Last Updated: February 25th, 2021
A separate agreement governs delivery, access and use of the Service (the “Client Agreement”), including the processing of any files or other content submitted through Service accounts (collectively, “Client Data”). The organization (e.g., your employer or another entity or person) that entered into the Client Agreement (“Client” or “Employer”) controls their instance of the Service (their “Client-Instance”) and any associated Client Data.
EPK collects information under the direction of its Clients and has no direct relationship with the individuals whose personal data it processes. If you are a customer or employee of one of our Clients and would no longer like to be contacted by one of our Clients that use our Service, please contact the Client that you interact with directly.
As EPK has no direct relationship with the individuals whose personal data it processes, an individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to EPK’s Client (the data controller). If you have any questions about specific Client-Instance settings and privacy practices, please contact the Client whose Client-Instance you use.
Information we Collect and Receive
EPK may collect and receive Client Data and other information and data (“Other Information”) in a variety of ways and in different capacities. For all personal information included in Client Data, we will be the responsible “data processor,” the party that carries out activities on behalf of the “data controller,” the party who controls the means and purposes of the processing of personal information. When we collect Other Information from you, we will be the data controller.
- Client Data. Clients or individuals granted access to a Client-Instance through a Client Agreement (“Authorized Users”) routinely submit Client Data to EPK when using the Service.
- Other Information. EPK also collects, generates and/or receives Other Information:
- Client-Instance and Account Information. To create or update a Client-Instance account, you or your Employer supply EPK with your name, email address, employee number, work location and/or similar account details.
- Usage Information.
- Service Metadata. When an Authorized User interacts with the Service, metadata is generated that provides additional context about the way Authorized Users work. For example, EPK logs activity audit records and usage statistics.
- Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Service and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Service, browser type and settings, the date and time the Service were used, information about browser configuration and plugins, language preferences and cookie data. For our Websites personal information collected include name, email address, phone number and information about the organization you work for
- Device information. EPK collects information about devices accessing the Service, including type of browser or device and what operating system is used.
- Location information. While using our Websites we receive information from you and other third-parties that helps us approximate your location. We may, for example, use an IP address received from your browser or device to determine approximate location.
- Additional Information Provided to EPK. We receive Other Information when submitted to our Websites or if you participate in a focus group, contest, activity or event, apply for a job, request support, interact with our social media accounts or otherwise communicate with EPK.
Generally, no one is under a statutory or contractual obligation to provide any Client Data or Other Information (collectively, “Information”). However, certain Information is collected automatically and, if some Information, such as Client-Instance setup details, is not provided, we may be unable to provide the Service.
How we Use Information
Client Data will be used by EPK in accordance with Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Service functionality, and as required by applicable law. In these respects, EPK is a data processor of Client Data and Client is the controller of that data. Client may, for example, use the Service to grant and remove access to a Client-Instance, assign roles and configure settings, access, modify, export, share and remove Client Data and otherwise apply its policies to the Service.
EPK uses Other Information it collects in furtherance of our legitimate interests in operating our Service, Websites, and business. More specifically, EPK uses Other Information:
- To provide, update, maintain and protect our Service, Websites and business. This includes use of Other Information to support delivery of the Service under a Client Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities or at an Authorized User’s request.
- As required by applicable law, legal process or regulation.
- To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.
- To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Service, our Service offerings and important Service-related notices, such as security and fraud notices. These communications are considered part of the Service and you may not opt out of them.
In addition, we may contact you about new product features, promotional communications or other news about EPK. We will only send you commercial messages if you agree to receive them. You can control this process and have the ability to opt-in to these messages or unsubscribe should you no longer wish to receive any commercial messages from us.
- We may de-identify and aggregate Other Information.
- To investigate and help prevent security issues and abuse.
If Information is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person (that is, no longer considered personal information), EPK may use it for any business purpose.
How we Share and Disclose Information
This section describes how EPK may share and disclose Information. Clients determine their own policies and practices for the sharing and disclosure of Information, and EPK does not control how they choose to share or disclose Information.
- Client’s Instructions. EPK will solely share and disclose Client Data in accordance with a Client’s instructions, including any applicable terms in the Client Agreement and Client’s use of Service functionality, and in compliance with applicable law and legal process.
- Client Access. Administrators, Authorized Users and other Client representatives and personnel may be able to access, modify or restrict access to Other Information. This may include, for example, your employer using Service features to export logs of Client-Instance activity or accessing or modifying your profile details.
- Third Party Service Providers and Partners. We may engage third party companies or individuals as service providers or business partners to process Other Information and support our business. These third parties may, for example, provide virtual computing and storage services. We will ensure that any third party processing your information on our behalf does so in compliance with this Policy and applicable law.
- Aggregated or De-identified Data. We may use aggregated or de-identified Other Information for any purpose. For example, we may share aggregated or de-identified Other Information with prospects or partners for business or research purposes, such as telling a prospective EPK customer the average amount of time spent within a typical Client-Instance.
- To Comply with Laws. If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
- With Consent. EPK may share Other Information with third parties when we have consent to do so.
EPK makes reasonable efforts to ensure that any Information you provide is maintained in a secure environment. Unfortunately, no data transmission over the Internet can be guaranteed to be 100% secure. While we strive to protect your Information, EPK cannot warrant the security of any Information you transmit to us or from our Service or Websites, and you do so at your own risk.
EPK has implemented and maintains reasonable and appropriate security measures, procedures and practices to protect against the loss and unauthorized access, use, modification, destruction or disclosure of your Information while it is in our custody or under our control. For example, we use TLS encryption, firewalls, anti-virus and system security monitoring.
We also limit access to your Information to those employees, contractors and agents who have a business need to know.
Data Residency and Global Access – Service
Data protection laws in certain jurisdictions differentiates between the data controller and data processor of information. In the case of the Service the Client is the data controller and EPK is the data processor.
Each Client has a data residency choice to make when the account is established. Currently they can select to have data stored in Canada, the US region or in the EU region (Ireland & Germany).
While the data will be stored as chosen by each Client based on the above, EPK personnel may access the data from other locations outside of the specified region. The data will continue to reside in the region selected by the Client.
Data Residency and Global Access – Websites
EPK processes and stores personal information and may use third party providers who may have server(s) based in Canada and the U.S.
Links to other sites
From time to time, EPK and/or Client may include links on the Service and Websites to third-party websites and applications. Please pay attention when you connect to these websites and read their terms and conditions of use and privacy policies carefully. We do not control or monitor such websites or their web content. This Privacy Statement does not apply to any third-party websites and we are not responsible for the content, privacy policies, or processing of your personal information while you are visiting any third-party websites.
Withdrawal of Consent
If you wish to withdraw (revoke) your consent for the collection, use or of your Information or Personal Information through the Website at any time, please contact us at firstname.lastname@example.org. Your withdrawal of consent is not retroactive, since EPK may already have used your information for the purposes described here; it will be applied on a go-forward basis.
If you wish to withdraw (revoke) your consent from the Service you will need to contact your Employer.
Notice to California Residents
Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To request a copy of this information or to opt out of these disclosures, please contact our Privacy Officer at email@example.com.
European Economic Area (EEA) Notice
Transfers of Personal Information
For Client Data, EPK is a data processor and responsible for your personal information, which EPK processes and stores in the region selected by the Client. Any personal data for which we are the data controller, including “Other Information,” will be processed by us and any third parties we engage in this respect. This includes transferring and otherwise processing data outside of the EEA, which will only be done in accordance with this Policy.
The European Commission has decided that Canada ensures an adequate level of protection of individuals’ personal information. EPK may use the following safeguards when transferring your personal information to a country, other than the Clients’ selected region, that is not within the EEA:
- Only transfer your personal data to countries that have been deemed by the European Commission to provide an adequate level of protection for personal information;
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in the EU.
Your Legal Rights
Under certain circumstances, you may have rights under the data protection laws in relation to your personal information, including:
The right to request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- The right to request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
- The right to request erasure of your personal information. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
- The right to object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information that override your rights and freedoms.
- The right to request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal information but we need to verify whether we have overriding legitimate grounds to use it.
- The right to request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- The right to withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of these rights, please contact our Privacy Officer.