I. INTRODUCTION: WHO WE ARE AND WHY WE COLLECT YOUR INFORMATION
Roster, LLC (“Roster,” “we,” “us,” “our”) assists businesses in conducting personnel related activities, including executive performance reviews. Your participation in that process and in Roster’s application means that you and others will be providing to us, and we will be collecting and processing, personal information about you and others, potentially including sensitive and special categories of personal information about you and others.
(1) personally identifiable information (“PII”) protected by data security and breach notification laws in the United States (“PII Laws”),
(2) protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”), if and to the extent we handle PHI as a business associate of a covered entity under HIPAA;
(3) information protected by the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and California Online Privacy Protection Act (“CalOPPA”), if and to the extent those laws apply to information that we collect and process,
(4) information protected by the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), if and to the extent that law applies to information that we collect and process;
(5) information protected by the European Union General Data Protection Regulation (“GDPR”), Canadian Personal Information Protection and Electronic Documents Act, and Canadian Provincial corollaries of that Act (collectively, “PIPEDA”), Brazilian General Data Protection Law (“LGPD”), the People’s Republic of China Cybersecurity Law (“PRC Cybersecurity Law”), the Singaporean Personal Data Protection Act of 2012 (“Singaporean Act”), and the Australian Privacy Act 1988 and the Australian Privacy Principles (collectively, “Privacy Act/APPs”), if and to the extent those laws apply to information that we collect and process. The PII Laws, HIPAA, CCPA, CPRA, CalOPPA, SHIELD Act, GDPR, PIPEDA, LGPD, PRC Cybersecurity Law, Singaporean Act, and Privacy Act/APPs are referred to, collectively, as the “Privacy Laws.” All information protected by the Privacy Laws is referred to, collectively, as “Personal Information.” This policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or otherwise control.
III. WHAT INFORMATION DOES ROSTER COLLECT?
A. INFORMATION YOU PROVIDE TO US
Because our service is related to personnel activities, you and others will be providing information that may include, but is not necessarily limited to, the following: name, address, email, personal characteristics and traits, interpersonal capabilities and interactions, job title and duties, management duties and structure, job and management performance, compensation amounts and structure of compensation, disciplinary matters, health information, and any other information related to personnel matters.
We may collect and process Personal Information from and about you when you visit our application, register for or subscribe to any service, communicate with us, and otherwise interact with the application, service, or us. For example, when you register for our service, we may collect your name, phone number, user name or e-mail address in combination with a password or security question to access the service. You can choose not to provide us with certain information, although that may affect the functionality of the service.
B. INFORMATION COLLECTED AUTOMATICALLY
C. E-MAIL AND OTHER COMMUNICATIONS
We may communicate with you by email or other means. When we do this, in addition to the information contained in the email, we may collect a confirmation when you open an email. This confirmation helps us improve our service. If you do not want to receive email or other mail from us, please indicate your preference by visiting our email preference page. Please note that, if you do not want to receive legal notices from us, those legal notices will still govern your use of the applications, and you are responsible for reviewing such legal notices for changes.
D. INFORMATION OBTAINED FROM THIRD PARTIES
Roster may obtain from third parties Personal Information about users who provide their email address or register for the services, using the Personal Information those users provide as the basis to obtain further Personal Information. This information may include names, titles, companies, firmographic information, addresses, email addresses, personal characteristics and traits, interpersonal capabilities and interactions, job title and duties, management duties and structure, job and management performance, compensation amounts and structure of compensation, disciplinary matters, and any other information related to personnel matters.
E. SPECIAL CATEGORIES OF PERSONAL INFORMATION:
F. PERSONAL INFORMATION ROSTER HAS COLLECTED IN THE LAST 12 MONTHS:
IV. WHAT DOES ROSTER DO WITH PERSONAL INFORMATION?
We may use Personal Information to perform any of the following tasks or operations:
(1) fulfill our contractual or other business agreements or arrangements with respect to personnel related activities, including executive performance reviews;
(2) share Personal Information with Customers and other third parties, as described in this Section and in Section V below;
(3) personalize and improve our service, administer and improve our application, allow our users to set up a user account, profile, and password to access the application, contact users, fulfill requests for certain products and services, analyze how users utilize the application;
(4) IP addresses to infer your geographic location; operate, maintain, develop, and grow Roster; and
If and to the extent we collect and process IP addresses, geographic location, browser information, device information, information related to the use of the application and service, we may also use such information in two ways. First, we may use such information in aggregate form, and not in a manner that would identify you personally. For example, this aggregate information tells us how often users use parts of our application, so that we can make it appealing to as many users as possible. Second, we may provide this aggregate information to our partners; and our partners may use such information to understand how often and in what ways people use our application, so that they, too, can provide you with an optimal experience.
V. WILL ROSTER SHARE ANY OF THE PERSONAL INFORMATION IT COLLECTS?
We share Personal Information with third parties as described below.
A. AGENTS AND SERVICE PROVIDERS
We employ other companies and people to perform tasks on our behalf and may need to share Personal Information with them to provide products and services to you. Unless we tell you differently, our agents and service providers do not have any right to use the Personal Information we share with them beyond what is necessary to assist us.
B. BUSINESS TRANSFERS
We may choose to buy or sell assets. In these types of transactions, Personal Information is typically one of the business assets that is transferred. Also, if we (or all of our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information would be one of the assets transferred or acquired.
C. PROTECTION OF ROSTER AND OTHERS
We reserve the right to process any information that we reasonably believe necessary to comply with law or court order, enforce or apply our conditions of use and other agreements, or protect the rights, property, or safety of Roster, our employees, our users, or others, including exchanging information with other organizations for fraud protection.
D. WITH YOUR CONSENT
Except as set forth above, you will be notified when your Personal Information may be shared with third parties, and will be able to prevent the sharing of this information.
VI. PERSONAL INFORMATION ROSTER HAS SOLD IN THE LAST 12 MONTHS:
VII. WHAT IS ROSTER’S LEGAL BASIS FOR COLLECTING AND USING PERSONAL INFORMATION?
Roster collects and processes Personal Information for the following purposes:
(2) to pursue Roster’s legitimate business interests in providing services and maintaining the application, and
(3) to perform a service to which you or your employer are a party. Any one or more of the foregoing are the legal basis for Roster’s collection and processing of Personal Information. For further information about the specific bases permitting Roster to collect and use Personal Information, please contact Roster at email@example.com or as follows:
Attention: Data Protection Office
127 Water Street
Exeter, NH 03833
VIII. HOW LONG DOES ROSTER RETAIN PERSONAL INFORMATION?
Except upon the request of an individual, as explained in Section IX below, and except as the law permits and requires, Roster will determine the retention period for Personal Information based on the following criteria:
A. The nature of our relationship with the relevant Customer;
B. The existence of other ongoing or expected projects with the relevant Customer;
C. The nature of the Personal Information in question; and
D. Our business needs.
IX. WHAT ARE USERS’ RIGHTS TO CONTROL THEIR PERSONAL INFORMATION?
Except where otherwise restricted or addressed by Privacy Laws, you have the following rights regarding Roster’s collection and processing of your Personal Information.
A. REQUESTS TO ROSTER
You may request the following from Roster with respect to your Personal Information:
1. Correction, updating, deletion, or restriction of collection and processing of your Personal Information;
2. A description of the categories of your Personal Information that Roster collects or processes;
3. A description of the categories of sources from which Roster collects or processes your Personal Information;
4. The expected period for which Roster will store your Personal Information;
5. The purpose for which Roster collects and processes your Personal Information;
6. A description of how Roster collects and processes your Personal Information;
7. A copy of your Personal Information retained by Roster, to be delivered in a structured, commonly used and machine readable format to review or to transfer or transmit to another entity without hindrance, to the extent that that is technically feasible;
8. Categories of third parties with whom Roster shares your Personal Information, and a list of third parties with whom Roster has shared your Personal Information;
9. Categories of your Personal Information that we have shared with third parties, including customers, and the categories of third parties to which we have shared each particular category of Personal Information;
10. The specific Personal Information Roster has collected or processed about you.
If you request that your Personal Information be erased or deleted or that Roster otherwise restrict its collection and processing of Personal Information, Roster may terminate or limit your access to the application and service. If Roster has not collected or processed your Personal Information, or has not shared your Personal Information with another party, Roster will inform you of that in response to any of the above requests. Some information may remain in Roster’s backup media after erasure or deletion for a period of time. When you request that Roster update information, Roster may retain a copy of the unrevised information in Roster’s records. Roster also may use any anonymized aggregated statistical data derived from or incorporating Personal Information after it is updated, erased, or deleted, but not in a manner that would identify you.
We will confirm receipt of all such requests and provide information about how Roster will process the request within 30 days of receipt, and substantively respond to all such requests within 60 days, unless a shorter period is required by the Privacy Laws. Those periods may be subject to lawful extension, and there may be a delay in processing a request while we verify that the request is valid and originates from you as opposed to an unauthorized third party.
Our verification process varies based on the source and nature of the request, but may include: comparing data in the request against Personal Information we retain; contacting you using other contact information; requesting further information, although we will avoid doing so to the extent possible; and the consideration of certain factors, including the type, sensitivity, and value of your Personal Information, the risk of harm to you posed by an unauthorized request, the likelihood that fraudulent or malicious actors would seek your Personal Information, the manner in which we interact with you, the available technology, and whether the information you have provided to verify your identity is sufficiently robust to protect against fraudulent requests. To the extent permitted by the Privacy Laws, Roster retains the right to deny any request if we cannot verify that it originated from you. Roster retains records of all of the above requests and our responses for 24 months, unless otherwise prohibited by the Privacy Laws.
B. MAKING FOREGOING REQUESTS
The foregoing requests may be made by
(1) email: firstname.lastname@example.org, or
(2) contact us at 127 Water Street, Exeter, NH 03833.
C. AUTHORIZED AGENT
You may authorize an agent to take any of the acts permitted in this Section IX on your behalf. To do so, you must provide written and signed authority to the agent, and written and signed notice to Roster that Roster may act on such requests by that agent.
D. WITHDRAWAL OF CONSENT
You may withdraw your consent for Roster to collect or process your Personal Information in any of the following manners: (1) contact us at email@example.com; or (2) contact us at 127 Water Street, Exeter, NH 03833. Please be aware that such withdrawal does not affect the lawfulness of Roster’s collection or processing of your Personal Information before such withdrawal. We reserve the right to terminate or limit your access to the applications and services in the event that you withdraw your consent.
E. “DO NOT SELL MY PERSONAL INFORMATION”
Other than providing Personal Information to Customers as described in Section IV.A above, Roster does not “sell” Personal Information, as that term is defined by the CCPA and CPRA. You may opt out of Roster’s disclosure of your Personal Information to Customers in any of the following manners:
(1) contact us at firstname.lastname@example.org; or
(2) contact us at 127 Water Street, Exeter, NH 03833.
We will act upon any request to opt out of the selling of your Personal Information within 15 days of receiving your request. We will notify all Customers to whom we have disclosed your Personal Information of your request within 90 days of receiving your request, and will inform you when we have done so. If you exercise your right to opt out of the disclosure of your Personal Information to Customers, Roster will cease disclosing your Personal Information to Customers as of the date Roster receives notice in a manner provided above. Roster will not contact you about opting in to disclosing your Personal Information for at least 12 months following the date that it receives your notice.
F. OBJECT OR CHALLENGE
You may object to, or otherwise challenge, Roster’s collection and processing of your Personal Information in any of the following manners:
(1) contact us at email@example.com; or
(2) contact us at 127 Water Street, Exeter, NH 03833.
Roster will respond within 30 days. Where such objection is received from an individual whose Personal Information Roster collects and processes as the “processor” for a “controller,” as those terms are defined in the GDPR, Roster will inform the controller of the objection within 30 days.
G. FILING A COMPLAINT
Regulatory authorities that oversee the Privacy Laws typically advise individuals to file an objection or challenge with the company before lodging a formal complaint with a regulatory authority. If an individual is dissatisfied with Roster’s response to an objection or challenge filed under Section IX.F, or wishes to file a complaint with a regulatory authority first, the individual may do so, including as follows:
PIPEDA: Office of the Privacy Commissioner of Canada
GDPR: Supervisory authority in the relevant European Union member state
CCPA and CPRA: California Attorney General
PII Laws: Relevant state Attorney General
H. PROHIBIT AUTOMATED PROCESSING
Roster does not use any automated decision making or profiling at this time. If and to the extent we do so in the future, at your request, Roster will terminate any automated decision making, including profiling, that is the sole source of decisions that produce a legal effect concerning or similarly significantly affecting you.
I. ACCESSIBILITY FOR USERS WITH DISABILITIES
(1) email us at firstname.lastname@example.org, or
(2) mail to 127 Water Street, Exeter, NH 03833.
J. NON-DISCRIMINATION
Roster will not discriminate against you because you have exercised any of the rights above or any other rights you retain pursuant to Privacy Laws, including, but not limited to, by:
1. Not denying goods or services to you;
2. Not charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
3. Not providing a different level or quality of goods or services to you; and
4. Not suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
Consistent with Privacy Laws, Roster:
(a) retains the right to charge you a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to Roster by your Personal Information;
(b) may offer financial incentives, including payments to you as compensation, for the collection, disclosure, or deletion of your Personal Information;
(c) may enter you into a financial incentive program only if Roster clearly describes the material terms of the financial incentive program, so long as you give Roster prior opt-in consent, which you may revoke at any time; and
(d) shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
X. IS PERSONAL INFORMATION ABOUT ME SECURE?
We employ appropriate administrative, organizational, technical, and physical measures designed to protect the confidentiality, integrity, and availability of your Personal Information, which we regularly review and update as necessary.
XI. CHILDREN’S PRIVACY
We do not knowingly collect or solicit, and expressly instruct you not to provide, any Personal Information from anyone under the age of 16. If and to the extent we learn that we have collected Personal Information from a child under age 16 without verified parental consent, we will delete that information, except as provided below. If you believe that we might have any information from or about a child under age 16 without verified parental consent, please contact us immediately at email@example.com or 127 Water Street, Exeter, NH 03833.
XII. CONTRACTUAL OR STATUTORY REQUIREMENT
XIII. FAILURE TO PROVIDE PERSONAL INFORMATION
You can always opt not to disclose information to us. Please keep in mind, some information may be needed to register with us or to take advantage of some or most of our features.
XIV. AUTOMATED DECISION MAKING
Roster does not currently rely on automated decision making, including profiling, and will not subject you to decisions based solely on automated processing which will produce legal effects concerning you or similarly significantly affecting you.
XVI. QUESTIONS OR CONCERNS; CONTACT INFORMATION
If you have any questions or concerns regarding our privacy policies, please contact us at firstname.lastname@example.org or 127 Water Street, Exeter, NH 03833.
Effective Date: February 1, 2021