Where applicable, a separate agreement may govern the delivery, access, and use of the Platform, Services and Mobile Apps (the “Client Agreement”), including the processing of Personal Information and data submitted through employer-based accounts (“Clients”). The Client that entered into the Client Agreement with DarwinApps may authorize Us to collect, process, and store your personal information and associated Client data. If you have any questions about specific Platform settings or what information DarwinApps has been authorized by Client to process on your behalf, you may contact DarwinApps at the contact information in this notice or your Client administrator for the Platform you use.
We generally collect and process the following types of Personal Information:
Information You Provide Us:
We require all third parties to respect the security of your Personal Information and to treat it in accordance with applicable laws. We do not allow third party service providers and Sub-Processors to use your Personal Information for their own purposes and only permit them to process your Personal Information for specified purposes in accordance with Our instructions or the provision of services on DarwinApps’s behalf.
We will retain your Personal Information and the Personal Information We process on behalf of Our Clients for as long as your account is active or as needed to provide Services to Our Clients in accordance with DarwinApps data retention policies, and as necessary to comply with Our legal obligations, resolve disputes, and enforce Our agreements. You may request removal of your Personal Information at any time by contacting firstname.lastname@example.org.
The security of your Personal Information and Our Clients’ information is important to Us. We put in place appropriate technical and organizational measures to ensure your Personal Information is kept secure and protected from unauthorized access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations. When you enter sensitive information (such as login credentials), We encrypt the transmission of that information using Transport Layer Security (TLS). We follow generally accepted standards to protect the Personal Information submitted to Us, both during transmission and once We receive it. When We share your Personal Information with Sub-Processors or other third-party service providers, We base our selection on said parties having adequate safeguards in place that meet Our data protection standards. We audit their compliance with such standards and incorporate contractual provisions ensuring compliance with (i) such standards and (ii) applicable data privacy laws and regulations.
If you have any questions about security on Our Site, you can contact Us at email@example.com.
All personal data must be handled in accordance with the requirements of the Data Protection Legislation, the Company’s Data Protection Policy, and other related policies.
All emails containing personal data must be encrypted with the Advanced Encryption Standard.
All emails containing personal data must be marked “confidential”.
Transmission of personal data over unsecured networks is not permitted in any circumstances.
Personal data may be transmitted over secure networks only; it may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable.
Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted using pairwise deletion.
Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient.
All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.
All electronic copies of personal data should be stored securely using passwords and Triple Data Encryption Standard (TripleDES).
All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar.
All personal data stored electronically should be backed up daily with backups stored onsite. All backups should be encrypted using Triple Data Encryption Standard (TripleDES).
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise, without the formal written approval of the CTO and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary.
No personal data should be transferred to any computer or device personally belonging to an employee, agent, contractor, or other party working on behalf of the Company and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Data Protection Legislation (which may include demonstrating to the Company that all suitable technical and organizational measures have been taken).
No personal data may be shared informally and if an employee, agent, contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from the CTO.
No personal data may be shared with or transferred to any employee, agent, contractor, or other party, whether such parties are working on behalf of the Company or not, without the authorization of the CTO and only then if the sharing or transfer is secure, lawful, and fair. Personal data shared with third parties must be covered by a suitable written agreement to ensure compliance with the Data Protection Legislation.
Personal data must be handled with care at all times and should not be left unattended or on view to unauthorized employees, agents, contractors, or other parties at any time.
If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of the CTO to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. [All software used by the Company is designed to require such passwords.]
Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
Under no circumstances should any passwords relating to Company systems and/or personal data be saved on any computer or device [that is not Company-owned]. This includes saving passwords in internet browsers and in third-party password manager applications.
Under no circumstances should any computer or device used for accessing or handling personal data be used without the correct security functions enabled including, as appropriate, passwords, PIN codes, biometric security (e.g. fingerprint), and any additional security software provided by the Company.
All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates not more than 1 day after the updates are made available by the publisher or manufacturer, unless there are valid technical reasons not to do so.
No software may be installed on any Company-owned computer or device without the prior approval of the CTO. [Notwithstanding the above in 6.25, only the Company’s IT staff shall be permitted to install software updates. Users who are not part of the IT staff or do not have the authorization of the IT staff shall not install software updates themselves. Automatic updates (as enabled by the IT staff) are permitted.]
If any computer or device used to access or store personal data, whether personal or Company-owned, is lost or stolen, the loss or theft must be reported to the CTO as soon as possible, and all assistance required provided with any investigation.
All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the Data Protection Legislation and under all applicable Company policies, including (but not limited to) this Policy and the Data Protection Policy.
Only employees, agents, contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company.
All sharing of personal data shall comply with the information provided to the relevant data subjects and, if required, the consent of such data subjects shall be obtained prior to the sharing of their personal data.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised.
Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed.
All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.
The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed.
All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Data Protection Legislation and this Policy by contract.
All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Data Protection Legislation.
Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Certain European Union residents have additional privacy rights as provided in the GDPR. For such residents, DarwinApps will collect, process, and store your personal information strictly in accordance with the GDPR. The GDPR further governs the transfer of subject personal information from certain European Area countries outside of the European Union. DarwinApps is based in the U.S., the Site and Platform servers are hosted in the U.S., and many of DarwinApps’s suppliers and Sub-Processors are also based in the U.S. or otherwise outside of the European Union. In providing your Personal Information to DarwinApps, your Personal Information will be sent to the U.S. (or otherwise outside of the European Union). In such cases, DarwinApps will transfer such data in accordance with the GDPR and the following transfer mechanisms:
DarwinApps participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view Our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov.
DarwinApps is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. DarwinApps complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, DarwinApps is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that We have not addressed satisfactorily, please contact Our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield Website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain European Union members additional rights over Our use of your Personal Information. DarwinApps respects your control over your information and, in the event that you have provided Personal Information to Us in your use of the Site, We will provide you with information about whether We hold any of your Personal Information as We detail below. You may access, correct, or request deletion of your Personal Information by contacting Us at firstname.lastname@example.org. We will respond to your request within a reasonable timeframe.
As a preliminary matter, when acting as a service provider of Our Clients, DarwinApps may have no direct relationship with the individuals whose Personal Information is provided to DarwinApps through the Platform and Services. An individual who is or was employed by one of Our Clients and who seeks access to, or who seeks to correct, amend, object to the processing or profiling of, or to delete their Personal Information in the Platform, should direct the query to their employer’s HR department if they cannot make the appropriate changes via their access to the Platform provided by the Client.
If located in the European Economic Area (“EEA”), you have the following rights regarding your Personal Information We control:
We will decline your request for deletion if processing of your Personal Information is necessary: (i) for Us to comply with Our legal obligations; (ii) for the establishment, exercise or defense of legal claims; or (iii) for the performance of a task in the public interest.
We may continue to store your Personal Information to the extent required to ensure that your request to restrict processing is respected in the future.
Usually, We will not charge you any fees in connection with the exercise of your rights. If your request is manifestly unfounded or excessive, for example, because of its repetitive character, We may charge a reasonable fee, taking into account the administrative costs of dealing with your request. If We refuse your request We will notify you of the relevant reasons.
In so far as practicable, We will notify Our Clients and third parties to whom We have disclosed your Personal Information of any correction, deletion, and/or restriction to the processing of your Personal Information. Please note that We cannot guarantee Our Clients or other third parties will comply with your requests and We encourage you to contact them directly.
Please note that if you decide to exercise some of your rights, We may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of the Site, Platform, and Services.
If you are not satisfied with Our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against Us in any court of competent jurisdiction.
VeraSafe has been appointed as Our representative in the European Union for data protection matters relating to Personal Information of persons located in the EU, pursuant to Article 27 of the General Data Protection Regulation of the European Union. VeraSafe can be contacted only on matters related to the processing of Personal Information of persons located in the EU. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
You may choose to opt in to receive occasional email and other communications from Us, such as communications relating to promotions. You may opt out of receiving such communications at any time by using the “Unsubscribe” link found in such emails, or by emailing Us at email@example.com. In the context of Us providing you marketing, We may analyze your preferences to make sure the information We provide you is relevant.
California residents have certain privacy rights as specified under California law, including the California Consumer Privacy Act of 2018 (“CCPA”). If you are a resident of California, you have the right to know what personal information has been collected about you, and to access that information. You have the right to request deletion of your personal information, though exceptions under the CCPA may allow DarwinApps to retain and use certain personal information notwithstanding your deletion request.
DarwinApps collects various categories of personal information when you or your employer use the DarwinApps Platform or Services, including location information, log data, tracking information, and personal information related to your employment. A more detailed description of the information DarwinApps collects and how we use it is provided above in the sections entitled: Information We Collect and Receive About You and How We Use It, Other Information, and How, and With Whom, Your Information Is Shared.
In addition to Our collection of your Personal Information, DarwinApps may engage certain third parties to perform a function or provide services to you on behalf of DarwinApps including hosting and maintenance, error monitoring, debugging, performance monitoring, billing, customer and account relationship management, database storage and management, and direct marketing campaigns. DarwinApps may share your Personal Information with these third parties, but only to the extent necessary to perform these functions and provide such services. DarwinApps requires these third parties to maintain the privacy and security of the Personal Information they process on our behalf.
DarwinApps does not sell your Personal Information when you use the DarwinApps Platform or when you use a DarwinApps Service and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law. DarwinApps does not offer financial incentives associated with the collection, use, or disclosure of your personal information.
DarwinApps will not discriminate against you for exercising any of your CCPA rights. To this end, unless permitted by the CCPA, DarwinApps will not:
To exercise your rights under the CCPA, please submit a verifiable consumer request to DarwinApps by either calling DarwinApps at 1-855-626-3591 or by emailing us at firstname.lastname@example.org. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may only make a verifiable consumer request for access to your data twice within a twelve (12) month period. Your verifiable consumer request must:
In certain cases, DarwinApps collects and processes personal information on you at the contractual obligation of your employer. In order to respond to a verified request, DarwinApps may be required to provide notice to your employer of your request, and to follow your employer’s instructions as they relate to carrying out your request. DarwinApps cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm that the personal information relates to you. Making a verifiable request does not require you to create an account, but we may ask you to verify your request by logging into your account if you have one. We will only use personal information provided by a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Effective Date: January 1, 2020.