ZenGRC Privacy Policy
ZenGRC is committed to protecting your privacy. Our most important asset is you and your trust, and we want you to have confidence in the way we use your Personal Information.
Table of Contents
- Definitions
- ZenGRC and our Privacy Notice
- Categories of Personal Information Collected, the Purposes for such Collection, and Legal Bases for Collection
- More on Legitimate Interest Processing
- Sharing of Personal Information
- Security
- Where We Store Your Personal Information
- Data Retention and Deletion
- Your Rights and Choices
- Special Circumstances of Processing of Personal Information
- Selling Personal Information
- How to Make a Request or Complaint
- Federal Trade Commission and EU Supervisory Authorities Enforcement
- Links to Other Websites
- Modifications to the Privacy Notice
- Contacting ZenGRC
Definitions
In this Privacy Notice, “us”, “we” and “our” refers to ZenGRC, Inc. and our affiliates listed on this page (collectively “ZenGRC”).
“Communications information” means records of any correspondence and communications including the content of your message, the date and time and our response if you contact us or raise a question with us.
“Background check information” means a comprehensive collection of data that encompasses an individual’s criminal information, previous employment details, previous educational history, and a social security trace. It includes records of arrests, convictions, pending charges, court proceedings, employment dates, job titles, responsibilities, performance evaluations, references, reasons for leaving previous positions, schools attended, degrees earned, areas of study, academic achievements, certifications obtained, and a verification of the individual’s social security number (SSN) with associated names, addresses, and employment history.
“Contact information” means information that is typically used to contact you, such as your first and last name, business and/or personal email address, business and/or personal telephone number(s), and your employer’s physical address.
“Information about your Services usage or Site visit” includes information that lets us know how you navigate and use our Site and Services. This may include mouse movements, clicks, and scrolls. This may also include Uniform Resource Locators (URLs), clickstream to and through our Site (but not from our Site), page response times and download errors, and page interaction information (such as scrolling, clicks, frequency and length of visits, and types of content viewed or engaged with).
“Marketing information” means your marketing communication preferences.
“Personal Information” means any information relating to an identified or identifiable individual. Please read the following carefully to understand our views and practices regarding your Personal Information and how we will treat it.
“Process” means the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.
“Professional Information” may include job title, title level, title function, company name, and which subject matter you are interested in.
“Sensitive Personal Information” means information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. Included within this definition shall also be any information that relates to a person’s account login, finances, including financial accounts, debit or credit card in combination with any required security or access code, password, or credentials allowing access to an account, financial ownership, financial transactions, and/or financial credit. Lastly, Sensitive Personal Information shall also mean a person’s social security, driver’s license, state identification card, or passport number, date of birth, precise geolocation, the contents of a consumer’s mail, email, and text messages unless ZenGRC is the intended recipient of the communication, genetic data, biometric information for the purpose of uniquely identifying a consumer, and information concerning a person’s health, sex life, or sexual orientation. Excluded from this definition is information that is publicly available.
“Screen and/or voice recordings” means in limited instances, after we have provided notice and obtained your consent, we may record your voice and screen (i.e., information displayed by your device) information during MS Teams meetings with us.
“Technical identifiers/information” means Internet protocol (IP) address, browser type and version, device IDs, Google ID, time zone setting, operating system and platform, hardware version, device language settings, and account identification number.
“Voluntary user submitted information” means any other Personal Information that you voluntarily and freely choose to provide to us.
ZenGRC and our Privacy Notice
ZenGRC is a computer software company that offers both risk management and Governance, Risk, and Compliance (“GRC”) software (through the ZenGRC and the ZenGRC Pro product suite) (“Services”) as a service that helps our customers manage business risks more effectively.
This Privacy Notice describes how we collect, use, disclose and otherwise process Personal Information about you when:
- You visit our website at www.ZenGRC.com and/or www.reciprocity.com (collectively the “Site”);
- Submit Personal Information directly to us for marketing, sales, and/or informational purposes;
- You apply for an employment or independent contractor position with or on behalf of ZenGRC; or
- Otherwise contact, inquire, or otherwise engage with us through the Site or the products and services we market (our “Services”).
Where ZenGRC hosts Customer Personal Information within the ZenGRC Services, we do so in our capacity as a service provider and/or subprocessor on the Customer’s behalf. Our Customer is the controller and/or business in respect of Personal Information they supply to us when using ZenGRC’s Services.
By visiting and using our Site and/or Services, you acknowledge that you have read, understood, and agree to this Privacy Notice.
Categories of Personal Information Collected, the Purposes for such Collection, and Legal Bases for Collection
Personal Information Collected for Marketing and/or Informational Purposes
You may provide us with the following categories of Personal Information about you: (1) contact information; (2) professional information; (3) communications information; (4) screen and/or voice recordings if personal information is supplied to us through MS Teams meeting(s); (5) marketing information; (6) whether you have attended a promotional event such as a webinar or educational conference; (7) information regarding materials you may have downloaded from our website or third-party website(s); and (8) information regarding whether you have responded to paid advertising by ZenGRC. We may also collect any other personal information that you choose to provide to us. These categories of personal information are collected for the purposes of marketing and selling our products to you. This information is collected from you with your consent, and it is also collected for our legitimate interests, which are to market and sell our products and provide information to you. Where the information is not provided by you, the information is obtained from various third parties that may sell or otherwise share your personal information with us.
You may object to further marketing at any time by selecting the “unsubscribe” link at the end of all our marketing and promotional update communications to you or contact us directly. To opt-out of our marketing calls, please email us at privacy@zengrc.com.
Personal Information Collected for Employment Purposes
When you apply for employment with us, we collect the following categories of personal information: (1) contact information; (2) professional information; (3) communications information; (4) notes taken when you interview with us; (5) background check information; and (6) screen, visual, and/or voice recordings of any meetings, interviews, and/or discussions had with us.
This information is obtained from you, with your consent, so that we can consider you for an employment position with us.
Personal Information Collected When you Use our Services
We process Personal Information you provide directly to us. When you are a Customer of ours, by using either ZenGRC or the ZenGRC Pro product suite, we collect the following categories of personal information: (1) contact information; (2) professional information; (3) communications information; (4) technical information; and (5) screen, audio, and/or visual recordings when you have MS Teams meetings with us.
By default, we do not process Sensitive Personal Information; however, we may collect and store media, documents or other information you voluntarily provide to us. We do not recommend that you provide us with Sensitive Personal Information when utilizing our Services.
These categories of personal information are collected for the following purposes: (1) to identify and authenticate individuals who utilize our Services; (2) to provide the Service in a safe and secure manner; (3) for customer relations management, customer service, and customer communication; (4) to provide business intelligence information to us; and (5) to provide workflow automation to our customers.
These categories of personal information, with the exception of technical identifiers, are provided by the Customer. Technical information is collected from the Customer’s device when utilizing the Services. The legal basis for collecting this personal information is the performance of the contract between us and the Customer.
Personal Information Collected When You Use Our Site
We may collect by automated means the following categories of personal information about you or that relates to your use of our site: (1) technical information and (2) information about your visit. This information is obtained from your device when you visit our Site.
Additionally, we use cookies and similar technologies to collect and store certain information. This includes saving cookies to your device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookie Policy.
This information is used in our legitimate interests (1) to ensure that content from our Site is presented in the most effective manner for you and for your device, to provide you with a better experience; (2) to communicate with you and respond to your inquiries; (3) to process your job applications to us; (4) for internal operations, including troubleshooting, data analysis, testing, research, and statistical analysis purposes; (5) to keep our Site safe and secure; and/or (6) to measure and understand the effectiveness of our advertising and to deliver relevant advertising to you. This information is also used to enter into any contract or carry out our obligations arising from any contract entered into between you and us, including administering an account you have with us and notifying you about changes or updates to our Service. Finally, this information is used to provide you with information about our Services we believe may interest you and which may be tailored to you, in our legitimate interests (provided these interests do not override your right to object to such communications) or if you have given your consent to receiving marketing material from us at the point we collected your information, where such consent is required by law or otherwise.
These categories of personal information are shared (1) to store it; (2) where we are legally required to do so; and (3) to facilitate the operation of our group of businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights.
More on Legitimate Interest Processing
Data protection law allows us to use Personal Information for our genuine and legitimate reasons if we respect your rights and freedoms. This lawful basis for using your information is called ‘legitimate interests’. When we rely on our legitimate interests as the legal basis for processing your Personal Information for the purposes set out above, we will specify what our legitimate interests are, and carefully consider and balance any possible effect this may have on you and your rights. You have the right to object to this processing; however, please bear in mind if you object this may affect our ability to carry out certain activities.
Sharing of Personal Information
We may transfer your personal information outside of Europe (1) to store it; (2) to enable us to provide our Service to you and fulfill any contract with you; (3) where we are legally required to do so; and (4) to facilitate the operation of our group of businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights.
Personal Information may be shared with the following categories of organizations and/or individuals:
- Our subprocessors, to provide the Services to our Customers. Information regarding our subprocessors can be found at https://zengrc.com/subprocessors/;
- Companies within our group, including ZenGRC Europe, who may support us in any of the purposes set out in this Privacy Notice;
- Our Affiliates;
- Analytics, advertising partners, and search engine providers;
- Business partners, suppliers and subcontractors performing services on our behalf;
- Any company or prospective buyer of all or substantially all our assets in connection with a sale or transfer of assets to any prospective buyer;
- Any person to whom disclosure is necessary to enable us to enforce our rights under this Privacy Notice or under the terms of use, or to protect our rights or the rights of third parties. This includes exchanging information with law enforcement agencies or other similar government bodies;
- Another party where required to do so by court order or where we are under a duty to disclose or share your information to comply with (and/or where we believe we are under a duty to comply with) any legal obligation.
Collected personal information may be transferred to organizations and/or individuals located in the United States, European Union, Mexico, Colombia, Uruguay, and Argentina. If you are in the European Economic Area, information will be transferred to these countries through approved Standard Contractual Clauses mechanisms and in accordance with the security measures stated within this Privacy Notice.
Security
We are committed to ensuring that your Personal Information is adequately protected. In order to prevent unauthorized access to or disclosure of your Personal Information, we have implemented appropriate administrative, physical and technical controls to safeguard our systems, applications and information, as well as robust standard operating procedures in the event of a security incident.
Our security safeguards can be viewed at https://zengrc.com/dpa/.
We also maintain procedural safeguards to further restrict access to your Personal Information to employees who need it to perform their tasks or people working on our behalf and under confidentiality agreements.
Where We Store Your Personal Information
The servers used to process your Personal Information are located in the following regions:
- For Personal Information collected from the Customer of ZenGRC: United States, European Union, and Australia
- For Personal Information collected from Customers of the ZenGRC Pro product suite: United States.
For Personal Information collected for all other purposes, such Personal Information is stored in the United States.
Data Retention and Deletion
Personal Information is retained for only as long as it is needed; however, in the following instances, the maximum retention time frame is:
- Information collected for employment purposes: 24 months
- Information collected when you use our Services: 30 days after the contract with the Customer is terminated
- Information collected related to user sessions when you use our Site: 14 months
- Information collected for marketing, sales, or informational purposes: 18 months from the date of the individual’s last interaction with ZenGRC
We take measures to delete your personal information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are authorized or required by law to keep this information for a longer period.
When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrollment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
ZenGRC retains limited information that demonstrates it has met its contractual obligations with customers. This could include any documentation related to the terms of the contract, the scope of the services provided, and any relevant communication between ZenGRC and its customers.
Your Rights and Choices
You have options and choices over how we use your personal information. You may have the right under applicable laws to ask for details of the personal information we hold about you, or to amend, limit or delete your personal information. You may also have the right to object to further processing under certain circumstances. We also respect the rights you may have under applicable laws to receive that information in a commonly used electronic format (or ask for this information to be provided in that format to a third party where feasible).
Specifically, you have the right under certain circumstances:
- To be provided with a copy of your personal information held by us;
- To know and access various aspects of your personal information, which include the categories of information collected, the sources from which it is obtained, the business purposes for collecting, selling, or sharing your information, the categories of third parties with whom your information is shared, and the specific pieces of personal information collected about you by ZenGRC;
- To opt out of the selling or sharing of your personal information;
- To request the correction or erasure of your personal information held by us;
- To request that we delete any personal information held by us about you;
- To request that we restrict the processing of your personal information (while we verify or investigate your concerns with this information, for example);
- To object to the further processing of your personal information, including the right to object to marketing (as mentioned in our promotional updates and marketing section);
- To request that your provided personal information be shared with a third party;
- To withdraw consent. Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us. You can also change your marketing preferences at any time as described in our promotional updates and marketing section and below; and
- To not receive discriminatory treatment for the exercise of these rights.
Our Customers will typically act as data controllers for any Personal Information related to them or Personal Information that third parties upload to our Services. We will act as a data processor in accordance with the Service and/or data processing agreements. Please note that if your request relates to Personal Information processed and/or stored by us as a result of you utilizing our Services, we will refer your request to the organization that contracts with us for our Services. We will then act according to the instructions of that organization since that organization is deemed to be the controller of that personal information.
Special Circumstances of Processing of Personal Information
We do not knowingly store and/or process personal information of individuals 16 years of age or younger, nor do we process Sensitive Personal Information. Additionally, we do not engage in profiling or processing of personal information by automated decision-making.
Selling Personal Information
According to the California Attorney General’s Office, a business is considered a seller of Personal Information if it utilizes cookies that facilitate targeted advertising. Because ZenGRC utilizes targeted advertising cookies on its website, and on that basis alone, ZenGRC is considered a seller of Personal Information. ZenGRC does not sell your Personal Information for a monetary amount to third parties, and it does not sell any information obtained through your use of ZenGRC or the ZenGRC Pro product suite.
ZenGRC utilizes the software platform Cookiebot to manage its cookie preferences. Cookiebot adheres to browser global privacy controls which can automatically instruct our website to not allow targeted advertising cookies to be placed on your device. This is performed in a frictionless manner. To learn how to implement global privacy controls for your browser, you can visit this resource.
To change your Cookiebot preferences, click on the paperclip icon at the bottom left side of the browser.
You may also make a request to opt-out of the selling or sharing of your Personal Information by emailing privacy@zengrc.com or you can complete our data privacy request form here.
How to Make a Request or Complaint
We commit to respond to requests and resolve complaints about our collection or use of your personal information. You may contact us at privacy@zengrc.com if you have a question about our privacy practices, this Privacy Policy, or if you wish to make a request regarding your Personal Information. You may also submit your request by completing this form here.
Please note that when a request is made that relates to your privacy rights, ZenGRC will contact you separately to attempt to verify your identity. If we cannot verify your identity within a reasonable amount of time, we will be unable to process your privacy request.
You may also make a request through an authorized agent. Before processing your request, we will separately contact you to verify the legitimacy of the request by examining documentation demonstrating agency between the person making the request and the subject of which the personal information relates. If we cannot verify the agency relationship, we will be unable to process the request.
If you are located within the European Economic Area and are unhappy with a response you receive from us, you can also refer the matter to your data protection supervisory authority which can be found here.
Federal Trade Commission and EU Supervisory Authorities Enforcement
We are subject to the investigation and enforcement actions of the Federal Trade Commission. We may be required to share your personal information with such enforcement authorities, including the disclosure of UK, Switzerland, and European Union residents’ personal information to public authorities and law enforcement agencies in response to lawful requests, including requests to meet national security and law enforcement requirements.
Links to Other Websites
This Privacy Notice covers the privacy practices of ZenGRC and it does not cover the privacy practices of third parties on their websites and other features. We are not responsible for the privacy notices and/or practices of third parties.
Our Site may provide links that can take you to other websites, which may include partner websites. You should review the privacy and other policies that govern the websites you visit, since those websites are not bound by our Privacy Notice, and we have no control over the content of those websites, nor the usage of information they gather.
Modifications to the Privacy Notice
Any changes we make to our privacy notice will be posted on this page https://zengrc.com/privacy-policy and, in relation to substantive changes, Customers of our Services will be notified by email.
Contacting ZenGRC
If you would like to contact us with questions or concerns about this Privacy Policy, our privacy practices, or would like to exercise your privacy rights, you may contact us via any of the following methods:
E-mail: privacy@zengrc.com
Privacy Request Form: The Privacy Request Form is located here.
You may also write to us at:
Attn: Privacy Officer
ZenGRC, Inc.
548 Market St, #73905
San Francisco, CA 94104