
TrustArc Privacy and Data Processing Policy (Notice)

Effective: 11 March 2022

This Privacy and Data Processing Policy (“Notice”) reflects our TrustArc global privacy practices and standards as of the effective date.


Who We Are

TrustArc Inc (“TrustArc”) is a technology-powered privacy solutions company headquartered at 2121 N. California Blvd., Suite 290, Walnut Creek, CA, USA.

TrustArc also operates through its subsidiaries TrustArc Canada Inc. (formerly Nymity Inc.), TRUSTe Europe Ltd. in the UK, TRUSTe Web Services Technologies, Inc. in the Philippines, and TRUSTe LLC, in the USA. Because we have engineering, product, and support operations in the U.S., Canada, and the Philippines, most personal data will be accessed from these locations. Most information is hosted at Amazon Web Services in the U.S., but Cookie Consent Manager (and Consent Manager in general) is hosted at AWS in Ireland and we also offer an option to host platform data in Germany. In addition, through our remote work environment, we may have employees or contractors who access the data from other countries, such as Brazil, Australia, or the United Kingdom.

If you have a privacy question, you may contact the TrustArc privacy team and our Office of General Counsel at privacy@trustarc.com or by using this form. You may also contact us via telephone. Full contact information of our privacy team, including of our representatives where this is legally required, is available via this page. We appreciate the opportunity to address your questions and concerns.

If you have concerns about how we handle your personal information, you have the right to make a complaint about us to the privacy regulator in your country, state, or province. For complaints under the GDPR, the UK GDPR or the Philippines Data Privacy Act, please refer to this page. Most privacy regulators can be contacted online using the resources provided at https://globalprivacyassembly.org/participation-in-the-assembly/members-online/. More information is included under “International Data Transfers” and “Privacy Shield.”

If you have questions about this Notice or our privacy practices, you may email us at privacy@trustarc.com, complete this form online, or contact us by phone or mail as provided here.


Our Data Values

At TrustArc, Privacy is our Business.

  • Embedding privacy. We strive to help businesses embed privacy into their strategy and operations by providing simple, scalable, and intelligent solutions that help our customers continually manage privacy compliance and risk.
  • Responsible use. We help to promote responsible data use and stewardship among businesses and suppliers around the world.
  • Purpose driven. We only collect, use, and share the information needed to provide and operate our solutions and to help our customers meet their accountability and regulatory compliance needs.
  • Always improving. We process data about the use of our solutions and the way we operate our own business in order to help us better understand the needs of our customers, prospects, and other stakeholders, and to continue to improve user experience, features, and functionality of our solutions.

Individual Rights

Depending on your location, you may have basic rights under privacy and data protection laws related to the data we process about you. You may exercise those rights through the form accessible from the Individual Rights Manager button above, emailing us, or contacting us via telephone. These rights are free in most cases, and we will aim to respond to your request within 30 days or the specific timeframe required by the applicable laws. We will honor the requests you make related to your rights as the law allows, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. The rights relate to:

  • Access to the personal information we process about you;
  • Correction of inaccurate or incomplete personal information about you;
  • Deletion of personal information about you;
  • Restrictions, temporarily or permanently, on our processing of some or all personal information about you;
  • Transfer of personal information to you or a third party where we process the data based on your consent or a contract with you, and where our processing is automated; and
  • Opt-out or object to our use of personal information about you where either:

When you submit an individual rights request, you are consenting to us using your information to respond to your request. We will communicate with you via email in most cases. If you wish to withdraw your consent for us to respond to your request, you may do so via that email. Your consent includes that your request will come to the United States, which is where we are located. If you do not consent, we are unable to respond to your request.


Privacy Shield Inquiries & Complaints (data from the EEA or Switzerland)

If personal information about you was transferred by TrustArc from the EEA to the U.S. under the EU-US Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the EU authorities at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. Please also see information further below about our Privacy Shield involvement.

If personal information about you is transferred by TrustArc from Switzerland to the U.S. pursuant to Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the Swiss FDPIC at https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

Under certain conditions, described more fully on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.


Your Personal Information

See chart below followed by more information in expandable sections.

What is personal information?

The data we process (collect, use, and share) about you depends on who you are and how we interact with you. Personal information is data that identifies you or that makes you identifiable. It includes data that could be used to identify, locate, track, or contact you. Listed below is a quick reference chart to indicate the activities in which we collect personal information on or from you. These activities may overlap, for example, a customer may visit our website. Below the chart, we provide more specific information on these activities.

If you provide any personal information to us online, such as by filling out a form, attending a webinar, or through cookies (tracking technologies), we only use this information with your consent. You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. You may also withdraw consent by exercising Your Rights as described above, including through our Individual Rights Manager and our Cookie Preferences Manager.

  • Website Visitors: Those who visit our website or online properties
  • Customers / Partners: Those who are customers, business partners, or express interest in our solutions or content
  • Personnel / Applicant: Those who are employees, direct contractors, job applicants, or former employees
  • General Consumers: Those who engage with us in activities or relationships not already listed, e.g., respondents to customers’ assessments, vendors

ONLINE ACTIVITIES

There is information provided to us anytime you visit our website or engage in other online activities, such as using our solutions. In most cases, this information is collected based on our legitimate interests in making sure our website or other online activities function properly or that we are providing the user experience to you that we wish to provide. If it is based on our legitimate interest, we have determined that our business interest in gathering this information does not have a significant impact on your rights. In other activities, we may rely on your consent. If so, you have the ability to refuse consent or change your mind. These options are discussed in more detail below. We have tried to be comprehensive, but if you have any questions, please do not hesitate to contact us.

We keep this information for as long as we have a business relationship or potential relationship with you.

Online Forms
We process information you provide, such as your name, email address, company where you work, phone number, job function, job title, country, and any comments you provide. Given that we are a business-to-business (B2B) company, we do this in order to respond to your request for information or resources or, in our legitimate interest, to collect information in order to reach out to you for potential business interest. We may reach out to you with marketing communications using the information you submit in these online forms. You can easily opt out of future communications using the opt-out link provided in the emails sent to you.

If you do opt out, but then complete another form, you are essentially canceling your opt-out.

Cookies, other passive trackers
We use cookies and other data collection technologies to help you navigate our website or technical solutions, personalize and provide a more convenient experience to you, analyze which pages you visit, which features you use in our technical solutions, and which consumer privacy tools you use, provide features such as social sharing widgets and videos, measure advertising and promotional effectiveness, assess which areas of our site you visit to remarket to you after you visit our site, and to provide content to you from our third party content partners.

We use browser session and persistent cookies. Session cookies are temporary cookies that are erased from your device’s memory when you close your Internet browser or turn your computer off, whereas persistent cookies are stored on your device until they expire, unless you delete them before that time. We group browser cookies on our site into three categories, which you can manage through our “Cookie Consent Manager” – and you can return to this Cookie Consent Manager at any time to change your preferences.

  • Required cookies: These cookies are necessary to enable the basic features of this site to function, such as allowing images to load or allowing you to select your cookie preferences.
  • Functional cookies: These cookies allow us to analyze your use of the site to evaluate and improve our performance. They may also be used to provide a better customer experience on this site. For example, remembering your log-in details or providing us information about how our site is used.
  • Advertising cookies: These cookies may be used to share data with advertisers so that the ads you see are more relevant to you, allow you to share certain pages with social networks, or allow you to post comments on our site.
  • Some cookies may be placed by third party service providers who perform some of these functions for us.
  • In addition, there are browser settings which you can set in your internet browser, such as Internet Explorer, Google Chrome, or Mozilla Firefox, which can also address cookies and trackers. Sometimes these settings contradict what you may choose on a website. For example, if you set your browser settings to refuse all non-essential cookies, then when you visit our page and make a cookie selection – that preference is stored as a cookie and per your browser settings, may override your selection. This means the site won’t remember your selection on your next visit and you may have to make a selection every visit. This may be frustrating and is not something we do deliberately. There are many efforts underway by companies, technology, lawmakers, and others to make this a better user experience for everyone – and we at TrustArc are active in trying to make this an easier process.

Server log files
We automatically gather server log file information when you visit our websites. This includes IP address, browser type, referring and exit web pages, and your operating system. We do this based on our legitimate interest in making sure our website operates as intended or to identify what may need to be changed.

Other online activities
In order to administer our website and our technical solutions and to understand how our website visitors navigate through our websites and technical solutions, we monitor our website and solutions based on our legitimate interest to continuously improve the experience for our users.

We may further analyze information we gather online to improve the online experience, resources, and tools we provide to our users. This is also based on our legitimate interest to provide appropriate materials or user experiences.

COMMUNICATION AND ENGAGEMENT

TrustArc is a business-to-business (B2B) company, meaning we sell our solutions to other businesses and do not typically engage with general consumers for profit. However, general consumers may engage with us either on behalf of our customers or through other activities, such as webinars or the Serious Privacy podcast. These activities are provided in more detail in this section.

We keep this information as long as we have a potential or actual business relationship with you or if there is a legal obligation to keep the information. Where you consented to providing us the information, you may also revoke your consent. Where we do not collect identifying information, we may not be able to remove the information, because we will not know which information you provided.

Suggestions, Complaints, Inquiries
We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise your rights to object as described above:

  • To investigate complaints or concerns to ensure that such complaints or concerns are addressed appropriately;
  • To send optional customer satisfaction surveys once your complaint has been resolved in order to improve our processes;
  • To evaluate the characteristics and needs of our customers to improve our solutions; and
  • To communicate with you about TrustArc events, industry or privacy-related news to engage with you as a member of the privacy community in which we participate.

Opinion / Feedback Surveys
If we engage in a general consumer survey, we process your survey responses. You may answer or not when it is presented to you. Withdrawing your consent will not be possible as we do not ask or collect identifying information and only use answers in large groupings, such as all “Yes” or “No” answers to a particular question. We would not be able to pull your answers out.

If you participate in our market or product / services research and surveys – whether delivered by us or a service provider on our behalf – we may process your email address, job title, phone number, survey responses, company name, job function, state, country, relationship with TrustArc, and any comments you provide. We may provide remuneration in exchange, such as a gift card. We conduct online consumer surveys to learn about your views on important privacy-related issues based on our legitimate interest in better understanding the privacy market and to improve our solutions; we do not directly collect any personal information about you when we conduct these surveys, however cookies and data collection technologies may be used to manage the delivery of the surveys. You may choose to respond or not and may opt out of future communications of this nature. In part, this is through our legitimate interest in obtaining your feedback and part through your consent to such activities.

Customer Engagement
This may include voluntary participation in our customer community offerings, such as online communications, group meetings, and other engagements. You must consent to participate in such activities and if so, can revoke your consent easily by withdrawing from such activities. You must agree to follow the engagement rules, which will vary by the method of engagement.

Webinars
If you register for or attend our webinars (or other presentations), your IP-address and some other technical information may be shared with the relevant hosting provider or application, such as GoToMeeting. Where applicable, registration information and any comments or feedback you provide to us will be captured.

If you are invited to be a guest in a TrustArc-hosted or sponsored webinar (or other presentation), your contact information will be processed as part of the production. This generally includes your name, email address, phone number, company name, image, and job title. These programs are recorded and broadcast publicly, as is the nature of such programs, which includes your voice and image and the information you share during such programs.

Follow-up information for the webinars will be sent to the email address registered and you can opt out at any time. If you do register for another webinar, you will be opted back in to communications.

Serious Privacy Podcast

If you listen to the Serious Privacy podcast, your IP-address and some other technical information may be shared with the relevant hosting provider or application, such as Buzzsprout, or the podcast app you use. Where applicable, registration information and any comments or feedback you provide to us will be captured.

If you are invited to be a guest on the Serious Privacy Podcast, your contact information will be processed as part of the production. This includes your name, email address, phone number, company name, image, and job title. These programs are recorded and broadcast publicly, as is the nature of such programs, which includes your voice and the information you share during such programs. If photos are taken, they will not be published without your consent.

Interest in our Solutions
If you request or indicate an interest in information about our solutions or partnership opportunities, we process your name, email address, phone number, job title, information about the company where you work, including its website address, and any comments you provide. We add business information related to the company where you work from third party sources, such as business intelligence providers, information from publicly available sources such as LinkedIn, as well as information about the number and frequency of your interactions with us online and offline, such as at events, webinars, email communications, and our website. We maintain and update this information as we continue to engage with you. Engaging with you once you express interest in our solutions may be based on your consent or our legitimate interests. If we rely on consent, this will be clear to you that you are providing consent because you will complete a form or register for an event. As such, you can cancel your consent using the opt-out link in the emails we send or by contacting us via an individual rights form, email, or phone.

Marketing Communications
We may send you marketing communications (including sales, information, events, and business development communications) about our solutions, events, or resources that we think may be of interest to you. For these communications, we process your name, phone number, email address, postal address, job title, job function, company name, and information about which of our solutions you use or which may be of interest to you, including any responses you make to such communications. We also process automatic information such as what we collect via cookies (IP address, device type, browser, whether the email was opened, etc.), and we may also associate other information to the communication for insight, such as company size, company financial information, and whether the company is a current or prospective customer. In general, these communications are initiated in our legitimate interest to engage you in business, but if the information was collected through our online forms, you also consented to being contacted. We track these communications to determine whether and when a marketing communication we sent was viewed, and the IP address and associated city from which it was viewed, based on our legitimate interest to effectively manage and improve upon such communications.

Communications may also include asking for your review of our solutions from your perspective as a customer or user of our solutions. We do this from our interest in having you evaluate our performance.

You may opt-out at any time from marketing emails using the unsubscribe link in the emails or you may submit an individual rights request.

Telephone / Video Calls
If you have consented to a recorded telephone call or video conference with TrustArc, we may process your name, email address, job title, image, and voice for analytical purposes to improve our training and customer relationship management and to provide recorded information to our customers upon request. For example, a customer may want a recording of a demo on a particular solution. For any such telephone calls or video conferences, notice of the intent to record will be provided before recording. You may decline recording at any time before or during the meeting, and you may request deletion of the recording at any time. All such recorded meetings will be automatically deleted within 180 days.

Contracts / Relationship Management
We process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information, credit card number), company size, company financial information, and signature along with communication content and any comments or feedback you may provide. Some information about you may come from other individuals. For example, a colleague may tell us that you moved to another company or a different role. Similarly, such information may be available publicly, such as on LinkedIn.

We use this information in order to facilitate the contract execution and to deliver on the contract. We will communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions. We will also communicate with you about TrustArc events, or industry/privacy-related news. We have a legitimate business interest in renewing your subscription-based solutions in order to retain you as a customer or partner along with providing additional solutions you request based on our legitimate business interest and / or contractual obligation to respond to your reasonable requests.

In addition, to better understand the needs of the privacy and business communities we aim to serve, we analyze our interactions with you online and offline. This helps us continue to improve how we provide information and engage specifically with you, including to help us determine when you might be ready to make a purchase based on repeated interactions with TrustArc. We want to understand the business that you work for and your prior experience based on our legitimate interest to tailor our communications with you to improve our engagement with you from a business perspective. We also want to understand your business and privacy-related needs based on our legitimate interest to develop and enhance our solutions to address your needs and to make them more relevant to you. Lastly, we do not make any automated decisions about you that would result in legal or other similarly significant or detrimental effects on you.

USING OUR SOLUTIONS

TrustArc is a business-to-business (B2B) company, meaning we sell our software solutions to other companies. You may use our solutions because your company purchased our software for their own privacy compliance needs or because you work with a company that does business with our customers. In most cases, this information should be your business information and not your personal information, but we do not control what information our customers enter about you. Below, we provide information in four categories – our customers’ authorized users, the TrustArc platform, and consumer-facing solutions. We develop and / or discontinue solutions based on our business strategy and developments, so not all solutions are detailed below, but apply in a general sense based on how you choose to engage with us.

Authorized users or other individuals named in our solutions, such as respondents to customer assessments, fall under the control of the customers’ determinations, meaning TrustArc cannot grant access or delete information without the customers’ permission. We retain this information for the length of the customer contract, deleting it as required by the customer or for a set time period (generally three years from termination) in agreement with the customer.

Customers' Authorized Users
If you are a licensed or other authorized user of our privacy technology platform, we process your name, email address, username, password, IP address, job title, phone number, information about the company where you work, actions you have taken in the applications on the platform or in response to communications, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform.

For individuals at our customer companies or potential customer companies, we process this information to provision and de-provision your account on our platform; authenticate you to enable you to access your account on our platform, including adding users of the solution; provide customer service and support, and investigate issues that you raise; deliver our assurance programs and solutions to you, including provision of our seals, where applicable; resolve disputes related to your organization’s privacy practices; provide alerts in the platform based on your implementation; and help you build, implement, manage, and demonstrate your privacy program and practices using our solutions. We may further analyze the use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.

TrustArc Platform, e.g. PrivacyCentral or Nymity powered by TrustArc (including external respondents)
In order to engage with our solutions, you will either be an authorized user as described above or a non-system user to whom our customer sends information to complete. For example, a customer may send you a vendor assessment or you may be a business process owner for the customer and need to complete a data inventory or DPIA. In both cases, we are a vendor (a processor) to our customers and the customer is the one responsible for determining their processing purpose and choosing to communicate with you. If you have any questions, you may contact us or the customer to learn more.

TrustArc acquired Nymity in 2019 and provides these services through our TrustArc platform. In most cases, the uses and purposes are the same as those listed just above in the platform. However, in some instances, the customers may share such information with other individuals. The authorized users may enter your information into our platform to send you materials or may download the materials and send them directly. We are a vendor (processor) to our customers and their use of your information is based on their determinations. If you have any questions, you may contact the customer or us for more information.

Consumer-facing Solutions, e.g., Individual Rights, Cookie Consent

Some of our solutions that customers use are consumer-facing, such as Individual Rights Manager or Cookie Consent Manager. If you are a consumer interacting with any of our solutions, we are a vendor (processor) to our customers. As such, the customers are the ones who determine the processing purpose and use your information through our platform. In most cases, we anticipate that their basis for processing your information is consent, but you will need to confirm that with the customers. We use our own solutions, so in that case, we are the “customer” if you engage with Cookie Consent Manager on our website or submit a request through Individual Rights Manager.

  • Individual Rights Manager
    When you submit an individual rights request using a form, we process your name, email address, residence, type of request, the individual type you select on the form, any comments you provide, and any additional information customers need to verify your identity. When you submit a request to another company that has implemented our Individual Rights Manager, we process the information you provide in the form implemented by that company, and we support the management of your request by the company as well as retrieval of information responsive to your request. Communications related to an individual rights request, including more information needed or providing the data requested will be managed through the platform, using an email server.
  • Cookie Preference Manager
    If you use our preference manager on a mobile device, we process your device’s Advertising Identifier. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.
  • Direct Marketing Consent Manager
    If a company has implemented our Direct Marketing Consent Manager, we process a pseudonymous identifier related to you to help that company manage your consent preferences. TrustArc uses this approach to allow the company to manage your personal information rather than TrustArc.
  • Ads Compliance Manager
    If you click through an icon associated with our Ads Interests Manager in an online advertisement, we process information about your interests. We process cookies to deliver our interest-based advertising notice and choice program’s opt-out tools to assist with your opt-out choices and to help us measure usage. Our opt-out tool signals companies to not use your browsing behavior to provide interest-based advertising by setting their opt-out cookie in your browser. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.
  • TRUSTe Dispute Resolution
    We encourage you to use TRUSTe’s Dispute Resolution Program to report and resolve privacy complaints you may have concerning TRUSTe Certification or Dispute Resolution Program Participants. If you file a privacy-related complaint, we process your name, email, and country location. We will also request that you provide the details that gave rise to your complaint. Any additional personal information you choose to provide in the complaint form is optional.

    You can also report misuse of TRUSTe trademarks on this form, such as a company claiming to be certified by us when it is not.

    For both of these, we will not share your name and contact information with the company you are complaining about unless you consent. If not, we can still share the complaint with the company (with your consent), but without knowing more details, we may not be able to resolve your complaint. We will respond to your complaint via email and if you want to withdraw your consent, you can do so by responding to that email.

    Also, if you reside in a country with rules about sending information to other countries, called cross-border transfers, you must consent to sending your information to the United States or other countries where we have offices and process personal data for dispute resolution, such as Canada and the Philippines. We may also have employees in other countries who access the information through our platform or via email. This consent applies to your submission to us as well as us communicating with the company about the complaint, which may also be located in another country. If you do not consent, then we cannot process your information or register your complaint.

Employment Activities

Applying to work at TrustArc: If you apply to work at TrustArc, we process personal information about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, and curriculum vitae or resume.
Offer of employment or contractor position: If we extend an offer of employment or a contractor position at TrustArc to you, we will process personal information about the position to which you have been appointed, your job title at TrustArc, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature, and your starting compensation or project-based contractor rate, and your start date at TrustArc.
Employment-Related Background checks: We engage service providers to conduct background checks that involve the necessary personal information processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks. We also have designated employees who will do reference checks, usually HR or your supervisor. We contact individuals that you have provided and engage in conversation (written or oral) about you, your work habits, challenges, experience, and more. We do not control the information provided to us by these references.
As an employee or contractor of TrustArc: we may process personal information about your benefits, nationality, residency status, email address, office or other workplace location including remote work arrangements, work phone number, mobile phone number, photographs, passport, visas, marital status, beneficiaries and/or dependents and their associated data related to benefits such as date of birth or relationship status, emergency contact details, financial account information, social security number or other government-issued identification number, holiday and paid time off days which may include the reasons for the time off, salary, incentive compensation, TrustArc stock options granted, TrustArc stock ownership, assigned projects, feedback and opinions, performance against your assigned goals, training completed, any performance improvement plans, any disciplinary actions taken, system accounts, technology and physical assets provided to you, your role and actions taken in connection with TrustArc projects and processes. This will include information voluntarily provided by you, such as would be shared in a typical work environment, such as photos of pets, anecdotes about family, and other such information you choose to share with colleagues.
If your employment with TrustArc ends, we process personal information necessary to offboard you from TrustArc, including deactivation of your access to our systems, fulfilling our financial, benefits, and related obligations with respect to the end of your employment with TrustArc.
In certain countries, supplemental privacy notices will be provided to TrustArc employees and contractors, and where applicable, consent will be obtained, to ensure compliance with local requirements.

 

We process personal information about you based on our legitimate interests to establish and manage our relationship with and responsibilities to you and for effective operation of our business, including activities necessary to comply with laws or contracts, such as to:

  • Recruit new talent to join TrustArc;
  • Onboard employees and contractors to TrustArc;
  • Grant and ensure appropriate access to TrustArc systems and facilities;
  • Ensure the security and safety of the workplace and the tangible and intangible assets for which we are responsible;
  • Assign roles and responsibilities;
  • Manage team and cross-functional communications and collaboration;
  • Promote a positive workplace culture;
  • Administer payroll;
  • Benefits administration;
  • Award and pay incentive compensation;
  • Invoice payments;
  • Managing TrustArc projects and processes;
  • Maintaining corporate, financial and other essential business records and reporting;
  • Evaluating financial and operational performance; and
  • Managing compliance, including, but not limited to our privacy, security, accounting, labor and employment, and other legal and regulatory obligations.

Statistical and research purposes: We may further analyze information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.

Using Devices for Work Activities
You may participate in communication processes, which may be recorded, such as video conferences, phone calls, or written correspondence, or video/audio presentations for public release (webinars, podcasts, etc.) and such may be performed from your personal device. TrustArc may inadvertently collect information from your surroundings or device. You should take this into account if using a personal device for work purposes. We may also request or require security software to be installed. More information can be found in the employee handbook and throughout various policies and communications from executives or other personnel in key roles.
TrustArc’s Personnel Scope of Work
As part of your employment activities, you may engage with customers, other employees, technology, vendors, and/or other individuals. Your actions or communications will typically be recorded via online tools or communication technologies. These recordings may be temporary or permanent depending on their intent. For example, if you write code, that may become a permanent entry in TrustArc’s platform. If you engage with regulators on an investigation, that will likely become a long-term record both for TrustArc and the regulator.

Keeping and Securing Your Personal Information

 

We will keep personal information about you for as long as we provide solutions to you or your company; as long as you work for or with us; as long as we are addressing a concern, question, complaint, or request you have made to us; as applicable to our interactions with you; as long as the law requires us to do so; or for the time period we need to maintain the information, e.g., to respond to investigations or lawsuits. If we have a contract or other agreement with you or your company, we will follow the retention obligations of that agreement.

We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We also may keep data about you for statistical analysis or research purposes.

We take appropriate security measures to protect personal information against loss, misuse, and unauthorized access, alteration, disclosure or destruction. We also have implemented measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that process personal information, and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.


Sharing Your Personal Information

 

At TrustArc, we only share personal information in ways that we tell you about. We do not sell or rent personal information to third parties and we do not share personal information with third parties that are not owned by us, under our control or direction, or in a direct business relationship with us except as described in this Notice.

Service providers / Vendors. We share personal information with service providers / vendors that help us with our business activities. Service providers support us in processing the types of personal information described above in the section “What personal information” and for the purposes described in the section “Why do we process personal information.” They are authorized to process that information only as necessary and as directed by us. Some of these providers qualify as “subprocessors” under the General Data Protection Regulation because they are used in the provision of services that our customers purchase.

Business partners. TrustArc forms a variety of partnership relationships. We may share your information with these partners legitimately under one of the reasons described in the Notice, or receive information from them. We only permit partners to process your information as necessary and directed by us. In some cases, the partners may be contracted through TrustArc, such as customers who purchase education modules through one of our partners. In other cases, partners may share your information with us and their privacy notices will also apply.

Third party cookies and similar technologies. While TrustArc does not sell personal information to third parties, TrustArc does share data related to cookies and similar technologies with third parties to evaluate and optimize the performance of and analyze your use of our online services and for advertising purposes. You may choose to consent to our use of these technologies, reject non-essential technologies, or further manage your preference with our Cookie Preferences or by submitting a request via our Do Not Sell My Personal Information form.

Required by law. If we are required to disclose personal information as part of a legal process, we will take commercially reasonable steps to inform you as part of that process. We may also be required to disclose personal information in response to lawful requests by government authorities, including requests from national security agencies or law enforcement. Some of these requests may be by regulatory oversight agencies investigating a complaint where others may be by law enforcement looking for information.

Safety, fraud prevention, government requests and protection of our rights are all reasons where we may share personal information where we believe in good faith it is necessary.

Mergers, acquisitions, divestitures, or asset sales but only if the acquiring organization agrees to this Notice’s protections, where this is within our control. If we are under the control of a court, such as bankruptcy proceedings, we may not have full authority to ensure this protection.


International Data Transfers

 

TrustArc is headquartered in the United States and almost all data we process will be transferred to or accessed from the United States or through our subsidiaries in Canada or the Philippines. Customers have the option for their data to be hosted in the United States or Germany, and Cookie Consent Manager is hosted in Ireland. Customers should make sure that their notices reflect our transfer arrangements for their data subjects. Please see our Safeguards for more information on how we protect customer data in international transfers.

This means that we may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, the United Kingdom, China, or another country that requires legal protections for international data transfer. When we do, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:

  • We may transfer personal information to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data (“adequacy”).
  • We may enter into written agreements, such as standard contractual clauses and other data transfer agreements, with recipients that require them to provide the same level of protection for the data.
  • We may seek your consent for transfers of your personal information for specific purposes.
  • We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.

 

Privacy Shield

 

We participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and have self-certified to the U.S. Department of Commerce our adherence to the Privacy Shield Principles for all personal information received from countries in the European Economic Area and Switzerland in reliance on the Privacy Shield. We recognize that both Privacy Shield Frameworks are no longer recognized as a legal means to transfer personal data from the EU and Switzerland to the U.S.; however, TrustArc retains its certification as evidence of our commitment to providing appropriate safeguards. To learn more about Privacy Shield, visit the Privacy Shield website. Under Privacy Shield, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our Privacy Shield commitments. The U.S. Federal Trade Commission has regulatory enforcement authority over our processing of personal information received or transferred pursuant to Privacy Shield. TrustArc commits to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to Privacy Shield, including to the panel established by the EU authorities and the Swiss FDPIC. This is provided at no cost to you. Please see the section at the beginning about your rights.


Business Information and Links to Other Sites

 

Business information – In the course of using our solutions, we may ask you to provide business information related to the company where you work. Business information may include information about your company’s practices, policies, processes, and supporting documentation. This business information is stored on TrustArc systems, and we use it to provide the solutions you have contracted us to provide and in accordance with the terms and conditions set forth in agreements between TrustArc and your company.

Links to other websites – This Notice applies only to TrustArc practices, technologies, and services. Our online properties may include links to websites and online services that are operated by other companies not under the control or direction of TrustArc. If you provide or submit personal information to those websites or online services, the privacy policies on those websites or online services apply to your personal information. We encourage you to carefully read the privacy policies of any website you visit.


Changes to this Notice

 

We may make changes to this Notice from time to time based on changes to applicable laws and regulations or other requirements applicable to us, changes in technology, or changes to our business. New laws and decisions occur relatively frequently, but may not impact this Notice. Any changes we make to the Notice in the future will be posted on this page, and where we change this Notice in substantive ways that also affect how we process personal information about you, where appropriate, we will notify you directly via email or other direct contact with you, and we also will indicate on our homepage that this Notice has changed. We will not notify you directly of changes that are minor or that involve formatting or rearranging. Change from November 1, 2021 to current version: formatting and additional clarification.