ACHIEVERS PLATFORM PRIVACY NOTICE
Last updated: October 2, 2020
Previous version is available here.
Achievers Corp. (together with the companies owned by and in common ownership with Achievers Corp., “Achievers,” “we,” “our,” or “us”) recognizes the importance of privacy in providing our employee recognition and rewards solution (the “Services”) to our business customers (“Customers”). The Services include a platform (the “Platform”) accessible by employees and other authorized users (“Members,” “you,” or “your”) of our Customers. You have been given access to this Platform by one of our Customers (your “Employer”).
This Platform Privacy Notice (the “Platform Privacy Notice”) describes how we collect, use, disclose, and otherwise process personal information about you, our Member (“Member Data”), in delivering the Service on behalf of our Customers.
SCOPE OF THIS NOTICE
This Platform Privacy Notice only applies to Achievers; it does not apply to your Employer, nor to its use of Member Data, the Platform, or the Services. If you have any questions regarding your Employer’s privacy policies or how they use Member Data, either within or outside of the Platform, you should contact the Program Administrator for your employer’s usage of this Platform.
This Notice describes how we collect and process your personal information (which includes “personal data” or “personal information” as defined under applicable data protection laws) and the rights you have regarding such data.
This Platform Privacy Notice applies to the data processing activities of Achievers solely with regard to the Achievers Platform. It also applies to any collection or processing of Member Data by the Achievers mobile app and the Achievers Connect Plugin for productivity platforms (such as Gmail, Microsoft Outlook, Microsoft Teams, Microsoft SharePoint, Workplace by Facebook, etc.). It also applies to those channels through which individuals communicate with us about the Platform and Services, such as Customer Service, whether in person, by telephone, by postal mail, email, or other means.
This Notice applies to the processing that Achievers performs when acting as a Data Processor on behalf of your Employer (the Data Controller). Our processing of Member Data is subject to the instructions we receive from your Employer and we have no independent rights to use your Member Data. Our agreement with your Employer does allow us to anonymize certain platform usage information in order to analyze trends and perform benchmarking; however, your personal information is removed or irreversibly anonymized before we perform that research.
INFORMATION COLLECTED RELATED TO PLATFORM AND SERVICES
Achievers recognizes the importance of privacy and principles of data minimization and privacy by design. As noted above, we collect and process Member Data as directed by your Employer. This means that ultimately your Employer controls the processing of your Member Data.
Member Data is provided to Achievers by your Employer and by you, our Members. For instance, your Employer may provide us with your name, position, business contact details, mobile phone number, and certain other relevant data about you, so that we can make the Platform available to you. You may then choose to provide your Member Data to us (e.g., your shipping address to redeem points for products on the Platform, or your mobile phone number to receive communications on your mobile device related to the Platform) and information about other Members (e.g., to recognize a colleague for something).
Achievers does not wish to receive, nor does it intentionally collect, sensitive Member Data from Customers or Members. If agreed by your Employer, and subject to appropriate legal agreements, we may process data that is considered within the scope of healthcare privacy laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Your Employer may choose to use the Platform in ways that could, either intentionally or unintentionally, capture information that could be considered sensitive, such as race and ethnic origin, religious or philosophical beliefs, gender, gender identity, sexual orientation, trade union membership, or health-related data. If we receive any Member Data that contains any of these categories of sensitive Member Data, we will treat it in accordance with this Platform Privacy Notice and provide notice to your Employer to export or remove such sensitive Member Data from the Platform. Achievers shall have the right to delete such sensitive Member Data from the Platform.
Automatically Collected Data
Achievers may automatically collect the following information about the use of the Services through cookies, web beacons, and other technologies: domain name; browser type and operating system; IP address; access time; device ID, name and model; location and language information; the length of time you are logged into the Platform; page views and referring URL; and your activities within the Platform. We may combine this information with other information that we have collected about you, including, where applicable, your username, name, and other Member Data. Please see the section Purposes of Use and Processing below for more information.
The Achievers website uses a browser feature called a “cookie” to allow Members to interact with the Platform. A cookie is a small text file that is placed on your computer by a website. Cookies contain a unique session identification number, the IP address of the request origin, and the last access time. You can manage how your browser responds to cookies, including by blocking cookies, notifying you when you receive a cookie, and allowing you to delete certain cookies. However, if you block or disable cookies, you will not be able to use some of the features available on the Platform.
“Do Not Track”
The Platform does not respond to web browser “Do Not Track” (DNT) settings or headers. However, Achievers does not track Member Data of Members on the Platform over time, across third party web sites or online services. Achievers also does not authorize or enable any third party to collect Platform usage Member Data through any advertising technology.
Achievers uses images embedded in e-mail messages called “web beacons.” Web beacons are clear images that allow Achievers to determine if a message has been opened. They also allow Achievers to determine the IP address of the user that opened it and to access any Achievers cookies. We may use this information in the aggregate to assess and improve our email messages. Email web beacons can be disabled by turning off HTML display and displaying text only or by turning off image display while still using HTML within your email client.
PURPOSES OF PROCESSING
Achievers will only collect, use, disclose, and otherwise process Member Data under the instructions of your Employer, as you instruct, or where otherwise permitted or required by law. Achievers does so on behalf of Customers, to provide the Services and as otherwise directed by you or your Employer under the terms of our commercial agreement (the “Customer Agreement”).
Subject to any requirements or restrictions in our Customer Agreements, we generally process Member Data as follows:
DISCLOSURE OF MEMBER DATA
We generally disclose Member Data under the following circumstances:
Achievers may share Member Data with our affiliated businesses (“Affiliates”) who provide services to us or on our behalf, as part of our business operations and administration of the Services. Where relevant, we have executed written agreements with such Affiliates that impose appropriate safeguards for the protection of Member Data in compliance with applicable privacy laws.
Agents and Service Providers
Achievers may share Member Data with selected third parties (“Service Providers”) who provide services to us or on our behalf, subject to our written instructions. For example, we may work with fulfillment partners spanning multiple international jurisdictions who are responsible for the delivery of product redemptions; in that case, the relevant Service Provider is provided with certain Member Data when Members would like to redeem a reward offered in the Platform, which may include Members’ physical mailing address, email and name.
Where relevant, Achievers has contractual agreements with Service Providers, which require them to provide protection as required by applicable data protection laws. Achievers does not transfer Member Data to a third party for the third party’s own use. Achievers may be liable under the data protection laws if one of its third-party processors processes Member Data in a manner inconsistent with such applicable data protection laws, if Achievers is responsible for the event giving rise to the damage.
As a processor, Achievers will disclose Member Data to your Employer. Your Employer and its designated administrator(s) will be able to access all information you provide to the Platform, including information you post or send through it, and information regarding any transactions or redemptions you make on the Platform. For example, your Employer may need your Member Data for the purpose of calculating, deducting and/or paying income tax in respect of taxable benefits in accordance with your Employer’s policies and applicable law. Where applicable, Member Data provided through Listen may be masked or otherwise concealed to promote your privacy interests; however, your Employer may unmask or re-associate Member Data with your identity. Achievers has no control, and is not responsible for how your Employer may access, use and disclose Member Data. For more information on how your Employer may collect, use, disclose, or otherwise process your Member Data, please contact your Employer.
Some areas of our Platform may allow you to upload or publish your own content to an area of the Platform that may be viewed by some or all other Members who have access to your Employer’s Platform, such as your colleagues (“Posting”). You may also make Postings external to the Platform (e.g., on social media). Such Postings may be associated with your name and any Member Data that you choose to include in such Posting. Achievers cannot control, and is not responsible for how any third parties, including your colleagues and/or your Employer, may use such information. If you choose to include Member Data in a Posting you post on the Platform, you consent to the disclosure of that Member Data. If you do not wish to publish your Member Data in this manner, please do not include it in a Posting you post to any area of the Platform that may be viewed by other users. You may not include the Member Data of any other individual in your Postings unless you have their consent.
Achievers Connect plugins for productivity platforms like Gmail, Microsoft Outlook, Microsoft Teams, Microsoft SharePoint, and Workplace by Facebook require the member’s email address to connect user profiles across the Achievers platform and the target productivity tools. For Gmail and Microsoft Outlook, the Connect plugin uses the To, CC and BCC fields from emails in the Inbox or other folders to identify nominators and nominees for a recognition being posted to the Achievers platform.
Achievers may use or disclose your Member Data to comply with a subpoena, court-ordered discovery, a warrant, a lawful government request, or similar legal process. If Achievers is involved in a merger, acquisition, or sale of all or a portion of its assets, or in the event of a bankruptcy or dissolution of our business, your personal information may be transferred to an acquiring business or third party, including in contemplation of or related to due diligence for such business transactions, subject to any applicable restrictions under applicable laws. Achievers may use or disclose your Member Data if we believe in good faith that disclosure is necessary to respond to claims asserted against us; to protect our rights; to protect vital interests including your safety or the safety of others; or, to investigate or prevent fraud.
Achievers may also use, or disclose Member Data to third parties, if Achievers has reason to believe that using or disclosing such information is necessary to: (i) conduct investigations of possible breaches of law; (ii) identify, contact, or bring legal action against someone who may be violating an agreement they have with us; (iii) investigate security breaches or cooperate with government authorities pursuant to a legal matter; or (iv) to protect our rights, safety or property, and/or the rights, safety, and property of our Customers, Members of our Platform, and any other persons. Lastly, we may disclose Member Data for any other purpose for which you have provided your Employer with consent.
Achievers’ Services are provided to Employers (our Customers) and their employees (the Members) and are not directed towards children. The Platform is not designed for or intended to be used by children, which we define as anyone under sixteen (16) years of age. We do not knowingly collect data from children and we request that children do not provide personal information through the Platform.
The security of your Member Data is important to us. We have implemented safeguards designed to protect the Member Data submitted to us, both during transmission and once it is received, including encrypting the transmission information (where appropriate). However, please note that no transmission over the Internet is 100% secure. If you have any questions about the security of your Member Data, you can contact us at firstname.lastname@example.org.
Achievers will take steps to keep your Member Data accurate, complete and up-to-date. Members will have the ability to review much of the Member Data we have collected about them on the Platform. To make a request (e.g., access or correction of your Member Data), please see the “Your Rights” section below.
It is our policy to retain your information only for as long as is necessary to fulfill the purpose for which it was collected and processed, including our contractual obligations to your employer. Unless otherwise instructed by your employer, we will retain your information for as long as your account is active or as needed to provide you services and for as long as may be required to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements. Even if you request for your information to be deleted, laws and regulations may require us to retain a copy of certain information in our files for a longer period of time. Unless a specific applicable law requires a different retention period, most data will be retained for no longer than seven (7) years.
For EU Residents
The European Union’s General Data Protection Regulation (“GDPR”) gives you certain rights, including: a right to be notified of our data collection practices; the purposes and lawful bases under which we process your data; if our legitimate interests are a basis for processing, what those interests are; the categories of data processed; the categories of third parties with whom data is shared; the details of any data transfers outside of the EU and the safeguards in place; the applicable retention periods or policies; the right to access, correct, and delete (under certain circumstances) your personal information; the right to receive a copy of your information in a “portable” form so that you may transfer it to other services; the right to withdraw consent for processing; the right to lodge a complaint with a data protection authority; the right to be advised of the existence of any automated decision-making, including profiling, and the right to object to such decisions; and, the right to withdraw consent without detriment. This Notice provides details regarding how we honor those rights in the context of our role as a Data Processor to your employer.
For California Consumers
California law gives you certain rights, including: a right to be notified of (and to request more information about) our data collection practices; the categories of data we process; the categories of third parties with whom data is shared; the right to request disclosure (up to twice per year) of the personal information we have about you or have had within the last 12 months; the right to delete that information (under certain circumstances); the right to know if your data is being sold; the right to know what personal information is being sold and to opt-out of such sales (if applicable); the right to receive a copy of your information in a “portable” form so that you may transfer it to other services; and, the right to not be discriminated against for exercising these rights. This Notice provides details on how we honor those rights in the context of our role as a service provider to your employer.
How to Exercise Your Rights
If you would like to exercise your rights under applicable privacy laws to access, amend, or request deletion of your Member Data, or make other requests regarding your Member Data, you should contact your Employer and we will work with your Employer, as needed, to assist them with information that they may need to respond to your requests.
Achievers will only refuse access to information about you where permitted or required by applicable privacy laws. If Achievers refuses access to you, it will provide you with the reasons for its refusal upon request. Exceptions may include information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. Achievers will respond to your requests for access in accordance with applicable privacy laws.
ENFORCEMENT AND DISPUTE RESOLUTION
Achievers will conduct periodic assessments to validate its continued adherence to this Platform Privacy Notice. If you have a question or dispute about our handling of your Member Data, please contact us using the information in the “Contact Us” section below.
Achievers will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of Member Data in accordance with the principles contained in this Platform Privacy Notice. Achievers agrees to cooperate with data protection authorities located in the European Union or authorized representatives for disputes received from the European Union.
Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, binding arbitration may be an option when other dispute resolution procedures have been exhausted.
Subject to our Customer Agreements, the Member Data that we collect from you may be transferred to, processed, or stored at a location outside the local jurisdiction, including the US, Canada, the UK, and other locations. This means that Achievers may be required to disclose your Member Data in response to lawful requests by public authorities, the courts, law enforcement, or national security authorities in that other jurisdiction.
We will take steps to ensure that your Member Data receives an equivalent level of protection as required by laws of that jurisdiction, including by entering into data transfer agreements. For transfers from the EU, UK, or Switzerland to the US, Achievers relies on adequacy decisions by the EU Commission or putting in place Standard Contractual Clauses as approved by the European Commission (the form for the Standard Contractual Clauses can be found here: EU Commission Standard Contractual Clauses) or another applicable supervisory body.
Achievers, through its US affiliate Achievers LLC, complies with the EU-US Privacy Shield Framework (“EU Privacy Shield”) and the Swiss-US Privacy Shield Framework (“Swiss Privacy Shield”) as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom (“UK”), and Switzerland to the United States.
As part of the certification made via its prior affiliate, Blackhawk Network Inc., Achievers has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit: https://www.privacyshield.gov/.
Prior to July 16, 2020, Achievers relied on its EU-US Privacy Shield and Swiss Privacy Shield certification as one means of demonstrating adequacy and safeguarding transfers of data from the EU and Switzerland. In addition to Privacy Shield, Achievers also executed Standard Contractual Clauses with entities involved in such data transfers. As of July 16, 2020, Achievers will primarily rely on country-level adequacy decisions or the Standard Contractual Clauses for EU, UK, and Swiss transfers. For transfers occurring prior to July 16, 2020, Achievers will continue to be responsible for the processing of EU, UK and Swiss Personal Information under the EU Privacy Shield Framework and will maintain full compliance with the requirements of that framework until further notice. Subsequent transfers of EU, UK, and Swiss Personal Information to any third-party acting as an agent on our behalf occurring after July 16, 2020, will be under the terms of the EU Commission’s Standard Contractual Clauses.
With respect to Personal Information received or transferred pursuant to the EU or Swiss Privacy Shield Framework, Achievers is and will continue to be subject to the regulatory enforcement powers of the U.S. Federal Trade Commission until further notice.
In certain situations, Achievers may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. To the best of our knowledge, Achievers’ systems are not subject to routine access by government authorities without warrants or appropriate accountability via established legal process.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
CHANGES TO THIS PRIVACY NOTICE
This Notice is subject to change, so if this is your first time reading it, please make sure it is not the last. If we make any changes to this Notice, we will post those changes on this page and revise the “Last Updated” date at the top. If we make any changes to the ways in which we process your information that could reasonably be considered material or substantial, we will make additional efforts to notify you of those changes, either by email or via a prominent notice on this Site prior to the change becoming effective. Where required by law, we will obtain your consent or give you the opportunity to opt out of such changes. Any changes will become effective when we post the revised Notice.
If you have any questions or concerns about your Member Data held by Achievers or about the compliance by Achievers with the Achievers Platform Privacy Notice, please contact our Privacy Office or contact your Program Administrator as indicated below.
By Regular Mail
c/o Achievers Solutions Inc.
Attn: Privacy Office
190 Liberty Street, Suite 100
Toronto, Ontario, M6K 3L5, Canada
Other Queries or Complaints
If you have any further queries or complaints that we are not able to answer, we recommend that you contact the Data Privacy Supervisory Authority for the country in which you reside. A list of EU/EEA Data Protection Authorities can be found via the European Data Protection Board here. A list of data protection authorities in other countries/regions can be found here.