Last modified on April 30, 2023.
Introduction
360ofme Inc. (“360ofme”,“we”or “us”) offers a Personal Data Exchange platform with services across Privacy & Data Governance, GRC & Security Assurance, Ethics & Compliance and ESG & Sustainability domains. This Privacy Notice (“Notice”) covers the Personal Information that 360ofme, its subsidiaries and affiliates located worldwide within the 360ofme family of companies (“Affiliates”) collect through 360ofme.com and other websites or applications that post a link to this Notice.
Please note that this Notice does not cover the handling of Personal Information when 360ofme or our Affiliates are processing Personal Information on behalf of our customers e.g., Personal Information submitted by individuals for processing through the platforms hosted by 360ofme or our Affiliates for the purposes of providing a service to our customers is not covered by this Notice. Our customers will typically act as Controllers for any Personal Information related to them or Personal Information that third parties upload to our applications in connection with the use of our services. 360ofme will typically act as a Processor in accordance with applicable Service and/or data processing agreements (“Agreement/s”). Further information, including specific obligations of the Controller and Processor, can be found in the Agreements.
This Notice informs you about how we collect, use, disclose, and store Personal Information in our role as a Controller of Personal Information when you:
- Interact or use our Websites, including when you download materials from our resources page, request a demo or ask us to contact you.
- Register and/or attend our events e.g. conferences, or webinars (“Event” or collectively “Events”).
- Provide your Personal Information for the purposes of administering our services and managing our relationship with you in any manner (collectively “Services”) e.g. setting up an account or collecting your Personal Information to process an invoice for accounting purposes.
Definitions
Personal information means information that (either in isolation or in combination with other information) enables you to be directly or indirectly identified (“Personal Information” or “Personal Data”)
Data controller or a Business (“Controller”) is a party that sets out the purposes and means of processing of Personal Information. Data processor or a Service Provider/Contractor/Third Party (“Processor” or “Third Party”) is a party that processes Personal Information on the Controller’s behalf.
Personal Information 360ofme collects
Personal Information you provide to us
From Websites or Events: We collect Personal Information that you choose to provide to us, for example, on our “Contact US “or “Sign Up” (or similar) online form, when you interact with a chat bot on one of our Websites, or if you register for any Events. If you contact us through the Website, we will keep a record of our correspondence.
From the Services: We receive and store the Personal Information you provide directly to us. For example, when setting up new account, we collect Personal Information, such as name, e-mail address, postal address, phone number, job title, etc. We may collect and store media, documents, or other information you provide to us. We collect commercial information, such as records of the purchased Services or information related to requests for demos.
Personal Information we automatically collect
When you use the Websites: When you visit our Websites, we collect Internet or other electronic network activity information through the use of cookies and other trackers. Depending on your tracking preferences, the information we collect may include for example your device’s Internet Protocol (“IP”) address, referring website, what pages your device visited, and the time that your device visited our Website. We also rely on analytics and tools used to prevent spam and other security risks related to the use of abusive automated software. Visit our Cookie Policy for more information on the types of cookies and other trackers we use on our Websites.
When you use the Services: Internet or other electronic network activity information is also collected when you use the Services:
- Usage information – we keep track of user activity in relation to the types of Services our customers and their users use, the configuration of their computers, and performance metrics related to their use of the Services.
- Log information – we log information about our customers and their users when they use one of our Services, including their IP addresses.
- Information collected by cookies and other tracking technologies – we use various technologies to collect information, including saving cookies to users’ computers.
- Customer feedback – While using the Services, you may be asked to provide feedback (e.g., in the software directly or after receiving help from our support team). Providing this feedback is entirely optional.
Information we collect from trusted third parties
If your Personal Information has been collected as (i) you interacted or used our Website, (ii) you registered and/or attended our Events, and/or (iii) part of the Services, your Personal information, as stored in our CRM service provider, may be enriched or updated to ensure it is accurate and up to date, and we achieve the purpose for which it was originally collected. Please note that we will also obtain non-personal information related to your organization’s name, structure, industry, and similar attributes through the use of third parties’ data sets, for the purpose of enriching or updating your Personal Information we already hold.
How and on what grounds do we use your Personal Information?
Personal Information we collect directly from you via our Websites or Events
We use the Personal Information we collect through our Websites:
- To administer our Websites, our Events, and for internal operations, including troubleshooting, data analysis, testing, statistical and survey purposes.
- To improve our Websites so the content is presented most effectively for you and your device.
- For trend monitoring.
- For purposes made clear to you at the time you submit your Personal Information, for example, to fulfill your “Contact Us” or “Sign Up”, to provide you with information you have requested about our Services, or to provide you with information on Services we think might be of interest to you.
- As part of our efforts to keep our Websites secure.
Read the Cookie Policy, if you’d like to know about the Personal Information we process in order to ensure network security, information security and to help us improve our business performance.
Personal Information we collect directly from you as part of the administration of our Services
We use the Personal Information we collect from our customers and their users in connection with the Services we provide for the following reasons:
- Set up a user account.
- Provide, operate and maintain the Services.
- Process and complete transactions, and send related information, including transaction confirmations and invoices.
- Manage our customers’ use of the Services, respond to inquiries and comments, and provide customer service and support.
- Send customers technical alerts, updates, security notifications, and administrative communications.
- Investigate and prevent fraudulent activities, unauthorized access to the Services, and other illegal activities. Undertake analysis of conversion rates, sales, system usage, and other analytics projects.
- For any other purposes about which we notify customers and users.
- Cookies: When 360ofme customers access their tenants hosted in the Cloud we use strictly necessary cookies and other trackers to provide authentication tools, enhance security, and prevent fraud. The 360ofme apps (“Apps”) are the sub-domains of our Websites. Therefore, the preferences signaled on our Websites (through the cookie banner and preference centre) will be reflected on the Apps. For example, if you choose to accept performance cookies on one of our Websites, these will be active in the Apps unless you modify your choices. For more information about our use of cookies and other trackers visit our Cookie Policy.
We use your Personal Information in this context based on the Agreement that we have in place with you or our legitimate interests, typically, either for security purposes or business practice improvement (e.g., the prevention and investigation of fraudulent activities).
How do we share and disclose Personal Information to third parties?
We share and disclose information, including Personal Information, about our customers in the following limited circumstances:
Vendors, consultants, and other service providers
We may share your Personal Information with vendors, consultants, and other Processors we employ to perform services on our behalf. These Processors include our payment processing providers, website analytics providers (e.g., Google), tools we use to prevent spam and other security risks related to the abusive automated software (e.g., Cloudflare), online activities, product feedback or help desk software providers (e.g., Salesforce), CRM service providers (e.g., Salesforce), and e-mail service providers (e.g., Mailchimp).
If 360ofme receives your Personal Information and subsequently transfers that information to a Processor for processing, 360ofme remains responsible for ensuring that such Processor processes your Personal Information to the standard required by the applicable privacy laws, including the GDPR. These transfers will typically be based on our legitimate interests or agreed upon in the Agreement. For further information, please see “International data transfers“ section.
Event partners
When you attend an Event that is co-sponsored by 360ofme and another organization, we provide Terms & Conditions which includes information about sharing your contact information with the Event’s sponsor/s. Please refer to the specific Terms & Conditions provided to you during registration for further details.
Business transfers
We may choose to buy or sell assets and may share and/or transfer customer information, including Personal Information, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information may be one of the assets transferred to or acquired by the third party.
360ofme group companies
We may also share your Personal Information within the 360ofme family of companies for the purposes consistent with this Notice and based on our legitimate interests or contractual necessity.
Protection of 360ofme and others
We reserve the right to access, read, preserve, and disclose any Personal Information as necessary to i) comply with a law or a court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the rights, property, or safety of 360ofme, our employees, our users, or others.
Disclosures for national security or law enforcement
Under certain circumstances, we may be required to disclose your Personal Information in response to valid requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations.
How long do we store your Personal Information?
We store your Personal Information for different time periods depending on the category of Personal Information and the nature of relationship that you have with us. We determine how long we need Personal Information on a case-by-case basis, but our goal is to keep your Personal Information for as short period as possible to achieve the purpose for which Personal Information is collected. We consider the following criteria when we are making decisions on how long we will retain your Personal Information:
- The category of Personal Information.
- Whether the Personal Information is typically deleted based on specific schedules, such as marketing information.
- Whether the Personal Information is necessary to operate or provide our services. For example, account information may be retained for a longer period of time based on the Agreement you have with us.
- How long we need to retain the Personal Information to comply with our legal obligations.
- Our legitimate interests or legal purposes, such as network improvement, fraud prevention, record-keeping, promoting safety, security and integrity, or enforcing our legal rights.
Security and certifications
We use appropriate technical, organizational, and administrative security measures to protect any Personal Information we store from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. For 360ofme specific certifications you may contact us at myprivacy@360ofme.com.
No company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user’s Personal Information at any time. Among other practices, your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
How can I exercise my privacy rights?
You may have certain rights relating to your Personal Information, depending on your location and subject to local applicable laws. These rights may include, subject to any exceptions or limitations:
- The right to know what Personal Information is being collected and for what purpose.
- The right to know what Personal Information is being “sold” or “shared”, for what purpose and the categories of recipients of your Personal Information.
- The right to access your Personal Information.
- The right to have your Personal Information rectified, corrected or updated.
- The right to have your Personal Information deleted, including from any third parties where your Personal Information has been sold, shared or disclosed.
- The right to opt out of the “sale” or “sharing” of your Personal Information.
- The right to object to the processing of your Personal Information.
- The right not to be subject to any automated decision making and profiling.
If you would like to access, review, update, correct, and delete any Personal Information we hold about you, or exercise any other privacy rights available to you, including the right to request a copy of standard contractual clauses if located within the European Economic Area (“EEA“), you can contact us at myprivacy@360ofme.com. Our privacy team will review your verifiable privacy rights request (“Privacy Rights Request”) and respond to you as quickly as possible. If we are unable to comply with your request due to an exception or limitation, we will explain this in writing. If we need more time, we will inform you of the reason and extension period in writing.
If you would like an authorized agent to make a Privacy Rights Request on your behalf, the agent may do so by contacting us at myprivacy@360ofme.com. We will ask for written, signed permission that the agent has been authorized to act on their behalf. Once written authorization is provided, we will review your Privacy Rights Request and respond to you as quickly as possible. We will respond directly to the e-mail address provided by the authorized agent regarding the fulfillment of the Privacy Rights Request.
360ofme does not collect or use any sensitive categories of Personal Information and does not discriminate against you for exercising your privacy rights.
We remind you that you have a right to lodge a complaint with a supervisory authority should you feel unsatisfied with our treatment of your Personal Information.
International data transfers
360ofme is a company operating globally. Therefore, Personal Information of individuals who visit our Websites and/or who use our services or otherwise interact with us may be transferred and accessed from around the world, such as from countries where 360ofme, its Affiliates, or our Processors operate.
We will protect your Personal Information in accordance with this Notice wherever it is processed. 360ofme does not voluntarily or actively transfer or disclose our customers’ Personal Information to the government or law enforcement authorities (“Authorities”) and/or otherwise grant any Authorities access to your Personal Information. In the event of a request from the Authority, we have procedures and controls in place to make sure that any such request is assessed accordingly.
Information for individuals in the European Economic Area or in the United Kingdom (“UK”)
Operating globally, 360ofme may transfer Personal Information from the EEA or the UK to the United States and other countries, including Personal Information we receive from individuals residing in the EEA or the UK who visit our Websites and/or who may use our services or otherwise interact with us. Please note that the term Personal Information used in this Notice is equivalent to the term “personal data” under applicable European and UK data protection laws for individuals located in the EEA or the UK.
When 360ofme engages in such transfers of Personal Information, it relies on:
- Adequacy Decisions, as adopted by:
- European Commission (“EC”), based on Article 45 of Regulation (EU) 2016/679 (GDPR) – for more information, and to access the full list of countries deemed adequate to date, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions
- UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018 – for more information, and to access the full list of countries deemed adequate to date, please visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/; or
- The EC’s Standard Contractual Clauses (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board;
- The EC’s and the UK’s Information Commissioner’s Office (“ICO”) have determined that the SCCs and IDTA may provide sufficient safeguards to protect personal data transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
360ofme performs transfers impact assessments and continually monitors the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the European and UK data protection laws.
Additional resources
- For more information on the U.S. Department of Commerce’s continued administration of the EU-US Privacy Shield program, please visit https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update.
- For more information on the U.S. Department of Commerce’s continued administration of the Swiss-US Privacy Shield program, please visit https://www.privacyshield.gov/article?id=Swiss-U-S-Privacy-Shield-FAQs.
- To learn more about the Privacy Shield program, see the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
Additional information for consumers in the United States
Under the California Privacy Rights Act (‘CPRA’) and Virginia Commonwealth Data Protection Act (‘CDPA’), residents of California and Virginia have certain rights regarding the Personal Information that businesses collect and process about them. This includes the rights to request access or deletion of your Personal Information, as well as the right to direct a business to stop selling or sharing your Personal Information.
We are required to detail the categories of Personal Information that we that we collect and/or share for the purposes described in the section “How and on what grounds do we use your Personal Information?” of this Notice and, to the Processors and Third Parties listed in the section “How do we share and disclose Personal Information to third parties?”
We collect and in the past 12 months have collected the following categories of Personal Information for our business purposes:
- Personal Identifiers.
- Information collected by cookies and other technologies, including IP address.
- Internet or other electronic network activity information`, including app log information, content you view or engage with, and app, browser and device information.
- Inferences drawn from any of the above categories of Personal Information.
While 360ofme does not sell Personal Information in exchange for any monetary consideration, we do share Personal Information for other benefits as defined by Cal. Civ. Code 1798.140(ad)(2). We have shared in the preceding 12 months Personal Information as necessary for specific “business purposes,” as defined by Cal. Civ. Code 1798.140(e) and specified in the section “How do we share and disclose Personal Information to third parties?” This includes sharing personal identifiers, commercial information, and internet or other electronic network activity with payment processing providers, customer relationship management, consulting, e-mail, product feedback, helpdesk services, advertising networks, website analytics companies, and Event sponsors. You have a right to direct 360ofme not to sell or share your Personal Information. 360ofme does not sell or share the Personal Information of consumers who are under 16 years of age.
For more information on how to exercise your rights, including the list of privacy rights that may be available to you, please see section “How can I exercise my privacy rights?” of this Notice. If you would like to access, review, update, correct, delete any Personal Information we hold about you, or exercise any other privacy rights available to you, including the right to opt out from selling or sharing your Personal Information, you can click the “Exercise your Rights” link located on the top left corner of this Notice, send your request to: myprivacy@360ofme.com.
We endeavor to respond to a Privacy Rights Request within the required timeframes. If we need more time, we will inform you of the reason and extension period in writing. If you submit your Privacy Rights Request electronically through our request form, we will deliver our written response to the verified email associated with the request. If you did not submit the request with us via the online webform, we will deliver our written response by mail or electronically, at your option. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Right to Appeal – California
If 360ofme does not take action on your Privacy Rights Request within the 45 days response period, or in the event of an extension, within the maximum 90-day response period, we will inform you in writing of the reasons for not taking action, as well as provide an explanation of any rights you have to appeal the decision.
Right to Appeal – Virginia
You have the right to appeal a refusal to take action on a Privacy Rights Request within a reasonable period of time after your receipt of our decision. Within 60 days of receipt of an appeal, 360ofme will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you will be provided with a method through which you may contact Attorney General of Virginia to submit a complaint.
California and Delaware “Do Not Track” disclosures
Privacy regulations in the United States, such as the laws of California and Delaware, require 360ofme to indicate whether it honors your browser’s “Do Not Track” settings concerning targeted advertising. 360ofme adheres to the standards set out in this Notice and does not monitor or respond to Do Not Track browser requests.
Children
We do not knowingly collect or solicit Personal Information from anyone under the age of 13. If you are under 13, please do not attempt to register for the services or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under age 13, we will delete that information as quickly as possible. If you believe that a child under 13 may have provided us their Personal Information, please contact us at myprivacy@360ofme.com.
Linked websites
For your convenience, hyperlinks may be posted on the Websites that link to other websites (“Linked Sites”). We are not responsible for, and this Notice does not apply to, the privacy practices of any Linked Sites or of any companies that we do not own or control. Linked Sites may collect information in addition to that which we collect on the Websites. We do not endorse any of these Linked Sites, the services or products described or offered on such Linked Sites, or any of the content contained on the Linked Sites. We encourage you to seek out and read each Linked Site’s privacy notice to understand how the Personal Information about you is used and protected.
Changes to this Notice
We are constantly trying to improve our Websites and Services, so we may need to change this Notice from time to time. We will alert you about material changes by, for example, placing a notice on our Website and/or sending you an e-mail (if you have registered your e-mail with us) when we are required to do so by applicable law. You can see when this Notice was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this Notice.
Contact us
If you have questions, requests, or concerns regarding your privacy and rights, please let us know how we can help at myprivacy@360ofme.com.