This Services Privacy Notice will be effective starting on May 25, 2018.
PLEASE NOTE: For the purposes of European Union data protection law, this Services Privacy Notice ("Notice") only applies where Enviance acts as a data processor on behalf of our customers as data controllers. As such, this Notice is merely intended to provide you with further information as to what personal information is collected and how this data is processed in the provision of Enviance's services.
Any concerns that relate to the processing of your personal information in the performance of the Enviance services should generally be addressed to the customer (usually your employer) as the data controller. The customer may have provided you (within our application or otherwise) with their own privacy notice governing your use of the Enviance services, which may supplement or supersede this Notice in whole or in part. Questions as to any such other notice may be directed to the customer (usually your employer).
Enviance, Inc. provides its customers with access and use of hosted applications pursuant to a services agreement. Customer data is submitted by our customers and their end users (typically their employees) to our hosted applications or otherwise provided to us in connection with their use of the applications (for example in providing customer support). This customer data includes personal information about the users and others and this Notice provides information about our processing of that personal data.
This Notice does not apply to personal data we may collect outside of providing the hosted applications such as billing contacts, personal data from general visitors to our corporate website or through our marketing efforts. Such matters are addressed in our Enviance Privacy Notice found here.
HOW WE COLLECT PERSONAL DATA
Manually Collected Information
We collect personal information that is manually submitted or uploaded to our hosted applications or otherwise provided to us by users or the customer in our provision of the hosted applications. Users may submit personal information of their own or of others, for example when using the application to report on a matter involving that other person.
Automatically Collected Information
The hosted applications collect technical data automatically through their use such as user IP addresses, information about user hardware and software, and analytical data about the use of our applications. Some of this data may be personally identifiable under European Union data protection law.
PERSONAL INFORMATION WE COLLECT
For registered users of our hosted applications, we must have basic identifying information, which minimally includes the user’s name and email address, but their user profile may also include their telephone number, employee identification number, work location, department or division and similar work identifiers the customer or user submits to the application. This information is generally accessible by the user in their profile settings within the application. Other information manually submitted to and collected through our hosted applications depends upon the nature of the application and service, but is in any event determined by our customer and their users.
Case or Event Management Services
Certain applications such as Ergonomic Case Manager and Environmental Incident App permit users to manage cases or events within the customer’s organization. In such instances, the user may report or submit personal information about themselves and about other individuals. This personal information would generally relate to the matter being reported, however the customer and user are in control of such manually submitted information to the applications, not Enviance. The data provided by users or customers may include personal information that is considered "sensitive" under European Union data protection law (e.g. an event report that includes details of a health condition). We encourage customers to minimize the collection of such information but, where we do process it on their behalf, we do so in accordance with European Union data protection law.
Ergonomic Management Applications
Certain applications such as Office Ergonomic Suite (OES) are used to help manage and mitigate ergonomic harm within an organization. Users submit information about their work environment and habits relevant to ergonomics, such as information about the positioning of their monitor relative to their body position. Information is also collected automatically by the application such as technical information about the user’s computer and peripherals or information about the use of their computer relevant to ergonomics. This information is aggregated for centralized reporting, analysis and management within the customer’s organization by users authorized by the customer to access such features.
Some customers license RSIGuard, an Enviance software application installed on the user’s computer that automatically collects a variety of information about the user’s computing environment and behaviors relevant to ergonomics. This includes, for example, information about the user’s interactions with their computer such as keystroke counts, mouse usage counts, and duration of computing activity and inactivity. Certain customers use RSIGuard solely locally meaning the information the application collects remains within the customer’s organization and is not transmitted to us. Other customers link their installations of RSIGuard to their hosted OES account in which case information collected by RSIGuard is transmitted to us for reporting and management by the customer within OES. If you are a user of RSIGuard and wish to know if your copy of RSIGuard is connected to OES or have other questions, you may contact the applicable customer (generally your employer) and we will assist them in responding to the extent requested.
THE PURPOSE OF OUR COLLECTION AND PROCESSING OF PERSONAL INFORMATION
As a reminder, we act as a data processor with respect to personal information in our hosted web applications and process personal information only on the instructions of our customers. We may process it for the following purposes:
- To provide use of the applications to our customer;
- To prevent and address any problems with the applications and provide customer support;
- For any other purpose as provided for in the services agreement between us and the customer, or as otherwise authorized or directed by the customer; and
- To comply with applicable law or where we determine it is required to protect and enforce our legal rights.
SHARING OF PERSONAL INFORMATION
We do not sell or rent personal information to any third-parties; however, we do share the information with third-parties within the Enviance Group of companies consistent with this Services Privacy Notice and with our third party contracted service providers that support our operation of the hosted applications.
Where our service providers have access to the personal information, we enter into written agreements with them requiring them to keep the personal information confidential, only use it as necessary to provide the contracted services and take other measures to protect the personal information.
Additionally, we may be required to disclose personal information in response to valid requests by public authorities, including where required to meet national security or law enforcement requirements. For example we may disclose personal information where required by a valid subpoena, or where we determine it is necessary to protect or defend our legal rights. If legally permissible, we will attempt to refer any third party request or demand for disclosure of personal information to the applicable customer.
RETENTION OF YOUR PERSONAL INFORMATION
We retain customer data including personal information within it in accordance with the relevant services agreement, our internal data retention policies and our customer's instructions. Typically, this means we retain the customer data through the term of the customer's subscription to the hosted application and then delete it or return it within a reasonable time thereafter. In certain instances, some customer data may be archived to meet legal requirements, to provide evidence in cases of litigation, or if otherwise required by law.
Our customers are responsible for ensuring that those individuals whose personal information is processed by us on their behalf receive any required notices and where required, determine the legal basis for processing the personal information. This may include requesting and obtaining employees’ consent to process their personal information in connection with our applications. Certain customers may have enabled features in the applications that request user consent or provide customized notifications and consent options. If you have questions about consent options, legal bases for processing your personal information or similar questions, you should contact the customer (generally your employer) directly. If requested, we will then assist the customer in accordance with the customer’s instructions, the services agreement and applicable law.
ACCESS, CORRECTION AND OTHER RIGHTS IN PERSONAL INFORMATION
Individuals whose personal data is processed by us for our customers that is subject to European Union data protection laws such as the General Data Protection Regulation (typically permanent residents of the European Economic Area ("EEA")) have a variety of rights with respect to such processing. These include rights to access, correct, and in some instances, to erase their personal information, to object to or restrict processing of personal information, to lodge complaints with European supervisory authorities, and, where processing is based on the individual’s consent, to withdraw that consent.
An individual wishing to access, correct, amend or delete their personal information may be able to do so within the hosted application through their user profile and other features. Note that this would only reflect the information held in this specific application rather than all information processed about you by the customer. Where your request is not addressable in this manner, such requests should be directed to the customer (typically the individual’s employer).
Customers with questions or requests regarding our processing of personal information in our hosted applications may refer to their services agreement or contact us via their customer representative or at the contact information below.
We maintain reasonable and appropriate technical and organizational security measures to protect personal information in our hosted applications from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
CROSS BORDER TRANSFERS
Enviance and the servers used to host the applications are located in the United States. Personal information of any individuals from outside the United States, including those in the EEA, is therefore transmitted to and stored on servers in the United States. We also employ service providers located in the U.S. and in countries outside of the U.S. and the EEA to whom we may provide access to personal information where it is necessary or advisable to maintain our applications and in those cases, we have put in place appropriate safeguards designed to ensure the proper and secure handling of the personal information including entering into processing agreements with standard contractual clauses with the service providers. Requests to obtain copies of materials evidencing these safeguards should be directed to the customer (typically your employer).
HOW TO CONTACT US
You may contact us about matters pertaining to this Notice and our processing of personal information in providing our hosted applications at the following:
By Email: email@example.com
By Mail: Attn: Privacy at Enviance
5780 Fleet St, Suite 200, Carlsbad, CA 92008
United States of America
CHANGES TO THIS NOTICE
We reserve the right to modify, supplement, or remove portions of this Notice from time to time and in our sole discretion, but will alert you that changes have been made by indicating on this Notice the date that it was last updated. When you access and use our hosted application, you are acknowledging the applicability of the current version of this Notice as posted or linked within the application at that time. We recommend that users revisit this Notice on occasion to learn of any changes.