Effective Date: September 11, 2018
We care deeply about your rights as a Spot User or Organization using Spot for Teams. We've done our best to clearly lay out our policies related to privacy, including a three-point summary of our privacy protection philosophy. If you see an opportunity for improvement, please let us know by emailing firstname.lastname@example.org.
Our Philosophy of Privacy Protection
- We collect information for the purpose of helping Spot Users and Organizations create confidential records and reports of inappropriate workplace behavior, and, at their request, sending their reports to the relevant Organization or our researchers. Except as specifically described in this Policy, we keep information for the minimum amount of time required to provide the Spot service.
- Our employees are prohibited from: (1) monitoring chats Spot Users have with Spot and (2) reading reports submitted to organizations.
- We do not track Spot Users or Organizations for the purposes of advertising or selling their data. We do track minimal aggregated, anonymized statistics to determine how Spot is being used.
The policy below explains in detail how we operate in accordance with this philosophy.
When using Spot as an Individual User, Palace is a data controller. If you use Spot for Teams as a Verified Employee, the data controller is the Organization you are working for and Palace is the data processor of this Organization. When information of a Spot User is shared for research purposes with recipients subject to strict security obligations and that guarantee they comply with applicable data protection laws, whether in an Individual User or Spot for Teams as a Verified Employee context, Palace is both data controller and data processor.
Information We Collect and How We Use It
We collect and process your personal data based on the consent you gave us when using Spot. You have the possibility to withdraw your consent at any time by writing to us at email@example.com.
I. SPOT USERS
Personal information that you choose to provide Spot
When you answer questions or submit other information to Spot, you may elect to provide Spot certain personal information. The personal data or categories of data processed are the following, taking into account that the provision of certain information by the Team Member is compulsory and the provision of other information is optional.
- Email address (which is the only mandatory personal data to be provided)
- Your name
- Demographic information (such as your gender and occupation)
- The name of your employer
- Other information about your employer, such as your department, location, industry or size
- Email address(es) to which the Team Member would like us to submit a report
- The name of the person the Team Member feel treated him/her inappropriately
- Other details about an event, such as the time, location, or recurring nature (certain questions will need to be answered only if you wish to proceed with Spot, given that your answer to such questions is open-ended and that an answer such as “not applicable” or “prefer not to answer” can enable you to continue through the process – however, this can have an impact on your use of Spot)
- Feedback about the Team Member’s experience experience using Spot
Depending on how you decide to use Spot, the personal information we collect from you may vary. For example, you may only want to submit keywords or tags to summarize your experience for the relevant organization. Summarizing your experience in keywords, without adding identifying details, helps protect anonymity while still alerting your employer of inappropriate behavior.
You may elect to submit to an organization a more detailed report that includes information such as your name or the names of people who treated you unfairly. You should not include sensitive data (such as names, places, or events) in a Spot report if you want to submit it to your employer and preserve anonymity. Spot highlights instances in which you’re asked to submit sensitive information and tells you what we’ll do with that information. Please understand that you are solely responsible for your decision as to the amount of personal information to include in a Spot report.
Using Spot for confidential purposes
You may elect to provide information and generate a confidential record or report solely for your own purposes. In this case, don’t ask Spot to send a redacted version to someone else or submit your report to our researchers. If you create a report only for yourself, you’ll receive it as an email attachment from Spot. Once Spot has sent you the email, you’ll go through a step that deletes all the data from your chat with Spot. We strongly advise checking the email attachment you receive before you agree to delete all data from your chat with Spot. We are not able to retrieve data once it’s deleted.
Submitting a report to an Organization – Information we retain
Spot can send a version of your report to your employer or anyone else. How you submit will vary slightly depending on whether you’re using Spot as (A) an Individual User or (B) a Verified Employee of an Organization that uses Spot for Teams.
(A) Individual User
When using Spot, you have the possibility to send your report to your employer or another party. To do so, you must provide us with the recipient’s email address. We use such email addresses solely for the purpose of submitting the report on your behalf.
The recipient receives an email from Spot with a link to download the report, and you receive a link to a status webpage that shows if the recipient has initiated a download. Spot retains the report for 30 days after the recipient downloads it for the first time. If the recipient hasn’t downloaded the report three months after receiving the download link, Spot deletes that version of the report from our servers. If you sent a report via Spot and the recipient has not yet downloaded it, you can delete that version of the report from our servers on the status webpage.
When Spot emails a download link, Spot retains the recipient’s email address and a timestamp for when the download link was sent. If the recipient downloads the report, Spot also retains a timestamp for that event. We do not retain any other data about your report. Should the recipient ever deny that they received a download link or initiated a download of your report, Spot can offer proof that the email was sent and indicate whether a download for the report was initiated. We will not have the report itself after the expiration of the 30-day period following the first download. We also will not have the report itself if you manually deleted it on the status webpage before the recipient downloaded it.
If you wish to obtain information regarding the delivery of a report download link or download initiation, email Spot at firstname.lastname@example.org. If possible, please provide: (1) the report ID on the version of the report you kept for your records, (2) the email address where you asked Spot to send the report, and (3) the date and time you chatted with Spot. We review all requests for information and will investigate as to whether or not the individual requesting information is entitled to receive it. We retain the right to decide whether or not to provide the information requested.
(B) Verified Employees
Verified Employees of Organizations that use Spot for Teams should receive a response to their report from their Organization within 10 working days. If your Organization fails to follow up on a report, email us at email@example.com. Please provide the report ID on the version of the report you kept for your records. We’ll initiate a review and determine whether we need to terminate or monitor that Organization’s use of Spot for Teams.
Reports submitted to Organizations using Spot for Teams may be retained by the Organization indefinitely. They cannot be manually deleted by the person who submitted them. For more information regarding the retention of your data contact your Organization.
Submitting a report to the Spot research team
In addition to creating a report for yourself and asking Spot to send a report to another person, you may choose to have Spot submit your report to our research team. If you do so, Spot will automatically delete information you provide in the following fields before sending your report to the researchers:
- Your name
- Name of person accused of behaving inappropriately
After automatically deleting this information, our research team will read your report and manually remove any other individual names or organization names that they can identify.
When choosing to submit your report to our research team you consent to the processing of your personal data for research purposes.
All information submitted to our researchers is collected in a database. By combining the experiences of many people, Spot can examine how people are experiencing harassment and discrimination at work. The goal is to diminish stress and frustration in the reporting process. Due to open science guidelines and data-sharing responsibilities, we share the redacted set of reports with the scientific community.
Information collected from Organizations (“Organization Data”)
The Organization Data we collect from Organizations subscribing to Spot for Teams includes the information described below:
- Information you provide when subscribing to the service;
- financial information, including credit card, debit card, or bank account information, which you provide when paying for Spot for Teams;
- information you provide in connection with any customer support, product evaluation, and dispute resolution;
- communications through which Spot monitors the progress of reports, communications with Spot and our personnel, and other communications generated by use of our service;
- all data Administrators are able to access in the dashboard (such as reports, and follow-up reports submitted by Verified Employees), activity logs of Administrators for each report, and optional comments for each report.
Please note that the processing of your data is necessary for the performance of the contract you signed with us by choosing to use Spot for Teams.
How we use Organization Data
We use Organization Data to:
- establish the Customer account and communicate with the Buyer, Administrator(s) and Spot Users regarding the Customer account;
- operate, improve, and personalize Spot for Spot Users, including any collection and processing of payment for Spot for Teams;
- provide you information regarding Spot and other services or products, or provide promotional offers (consistent with your communications preferences), including sponsored gifts or rewards;
- provide reports and other information in the Organization dashboard;
- define the domain names for email addresses through which users can verify themselves; and
Information we retain
We retain Organization Data as long as we believe it is necessary and relevant for the operation of Spot. When your Organization stops using Spot for Teams and your relationship with Palace stops, we retain your Organization Data for 3 months starting from the moment you stop using Spot.
Organization Data does not include the content of chats of Verified Employees nor any identifying information that will be stored on Spot servers. We have strict internal policies that prohibit Palace personnel from monitoring communications with the Spot chatbot, reading reports submitted to the Organization, or reading report comments and activity logs.
Your information choices
The Organization’s Buyer and Administrator(s) choose what information we obtain by providing us the Organization Data. The Buyer and each Administrator must ensure the Organization Data is correct, and we may rely upon that information being current. You consent to our using the then-current Organization Data to deliver notices and important messages.
III. SPOT USERS AND ORGANIZATIONS
We do not sell or rent your information to third parties for their marketing purposes without your explicit consent. We use Spot Users’ email addresses to send PDF versions of Spot documents, to verify them as employees of an Organization that uses Spot for Teams, to notify Verified Employees of action taken on their reports, and/or to respond if they contact us. We use an Administrator’s email address to notify them about report updates.
You may choose to sign up for a newsletter on our website. In this case, we may contact you via email with special offers. We may also contact you with information about products and services from our business partners. You may opt out of such commercial communications at any time by following the opt-out instructions provided in these messages.
Exercising Your Rights
We will honor any statutory right you might have. In accordance with the applicable law, each Spot User has a right to access, rectify and erase personal data by writing at firstname.lastname@example.org. Spot Users can also, using the same email address, ask for their data to be transferred to them or to another controller or request restriction of the processing of their personal data.
In accordance with certain applicable law, you also have the right to lodge a complaint to us by writing at email@example.com or to a data protection authority.
- Right of access: you can ask us if your data are being processed and ask information about the processing operations. If you wish to do so, you can also ask us for a copy of your data
- Right to rectification: you can ask us to rectify, change, update your personal data at any time
- Right to erasure: you can ask us to erase your personal data in certain cases
- Right to data portability: upon certain conditions, you can request a copy of your data or their transmission to another controller
- Right to objection: you can object, in certain cases, to the processing of your data
- Right to restriction of the processing: you can ask us to limit the processing operations to the only retention of your data in certain cases
Please be aware that in certain cases, we cannot guarantee the success of your request, as we will not always be able to identify your data set. We may have to retain certain data to comply with our research (if you submitted a report for research) or legal obligations, to resolve disputes, and to enforce our agreements.
Information We Collect by Automated Means
When you use Spot, your computing device is automatically providing technical information to us so we can customize our responses to you and improve the user experience. The type of information we collect may vary but generally includes technical information about your computer, such as its Internet protocol (“IP”) address or other device identifier and operating system. It may also include usage information and statistics about your interaction with Spot such as URLs of the Spot web pages you visit, URLs of referring and exiting pages, page views, time spent on a page, number of clicks, platform type, and location data.
When you visit a Spot web page, your browser automatically sends us your IP address so that the web pages you request can be sent to your computer or device. We use your IP address to determine additional information, such as whether the device has ever been used to visit Spot and how much time was spent on a page. Information about your general location may be discernable from your device's IP address or the URLs we receive.
We use this information for analytical purposes and to manage technical issues that may arise. At no point do we attempt to identify Individual Users through this information.
We may log information using "cookies." Cookies are small data files stored on your hard drive by a website. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on Spot. This type of information is collected to make Spot more useful to you and to tailor the experience with us to meet your special interests and needs. Please note, you have the possibility to block and delete these cookies through your browser settings.
Disclosure of Spot Users’ and Organizations’ Information
We created Spot to provide a secure way to report harassment and discrimination, not to obtain User Content or Organization Data to sell or rent to third parties. The circumstances in which we disclose User Content or Organization Data are limited to the following:
- You provide express consent;
- we need to share your information with Service Providers for the limited purpose of processing data on our behalf in order to operate the Spot service and improve Spot’s features and functionality, including fulfilling reporting requests (subject to contractual data protection requirements);
- we determine that the access, preservation, or disclosure of information is required or permitted by law to protect the rights, property, or personal safety of Spot or Spot Users, or is required to comply with applicable laws, including compliance with warrants, court orders, subpoenas, legal process, or other lawful government requests (including in response to public authorities to meet national security or law enforcement requirements);
- we share aggregated usage statistics that cannot be used to identify users individually; or
- we do so in connection with the sale or reorganization of all or part of our business, as permitted by applicable law.
While we use contractual and other measures to ensure protection of information, the laws and regulations relating to privacy and information protection in other legal jurisdictions may not be the same as, or similar to, your local privacy laws. The governments, courts, law enforcement, or regulatory agencies in these other jurisdictions may be able to request disclosure of personal information through the laws of these countries. In an effort to respect your privacy, we will not otherwise disclose your personal information to law enforcement, other government officials, or other third parties without a subpoena, court order, or substantially similar legal procedure, except when we believe in good faith that the disclosure of information is necessary to prevent imminent physical harm or financial loss, or to report potentially illegal or fraudulent activity.
Other Important Information
We’re committed to protecting the security of your information and take reasonable precautions to protect it. We use industry-standard encryption to protect your data in transit and while it is stored on our servers. This is commonly referred to as transport layer security (TLS) or secure socket layer (SSL) technology. However, Internet data transmissions are not guaranteed to be 100% secure, and we cannot ensure the security of information during its transmission between you and us. Accordingly, you acknowledge that when you transport such information, you do so at your own risk.
We protect your information in our systems using technical and administrative security measures designed to reduce the risks of loss, misuse, unauthorized access, disclosure, and alteration. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centers, and information access to authorization controls.
If we learn of a system breach, we we notify you as soon as possible and in any event within 7 days and provide information on protective steps, if available, using the information that you have provided to us. We may also post a notice on our website and/or notify you via other communication platforms. Depending on where you live, you may have a legal right to receive such notices in writing.
We explicitly recommend that you do not access www.talktospot.com from any work device or while on a work network. We cannot prevent, nor be held responsible for, you being monitored by others, particularly if you communicate using computing devices or networks owned or controlled by third parties, such as your employer.
If you received suspicious reports via a Spot email address, please contact us at firstname.lastname@example.org.
Vulnerability disclosure policy
Spot is committed to protecting your safety and keeping your data secure. If you believe you’ve discovered a potential security vulnerability with Spot’s online systems, we appreciate your help in disclosing the issue to us at email@example.com.
Privacy of minors
Spot is not intended for minors. Minors, as defined in the country of the Spot User, are expressly prohibited from using Spot or providing any personal information. If you become aware that a minor has provided us with personal information without parental consent, please contact us at firstname.lastname@example.org. If we become aware that that we have inadvertently obtained information in violation of applicable laws, we will delete such information if we can identify it.
Scope of policy
International transfer of personal data
Most of your data is only temporarily stored on our servers and will be removed after your report is downloaded. If you use Spot for Teams, your data may be stored longer. During the period that your personal data is stored on our servers, it may be collected, processed, and/or otherwise transferred outside your current geographic location and may be processed not only in the country in which it was collected but also in other countries, including the United States, where data protection and privacy laws and regulations may not offer the same level of protection as in other parts of the world.
By providing your personal data to us, you consent to such transfer, collection, and/or processing in the United States of your personal data. In addition, we have implemented organizational and technical measures to guarantee that, as the case may be, any potential data transfer complied with applicable law.
California privacy rights
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information to third parties for their direct marketing purposes. To make such a request, please send an email to email@example.com or write to us at the address provided below.
Attn: Legal Department
1266 Harrison Street
San Francisco, CA, 94103