Privacy Policy
Last updated: February 20, 2024
This Privacy Policy (the “Policy”) describes our policies regarding the collection, use, and disclosure of Personal Data when you use the website operated by HaystackID at https://www.haystackID.com (the “Services”). This Policy describes how we collect, use, and disclose such Personal Data. It also describes your rights and choices with respect to your Personal Data, and how you can contact us if you have any questions or concerns.
This Privacy Policy applies to the processing of Personal Data, subject to applicable privacy and data protection laws generally, including those of Switzerland, the United Kingdom, the European Union and the European Economic Area (collectively, “Europe”), by HaystackID, its subsidiaries and affiliates (“Company”, “we”, “our”, or “us”). For a description of how we collect, use and disclose Personal Data subject to US privacy laws, see our detailed US Privacy Notice at https://haystackid.com/privacy-us/.
1. Personal Data We Collect
In this Policy, “Personal Data” means any information relating to an identified or identifiable individual. We may collect Personal Data about you from various sources described below.
Information Provided by You
- Communications. When you contact us via a contact form, email, or other means, you provide us with Personal Data, such as your name and contact details, and the content, date, and time of our communications.
- Careers. If you apply for a job with us, you may provide us with your resume, name, contact details, and any other relevant information. If you become an employee, we collect additional information, such as your family information, beneficiary selections, banking information, and other relevant information for employment, payroll, and benefit purposes, and we may collect certain sensitive Personal Data such as trade union membership data or biometric data for identity verification.
- Account Creation. If you create an account with us, using an online review platform or other means, you may provide us with your name, contact details, and other relevant information.
- Support Information. When you request technical support services, we will process your Personal Data such as your name and the contact details you use to contact us, as well as information on the reasons for your support request, and any additional information you may provide in that context.
Where applicable, we may indicate whether and why you must provide us with your Personal Data as well as the consequences of failing to do so.
Our Services are not intended for use by children under the age of 16, and we do not knowingly collect personally identifiable information from anyone under the age of 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
Information Collected from Other Sources
- Third Parties. We may obtain Personal Data about you from third parties such as event organizers, industry organizations and other entities. This information may include name, email, phone number, location and other similar information.
Information We Collect by Automated Means
- Social media. We may collect Personal Data via social media tools, widgets, or plug-ins to connect you to your social media accounts. These features may allow you to sign in through your social media account, share a link, or post directly to your social media account. When you visit a website that contains such tools or plugins, the social media or other service provider may learn of your visit. Your interactions with these tools are governed by the privacy policies of the corresponding social media platforms.
- Cookies. We may collect Personal Data via cookies and similar technologies (see section 3 of this Policy for more information).
2. How We Use Personal Data
We use the Personal Data we collect for the following purposes:
- Providing Services, including to operate, maintain, support, and provide our Services.
- Communicating with You, including to contact you for administrative purposes (e.g., to provide services and information that you request or to respond to comments and questions) or to send you marketing communications, including updates on promotions and events, relating to products and services offered by us.
- Personalization, including to customize our Services to you and provide you with the most relevant marketing and advertising materials.
- Analytics and Product Development, including to analyze usage trends and preferences in order to improve our Services, and to develop new products, services, and features. Specifically, we may use Google Analytics to monitor and analyze the use of our Services. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Services. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. You can opt out of having your activity on the Service made available to Google Analytics by installing a Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about page-visit activity. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://www.google.com/intl/en/policies/privacy/
- Customer and Vendor Relationship Management, including to track emails, phone calls, and other actions you have taken as our customer or vendor.
- Aggregation. We may aggregate or anonymize Personal Data and use the resulting information for statistical analysis or other purposes.
- Administrative and Legal, such as to address administrative issues or to defend our legal rights and to comply with our legal obligations and internal policies as permitted by law.
3. Legal Bases for the Processing of Personal Data
We rely on various legal bases to process your Personal Data, including:
- Consent. You may have consented to the use of your Personal Data, for example to send you electronic marketing communications or for the use of certain cookies.
- Contract. We need your Personal Data to provide you with our Services and to respond to your inquiries.
- Legal. We may have a legal obligation to process your Personal Data when necessary to establish, exercise, or defend legal claims. We may also process your Personal Data when necessary to protect your or another individual’s vital interests.
- Legitimate Interest. We or a third party have a legitimate interest in using your Personal Data, for example to prevent fraud. We only rely on this legal basis when such legitimate interests are not overridden by your interests or your fundamental rights and freedoms.
4. Your Rights and Choices
As provided under applicable law and subject to any limitations in such law, you may have the following rights:
- Access and Portability. You may ask us to provide you with a copy of the Personal Data we maintain about you, including a machine-readable copy of the Personal Data that you have directly provided to us, and request certain information about its processing.
- Rectification. You may ask us to update and correct inaccuracies in your Personal Data.
- Deletion. You may ask to have your Personal Data anonymized or deleted, as appropriate.
- Restriction and Objection. You may ask us to restrict the processing of your Personal Data or object to such processing.
- Consent Withdrawal. You may withdraw any consent you previously provided to us regarding the processing of your Personal Data at any time and free of charge. We will apply your preferences going forward. This will not affect the lawfulness of the processing before you withdrew your consent.
- Complaint. You may lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where you believe an incident took place.
You may exercise these rights by contacting us by email at [email protected], by completing the form here, or by contacting us via mail at:
ATTN: Data Protection Officer
HaystackID
200 W. Jackson Blvd., Suite 250
Chicago, IL 60606
USA
In addition, you may contact our Data Protection Officer at [email protected] or +1 877.942.9782. Note that applicable laws contain certain exceptions and limitations to each of these rights.
5. International Data Transfers & Compliance with Data Privacy Frameworks
We may transfer your Personal Data outside of the country in which it was collected and where the level of protection of Personal Data may be different than in your country. Personal Data may be transferred to the United States of America, Switzerland, the United Kingdom, and countries in the European Economic Area (“EEA”). If we do so, we will comply with applicable data protection laws, in particular by relying on an EU Commission adequacy decision, on contractual protections for the transfer of your Personal Data, or on another approved derogation for a specific situation, such as your explicit consent. For more information about how we transfer Personal Data internationally, or to obtain a copy of the safeguards we use for such transfers, please contact us as specified below.
Personal information collected, stored, or used under this policy is maintained and transferred in accordance with the EU-U.S. Data Privacy Framework (DPF), the Swiss-U.S. DPF, and as applicable, the UK Extension to the EU-U.S. DPF. HaystackID treats all personal data received from the European Union, the United Kingdom (and Gibraltar), and/or Switzerland in accordance with DPF principles and in reliance on the relevant part(s) of the relevant DPF program.
HaystackID has certified its compliance with detailed privacy obligations under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. To learn more about the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, please visit https://www.dataprivacyframework.gov/s/. To view our certification, please visit https://www.dataprivacyframework.gov/list. Note that HaystackID’s subsidiaries, Business Intelligence Associates, Inc. and eTERA Consulting, are also covered under our certification.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF, EU, UK and Swiss individuals with inquiries or complaints regarding our compliance with the EU-U.S. Data Privacy Framework should first contact HaystackID by email at [email protected], or via mail at:
ATTN: Data Protection Officer
HaystackID
200 W. Jackson Blvd., Suite 250
Chicago, IL 60606
USA
In addition, you may contact our Data Protection Officer by telephone at +1 877.942.9782.
HaystackID, LLC has further committed to refer unresolved complaints under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services provided by JAMS are provided at no cost to you.
HaystackID, LLC, commits to cooperate with EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and to comply with the advice given by such authorities with regard to human resources data transferred from the EU, the UK and Switzerland in the context of the employment relationship.
HaystackID is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC). Under certain conditions, it is possible to invoke binding arbitration as a recourse mechanism if you believe your personal data has been misused or mishandled. HaystackID may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
6. Data Security and Data Retention
The security of your data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We use physical, managerial, and technical safeguards that are designed to improve the integrity and security of Personal Data that we collect, maintain, and otherwise process.
We take measures to delete or anonymize your Personal Data when it is no longer necessary for the purposes for which we process it, unless we are required by law to keep it for a longer period. When determining the retention period, we take into account various criteria, such as the type of products or services provided to you, the nature and length of our relationship with you, mandatory retention periods, and applicable statutes of limitations.
7. “Do Not Track” Signals
HaystackID does not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
8. Why & With Whom We Disclose Personal Data, Including to Third Parties
Our Services may contain features or links to websites and services provided by third parties. Any information you provide via these websites or services is provided directly to these third-party operators and is subject to their privacy policies, even if accessed through our Services. We encourage you to learn about these third parties’ policies before providing those third parties with your Personal Data.
HaystackID remains responsible and liable under the DPF Principles if third-party service providers process personal information in a manner inconsistent with the DPF Principles, unless HaystackID can prove that it is not responsible for the event giving rise to the damage.
In cases of onward transfers to third parties, HaystackID requires that third-party service providers provide the same level of protection for personal information as required by the DPF Principles. If HaystackID becomes aware that a third-party service provider is using or disclosing personal information in a manner contrary to this Privacy Policy or the DPF Principles, HaystackID will take reasonable steps to prevent or stop the use or disclosure and may potentially incur liability in cases of improper onward transfers to third parties.
HaystackID may transfer personal information to third-party service providers that perform services on our behalf. These service providers are only permitted to use the personal information for the purpose of providing the services to us and are required to maintain the confidentiality and security of the personal information.
We may disclose Personal Data about you in the following circumstances:
- Group Entities. We may disclose Personal Data about you to our affiliates and subsidiaries to assist in payment processing, customer service, marketing, providing services to you, communicating with you, customizing our services, analyzing usage trends to improve or develop new products or services, or to maintain our relationship with you.
- Public Posts. Any information that you voluntarily choose to post to a publicly accessible area of our Services will be available to anyone who has access to that content.
- Service Providers. We work with third parties to provide services such as hosting, maintenance, and support. These third parties may have access to or process your Personal Data as part of providing those services to us, to provide the services on our behalf, to perform related services or to assist us in analyzing how our Services are used.
- Legal. We may disclose your Personal Data if it is necessary (i) for compliance with our legal obligations or (ii) to establish, exercise, or defend legal claims.
- Merger. Information about our users, including Personal Data, may be disclosed and otherwise transferred to an acquirer, successor, or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
- Aggregated Information. We may use and disclose aggregated or otherwise anonymized information for any purpose, unless we are prohibited from doing so under applicable law.
9. Changes and Updates to this Policy
We may update this Policy from time to time to reflect changes in our privacy practices. We will follow applicable laws and regulations regarding notification of such changes.
10. Our Contact Information
HaystackID is the entity responsible for the processing of your Personal Data. If you have any questions or comments about this Policy, our privacy practices, or if you would like to exercise your rights with respect to your Personal Data, please contact us by email at [email protected], by completing the form here, or by contacting us via mail at:
ATTN: Data Protection Officer
HaystackID
200 W. Jackson Blvd., Suite 250
Chicago, IL 60606
USA
In addition, you may contact our Data Protection Officer at [email protected] or +1 877.942.9782.