Privacy Framework, visit the Data Privacy Framework website. Under the Data Privacy Framework, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our DPF commitments. The U.S. Federal Trade Commission has regulatory enforcement authority and jurisdiction over TrustArc’s compliance with and processing of personal information received or transferred pursuant to the EU-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF (when effective), and the Swiss-U.S. Data Privacy Framework (when effective). TrustArc commits to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to the Data Privacy Framework, including to the panel established by the EU and UK authorities and the Swiss FDPIC. This is provided at no cost to you. Please see the section at the beginning about your rights.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, TrustArc commits to cooperate and comply, respectively, with the advice of the panel established by the EU data protection authorities DPAs, the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and, when effective, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

When effective, TrustArc commits to cooperate and comply, respectively, with the advice of the panel established by the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Under certain conditions, described more fully on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Contact Us

If you have any questions about this Notice or our privacy practices, you can contact us by mail, telephone, or e-mail:

TrustArc Inc
2121 N. California Blvd.
Suite 290
Walnut Creek, CA 94596, USA

Phone: 1-866-467- 8688 (or 866-I-OPT-OUT), service code 751 or the main US headquarters +1-415-520-3490.
[email protected]

Full contact information of our privacy team, including of our representatives where this is legally required, is available via this page. If you have concerns about how we handle your personal information, you have the right to make a complaint about us to the privacy regulator in your country, state, or province. For complaints under the GDPR, the UK GDPR or the Philippines Data Privacy Act, please refer to this page. Most privacy regulators can be contacted online using the resources provided here. More information is included under “International Data Transfers” and “Data Privacy Framework.”

Changes to this Notice

We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.

 
Back to Top