TrustArc Privacy and Data Processing Policy
Effective: 18 November 2020
This Privacy and Data Processing Policy reflects our TrustArc global privacy practices and standards as of the effective date.
Who We Are
TrustArc Inc (“TrustArc”) is a technology-powered privacy solutions company headquartered at 111 Sutter Street, Suite 600 in San Francisco, CA, USA.
TrustArc also operates through its subsidiaries TrustArc Canada Inc. (formerly Nymity Inc.), TRUSTe Europe Ltd. in the UK, TRUSTe Web Services Technologies, Inc. in the Philippines, and TRUSTe LLC, in the USA.
If you have a privacy question, you may contact the TrustArc privacy team and our General Counsel any time at privacy@trustarc.com or by using the Policy Questions button on this page. You may also contact us via telephone. Full contact information of our privacy team, including of our representatives where this is legally required, is available via this page. We appreciate the opportunity to address your questions and concerns.
If you have concerns about how we handle your personal information, you have the right to make a complaint about us to the privacy regulator in your country, state, or province. For complaints under the GDPR, the UK GDPR or the Philippines Data Privacy Act, please refer to this page. Most privacy regulators can be contacted online using the resources provided at https://globalprivacyassembly.org/participation-in-the-assembly/members-online/. More information is included under “International Data Transfers” and “Privacy Shield.”
Our Data Values
At TrustArc, Privacy is our Business.
- Embedding privacy. We strive to help businesses embed privacy into their strategy and operations by providing simple, scalable, and intelligent solutions that help our customers continually manage privacy compliance and risk.
- Responsible use. We help to promote responsible data use and stewardship among businesses and suppliers around the world.
- Purpose driven. We only collect, use, and share the information we need to provide and operate our solutions and to help our customers meet their accountability and regulatory compliance needs.
- Always improving. We process data about the use of our solutions and the way we operate our own business in order to help us better understand the needs of our customers, prospects, and other stakeholders, and to continue to improve user experience, features, and functionality of our solutions.
Your Rights
You have six basic rights under privacy and data protection laws related to the data we process about you. You may exercise those rights through the form accessible from the Individual Rights Manager button above or by contacting us via telephone. You do not have to pay a fee, and we will aim to respond to your request within 30 days or the specific timeframe required by the laws applicable to personal information about you. We will honor the requests you make related to your rights as the law allows, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. You may:
request access to the personal information we process about you;
request that we correct inaccurate or incomplete personal information about you;
request deletion of personal information about you;
request restrictions, temporarily or permanently, on our processing of some or all personal information about you;
request transfer of personal information to you or a third party where we process the data based on your consent or a contract with you, and where our processing is automated; and
opt-out or object to our use of personal information about you where either:
- our use is based on your consent or our legitimate interests, or
- you do not want us to share with third parties data related to cookies and similar technologies for website functionality or advertising purposes.
What personal information?
The data we process (collect, use, and share) about you depends on who you are and how we interact with you. Personal information is data that identifies you or that makes you identifiable. It includes data that could be used to identify, locate, track or contact you.
If you are a customer, business partner, or express interest in our solutions:
- Learning about our company and our solutions: If you request or indicate an interest in information about our solutions or partnership opportunities, we process your name, email address, phone number, job title, information about the company where you work, including its website address, and any comments you provide. We append business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources, such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, via email and our website. We maintain and update this information as we continue to engage with you and use it as described under the Legitimate Interests processing purposes described below.
- Using the TrustArc Privacy Platform: If you are a licensed or other authorized user of our privacy technology platform, we process your name, email address, username, password, IP address, job title, phone number, information about the company where you work, actions you have taken in the applications on the platform, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform.
- Participation in our Assurance Programs and Solutions: If you participate in our certification or verification programs, or our GDPR validation, we process your name, email address, country, phone number, job title and company name.
- Using our Consulting Services: If you engage us to provide consulting services, we process your name, email address, postal address, job title, signature, and company information.
- Negotiating and entering into a contract with us and relationship management during the contract term: If you enter into an agreement with us related to the licensing or purchase of our solutions, we process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information, credit card number), company size, company financial information, and signature.
- Receiving marketing, sales-related and business development communications from us: If our marketing team or a member of our sales or business development teams sends communications to you, we process your name, phone number, email address, postal address, job title, job function, company name, company size, company financial information, IP address, device type, email view information including IP address and associated city, and information about which of our solutions you use or which may be of interest to you.
- Market research and surveys: If you participate in our market research and surveys, we process your email address, job title, phone number, survey responses, company name, job function, state, country, and any comments you provide.
- Participation on a recorded telephone call or video conference with TrustArc: If you have consented to a recorded telephone call or video conference with TrustArc, we may process your name, email address, job title and voice for analytical purposes to improve our training and customer relationship management, as described in the Consent processing purposes section below. For any such telephone calls or video conferences, notice of the recording will be provided in advance and during the meeting. You may decline recording at any time before or during the meeting, and you may request deletion of the recording at any time. All such recorded meetings will be automatically deleted within 180 days.
- Webinars & Podcast: If you are invited to be a guest in a TrustArc hosted or sponsored webinar or in our Serious Privacy Podcast, your business contact information will be processed as part of the production. This includes your name, email address, phone number, company name and job title. These programs are recorded and broadcast publicly, as is the nature of such programs, which includes your voice and the information you share during such programs.
If you visit the websites and online properties we provide:
- Our website: We process personal information about you that we collect either directly, through forms or data entry fields on our website, or through passive collection by cookies and other data collection technologies. The types of personal data we process in each of these contexts is further explained in the following four categories:
- Cookie Preference Manager: If you use our preference manager on a mobile device, we process your device’s Advertising Identifier. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.
- Individual Rights Manager: When you submit a request related to our processing of personal information about you, we process your name, email address, residence, type of request, the individual type you select on the form, any comments you provide, and any additional information needed to verify your identity. When you submit a request to another company that has implemented our Individual Rights Manager, we process the information you provide in the form implemented by that company, and we support the management of your request by the company as well as retrieval of information responsive to your request.
- Direct Marketing Consent Manager: If a company has implemented our Direct Marketing Consent Manager, we process a pseudonymous identifier related to you to help that company manage your consent preferences. TrustArc uses this approach to allow the company to manage your personal information rather than TrustArc.
- Ads Interests Manager: If you click through an icon associated with our Ads Interests Manager in an online advertisement, we process information about your interests.
- TrustArc Ads Compliance Manager: We process cookies to deliver our interest-based advertising notice and choice program’s opt-out tools to assist with your opt-out choices and to help us measure usage. Our opt-out tool signals companies to not use your browsing behavior to provide interest-based advertising by setting their opt-out cookie in your browser. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.
- TRUSTe Dispute Resolution Program: We encourage you to use TRUSTe’s Dispute Resolution Program to report and resolve privacy complaints you may have concerning TRUSTe Certification or Dispute Resolution Program Participants, or to report misuse of TRUSTe trademarks. If you file a privacy-related complaint, we process your name, email, and country location. We will also request that you provide the details that gave rise to your complaint. Any additional personal information you choose to provide in the complaint form is optional.
- Serious Privacy Podcast: If you listen to our Serious Privacy podcast, your IP address and some other technical information may be shared with your podcast application and/or our hosting provider Buzzsprout. TrustArc has no access to the data of our listeners, except at aggregate level.
If you are an employee, contractor, job applicant, or former employee:
- Applying to work at TrustArc: If you apply to work at TrustArc, we process personal information about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, and curriculum vitae or resume.
- Offer of employment or contractor position: Prior to making an offer of employment or a contractor position, we process personal information to conduct professional reference checks in accordance with applicable laws. If we extend an offer of employment or a contractor position at TrustArc to you, we will process personal information about the position to which you have been appointed, your job title at TrustArc, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature, and your starting compensation or project-based contractor rate, and your start date at TrustArc.
- Employment-Related Background checks: Prior to commencement of your employment with us, we engage service providers to conduct background checks that involve the necessary personal information processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks.
- As an employee or contractor of TrustArc: We may process personal information about your benefits, nationality, residency status, email address, office or other workplace location, work phone number, mobile phone number, photographs, passport, visas, marital status, beneficiaries, emergency contact details, financial account information, social security number or other government-issued identification number, holiday and paid time off days, salary, incentive compensation, TrustArc stock options granted, TrustArc stock ownership, assigned projects, performance against your assigned goals, training completed, any performance improvement plans, any disciplinary actions taken, system accounts, technology and physical assets provided to you, your role and actions taken in connection with TrustArc projects and processes. If your employment with TrustArc ends, we process personal information necessary to offboard you from TrustArc, including deactivation of your access to our systems, fulfilling our financial, benefits, and related obligations with respect to the end of your employment with TrustArc. In certain countries, supplemental privacy notices will be provided to TrustArc employees and contractors, and where applicable, consent will be obtained, to ensure compliance with local requirements.
Why do we process personal information?
The reasons that we process personal information about you depend on who you are and how we interact with you.
If you are a customer, business partner, or express interest in our solutions:
If you have a contract or other agreement in place with us, we process personal information about you in order to fulfill the following obligations to you under that contract or agreement to:
If you have provided your consent, we process personal information about you to send direct email marketing communications about our solutions. You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. You may also withdraw consent by exercising Your Rights as described above. If you have consented to our recording a telephone call or video conference, we process this information for analytical purposes to improve our training and customer relationship management. For any such telephone calls or video conferences, notice of the recording will be provided in advance and during the meeting. You may decline recording at any time before or during the meeting, and you may request deletion of the recording at any time. All such recorded meetings will be automatically deleted within 180 days.
Our legitimate interests – We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise Your Rights to object as described above:
Statistical and research purposes: We may further analyze use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.
If you visit the websites and online properties we provide:
If you have provided your consent, we process personal information about you to:
You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. You may also withdraw consent by exercising Your Rights as described above, including through our Individual Rights Manager and our Cookie Preferences Manager.
Our legitimate interests – We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise Your Rights to object as described above:
Statistical and research purposes: We may further analyze information we gather online to improve the online experience, resources and tools we provide to our users.
If you are an employee, contractor, job applicant, or former employee:
If you have a contract or other agreement with us, we process personal information about you to fulfill the specific obligations we have to you under the applicable contract or agreement such as:
Our legitimate interests – we process personal information about you based on our legitimate interests to establish and manage our relationship with and responsibilities to you and for effective operation of our business, such as to:
Statistical and research purposes: We may further analyze information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.
International Data Transfers
We may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, or another country that requires legal protections for international data transfer. When we do, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:
- We may transfer personal information to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data (“adequacy”).
- We may enter into written agreements, such as standard contractual clauses and other data transfer agreements, with recipients that require them to provide the same level of protection for the data.
- We may seek your consent for transfers of your personal information for specific purposes.
- We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.
How do we share data about you?
At TrustArc, we only share personal information in ways that we tell you about. We do not sell or rent personal information to third parties and we do not share personal information with third parties that are not owned by us or under our control or direction except as described in this Policy.
Service providers. We share personal information with service providers that help us with our business activities. Service providers support us in processing the types of personal information described above in the section “What personal information” and for the purposes described in the section “Why do we process personal information.” They only are authorized to process that information as necessary and as directed by us.
Third party cookies and similar technologies. While TrustArc does not sell personal information to third parties, TrustArc does share data related to cookies and similar technologies with third parties to evaluate and optimize the performance of and analyze your use of our online services and for advertising purposes. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preference with our Cookie Preferences or by submitting a request via our Do Not Sell My Personal Information form.
Required by law. If we are required to disclose personal information as part of a legal process, we will take commercially reasonable steps to inform you as part of that process. We may also be required to disclose personal information in response to lawful requests by government authorities, including requests from national security agencies or law enforcement.
Safety, fraud prevention, government requests and protection of our rights are all reasons where we may share personal information where we believe in good faith it is necessary.
Mergers, acquisitions, divestitures, or asset sales but only if the acquiring organization agrees to this Policy’s protections.
Keeping and Securing Your Data
We will keep personal information about you for as long as we provide solutions to you, as long as you work for or with us, or as long as we are addressing a concern, question, complaint, or request you have made to us, as applicable to our interactions with you. If we have a contract or other agreement with you, we will follow the retention obligations of that agreement.
We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We also may keep data about you for statistical analysis or research purposes.
We take appropriate security measures to protect personal information against loss, misuse, and unauthorized access, alteration, disclosure or destruction. We also have implemented measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that process personal information, and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.
Privacy Shield
We participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and have self-certified to the U.S. Department of Commerce our adherence to the Privacy Shield Principles for all personal information received from countries in the European Economic Area and Switzerland in reliance on the Privacy Shield. We recognize that both Privacy Shield Frameworks are no longer recognized as a legal means to transfer personal data from the EU and Switzerland to the U.S.; however, TrustArc retains its certification as evidence of our commitment to providing appropriate safeguards. To learn more about Privacy Shield, visit the Privacy Shield website. Under Privacy Shield, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our Privacy Shield commitments. The U.S. Federal Trade Commission has regulatory enforcement authority over our processing of personal information received or transferred pursuant to Privacy Shield. TrustArc commits to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to Privacy Shield, including to the panel established by the EU authorities and the Swiss FDPIC. This is provided at no cost to you. For more information, see the Privacy Shield Complaints section below.
Privacy Shield Complaints
If personal information about you is transferred by TrustArc from the EEA to the U.S. pursuant to Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the EU authorities at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
If personal information about you is transferred by TrustArc from Switzerland to the U.S. pursuant to Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the Swiss FDPIC at https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
Under certain conditions, described more fully on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Business Information and Links to Other Sites
Business information – In the course of using our solutions, we may ask you to provide business information related to the company where you work. Business information may include information about your company’s practices, policies, processes, and supporting documentation. This business information is stored on TrustArc systems, and we use it to provide the solutions you have contracted us to provide and in accordance with the terms and conditions set forth in agreements between TrustArc and your company.
Links to other websites – This Policy applies only to TrustArc practices, technologies, and services. Our online properties may include links to websites and online services that are operated by other companies not under the control or direction of TrustArc. If you provide or submit personal information to those websites or online services, the privacy policies on those websites or online services apply to your personal information. We encourage you to carefully read the privacy policies of any website you visit.
Changes to this Policy
We may make changes to this Policy from time to time based on changes to applicable laws and regulations or other requirements applicable to us, changes in technology, or changes to our business. Any changes we make to the Policy in the future will be posted on this page, and where we change this Policy in ways that also affect how we process personal information about you, where appropriate, we will notify you directly via email or other direct contact with you, and we also will post a notice on our home page that this Policy has changed.