Last modified: 06/05/20
PLEASE READ THIS DOCUMENT CAREFULLY.
In addition to covering how we collect, use, disclose, transfer, and store your information, this policy also discloses our purpose and lawful basis for processing your information, and your related rights. Our legal basis for collecting and using personal information will depend on the personal information concerned and the specific context in which we collect it. In most cases, the lawful basis will be that the processing: (i) is necessary for our legitimate interests in carrying out our business with you, including direct marketing, provided those interests are not outweighed by your rights and interests, or (ii) is necessary to perform a contract with you. Where processing is based on your consent, we will identify the processing purposes and provide you with relevant information to make the processing fair and transparent. If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
In this policy the following words have the following meanings:
“Data Protection Laws” means any Applicable Law relating to the processing, privacy, and use of Personal Data, including (a) in the United Kingdom, (i) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations (Revised UK DP Law); (b) in member states of the European Union, the Data Protection Directive or the GDPR, once applicable, and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and (c) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and where referred to in this policy includes special categories of Personal Data.
- Information we collect from you
Depending on the context in which you interact with us, ORock may collect or receive the following information:
- Account and Profile Information: This includes information you provide when you create an account, contact support, and may include name, username, email address, phone number, address, company name, state, or country.
- Service Information: When you use our Services, we receive information generated through the use of the Services, either entered by you or others who use the Services, or from the Services infrastructure itself. This information may include, but is not limited to, name, username, company/organization, company/organization address, email address, phone number, IP address, MAC address, latitude, longitude, device name(s), device ID(s), and directory ID or other information you place within the Services.
- Performance and Usage Data: We may collect statistical, usage, configuration, and performance data of the Services to monitor the performance, integrity, and stability of the Services. Further, we may use and disclose this information for any purpose, provided that such data is first de-identified.
- Information from Third Parties: We receive information from third party business partners such as the contact details of prospects and sales leads. In addition, we collect information from public databases or other data you may have made publicly available, such as information posted on professional networks and social media platforms.
The technologies we use for automatic data collection may include:
- Information we collect from children
The Children’s Online Privacy Protection Act of 1998 and its rules (collectively, “COPPA”) require us to inform parents and legal guardians (as used in this policy, “parents”) about our practices for collecting, using, and disclosing personal information from children under the age of 13 (“children”). COPPA and the GDPR also require us to obtain verifiable consent from a child’s parent for certain collection, use, and disclosure of the child’s personal information. Our Services are not intended to be used by children, and you should not provide us information from or about children. Accordingly, the information we collect from children is the same information we collect from individuals 13 years of age or older identified in Section 2 of this Policy. We also use and disclose information we collect from children in the same manner that we use and disclose information about individuals 13 years of age or older. At any time, you or the parents may review the child’s personal information maintained by us, require us to correct or delete the personal information, and/or refuse to permit us to further collect or use the child’s information by logging into the child’s account or contacting us as indicated in the Contact section of this Policy.
- Use of collected information.
- We will only use your Personal Data to the extent the law allows us to do so. Under the GDPR we rely on the following legal bases for processing your Personal Data:
- where you have given us your consent;
- where it is necessary to perform a contract we have entered into or are about to enter into with you or a party utilizing our Services; and
- where it is necessary for the purposes of our legitimate interests (or those of a third party) and your interests or fundamental rights and freedoms do not override those interests.
- We use information held about you in the following ways:
- to perform Services for you;
- processing of an enquiry received from you; and
- processing a request for further information or in response to you expressing an interest in one or more of our products or services.
- We will use information you give to us:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about other services we offer that are similar to those that you have already purchased or enquired about;
- to provide you with information about services related to your enquiry;
- to notify you about changes to the Services; and
- to ensure that content from our site is presented in the most effective manner for you and for your computer.
- We will use information we collect about you:
- to perform Services for you;
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer; and
- as part of our efforts to keep our site safe and secure.
- We may combine information we receive from other sources with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).
- Disclosure of your information
- You agree that we have the right to share your Personal Data with:
- Selected third parties including business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you; and
- Analytics and search engine providers that assist us in the improvement and optimization of our site.
- We will not disclose your personal information to third parties except:
- In the event that we sell or buy any business or assets, in which case we will disclose your Personal Data to the prospective seller or buyer of such business or assets.
- If ORock or substantially all of its assets are acquired by a third party, in which case Personal Data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce other agreements; or to protect the rights, property, or safety of ORock, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- Location of Personal Data
- Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
- Retention of Personal Data
- We will only retain your Personal Data for as long as necessary to fulfil the purposes for which we collected your Personal Data.
- To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of that Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
- Your rights under GDPR. Under certain circumstances, you have the right to:
- Request access to your Personal Data (commonly known as a “subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
- Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data in certain circumstances.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your Personal Data to another party.
- If you want to review, verify, correct or request erasure of your Personal Data, object to the processing of your Personal Data, or request that we transfer a copy of your Personal Data to another party, please contact us as indicated in the Contact section of this Policy.
- Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.
- To exercise any of the above rights, you can contact ORock using the information in Section 13 below. You may also have the right to make a GDPR complaint to the relevant Supervisory Authority. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
- Privacy Shield Frameworks for individuals in the EU, United Kingdom, and Switzerland
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, ORock is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
- Pursuant to the Privacy Shield Frameworks, EU, United Kingdom, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You also may correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to email@example.com. If requested to remove data, we will respond within a reasonable timeframe.
- We will provide an individual opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
- ORock’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, ORock remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless ORock proves that it is not responsible for the event giving rise to the damage.
- ORock commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
- In compliance with the Privacy Shield Principles, ORock commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union, United Kingdom, and Swiss individuals with Privacy Shield inquiries or complaints should first contact us by email at email@example.com, or using the mailing address listed below.
- ORock has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.
- Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
- Individuals Outside the EU, United Kingdom, and Switzerland
- Agreement to Arbitrate
- Class Action Waiver
ARBITRATION MUST BE ON AN INDIVIDUAL BASIS. THIS MEANS NEITHER YOU NOR OROCK MAY JOIN OR CONSOLIDATE CLAIMS IN ARBITRATION BY OR AGAINST OTHER INTERESTED PARTIES, OR LITIGATE IN COURT OR ARBITRATE ANY CLAIMS AS A REPRESENTATIVE OR MEMBER OF A CLASS OR IN A PRIVATE ATTORNEY GENERAL CAPACITY.
- Governing Law and Rules for Arbitration.
The Arbitration Agreement is governed by the Federal Arbitration Act (FAA). Arbitration must proceed only with the American Arbitration Association (AAA) or Judicial Arbitration and Mediation Services (JAMS). The rules for the arbitration will be the procedures of the chosen arbitration organization. If the organization’s procedures change after the claim is filed, the procedures in effect when the claim was filed will apply. Arbitration hearings will take place in Minnesota. A single arbitrator will be appointed. The arbitrator must:
- Follow all applicable substantive law, except when contradicted by the FAA;
- Follow applicable statutes of limitations;
- Honor valid claims of privilege; and
- Issue a written decision including the reasons for the award.
The arbitrator’s decision will be final and binding except for any review allowed by the FAA. However, if more than $100,000 was genuinely in dispute, then either you or ORock may choose to appeal to a new panel of three arbitrators. The appellate panel is completely free to accept or reject the entire original award or any part of it. The appeal must be filed with the arbitration organization not later than 30 days after the original award issues. The appealing party pays all appellate costs unless the appellate panel determines otherwise as part of its award. Any arbitration award may be enforced (such as through a judgment) in any court with jurisdiction.
ORock Technologies Inc.
Attn: Chief Privacy Officer
11921 Freedom Drive, Suite 800
Reston, VA 20190
Effective date: May 7, 2020