1. Responsible controller/contact information
The controller responsible in accordance to data protection laws is (herein also called from time to time “Controller”):
TrueNorth, 8 Cadiz Cir, Redwood City, CA USA.
If you have any questions or suggestions regarding data protection, please do not hesitate to contact us by email at email@example.com.
2. Subject matter of data protection
Subject matter of data protection are personal data. According to Art. 4 No. 1 GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person; this includes, for example, names or identification numbers.
3. Collection and use of your personal data
3.1 Collection of data by automated means (logs)
When accessing our website, your device automatically transmits data for technical reasons. Your IP address is not collected in the course of protocol. The following data is stored separately (logs) from other data that you may transmit to us:
- Date and time of accessing our website
- Name of the requested file/URL
- Status code of the request (success/fail)
- Bytes sent by the HTTP-body
- Browser type and version
- Response time of the request
The legal basis for the temporary storage of data is Art. 6 (1) lit. f GDPR.
This temporary storage is necessary in order to maintain the functionality of the website as well as for the optimization of the website and for ensuring the security of the IT systems.
For these purposes, our legitimate interest in the processing of data according to Art. 6 (1) lit. f GDPR.
The data contained in logfiles will be deleted at the latest after seven days.
In order to be able to use interact and access all areas of our website, you may be asked to register, and to provide personal information, including:
- First name
- Last name
- Email address
- Company address
- Telephone number
This data is necessary so that you can use all features and functionalities of our website. Furthermore, we may need those and additional data to support you and communicate with you.
Processing of any data entered in the context of the registration function is necessary to provide you with services as intended, Art. 6(1) lit. (b) GDPR. Insofar as we collect and process your data for the purpose to provide services, as described above, you are contractually obliged to provide this data, as we are simply not able to provide our services to without that.
During the registration process, this may also be required in view of the fulfilment of a contract or prior to an envisaged contract, even in case that such data is not required anymore for the actual execution of such contract. Even after the actual conclusion of the contract contractual or regulatory obligations may exist to keep personal data of the contractual partner.
3.3 Contact Form
If you contact TrueNorth via the contact form provided online, your input data including contact data is collected and used to process and respond to your request. Thus, we collect your contact data, in order to receive your requests and to be able to respond accordingly.
The legal basis for the storage of data is Art. 6 (1) lit. f GDPR. In case that the contact via email is intended to conclude a contract, additional legal basis for the processing is Art. 6 Abs. 1 lit. b GDPR.
TrueNorth has a legitimate interest to reply to the request of a user. Thus, the processing of data collected via the contact form is necessary unless a reply would simply not be possible. Consequently, the legitimate interest of TrueNorth prevail, Art. 6 Abs. 1 lit. f GDPR.
In general, the data is erased once the purpose of the storage is fulfilled. For personal data collected via online forms, this is the case once the respective communication with the user has ended in the sense that when taking all circumstances into consideration, the request at hand is entirely settled to the satisfaction of both parties and the nature of such request.
Furthermore, you are able to provide additional, non-necessary information via the online forms which are entirely voluntary and only help TrueNorth when reaching out to the user and in responding to the specific request or in case of question.
The legal basis for the storage of data is Art. 6 (1) lit. f GDPR as TrueNorth’s legitimate interest prevails.
TrueNorth has an interest to address and respond to the request of a user, in particular to contact the user, in order to take care of the request in a timely manner. This interest is even in line with the interest of the user itself to get the response requested or referring to and who has signaled by providing respective data that the user wants to be approached.
In general, the voluntarily provided not necessary data is also erased once the purpose of the storage is fulfilled. This is also the case once the respective communication with the user has ended in the sense that when taking all circumstances into consideration, the request at hand is entirely settled to the satisfaction of both parties and the nature of such request.
4. Transfer of data to third parties
In general, your personal data, protocol data or data provided through online forms will only be passed on without your explicit prior consent in the following cases:
The transfer of this data is justified by our legitimate interest in preventing abuse, prosecuting criminal offences and securing, asserting and enforcing legal claims and that your rights and interests in protecting your personal data do not prevail, Art. 6(1) lit. (f) GDPR.
If European data protection authorities or courts may come to the conclusion that Art. 28 Abs. 1 GDPR were no standalone legal basis for the transfer of personal data to contract processors, such transfer shall be deemed based on our legitimate interest in regard to the commercial benefit by the involvement of specialized contract processors and the fact that in comparison, these benefits are deemed predominant to your interest in view of protection of personal data, Art. 6 Abs. 1 lit. f GDPR.
We also process data in countries outside of the European Economic Area (EEA).
For data transfer to the USA, the European Commission has decided by resolution dated 12 July 2016 that the regulations of the EU/US Data Privacy Shield provide for an adequate level of data protection (Art. 45 GDPR). Thus, we use the following services provider that are certified in accordance to the EU/US Privacy Shield:
- HubSpot, Inc.
- Google, Inc.
TrueNorth stores so-called "cookies" in order to offer you a comprehensive range of functions and to make the use of our websites more convenient. "Cookies" are small files that are stored on your computer with the help of your Internet browser. If you do not wish the usage of "cookies", you can prevent the storage of "cookies" on your computer by appropriate settings of your Internet browser. Cookies, that are already stored, can be deleted at any time, this can also be done automatically. Please note that the functionality and range of functions of our website offer may be reduced as a result. We do not rent or sell your Personal Data to anyone at this time.
When you visit our websites, we, or an authorized third party, may place a cookie on your device that collects information, including Personal Data, about your online activities over time and across different sites. Cookies allow us to track use, infer-browsing preferences, and improve and customize your browsing experience.
Do Not Track Policy
Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and across different websites. By using your browser settings, you may block cookies or adjust notifications when a cookie is set.
6. Use of these technologies by other authorized third-party service providers
We may work with third-party companies, commonly known as service providers, who are authorized to place third-party cookies, web beacons, or similar technologies for storing information on our sites or in our services, applications, and tools with our permission. These service providers help us to provide you with a better, faster, and safer experience.
With the exception of the use of such technologies by our service providers or other authorized third-parties, we do not permit any third-party content on sites (such as item listings, member-to-member communications, classified listings, comments, reviews, etc.) to include or utilize any cookies, web beacons, local storage, or similar technologies for tracking purposes or to collect your personal information. Where possible, security measures are set in place to prevent unauthorized access to our cookies and similar technologies. A unique identifier ensures that only we and/or our authorized service providers have access to cookie data. If you believe a listing or other third-party content might be collecting personal information or using tracking technologies on one of our sites, please report it firstname.lastname@example.org.
Furthermore, we may store cookies of third parties, such as:
- - Youtube (embedded videos)
- - Wistia, inc (embedded videos)
On other truenorth.co sites cookies of the following third parties may be stored:
- Google Analytics
The legal basis for the processing of personal data by using cookies for purposes of analysis in case of the existence of an opt-in, is Art. 6 (1) lit. a GDPR. The legal basis for the storage of data is Art. 6 (1) lit. f GDPR.
The purpose of using cookies, that are technically necessary, is to make the usage of the website easier for the user. Some of the functionalities of our website cannot be offered without the use of such cookies; for these it is necessary that the browser is recognized even while browsing across different web pages.
The use of such cookies is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient usage of our website as well as marketing and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
7. Email Platforms
TrueNorth may use Hubspot, iContact, and Pardot (“email platforms”) for purposes of marketing campaign analysis and customer relationship management. Hubspot is a service of Hubspot Inc., a US software company having also a subsidiary in Ireland (contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland). Hubspot is certified subject under the EU-US Privacy Shield. iContact is a service of iContact Marketing (HQ contact: 2121 RDU Center Drive, 4th Floor, Morrisville, North Carolina 27560, USA). iContact participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Pardot is a service of Salesforce, a US company with multiple international offices (HQ contact: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105). For certain Salesforce services, for which the company acts as a data processor, Salesforce is certified under the EU-U.S. Privacy Shield framework.
In the course of the service cookies are being placed that are stored on your computer. Both enable us to analyze the performance of our marketing campaigns and allow users of our website to submit contact requests through forms. The information stored (e.g. IP-address, geographical data, browser type, time and duration of the visit and called websites) are analyzed and evaluated by these email services on behalf of TrueNorth in order to gain insights about your visit and visited websites of TrueNorth.
If you do not wish the usage of "cookies", you can prevent the storage of "cookies" on your computer at any time by appropriate settings of your Internet browser (please also see above sections in this regard).
The use of email platforms and services is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient usage of our marketing campaigns as well as managing relationships with our customers and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
Additional information about the functionality of email platforms, can be found in their respective privacy policies which can be downloaded directly from their websites.
8. Google Analytics
TrueNorth uses Google Analytics, a web analytics service offered by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA („Google“). Google Analytics uses so called “Cookies” which are text files that are stored on your computer and allows the analysis of your use of our website. Die information about your use of our website created by the Cookies (incl. your shortened IP address) is transferred to Google servers in the USA and stored there. Google will use this information to analyze your use of our website and create usage reports of our websites for TrueNorth and to offer further services to TrueNorth that are related to the usage of our websites. Google may pass the collected information to third parties if this is legally required or in order to have the data processed in the name of Google.
You can deactivate Google Analytics through a browser add-on if you do not wish to be part of Google’s website analysis. You can download the add-on at http://tools.google.com/dlpage/gaoptout.
To prevent Google Analytics tracking across devices, you must opt-out on all systems you use. You activate the opt out cookie here at Opt Out Google Analytics.
The use of Google Analytics is based on our legitimate interest in an appropriate design, the statistical evaluation and the efficient marketing of our website and the fact that your legitimate interests do not predominate, Art. 6 (1) lit. f GDPR.
We use Salesforce recruiting software. With Salesforce recruiting we collect personally identifiable information on applicants. Applicants need to provide the following required inputs:
- First name, last name
- Email address
- Phone number
- Cover Letter
This data is required to create an applicant record in our recruiting software to manage and process your job application. Further we need this information and possible further information to support the application process and the communication with you.
We collect this information in order to provide you our job application portal as per Art. 6 (1) lit. (b) GDPR.
When we process your provided data in order to provide you the job application portal, you are contractually required to provide this information to us. Without this information we cannot provide you our job application portal.
During the registration process, this may also be required in view of the fulfillment of a contract or prior to an envisaged contract, even in case that such data is not required anymore for the actual execution of such contract, i.e. after the application process. This information is required to process your job application or to prepare your work contract. Further also after the job application process was completed, either with an offered work contract or rejection, we may be required to store the provided information for contractual or to fulfill other legal or regulatory reasons.
The deletion of applicant data occurs generally as soon as the purpose of the collection is reached, e.g. when a decision on the job application has been made. For documentation of the transparency and discrimination free decision, we store the applicant data up to six months respectively and upon your explicit consent for a longer period.
TrueNorth may use plugins from video service providers including Wistia, located at Wistia, Inc., 17 Tudor Street, Cambridge, Massachusetts, 02139 USA, on its website.
Wistia is a video hosting service that allows website visitors to view videos provided by TrueNorth. Wistia further provides website owners the ability to track engagement metrics and create personalized call-to-actions to improve video viewing experience.
TrueNorth does not process this information further or transfers it to further third parties.
By the usage of the Wistia plugin you agree with the described data processing by Wistia.
11. Onsite Visitors
We may collect personal identifiable information from visitors to TrueNorth offices including:
- First name, last name
- Email address
- Personal Photo
This data is required to create a visitor record in our software to manage and record your visit and print a temporary one-use badge while in TrueNorth offices.
We collect this information for security purposes in order to comply with our internal visitor policy, which represents a legitimate interest as per Art. 6 (1) lit. (f) GDPR.
When we process your provided data in the visitor kiosk at the entrance of any TrueNorth building, you are required to provide this information to us. Without this information we cannot provide access to any TrueNorth office.
The information is further stored beyond the visit as required for internal audit and information security purposes.
The deletion of this data occurs generally as soon as the purpose of the collection is reached, or upon request of the data subject, at the latest though after 12 months.
12. Your rights as data subject
In case your personal data is processed, you are the data subject within the meaning of GDPR and you have the rights outlined hereafter.
13.1 Right of confirmation and access (Information)
Each data subject shall have the right granted by the European legislator to obtain from the Controller the confirmation as to whether or not personal data concerning him or her are being processed.
In case such processing occurs, the data subject may request access to the following information:
- the purposes of the processing of personal data;
- the categories of personal data concerned in the processing;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer in accordance with Art. 46 GDPR.
13.2 Right to rectification of inaccurate data
You have the right that TrueNorth has to immediately correct or complete any personal data concerning you if it is inaccurate or incomplete. We as the controller would have to execute your request without undue delay.
13.3 Right to restriction of processing
You have the right that TrueNorth has to restrict processing of your personal data subject to the following prerequisites:
- The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
- The Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
- The data subject has objected to processing pursuant to Art. 21 (1) of the GDPR pending the verification whether the legitimate interests of the Controller override those of the data subject.
In case the processing of your personal data was subject to restriction, and notwithstanding their storage, such data shall only be processed with your consent or for the establishment, exercise, or defense of claims or for the procurement of the protection of rights of a natural or legal person or for purposes of an important public interest of the European Union or a member state.
In case the restriction of processing has been executed in accordance with the above, you shall be informed by the Controller prior to the cancellation of such restriction.
13.4 Right to erasure (“Right to be forgotten”)
a) Right to erasure
Each data subject shall have the right to request from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following reasons applies, as long as the processing is not necessary:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent to which the processing is based according to Art. 6 (1) lit. a GDPR, or Art. 9 (2) lit. a GDPR, and where there is no other legal reason for the processing;
- the data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or - - the data subject objects to the processing pursuant to Art. 21 (2) GDPR;
- the personal data has been unlawfully processed;
- the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject to;
- the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.
b) Information to third parties
Where the Controller has made personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Controllers processing the personal data that the data subject has requested erasure of any links to, or copy or replication of, those personal data, from these controllers.
The right to erasure does not apply where the processing is necessary:
- for the exercise of the right of freedom of speech and information;
- for the fulfilment of a mandatory legal obligation that is mandatory, according to European or the respective member state’s law the Controller is subject to, or is necessary for the performance of a task carried out in the public interest or in execution of official authority given to the Controller;
- for reasons of public interest in regard to public safety and health pursuant to Art. 9 Abs. 2 lit. h and i as well as Art. 9 (3) GDPR;
- for archives in the public interest, scientific, historical or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the granted right mentioned in a) above would likely make the achievement of such purposes impossible or seriously endangered; or for establishing, exercising or defending legal claims.
13.5 Right of information
In case you have claimed the right of rectification, erasure or restriction of the processing towards the Controller, the Controller is obliged to inform all recipients of personal data belonging to you such rectification, erasure or restriction accordingly, unless such information seems to be impossible or only possible by needing inappropriate efforts.
You are entitled to claim to be informed by the Controller about such recipients.
13.6 Right to data portability
You shall have the right to receive the personal data concerning you, which was provided to us as the Controller, in a structured, commonly used and machine-readable format. You shall also have the right to transmit this data to another Controller without hindrance from the Controller to which the personal data has been provided, as long as the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or of Art. 9 (2) lit. a GDPR, or on a contract pursuant to Art. 6 (1) lit. b GDPR, and the processing is carried out by automated means.
Furthermore, in exercising your right to data portability, the data subject shall have the right to have personal data transmitted directly from one Controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
The right to data portability only applies as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
13.7 Right to object
Each data subject shall have the right to object, based on his or her particular situation, at any time, to processing of personal data concerning him or her, which is based of Art. 6 (1) lit. e, or f GDPR. This also applies to profiling based on these provisions.
TrueNorth shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
If TrueNorth processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing.
If the data subject objects to TrueNorth to the processing for direct marketing purposes, TrueNorth will no longer process the personal data for these purposes.
In order to exercise the right to object, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
13.8 Right to withdraw data protection consent
You as data subject shall have the right to withdraw your consent to processing of your personal data at any time. Irrespective of such withdrawal of the consent, the legitimation of the processing of personal data until the withdrawal shall remain unaffected.
13.9 Automated individual decision-making, including profiling
Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision
- is not is necessary for entering into, or the performance of, a contract between the data subject and a Controller, or
- is not authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
- is not based on the data subject's explicit consent.
Notwithstanding the aforementioned, such decisions shall not be based on specific categories of personal data pursuant to Art. 9 (1) GDPR, insofar Art. 9 (2) lit. a or lit. g do not apply and in case that suitable measures to safeguard the data subject's rights and freedoms and legitimate interests were procured.
In view of the cases 1 to 3 above, the Controller shall procure suitable measures to safeguard the data subject's rights and freedoms and legitimate interests. This means that the Controller is at least required to procure the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision.
13.10 Right to file complaints with the regulatory authority
Notwithstanding any other administrative and judicial procedures, you shall have the right to file a complaint with a competent regulatory authority, in particular in the member state where you are situated, you have your place of work or where the alleged breach has occurred; if you believe that the processing of your personal data is a breach of the regulations set forth in the GDPR.
The regulatory authority, that has been approached by you, shall inform you about the status of the results of an investigation on an ongoing basis as well as about the possibility of a judicial procedure according to Art. 78 GDPR.
14. California Residents
The California Consumer Protection Act (“CCPA”) provides additional rights to know, delete and opt out, and requires businesses collecting or disclosing Personal Data to provide notices and means to exercise those rights. The words used in this section have the meanings given to them in the CCPA, which may be broader than their common meaning.
California law requires that we detail the categories of Personal Data that we disclose for certain “business purposes,” such as to service providers that assist us with securing our services or marketing our products, and to such other entities as described in Sections 5, 6 and 7 of this Privacy Statement. We disclose the following categories of Personal Data for our business purposes:
- Commercial information;
- Internet activity information;
- Financial information;
- Professional and employment-related information;
- Education information; and
- Inferences drawn from any of the above information categories.
Right to Know and Delete: California Residents have the right to delete the Personal Data we have collected from you, and the right to know certain information about our data practices in the preceding twelve (12) months. If you would like to receive or delete your personal information, you can email us at email@example.com . We will confirm receipt of your request within ten (10) days.
Right to Opt Out: We do not sell Personal Data as the term “sale” is traditionally understood. However, if and to the extent “sale” under CCPA is interpreted to include advertising technology activities specifically for interest-based advertising, we will comply with all applicable laws as to such activity.
Authorized Agent: You may choose to designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.
Shine the Light: As a California resident, you may ask us for a notice describing what categories of personal information we share with third parties or affiliates for those third parties or affiliates’ direct marketing purposes and identify the name and address of the third parties that receive such personal information. Please submit a written request to the address provided below and specify you would like to receive a copy of your California Shine the Light Notice. We may require additional information from you to verify your identity. Please note that we are only required to respond to requests once during any calendar year.
Consumer Affairs: Under California Civil Code Section 1789.3, California residents are entitled to the following specific consumer rights notice: If you have a question or complaint regarding the Services, please send an email to firstname.lastname@example.org . You may also contact us by writing to us at 525 Market Street, Suite 3000, San Francisco, California 94105. California residents may reach the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 400 R Street, Suite 1080, Sacramento, California 95814, or by telephone at 916-445-1254 or 800-952-5210.
Updated on November 19, 2020