EquiRatings

Privacy Policy

INTRODUCTION

EquiRatings Limited ("us", "we", or "our") operates https://www.equiratings.com.

Our Privacy Policy governs your visit to https://www.equiratings.com and explains how we collect, safeguard and disclose information that results from your use of our website.

Last updated: April 9th, 2024 - Any updates to this Privacy Policy will be published directly to https://www.equiratings.com

Individuals have the right to understand how we collect and use their personal data, what their rights are, and how to contact us.  This Privacy Policy describes how we collect and use information and what choices you have with respect to that information.

When we talk about the “Services” in this Policy, we are referring to the use of software applications and platforms made available online to customers for the purpose of reviewing performance data and data-driven content. We are an Irish registered company and we are the entity responsible for the personal data of all customers globally. If you have any questions please contact our DPO at info@equiratings.com 

LEGISLATION COVERED

This policy is to outline our obligations with respect to GDPR, UK GDPR, HIPAA, and any other U.S. legislation and state consumer data protection laws, including the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and any other legislation which may apply to us. For the purposes of HIPAA compliance, where we receive Protected Health Information, we will be considered a Business Associate ‘BA’ and Client may be considered a Covered Entity ‘CE’. Any reference to personal data in this Privacy Policy may include Protected Health Information, and Controller should be understood to mean Covered Entity and any reference to Processor shall be understood to mean Business Associate unless stated otherwise. For the purposes of HIPAA, our Managing Director shall be our Privacy Officer.

WHAT INFORMATION DOES EQUIRATINGS COLLECT AND RECEIVE?

In the course of our operations, we operate as both a Data Processor and a Data Controller. For clarity, we are a Data Controller for Human Resources and Business personal data and a Data Processor for Customer Data:

Human Resources (Controller)

  • HR File
  • Payroll
  • Potential Employees

Marketing (Controller)

  • Marketing opt-in data
  • Customer Lead Generation Data
  • Cookies

Customer Data (Processor)

  • ID and performance data for provision of services
  • Account and billing information
  • Service usage information

EQUIRATINGS AS DATA CONTROLLER

HR file: Comprises information which is collected for the purposes of our role as an employer. Payroll is the data processed for the purposes of paying employees and also some contractors. Potential employees: If you apply for a job with us, we will receive the personal data you provide to us such as your name, address, contact information, education details and professional experience. We will use this information for the purposes of hiring only and will process it only on the basis of our legitimate interests. You can ask for your information to be removed from our database at any time by contacting info@equiratings.com.

Marketing: Marketing data is that which is captured via our processes of either an individual opting into Marketing or in certain instances, cookies, and/or customer lead generation data from a third party. If you wish to opt out of marketing activity you can do so by contacting info@equiratings.com.

EQUIRATINGS AS DATA PROCESSOR

We may collect, store and analyze information (including personal data) about individuals (such as athletes) whose personal data is processed by us during the provision of the Services to our customers (“Customer Data”). This information is controlled by our customers and is processed by us in accordance with the agreement for Services (“Customer Agreement”). To the extent that we collect, store and analyze Customer Data, we do so on behalf of our customers and are a “data processor” only. If Customer Data includes your personal data or you are using the Services by invitation of a customer, whether that customer is your employer, team, another organization, or an individual, we collect, store, and analyze your personal data on behalf of our customer. That customer will determine its own policies regarding the treatment of Customer Data which may apply to your use of the Services. Please check with the customer about the policies it has in place. 

Customer Data: may, among other things, comprise data that identifies a person, and relates to them and their performance. This data will be used in order to provide the services to our customers. 

Account and billing information: To create an account and to access the Services, customers must provide us with names, usernames, passwords and contact information. In addition customers may provide billing information including bank account details to complete transactions in relation to our Services. 

Services usage information: When a customer interacts with the Services, usage information is created and may include details of administrative, technical and support communications with us. 

HOW DOES EQUIRATINGS USE CUSTOMER DATA?

Customer Data will be used by us in accordance with customer’s instructions, including any applicable terms in the Customer Agreement, and as required by applicable law. Any information processed by us as a Controller will only be processed where there is a strict legal basis (e.g. employees on the basis of contract). We will only collect the minimum information which is necessary and relevant to accomplish the legally authorized purpose of collection, and it will be retained for the minimum relevant periods based on that legally authorized purpose (including consent).

We use de-personalised and aggregated data generated by our customers’ use of our Services to better understand how customers are using the Services in order to improve them.  This processing of data  is required as a matter of contractual necessity and also may be necessary in line with our legitimate interests. 

To send emails and other communications: If you contact us, we may use your contact information to respond. We may also send service, technical and administrative emails and messages. We may also contact customers to inform them about changes in our Services, our service offerings, and important service related notices, such as security and fraud notices. These emails and messages are considered part of the Services and customers may not opt-out of them. In addition, we occasionally send emails about new product features, events or other news about us. These are marketing messages you can opt out of at any time.  This processing of data is required as a matter of contractual necessity and is also necessary for our legitimate interests which are described in more detail below.  

For billing and account management: We use account and billing information to administer accounts and keep track of billing and payments.  This processing of data  is required as a matter of contractual necessity and may also be required to enable us to comply with our legal obligations. 

For investigating fraud and abuse: We work hard to keep the Services secure and to prevent abuse and fraud.  Such processing will be in our legitimate interests of keeping the Service safe and secure.  

For research: We use anonymised and aggregated data for business purposes such as performing research on specific subject-areas as well as statistical analysis and machine-learning, market analysis and producing reports. The data is anonymised and aggregated so the data is no longer associated with and can no longer be linked to an identifiable customer of the Services, or athlete whose data we have been provided with by a customer. 

OTHER USES FOR THE DATA EQUIRATINGS COLLECTS?

We may share information described in this Policy from time to time under certain circumstances, so we can offer you the best service possible, to run our business, or to comply with legal and regulatory obligations and to comply with any legal requests.  Such sharing will also be necessary for the purposes of our legitimate interests. 

Third Party Service Providers and other partners: We may provide data to vendors, service providers, and other partners including affiliates in our corporate group who work on our behalf to help provide the Services and who will use this information only in accordance with instructions from us or restrictions imposed by us. We do not share or sell any information, including that of children, with other Data Controllers. Further information on the third parties who receive this data is available by contacting info@equiratings.com

Legal Compliance: We may process information in order to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process. 

Changes to Business Structure: In the event we are involved in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).   

Fraud and Illegal Activity: We may work to enforce our rights, prevent fraud and for safety and to protect the Services and its customers. This is in order to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or other criminal activities.  Such sharing may be required by law or may be necessary for the purposes of our legitimate interests.

LEGAL BASIS FOR PROCESSING

To the extent that our processing of data is subject to the EU General Data Protection Regulation, we rely on a number of legal bases to collect and use information for purposes described in this Policy, including:

  • as necessary to provide the Services and to perform the Customer Agreements;
  • where you have consented to processing, which you can revoke at any time;
  • where necessary to comply with a legal obligation, a court order, or to exercise and defend legal claims; and
  • as necessary for our legitimate interests or those of a third party. 

Where we rely on legitimate interest to process data, the legitimate interests we rely on are (i) to create, provide and maintain innovative Services; (ii) to ensure security (including compliance with the HIPAA security rule) of personal data for which we are either a Controller or a Processor; (iii) to carry out marketing; and (iv) to recruit talented individuals.

SECURITY AND DATA RETENTION

We take various physical, administrative, and technological steps to store and transmit data securely. In addition to technological security measures, we place access controls on our employees, contractors, and other partners. Our employees are subject to strict contractual confidentiality obligations that are consistent with this Policy, and may be disciplined or terminated if they fail to meet these obligations. Despite these measures, we cannot guarantee that the information described in this Policy will be completely secure. We only store our data for as long as is necessary to provide our Service under the Customer Agreement or to comply with our legal and regulatory obligations. This means certain transaction data will be held beyond the duration originally intended; however, this will at all times be done in compliance with our retention policy. Examples of where this may be reasonably necessary are to resolve disputes, prevent fraud or abuse, or enforce this Policy and our agreements with customers.

DATA QUALITY 

Where we are a Data Controller we will at all times seek to ensure the accuracy, relevance, timeliness and completeness of information collected; where we are a Processor we seek to facilitate this for our Clients. In order to ensure quality, information is collected directly from Clients to the greatest extent possible. This information is input directly by coaches, athletes and staff of the Client, or sometimes in bulk transfers by the Client to us.

INTERNATIONAL DATA TRANSFERS

We may share, as described in this Privacy Policy, information with our affiliates and subsidiaries, and third parties. In order to provide the Services, our data may be transferred internationally outside of the European Economic Area (“EEA”)  to our US-based affiliate company or third party service providers who are located outside the EEA. These data transfers are necessary to provide the Service and we at all times use a legal basis for transfer as is required by EU or UK law, whether that means via adequacy decision or EU/UK SCC.

THIRD PARTY SERVICES

This Privacy Policy applies only to our Services. Our websites may contain links to other websites. We have no control over the privacy practices or the content of any of our business partners, advertisers, sponsors, or other third parties we link to from our website, and do not endorse, approve, or certify these other websites, and we do not guarantee the accuracy, completeness, efficacy, or timeliness of the information contained on those websites. You should check the applicable privacy policies of the website sponsor when linking to other websites. We use analytics.google.com to monitor and analyze the use of our Services. It is fully compliant with GDPR, CCPA and PECR.

DATA SUBJECT RIGHTS

Under certain Data Privacy Laws, if your personal data is processed by us, then you have certain statutory rights in relation to your data. Residents of the UK, EEA, and United States can find specific information about their privacy rights below.  

UK AND EEA DATA SUBJECT RIGHTS 

Subject to exemptions provided by law you can request access to your personal data as well as seek to rectify, erase, restrict, port and object to us processing your personal data. You can also access your personal information or exercise any of your rights described above by sending us a request at info@equiratings.com.  After we verify your identity, we will process the request in accordance with law. Where we are a Processor we provide our clients with the means by which they can undertake this themselves via the services we provide. Without prejudice to any other rights you also have the right to file a complaint against us with your local supervisory authority, or with the Irish Data Protection Commissioner by contacting them at info@dataprotection.ie.

U.S. DATA SUBJECT RIGHTS

Several U.S. state Data Privacy Laws, including the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Law, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, and any other state consumer data protection law that may become effective provide residents with certain rights regarding their personal data. Although some of these rights apply generally, certain rights will only apply to limited individuals or circumstances. To the extent that these laws apply, you may exercise the following rights: 

Right to Know and Access Information: Note that much of the information you are entitled to know or access is disclosed in this Privacy Policy. With this said, you have the right to know about our information practices. You also have the right to access the categories of data we collect, with whom we share or sell that information, and, in some cases, what specific personal information we associate with you or your account. 

Right to Data Portability: If you request a copy of your specific information then we will provide it in an easily accessible format.

Right to Deletion or Erasure: You may request that we delete the personal information we have collected about you. Depending on the applicable law, in some cases we are required or permitted to retain your information, even if you validly requested we delete or erase it. 

Right to Correct Information: You may request we correct or rectify inaccurate information we have collected about you.

Right to Limit Use of Information for Advertising: You may opt-out of our use of your personal information for advertising purposes.

Right to Withdraw Consent: You may withdraw your consent to our data privacy practices.

Right to Non-Discrimination: You have the right to not experience discrimination from us for exercising the rights listed in this section. What we mean by discrimination is denying you access to our services or limiting the quality of our services. However, limiting use of, or deleting, your personal information may restrict the purposes or uses that rely on that information. 

Right to Appeal: If we deny your rights request, you may have the right to appeal our decision. 

To exercise any of your privacy rights, including accessing your personal information or exercising any of the rights described above, you can send us a request at info@equiratings.com. Please include your email address, full name, and specific information about your request(s) and, if applicable, specifically what information you do not want to receive. If you would like to update or correct your email address, street address, or other personal information with us, please include specific details about the information you wish to have updated or corrected. For requests submitted by email, you must provide enough information to allow us to verify your identity. Only you or your authorized agent may make requests regarding your personal information. An authorized agent must have documentation that they are authorized to act on your behalf. We will attempt to fulfill or reject your request within the amount of time required by law.

OTHER PRIVACY CONTROLS

Global Privacy Controls. Global Privacy Control (GPC) is a special browser setting that helps users exercise their rights or share privacy preferences. The GPC sends signals such as not to share or sell personal data without their consent. You can download the GPC browser extension here.

Do Not Track Signals. CalOPPA requires us to let you know how we respond to web browser Do Not Track (“DNT”) signals. DNT is a privacy preference you can set in your web browser to indicate that you do not want certain information about your webpage visits collected across websites when you have not interacted with that service on the page. 

If you want to enable Do Not Track (DNT) via CookieYes, you can follow these simple instructions: see here. For Firefox, go to “Preferences,” select “Privacy & Security,” and under “Send websites a ‘Do Not Track’ signal that you don’t want to be tracked,” choose “Always.” For Chrome, go to “Settings,” click on “Privacy and security,” then “Cookies and other site data,” and enable “Send a ‘Do not track’ request with your browsing traffic.”

Nevada Privacy Rights. Nevada residents have the right to opt-out of the sale of their Personal Information. We do not currently “sell” data as defined by Nevada law at this time. 

CONTACT US

If you have any questions about our Policy or practices and/or wish to exercise any of your statutory rights, please contact our Data Protection Officer at info@equiratings.com or at the address below:  EquiRatings Limited, Ballybolger, Nurney, Carlow, R93 H025, Ireland.