- General Information And Who We Are
- The Information We Collect About You
- How Is Your Personal Information Collected?
- How We Use Your Personal Information
- How We Share Your Personal Information
- International Transfers
- Data Subject Rights
- Data Retention
- Security Of Your Personal Information]
Veracross is made up of different legal entities, as follows:
- Veracross LLC, a Massachusetts limited liability company with offices located at 401 Edgewater Place, Suite 360, Wakefield, MA 01880
- Magnus Health, LLC, a Delaware limited liability company with offices located at 323 West Martin Street, Raleigh, NC 27601
If you are based in the European Union, please note that you have the right to make a complaint at any time to your national supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the regulator so please contact us in the first instance.
It is important that the Personal Information we hold about you is accurate and current. Please update it or keep us informed if your Personal Information changes during your relationship with us.
2. The Information We Collect About You
We may collect, use, store and transfer the following categories of Personal Information from our Website users. For more information about the categories of Personal Information about you we collect or otherwise access as a data processor for purposes of our Services to our Clients, please contact us by email at firstname.lastname@example.org:
- Identity Data includes first name, and last name.
- Contact Data includes business phone number, email address, postal address (street address, city and state.
- Employment and Education Data includes your CV information (job applicants), job title, and employer name.
- Correspondence Data includes email, and SMS.
- Technical Data includes internet or other electronic network activity information, including, but not limited to, information about your browser, software, equipment, IP address, domain names, access times, browsing history, search history, and information regarding your interaction with an internet website, application, cookie, or advertisement. For users of our mobile applications, we automatically collect information on the type of device you use and operating system version.
If you fail to provide Personal Information
Where we need to collect Personal Information by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services). In this case, we may have to cancel a Service you have with us but we will notify you if this is the case at the time.
3. How We Collect Your Personal Information
We use different methods to collect information from and about you including through:
- Direct interactions. You may give us your Identity, Contact, Employment and Education, and Social Media Data by filling in forms or by corresponding with us by post, phone, email, through our social media accounts, fax, or otherwise. This includes Personal Information you provide when you:
- request a demo of our software.
- register for or watch previous trainings, webinars, or events.
- apply for one of our available positions at Veracross.
- apply to become one of our Partners.
- log into your account on our Service or visit our Websites.
- subscribe to our Blog.
- request marketing to be sent to you.
- contact account or customer service teams for support.
- request more information about our Services; or
- contact us.
- Automated technologies or interactions. As you interact with our Websites and Services, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Information by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
- Third parties or publicly available sources. We will receive Personal Information about you from various third parties as set out below:
- Technical Data from the following parties:
- analytics providers such as Google Analytics, Google Data Studio and Pendo based outside the EU
- Identity, Contact and Technical Data from following parties based outside the EU
- providers of survey services such as Survey Monkey, and Microsoft Forms
- providers of inbound marketing such as HubSpot, Campaign Monitor and Pardot
- advertising networks such as Google Ads (including Google Data Studio)
- Identity, Contact, Employment and Education, and Financial Data from our Clients that engage our Services.
- Identity, Contact, and Financial Data from providers of payment services such as Bluesnap, Authorize.net (VISA), Intuit, Network Merchants, and Spreedly based inside and outside the EU.
- Technical Data from the following parties:
When we provide our Services, we collect individuals’ information under the direction of contracted educational or other institutions (our “Clients”). We process that information as a service provider for our Clients through our Services. We have no direct relationship with the individuals whose Personal Information we process through our Services. Any Personal Information about individuals that we collect on behalf of our Clients is used solely for the business purpose for which our Clients provide the information, and we will promptly comply with Clients’ requests to provide, correct, or remove information, in compliance with applicable law.
When you use our Websites, whether you are an employee of a Client, an individual with whom we interact on behalf of our Client, or any other individual, we may collect the categories of information listed above from you directly through your interaction with the Websites.
4. How We Use Your Personal Information
We will only use your Personal Information when the law allows us to. Most commonly, we will use your Personal Information in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
Click here to find out more about the types of lawful basis that we will rely on to process any Personal Information that we collect directly from you.
Generally, we do not rely on consent as a legal basis for processing your Personal Information although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
When we obtain your Personal Information through one of our Clients we will only use that information for purposes of our Services to that Client, on the Client’s behalf, and in accordance with our contract with such Client.
Purposes for which we will use your Personal Information
We have set out below, in a table format, a description of all the ways we plan to use your Personal Information collected from our Websites and, if you are based in the European Union, which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
We have also set out in the same table, separately from the above, a description of the ways we plan to use Personal Information about you obtained from our Clients in connection with our Services.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|(a) Performance of a contract with you (to inform you of any changes to our terms and conditions)
|To enable you to complete a survey regarding our services||(a) Identity
|Necessary for our legitimate interests (to study how customers use our services)|
|To administer and protect our business and our Websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity
|Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)|
|To deliver relevant Website content to you||(a) Identity
|Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our Website, Services, marketing, customer relationships and experiences||(a) Technical
|Necessary for our legitimate interests (to define types of customers for our services, to keep our Websites updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about services that may be of interest to you||(a) Identity
|Necessary for our legitimate interests (to develop our services and grow our business)|
|To process your application as a partner with us||(a) Identity
|Performance of a contract with you or in order to take steps at your request prior to entering into a contract with you|
|To respond to your inquiries related to employment opportunities||(c) Identity
(e) Employment and Education
|Performance of a contract with you or in order to take steps at your request prior to entering into a contract with you|
|Purpose/Activity||Type of data, as described in the Data Processing Agreement between Veracross and its Clients|
|To register a new Client and to enable those users whose information was provided to us by the Client to use our Services||(a) Identity
(c) Employment and Education
(e) Social Media
|To deliver our payment services to Clients including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to the Client or to us
|To enable Clients to survey our users regarding our services||(a) Identity
(d) Social Media
|To administer and protect our business, our Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity
|To deliver relevant Service content to you||(a) Identity
(d) Social Media
|To use data analytics to improve our Services, marketing, customer relationships and experiences||(a) Technical
|To make suggestions and recommendations to you about services that may be of interest to you||(a) Identity
We strive to provide you with choices regarding certain Personal Information uses, particularly around marketing. We have established the following Personal Information control mechanisms:
Promotional offers from us
We may use your Identity, Contact, Technical, and Social Media Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you.
You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.
We will get your express opt-in consent before we share your Personal Information with any company outside our company for their own marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you.
Where you opt out of receiving these marketing messages, this will not apply to Personal Information provided to us as a result of a Service purchase, support experience or other transactions.
Change of purpose
We will only use your Personal Information for the purposes for which we collected it. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. How We Share Your Personal Information
We may share Personal Information with our service providers for the business purposes listed in the tables above. Our service providers may only use the Personal Information for the business purpose for which we provide it.
If you are a direct Client or prospect, we may share data with our trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. For certain sensitive information (e.g., Personal Information specifying medical or health conditions, racial or ethnic origin, or information pertaining to the sex life of an individual), we will provide you with a mechanism to obtain your affirmative consent (opt-in) before such information about you is disclosed to a third party or used for a purpose other than those for which it was originally collected or which you subsequently authorized. All such third parties are prohibited from using your Personal Information, except to provide these services to us, and they are required to maintain at least the same level of privacy protection that we maintain for your information.
We will disclose Personal Information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the law or comply with legal process, such as a subpoena, served on us or the site; (b) protect and defend our rights or property; (c) act under necessary circumstances to protect the personal safety of users, or the public; and (d) in certain situations, we may be requested to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Websites of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
Cookies and other tracking technologies
6. International Transfers
We largely operate in the United States (“U.S.”), but also have Services locations in the EU, and therefore, if you reside outside of the U.S. you understand and agree that your Personal Information may be transferred to, stored or processed in, the U.S. by us and our third-party hosting providers. Furthermore, you understand that U.S. law may not afford the same level of protection to personal information as those afforded in your country. Personal Information may be transferred for the performance of a contract or as required for the implementation of pre-contractual measures taken at your request or to establish or exercise our legal rights.
Whenever we transfer your Personal Information out of the EEA, we ensure a similar degree of protection is afforded to it by using specific contracts approved by the European Commission which give Personal Information the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Information out of the EEA.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
Veracross LLC and its subsidiary, Magnus Health LLC, participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. [https://www.privacyshield.gov/list/]
Veracross is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Veracross complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Veracross is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
7. Data Subject Rights
Individuals in Andorra, Argentina, Australia, California, Canada, Cayman Islands, Europe, Faroe Islands, Guernsey, Hong Kong, Israel, Isle of Man, Japan, Jersey, Mexico, New Zealand, Singapore, South Korea, Uruguay, and certain other jurisdictions may have certain data subject rights.
Please see the glossary below to find out more about these rights:
- request access to your Personal Information.
- request correction of your Personal Information.
- request erasure of your Personal Information.
- object to the processing of your Personal Information.
- request restriction of processing your Personal Information.
- request transfer of your Personal Information.
- right to withdraw consent.
Individuals in certain jurisdictions may also have the right to lodge a complaint about the processing of Personal Information with your local data protection authority.
We will process your request within the time provided by applicable law.
We will not discriminate against you for exercising your data subject rights.
You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Exercising Your Data Subject Rights
The following section only applies to you if we collect and process your Personal Information directly and for our own purposes, not on behalf of our Clients for purposes of the Services we provide to you on their behalf. If we collect and/or otherwise process your information this section does not apply to you and we ask that you please direct any request to exercise your data subject rights to the data owner / controller on behalf of which we process your Personal Information for purposes of our Services.
If we collect and process your Personal Information directly and for our own purposes, you may submit a request to exercise your data subject rights by sending an email via the link below:
Individuals who submit requests to exercise data subject rights will be required to verify their identity by answering certain questions. We cannot process data subject rights requests until your identity is verified. This is a security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
If you are making a request for access, we may not be able to provide specific pieces of Personal Information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your Personal Information, your account with us, or our systems or networks.
If you are making a request for erasure of Personal Information, we will ask that you confirm that you would like us to delete the Personal Information again before your request is processed.
You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.
Agents who make requests on behalf of individuals will be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.
If you are seeking to access, correct, or delete information on our Services, we may refer your request to the Client (your educational or other institution).
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Nevada residents who wish to exercise their sale opt-out rights under Nevada Revised Statutes Chapter 603A may submit a request to this designated address: email@example.com. However, please know we do not currently sell data triggering that statute’s opt-out requirements.
8. Data Retention
We will retain your information that we have collected for our own business purposes, to provide you with services, for as long as your account is active, or as needed, to provide you services.
If we have obtained your Personal Information on behalf of our Client, we will retain that Personal Information for as long as needed to provide services to our Client.
We will retain and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
To determine the appropriate retention period for Personal Information, we consider the amount, nature and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your data: see [data subject rights] above for further information.
In some circumstances we will aggregate your Personal Information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. Security of Your Personal Information
We maintain physical, electronic, and procedural safeguards designed to help secure our platform and your Personal Information, and to assist us in preventing unauthorized access, use, disclosure, loss, alteration, and destruction of that information. When you enter sensitive information or login to our portal, we encrypt the transmission of that information using Transport Layer Security (TLS) . Nevertheless, no set of security safeguards is guaranteed to be impenetrable. We cannot and do not guarantee that communications to or from our Websites or Services, or that data transmitted or stored on or through our Websites or Services, are or will be totally secure from unauthorized access, use, disclosure, loss, alteration, or destruction by third parties.
We have put in place procedures to deal with any suspected personal data breach and will notify you (with respect to any Personal Information we collect directly from you and which we process as a controller) or our Client (with respect to any Personal Information relating to you which we process on behalf of such Client for purposes of our Services) and any applicable regulator of a breach where we are legally required to do so.
We are committed to protecting the privacy of children. We do collect Personal Information about children under the age of 18 or under the legal age of majority in your jurisdiction. Such Personal Information is however not collected directly from the children but through their parent or legal guardian and are only used by us in our role as a service provider for our Clients through our Services. As such, any Personal Information about children that is uploaded on our Websites or otherwise shared by their parent or legal guardian is only used on behalf of our Clients and solely for purposes of our Services, and we will promptly comply with Clients’ requests to provide, correct, or remove any such information, in compliance with applicable law.
Regarding the Services (and not the Websites), we may list you in our “Client-only accessible” member directory. If you are a member and wish to request removal of your information from our directory, you should refer your request to the Client (your educational or other institution).
Changes to this Policy
401 Edgewater Place
Wakefield, Massachusetts 01880
Email Address: firstname.lastname@example.org
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Information for our legitimate interests. We do not use your Personal Information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your Personal Information where it is necessary for compliance with a legal obligation that we are subject to.
Consent means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of Personal Information relating to you.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your Personal Information (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Information we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your Personal Information. This enables you to ask us to delete or remove Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your Personal Information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
When your Personal Information was collected by any of our Clients and processed by us on behalf of such Clients please contact your educational institution to exercise any of the above rights.