WHAT DATA DOES PAVESTEP RECEIVE OR COLLECT? HOW DOES PAVESTEP COLLECT IT?
We only collect information that is necessary to help us ensure that the Services are performed as expected and to help us improve the Services and your user experience. We may collect the following information:
Information about your use of our Services (e.g., what features you used on our software application, timestamp of the activities on our software application, etc.); or
Technical information related to your visit to our website, as well as use of our software applications (e.g., type of device you used to access our Services, Internet protocol (IP) address used to connect your device to the Internet, your login information for the Services, browser type and version, time-zone settings, browser plug-in types and versions, operating system, mobile network information and platform, full Uniform Resource Locator (URL), pages you viewed, page response time, errors, length of visit to certain pages, or page interaction information).
In certain cases, obtaining your information will be necessary to provide you with the Services. If you fail to provide us with the required information, you will be unable to use the Services. You, your employer, or your employer’s service providers may give us data about you when you take the following actions:
Activating and/or using an account on our software applications (e.g., username, password, name, role);
Accessing or viewing our Services, such as our website or content (e.g., when you request a demo or access to certain gated content, we may ask you for your name, organization you represent, email address, billing address, and/or phone number);
Contacting us (e.g., sending us an email); or
Completing a survey about our Services.
Note: your employer’s service providers may give us data about you, only with the approval of your employer. Typically, this will occur if your employer requests us to integrate with its third-party service providers (e.g., enabling Single Sign On).
WHY AND HOW DOES PAVESTEP USE OR PROCESS YOUR DATA?
We use the information collected for the following general purposes: providing our products and services you or your employer have requested, billing, identification and authentication, improving our Services, contact, and research. We may also use non-personally identifiable information submitted by users to create and provide new products, services, features, or content. No personally identifiable information is shared with or sold to other organizations for commercial purposes, except to provide products or services you or your employer have requested and when we have your or your employer’s permission to do so. From time to time, we may use your information in aggregated and/or anonymized forms for marketing purposes (e.g., sharing the average number of feedback per employee on our software application across clients).
We have lawful bases to collect, use, and share data we receive from, collect, or maintain about you, based on:
Your consent (as provided for in this Policy and the Client Agreements);
Contract (where processing is necessary for the performance of a contract with you or your employer, such as the Client Agreements);
Protection of the vital interests of a natural person, such as in the event of an emergency; and
Other legitimate interests including, but not limited to:
Protecting you or us from threats (e.g., security threats);
Enabling us to administer our business, such as for quality control and customer service;
Managing corporate transactions; or
Understanding and improving our Services and client relationships generally.
In areas in which we have a legal basis to use your personal data without consent, this Policy fulfils our duty to process personal data fairly and lawfully and in a manner that you would expect based on the nature of our relationship with you or your employer, by giving you appropriate notice and explanation of the way in which your personal data will be used.
In areas in which consent is required for our use of your personal data, you have the right to withdraw or decline your consent and cease your use of our Services. If you decide to withdraw your consent, such withdrawal will not affect the lawfulness of processing based on consent before such withdrawal. Except as otherwise set forth in this Policy or the Client Agreements, we will not sell, rent, or lease any of your personal information we receive from you, your employer, or your employer’s service providers.
Following termination or deactivation of your account with our software application, we may retain information in order to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our rights under our agreements with you or your employer, for backup, audit or regulatory purposes, and for other actions permitted by law. Otherwise, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we originally collected it. In most cases, in which your employer terminates all Client Agreements between itself and us, we will delete all of your personal information stored in our software application within 30 days of the termination of the said Client Agreements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
There are special situations in which we share your personal information. These situations are rare, but can include the following:
By lawful request of public authorities, agencies, or other government and government-related entities to investigate, prevent, or take action regarding illegal activities, suspected fraud, threats to physical safety of any person, violations of Client Agreements, or anything of this nature. In such situations, you acknowledge that we may disclose such information to the extent necessary to comply with such legal requirements;
Disclosures to subprocessors (as described in the Data Processing Agreement section of this Policy) and organizations with whom we are under common corporate control;
Disclosures to our service providers, business partners, suppliers, contractors, consultants, and sub-contractors that perform services for us to improve our Services (these entities will have confidentiality requirements and terms to protect your information to the extent commercially reasonably possible between them and us); and
In the event of an emergency in which we need to protect the safety of our employees, contractors, clients, agents, representatives, or any person.
WHAT DOES PAVESTEP DO WITH COOKIES?
Session management: These can’t be removed without a significant change to the way your session works;
Notification management: Storing whether you have closed certain notification banners in the software application; and
Buzzsprout ([podcast services solution](https://www.buzzsprout.com/)): Making sure that the podcast player functions properly within our software application.
Analytics and marketing: Improving our understanding of the visitors on our website for marketing purposes (e.g., ads);
Website operations and security: Making sure that the website functions efficiently and securely.
WHERE DOES PAVESTEP STORE THE DATA?
We use third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide our Services to you and your employer. We own the code, databases, and all rights to our Services. You retain all rights to your data.
WHAT CONTROL DO YOU HAVE?
You have control over your personal information related to your use of the Services. You have the right to ask us not to collect, use, process, or disclose your information in any of the manners described in this Policy. Exercising this ability to opt-out may affect your ability to use the Services and your user experience. You can notify us of your intention to halt the collection, use, processing, or disclosure of your information at any time by contacting us at firstname.lastname@example.org. Some personal information is automatically collected by data analytics tools. If you object to collection in these situations, your only choice is not to access or use the Services.
If you consented to receiving marketing communications from us by opting in on any of our Services and subsequently want to withdraw your consent, you can do that at any time. Please contact us at email@example.com or firstname.lastname@example.org. You can also change the setting in your account in our software application.
Additionally, depending on your location, subject to applicable law, you may have some or all of the following rights with respect to your personal information:
Restricting the processing of your personal information if the data is inaccurate, the processing is unlawful, or we no longer need it for the purpose for which we hold it;
Transmitting your data (as provided by you directly or collected by us due to you using our Services) to you or to a third-party when we justify our processing on the basis of your consent or the performance of a contract with you or your employer;
Withdrawing your consent to our processing of your personal information;
Obtaining a copy of the appropriate safeguards under which your personal information is transferred to a third country or international organization;
Objecting to the processing of your personal information, on legitimate grounds, except if otherwise permitted by applicable law;
Erasing your personal information; and
Filing a complaint with your local supervisory authority for data protection.
If you are legally able to, based on your location and applicable law, and wish to exercise the above rights, please email email@example.com or firstname.lastname@example.org. Once we can verify your identity, determine your rights based on your location and applicable law, and feasibility of the request, we will process your requests accordingly.
The personal information processed in connection with your use of our software application is likely necessary in order for you to maintain an account on our software application. Accordingly, if you ask us to stop processing your personal information in a certain way or erase your personal information, and this type of processing or data is needed to facilitate your use of our software application, you may not be able to access or use our software application. It may be necessary to retain your personal information for the purposes of assessing and verifying data that is submitted to and/or held within the Services and to manage or run the Services. In certain situations, you or we may need to consult with your employer to address your request to stop processing or erase your personal information.
HOW DOES PAVESTEP KEEP YOUR INFORMATION SAFE?
The security of your information is important to us. We use commercially reasonable physical, technical, and organizational measures to protect against loss, misuse, or alteration of your information. We strive to preserve the integrity and security of all information we collect, process, and share with our service providers. Security is our top priority in all of our product designs, technology development, system architecture, and internal processes. However, we also recognize that no security system is completely impenetrable. We do not warrant or guarantee the security of the data that you provide to us.
In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation, notify individuals whose information may have been compromised, take steps to contain or remove the breach, and put a solution in place to reduce the chance of the breach happening again, all in accordance with applicable laws and regulations. You are responsible for maintaining the security of any password or other forms of authentication involved in obtaining access to password-protected or secure areas of any of our digital services. In order to protect you and your information, we may suspend your use of the Services without notice, if any breach of security is suspected.
Within Pavestep, only a limited and authorized set of personnel have access to your information. All of our employees and contractors have been informed of their obligations to preserve and protect the confidentiality of personal information. They may only use the personal information in accordance with the principles set out in this Policy and applicable regulations.
WHAT ABOUT LINKS TO THIRD-PARTY WEBSITES OR SERVICES?
Our Services may provide links to third-party websites or services that are not governed by this Policy. To the extent that any linked third-party websites or services you visit are not owned or controlled by us, we are not responsible for those websites’ or services’ content or information practices. We are bound by our internal policies, this Policy, Client Agreements, and applicable laws.
CALIFORNIA CONSUMER PRIVACY ACT
The California Consumer Privacy Act of 2018 (the “CCPA”) provides certain rights to California residents regarding their personal information. A California resident has the right to request that we disclose certain information, including:
The categories of personal information we have collected about that California resident;
The categories of sources from which the personal information is collected;
The business or commercial purpose for collecting or selling the personal information;
The categories of third parties with whom we share personal information;
The specific pieces of personal information that we have collected about that resident; and
The categories of personal information that we have sold about that resident and the categories of third parties to whom that information was sold.
A California resident has the right to request that we delete their personal information. A California resident also has a right to “opt-out” of the sale of that resident’s personal information. Finally, a California resident has the right not to be discriminated against for exercising their privacy rights under the CCPA. You can exercise any of these rights by emailing us at email@example.com.
Under California’s “Shine the Light” law, California residents who provide personal information in obtaining products or services are entitled to request and obtain from us once a calendar year information about the information we shared, if any, with other businesses for their own direct marketing uses. To obtain this information, please send an email message to firstname.lastname@example.org with “Shine the Light Request” on the subject line and in the body of your message. We will provide the requested information to you at your e-mail address in response.
Pursuant to California Civil Code Section 1789.3, California users are entitled to the following consumer rights notice: California residents may reach the Complaint Assistance Unit of the Division of Consumer Services for the California Department of Consumer Affairs by mail at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.
GENERAL DATA PROTECTION REGULATION (“GDPR”)
You understand and acknowledge that, in connection with our provision of the Services, we are a data processor, not a controller (as such terms are defined under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). In the event you are a user of our Services and GDPR applies to you, the data processing addendum referenced in the Client Agreements, by and between you or your employer and us, applies to the personally identifiable information of non-U.S. data subjects shared by you (the “**Data Processing Agreement**”). If a Data Processing Agreement was not executed between you or your employer and us, please notify us, so that we can put one in place.
Please be aware that your personal information may be collected, managed, transferred to, processed, stored, or accessed in a country other than your country of residence in certain situations that necessitate those actions. Also, we may allow our service providers or subprocessors, who may be located outside of your country of residence, to access your personal information, if it’s necessary. We will always take commercially reasonable steps to ensure that any transfer of such information to entities based outside your country of residence is carefully managed to protect your rights and interests by implementing appropriate safeguards to protect your personal information. By visiting our website or content, and accessing and using our Services, you consent to the transfer of your information to such country(ies) as are set forth in this Policy.
Where there is no adequacy decision by the European Commission in respect of a country (to the extent that they are outside the EEA or Switzerland), which means it is not deemed to provide an adequate level of protection to your personal data, we will exercise commercially reasonable efforts designed to ensure your personal data receives an adequate level of protection.
For questions and requests related to GDPR, please contact us at email@example.com. We have appointed an EU Representative – we will route your GDPR-related questions and requests to the EU Representative.
Our Services are intended for use strictly by adults. We do not knowingly solicit or collect personal information from children under the age of sixteen (16). If we learn that any personal information has been collected from a child under sixteen (16), we will delete the information as soon as possible. If you believe that we might have collected information from a child under sixteen (16), please contact us at firstname.lastname@example.org.
POLICY UPDATES AND QUESTIONS
We periodically update this policy. We will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address you or your employer provided us or by posting a notice on our Services.
This Policy was last modified on April 30, 2022.