TrustArc Privacy and Data Processing Policy

Effective: 25 May 2018

This Privacy and Data Processing Policy reflects our TrustArc global privacy practices and standards as of the effective date.

Who we are

TrustArc Inc (“TrustArc”) is a technology-powered privacy solutions company headquartered at 835 Market Street, Suite 800 in San Francisco, CA, USA.

TrustArc also operates through its subsidiaries TRUSTe Europe Ltd. in the UK, TRUSTe Web Services Technologies, Inc. in the Philippines, and TRUSTe LLC, in the USA.

If you have a privacy question, you may contact the TrustArc privacy team and our Chief Data Governance Officer any time at privacy@trustarc.com or by using the Policy Questions button on this page. We appreciate the opportunity to address your questions and concerns.

If you have concerns about how we handle your personal information, you have the right to make a complaint about us to the UK Information Commissioner’s Office (ICO) at www.ico.org.uk. You may also contact the privacy regulator in your country. Most privacy regulators can be contacted online using the resources provided at https://icdppc.org/participation-in-the-conference/members-online/. More information is included under “International Data Transfers” and “Privacy Shield.”

Our Data Values

At TrustArc, Privacy is our Business.

  • Embedding privacy. We strive to help businesses embed privacy into their strategy and operations by providing simple, scalable, and intelligent solutions that help our customers continually manage privacy compliance and risk.
  • Responsible use. We help to promote responsible data use and stewardship among businesses and suppliers around the world.
  • Purpose driven. We only collect, use, and share the information we need to provide and operate our solutions and to help our customers meet their accountability and regulatory compliance needs.
  • Always improving. We process data about the use of our solutions and the way we operate our own business in order to help us better understand the needs of our customers, prospects, and other stakeholders, and to continue to improve user experience, features, and functionality of our solutions.

Your Rights

You have six basic rights under privacy and data protection laws related to the data we process about you. You do not have to pay a fee, and we will aim to respond to your request within 30 days. We will honor the requests you make related to your rights as the law allows, which means in some cases there may be legal or other official reasons that we may not be able to address the specific request you make related to your rights. You may:

  • request access to the personal information we process about you;
  • request that we correct inaccurate or incomplete personal information about you;
  • request deletion of personal information about you;
  • request restrictions, temporarily or permanently, on our processing of some or all personal information about you;
  • request transfer of personal information to you or a third party where we process the data based on your consent or a contract with you, and where our processing is automated; and
  • opt-out or object to our use of personal information about you where our use is based on your consent or our legitimate interests.

What personal information?

The data we process about you depends on who you are and how we interact with you. Personal information is data that identifies you or that makes you identifiable. It includes data that could be used to identify, locate, track or contact you.

If you are a customer, business partner, or express interest in our solutions:

If you visit the websites and online properties we provide:

If you are an employee, contractor, job applicant, or former employee:

Learning about our company and our solutions: If you request information about our solutions or partnership opportunities, we process your name, email address, phone number, job title, information about the company where you work, and any comments you provide. We append business information related to the company where you work from third party sources, such as business intelligence providers. We also may append information from publicly available sources, such as LinkedIn.

Using the TrustArc Privacy Platform: If you are a licensed or other authorized user of our privacy technology platform, we process your name, email address, username, password, IP address, job title, phone number, information about the company where you work, actions you have taken in the applications on the platform, such as record creation, changes, input, responses, analysis, and approvals, and tickets filed on your behalf related to our platform.

  • TrustArc-IAPP Assessment Manager: If you are using the free version of our Assessment Manager offered in partnership with the IAPP, we process your name, email address, company name, and password. Please refer to the Privacy Notice for that service for more information.

Participation in our Assurance Programs and Solutions: If you participate in our certification or verification programs, or our GDPR validation, we process your name, email address, country, phone number, job title and company name.

Using our Consulting Services: If you engage us to provide consulting services, we process your name, email address, postal address, job title, signature, and company information.

Negotiating and entering into a contract with us and relationship management during the contract term: If you enter into an agreement with us related to the licensing or purchase of our solutions, we process your name, email address, postal address, company name, billing information (e.g., purchase order number, bank wire information, credit card number), company size, company financial information, and signature.

Receiving marketing, sales-related and business development communications from us: If our marketing team or a member of our sales or business development teams sends communications to you, we process your name, phone number, email address, postal address, job title, job function, company name, company size, company financial information, IP address, device type, email view information including IP address and associated city, and information about which of our solutions you use or which may be of interest to you.

Market research and surveys: If you participate in our market research and surveys, we process your email address, job title, phone number, survey responses, company name, job function, state, country, and any comments you provide.

Our website: We process personal information about you that we collect either directly, through forms or data entry fields on our website, or through passive collection by cookies and other data collection technologies. The types of personal data we process in each of these contexts is further explained in the following four categories:

  • Contact us and registration forms: we process your name, email address, company where you work, phone number, job function, job title, country, and any comments you provide.
  • Consumer opinion surveys: we process your survey responses.
  • Cookies and other data collection technologies: we use browser session cookies, which are temporary cookies that are erased from your device’s memory when you close your Internet browser or turn your computer off, and persistent cookies, which are stored on your device until they expire, unless you delete them before that time. We group browser cookies on our site into three categories, which you can manage through our “Cookie Preferences” manager:
    • Required cookies: These cookies are necessary to enable the basic features of this site to function, such as allowing images to load or allowing you to select your cookie preferences.
    • Functional cookies: These cookies allow us to analyze your use of the site to evaluate and improve our performance. They may also be used to provide a better customer experience on this site. For example, remembering your log-in details or providing us information about how our site is used.
    • Advertising cookies: These cookies may be used to share data with advertisers so that the ads you see are more relevant to you, allow you to share certain pages with social networks, or allow you to post comments on our site.
    Videos and other features on our site use Flash cookies to collect and store your preferences, such as volume. Flash cookies are different from browser cookies because of the amount of, type of, and way that data is stored. Cookie management tools provided by your browser will not remove Flash cookies. To learn how to manage privacy and storage settings for Flash cookies click here. Some cookies may be placed by third party service providers who perform some of these functions for us.
  • Server log files: We automatically gather server log file information when you visit our websites. This includes IP address, browser type, referring and exit web pages, and your operating system.

Cookie Preference Manager: If you use our preference manager on a mobile device, we process your device’s Advertising Identifier. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.

Individual Rights Manager: When you submit a request related to our processing of personal information about you, we process your name, email address, type of request, the individual type you select on the form, and any comments you provide. When you submit a request to another company that has implemented our Individual Rights Manager, we process the information you provide in the form implemented by that company only as long as needed to ensure delivery of the request to that company.

Direct Marketing Consent Manager: If a company has implemented our Direct Marketing Consent Manager, we process a pseudonymous identifier related to you to help that company manage your consent preferences. TrustArc uses this approach to allow the company to manage your personal information rather than TrustArc.

Ads Interests Manager: If you click through an icon associated with our Ads Interests Manager in an online advertisement, we process information about your interests.

TrustArc Ads Compliance Manager: We process cookies to deliver our interest-based advertising notice and choice program’s opt-out tools to assist with your opt-out choices and to help us measure usage. Our opt-out tool signals companies to not use your browsing behavior to provide interest-based advertising by setting their opt-out cookie in your browser. When you access our preference manager, session cookies will be set by the ad networks listed in our preference manager to honor your preferences if you choose not to receive interest-based advertising. If you clear your browser cookies, this will remove all cookies including the opt-out cookies set by the companies. You will need to re-access the opt-out tool to reset your preferences. Our cookie only knows your last set of preferences and does not reflect the current state of cookies on your browser.

TRUSTe Dispute Resolution Program: We encourage you to use TRUSTe’s Dispute Resolution Program to report and resolve privacy complaints you may have concerning TRUSTe Certification or Dispute Resolution Program Participants, or to report misuse of TRUSTe trademarks. If you file a privacy-related complaint, we process your name, email, and country location. We will also request that you provide the details that gave rise to your complaint. Any additional personal information you choose to provide in the complaint form is optional.

Applying to work at TrustArc: If you apply to work at TrustArc, we process personal information about you and your professional experience, education and training such as your application, your name (and any former names), postal address, email address, phone number, universities attended, academic degrees obtained, grades, professional certifications and licenses, employment history, and curriculum vitae or resume.

Offer of employment or contractor position: Prior to making an offer of employment or a contractor position, we process personal information to conduct professional reference checks in accordance with applicable laws. If we extend an offer of employment or a contractor position at TrustArc to you, we will process personal information about the position to which you have been appointed, your job title at TrustArc, the compensation or project-based contractor rate we offer to you, whether you accept the offer, your signature, and your starting compensation or project-based contractor rate, and your start date at TrustArc.

Employment-Related Background checks: Prior to commencement of your employment with us, we engage service providers to conduct background checks that involve the necessary personal information processing as permitted by the laws in the location in which you reside and/or work. More details are provided to you in the context of our request to you to complete these checks.

As an employee or contractor of TrustArc: we may process personal information about your benefits, nationality, residency status, email address, office or other workplace location, work phone number, mobile phone number, photographs, passport, visas, marital status, beneficiaries, emergency contact details, financial account information, social security number or other government-issued identification number, holiday and paid time off days, salary, incentive compensation, TrustArc stock options granted, TrustArc stock ownership, assigned projects, performance against your assigned goals, training completed, any performance improvement plans, any disciplinary actions taken, system accounts, technology and physical assets provided to you, your role and actions taken in connection with TrustArc projects and processes.

If your employment with TrustArc ends, we process personal information necessary to offboard you from TrustArc, including deactivation of your access to our systems, fulfilling our financial, benefits, and related obligations with respect to the end of your employment with TrustArc.

In certain countries, supplemental privacy notices will be provided to TrustArc employees and contractors, and where applicable, consent will be obtained, to ensure compliance with local requirements.

Why do we process personal information?

The reasons that we process personal information about you depend on who you are and how we interact with you.

If you are a customer, business partner, or express interest in our solutions:

If you visit the websites and online properties we provide:

If you are an employee, contractor, job applicant, or former employee:

If you have a contract or other agreement in place with us, we process personal information about you in order to fulfill the following obligations to you under that contract or agreement to:

  • Provision your account on our platform;
  • Authenticate you to enable you to access your account on our platform, including additional users of the solution;
  • Provide customer service and support, and investigate issues that you raise;
  • Deliver our assurance programs and solutions to you, including provision of our seals, where applicable;
  • Resolve disputes related to your organization’s privacy practices;
  • Communicate with you, including via email, about your use of our solutions, obtain your input on new features, functionality, and content, and to provide information about updates to our solutions;
  • Communicate with you about TrustArc events, industry or privacy-related news;
  • Help you build, implement, manage, and demonstrate your privacy program and practices using our solutions; and
  • Deprovision your account on our platform.

If you have provided your consent, we process personal information about you to send direct email marketing communications about our solutions. You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. You may also withdraw consent by exercising Your Rights as described above.

Our legitimate interests - We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise Your Rights to object as described above:

  • To renew subscription-based solutions you have licensed based on our legitimate business interest in retaining you as a customer or partner;
  • To provide additional solutions you request based on our legitimate business interest to respond to your reasonable requests and to retain you as a customer or partner;
  • To analyze the effectiveness of our interactions with you based on our legitimate interests to continue and to improve upon our engagement with you;
  • To determine whether, when, and the IP address and associated city of, a marketing, sales, or business development email communication we sent was viewed based on our legitimate interest to effectively manage and improve upon such communications with you;
  • To understand the business that you work for and your prior experience based on our legitimate interest to tailor our communications with you to improve our engagement with you;
  • To understand your business and privacy-related needs based on our legitimate interest to develop and enhance our solutions to address your needs and to make them more relevant to you; and
  • To manage our legal, financial, policy and regulatory compliance responsibilities and to demonstrate our compliance upon request.

Statistical and research purposes: We may further analyze use of our solutions, and characteristics of the companies that use our solutions (e.g., by size and industry sector) to help us understand and make decisions about customer and market needs, to improve our solutions, to design new solutions, and to inform partnership and business development decisions.

If you have provided your consent, we process personal information about you to:

  • Share your name or contact information with the TRUSTe Certification or Dispute Resolution Program Participant that is the subject of your privacy-related complaint; however, please be aware that if we cannot share this information, then we may not be able to resolve your complaint.
  • Respond to your individual rights requests.
  • Manage your consent preferences.
  • Ads Interests Manager: to apply your device-specific interests for both mobile apps and mobile websites, to create a non-permanent unique ID within our platform for the purpose of storing and communicating interests within our internal platform, to communicate and share your interests to advertising and data partners, including whether you want to receive interest-based ads, and to enable advertising and data partners to honor your interests according to the preferences you have set. To learn more about how TrustArc uses your interest data, click here. To access and view interest information you have provided or made available to us, click here. Please note, to view your interests you will need to access the link using the same device from which your interests were originally set.
  • Deliver the resources and information you have requested online.
  • Send direct email marketing communications about our solutions, events and related resources that may be of interest to you.
  • Use cookies and other data collection technologies to help you navigate our website or technical solutions, personalize and provide a more convenient experience to you, analyze which pages you visit, which features you use in our technical solutions, and which consumer privacy tools you use, provide features such as social sharing widgets and videos, measure advertising and promotional effectiveness, assess which areas of our site you visit to remarket to you after you visit our site, and to provide content to you from our third party content partners.

You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. You may also withdraw consent by exercising Your Rights as described above, including through our Individual Rights Manager and our Cookie Preferences Manager.

Our legitimate interests - We process personal information about you based on our legitimate business interests for the following purposes, to which you may exercise Your Rights to object as described above:

  • To investigate complaints or concerns based on our legitimate interest to ensure that such complaints or concerns are addressed appropriately;
  • To send optional customer satisfaction surveys once your complaint has been resolved based on our legitimate interest to continue to improve our processes;
  • To evaluate the characteristics and needs of our customers based on our legitimate interest in improving the solutions we offer and provide;
  • To communicate with you about TrustArc events, industry or privacy-related news based on our legitimate interest in engaging with you as a member of the privacy community in which we participate;
  • To conduct online consumer surveys to learn about your views on important privacy-related issues based on our legitimate interest in better understanding the privacy market and to improve our solutions; we do not directly collect any personal information about you when we conduct these surveys, however cookies and data collection technologies may be used to manage the delivery of the surveys; and
  • To administer our website and our technical solutions and to understand how our website visitors navigate through our websites and technical solutions based on our legitimate interest to continuously improve the experience for our users.

Statistical and research purposes: We may further analyze information we gather online to improve the online experience, resources and tools we provide to our users.

If you have a contract or other agreement with us, we process personal information about you to fulfill the specific obligations we have to you under the applicable contract or agreement such as:

  • Payment of project fees to contractors;
  • Managing performance obligations under employment contracts, where applicable;
  • Management of TrustArc stock options pursuant to stock option agreements; and
  • Management of stock ownership pursuant to stock purchase and related agreements.

Our legitimate interests - we process personal information about you based on our legitimate interests to establish and manage our relationship with and responsibilities to you and for effective operation of our business, such as to:

  • Recruit new talent to join TrustArc;
  • Onboard employees and contractors to TrustArc;
  • Grant and ensure appropriate access to TrustArc systems and facilities;
  • Ensure the security and safety of the workplace and the tangible and intangible assets for which we are responsible;
  • Assign roles and responsibilities;
  • Manage team and cross-functional communications and collaboration;
  • Promote a positive workplace culture;
  • Administer payroll;
  • Benefits administration;
  • Award and pay incentive compensation;
  • Invoice payments;
  • Managing TrustArc projects and processes;
  • Maintaining corporate, financial and other essential business records and reporting;
  • Evaluating financial and operational performance; and
  • Managing compliance, including, but not limited to our privacy, security, accounting, labor and employment, and other legal and regulatory obligations.

Statistical and research purposes: We may further analyze information to evaluate and understand employee engagement and to develop plans to continuously improve our workplace culture.

International Data Transfers

We may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, or another country that requires legal protections for international data transfer. When we do, we will ensure that an adequate level of protection is provided for the information by using one or more of the following approaches:

  • We may transfer personal information pursuant to our own Privacy Shield self-certification, as described further below, or to other organizations that participate in Privacy Shield for transfers from the EEA or Switzerland to the U.S.
  • We may transfer personal information to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data.
  • We may enter into written agreements with recipients that require them to provide the same level of protection for the data.
  • We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.

How do we share data about you?

At TrustArc, we only share personal information in ways that we tell you about. We do not sell or rent personal information to third parties and we do not share personal information with third parties that are not owned by us or under our control or direction except as described in this Policy.

Service providers. We share personal information with service providers that help us with our business activities. They only are authorized to process that information as necessary and as directed by us.

Required by law. If we are required to disclose personal information as part of a legal process, we will take commercially reasonable steps to inform you as part of that process. We may also be required to disclose personal information in response to lawful requests by government authorities, including requests from national security agencies or law enforcement.

Safety, fraud prevention, government requests and protection of our rights are all reasons where we may share personal information where we believe in good faith it is necessary.

Mergers, acquisitions, divestitures, or asset sales but only if the acquiring organization agrees to this Policy’s protections.

Keeping and Securing Your Data

We will keep personal information about you for as long as we provide solutions to you, as long as you work for or with us, or as long as we are addressing a concern, question, complaint, or request you have made to us, as applicable to our interactions with you. If we have a contract or other agreement with you, we will follow the retention obligations of that agreement.

We may keep data longer if we have a legal obligation to keep it or to maintain necessary records for legal, financial, compliance, or other reporting obligations, and to enforce our rights and agreements. We also may keep data about you for statistical analysis or research purposes.

We take appropriate security measures to protect personal information against loss, misuse, and unauthorized access, alteration, disclosure or destruction. We also have implemented measures to maintain the ongoing confidentiality, integrity and availability of the systems and services that process personal information, and will restore the availability and access to data in a timely manner in the event of a physical or technical incident.

Privacy Shield

We participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and have self-certified to the U.S. Department of Commerce our adherence to the Privacy Shield Principles for all personal information received from countries in the European Economic Area and Switzerland in reliance on the Privacy Shield. To learn more about Privacy Shield, visit the Privacy Shield website. Under Privacy Shield, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our Privacy Shield commitments. The U.S. Federal Trade Commission has regulatory enforcement authority over our processing of personal information received or transferred pursuant to Privacy Shield. TrustArc commits to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to Privacy Shield, including to the panel established by the EU authorities and the Swiss FDPIC. This is provided at no cost to you. For more information, see the Privacy Shield Complaints section below.

Changes to this Policy

We may make changes to this Policy from time to time based on changes to applicable laws and regulations or other requirements applicable to us, changes in technology, or changes to our business. Any changes we make to the Policy in the future will be posted on this page, and where we change this Policy in ways that also affect how we process personal information about you, where appropriate, we will notify you directly via email or other direct contact with you, and we also will post a notice on our home page that this Policy has changed.

Business Information and Links to Other Sites

Business information - In the course of using our solutions, we may ask you to provide business information related to the company where you work. Business information may include information about your company’s practices, policies, processes, and supporting documentation. This business information is stored on TrustArc systems, and we use it to provide the solutions you have contracted us to provide and in accordance with the terms and conditions set forth in agreements between TrustArc and your company.

Links to other websites - This Policy applies only to TrustArc practices, technologies, and services. Our online properties may include links to websites and online services that are operated by other companies not under the control or direction of TrustArc. If you provide or submit personal information to those websites or online services, the privacy policies on those websites or online services apply to your personal information. We encourage you to carefully read the privacy policies of any website you visit.

Privacy Shield Complaints

If personal information about you is transferred by TrustArc from the EEA to the U.S. pursuant to Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the EU authorities at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

If personal information about you is transferred by TrustArc from Switzerland to the U.S. pursuant to Privacy Shield, and you have an unresolved concern regarding personal information processing about you that we have not addressed to your satisfaction, please contact the Swiss FDPIC at https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

Under certain conditions, described more fully on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.