Effective October 1, 2018 | Last Update November 6, 2023
Certain jurisdictions worldwide have enacted laws related generally to processing the personal information about individuals.
If you reside in California, The California Consumer Privacy Act, codified at Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the “CPRA”), including any other future amendments as well as any final implementing regulations adopted either by the State of California Privacy Protection Agency (collectively, “CCPA/CPRA”) also now protects “Personal Information” that identifies, relates to, describes or can be associated with, or reasonably can be linked (directly or indirectly) with a specific individual (“Consumers”) or household in California. If you think Skytap is processing your Personal Information, please see the sections in the Policy below under the heading “Supplemental Disclosures Section: All Employment-related and Non-GDPR Privacy and Data Protection Regulation Specific Disclosures” for more information about Skytap and CCPA/CPRA.
Account means a unique account created for you to access our Services or parts of our Services.
Affiliate means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
Business, for the purpose of CCPA/CPRA, refers to Skytap as the legal entity that collects Consumers’ personal information and determines the purposes and means of the processing of Consumers’ personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California.
CCPA/CPRA refers to California Consumer Privacy Act (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”).
Consumer, for the purpose of the CCPA/CPRA, means a natural person who is a California resident. A resident, as defined in the law, includes (1) every individual who is in the USA for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the USA who is outside the USA for a temporary or transitory purpose.
Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
Data Controller, for the purposes of the GDPR (General Data Protection Regulation), refers to Skytap as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Device means any device that can access the Website and/or Services such as a computer, a cellphone or a digital tablet.
Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
GDPR refers generally to both of the EU General Data Protection Regulation and the variant adopted by the United Kingdom post-“Brexit”.
Personal Data is any information relating to an identified or identifiable natural person (e.g., a Data Subject or a Consumer depending on the applicable regulation).
For the purposes of GDPR, Personal Data means any information relating to you such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
For the purposes of the CCPA/CPRA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a “Consumer”. Also, for clarity, CCPA/CPRA refers to Personal Data as “Personal Information.”
Services refers to the virtualized Infrastructure as a Service that Skytap makes generally available for subscription to companies via “cloud.skytap.com”, and that is augmented and supported by “help.skytap.com”, and “learn.skytap.com”.
Service Provider means any natural or legal person who processes the data on behalf of Skytap. It refers to third-party companies or individuals employed by Skytap to facilitate the Website and/or Services, to provide the Services on behalf of Skytap, to perform services related to the Website and/or Services or to assist Skytap in analyzing how the Website and/or Services are used. For the purpose of the GDPR, Service Providers are considered Data Processors.
Usage Data refers to data collected automatically, either generated by the use of the Website and/or Services or from the Website and/or Services infrastructure itself (for example, the duration of a page visit).
Website refers to www.skytap.com.
You means the individual accessing or using the Website and/or Services, or the company, or other legal entity on behalf of which such individual is accessing or using the Website and/or Services, as applicable.
If GDPR applies to you and your Personal Data, under GDPR, you can be referred to as the Data Subject or as the user when you are the individual using the Website and/or Services. If CCPA/CPRA applies to you and your Personal Information, under CCPA/CPRA, you can be referred to as the Consumer as the individual using the Website and/or Services.
Link to Supplemental Disclosures Specifically Related to Rights as an Employee/Employment Candidate Under All Applicable Privacy and Data Protection Regulations AND Other Required Disclosures Under California Privacy Statutes
The following two categories of required disclosures under non-GDPR applicable privacy and data protection regulations are located here.
Disclosures and information about Data Subjects under GDPR and Consumers under CCPA/CPRA related to their status as employees (current or former) of and candidates for employment by Skytap, and
All other non-employee/candidate for employment related disclosures and information required by privacy and data protection regulations OTHER THAN GDPR, e.g., CCPA/CPRA.
The linked disclosures in the previous sentence will be updated as any additional privacy and data protection regulations are applicable to Skytap.
Skytap as a GDPR Data Processor
Skytap primarily provides its customers with virtualized hosting infrastructure, has limited knowledge of customer data within that infrastructure, and only processes hosted data in accordance with the customer’s instructions. Skytap is a Processor of hosted customer data. The customer is the Controller for that hosted customer data.
Skytap hosts information under the direction of its customers and may have no direct relationship with the individuals whose Personal Data it processes technically through the customers’ use of Skytap’s virtualized infrastructure technology as a subscription service offering, which is part of the Services from Skytap. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their request to the Skytap customer (the Data Controller).
Similarly, Skytap has no direct control over the data collected by its customers. Skytap customers choose the geographical regions for the storage of data for which they are the Controller, are directly responsible for the security, configuration, and administration of their Skytap environments, and are responsible for adhering to legal and regulatory requirements for the data which they collect and process as a Controller.
Skytap as a GDPR Data Controller
In some circumstances, such as during the account registration process for customer use of Skytap Services, Skytap collects and maintains Personal Data. This data is collected and maintained solely for the offer and maintenance of Skytap Services for customer use, and for the relevant communications and uses detailed within this policy. For these purposes, Skytap is the Controller. Skytap also collects Personal Data of the Data Subjects with whom it interacts or wishes to interact with for its general business purpose including sales and marketing of the Skytap Services
The collection and processing of your Personal Data for direct use and administration of our Services is based on contractual obligation, necessary to provide You with access and use of the Services.
Personal Data We Collect
Information you give us
Skytap requires some of your Personal Data to effectively operate, while providing you the best experiences with our Website and/or Services. Some of this data comes directly from you when you perform transactions with Skytap, such as place an order, create a Skytap account, administer your organization’s dashboard access, or register for a newsletter. This data may include name, username, title, address, organization or employer, phone number, and/or email address.
Information we collect automatically
As is true of most websites, we also gather certain information automatically when you use a Device to visit our Website or interact with our Services. This information is used to analyze aggregated trends and to administer our Website and/or Services, and may include Internet protocol (IP) addresses, the type of Device you use, operating system and version, Device identifier, where the application was downloaded from, usage information, events that occur within the application, performance data, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), date/time stamp, and/or clickstream data. Please see the Cookies and Similar Technology section below for more details.
Information we receive from third parties
We may receive information about You from other sources, including publicly available databases or from third parties. This data helps us to update, expand, and analyze our records, identify possible new customers, and identify Services that may be of interest to You. This may include purchased marketing data about our customers from third parties, that is combined with information we already have about You, to create more tailored marketing content and Services related to You.
How We Use Personal Data
This section describes how Skytap uses the Personal Data that we collect to operate our business and to provide you our Website and/or Services, including improvements to the same, and in the personalization of your experiences with the same. We may also use the data to communicate with you, providing account information, security updates and Services information. We may transfer personal information to companies that as a service to us help us provide our Services. Transfers to subsequent third parties are covered by the service agreements with our customers and our agreements with our vendors. Additionally, data is used to market our Services, to comply with applicable laws and legal processes, to enforce our terms and conditions, and to allow us to pursue available remedies or limit any damages that we may sustain.
To provide a requested service or carry out a contract with you
We use data collected from you in the following ways:
- Customer Support: to diagnose and repair technical issues and provide other customer care and support services.
- Account Notifications: to communicate Services and account notifications to you. For example, we may contact you by phone, email, or other means to inform you of account status, usage, and billing details, and to notify you when security updates are available.
- Security, Safety, and Dispute Resolution: to protect the security and safety of our Website and/or Services and our customers, to detect and prevent fraud, to resolve disputes, and to enforce our agreements.
- Providing the Services: to carry out your transactions with us and to provide our Services to you, such as the account administration, authorization, and audit tools provided within our Services.
Where we have a legitimate interest
We use data collected from you in the following ways:
- Service Personalization: to include personalized features and recommendations that enhance your productivity and user experience enjoyment, and automatically tailor your Service experiences based on the data we have about your activities, interests, and locations. To better understand how to access and control the Personal Data collected for these types of processing, please see the Access and Control section below.
- Business Operations: to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions about, and report on the performance of our business.
- Website and/or Services Improvement: to continually improve our Website and/or Services, including adding new features or capabilities. For example, we use error reports to improve security features of our Website and/or Services, and usage data to determine new features or Services to prioritize.
Where we rely on legitimate interest for processing your information, we carry out a ‘balancing test’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests before we go ahead with such processing. You can find out more about the information in these balancing tests by contacting us using the details below.
Where we have your consent
We use data we collect to communicate with you in a variety of formats and to tailor those communications to you. Examples include inviting you to participate in surveys, email subscriptions, and promotional communications from Skytap, by email, SMS, physical mail, or telephone. For information about managing your contact data, email subscriptions, and promotional communications, please visit the Access and Controls section of this privacy statement.
Automated decision making
Skytap employs automated decision making (also known as “profiling”) in the processing of your data in very limited ways, and only in accordance with the specifications of this Policy and applicable laws. For example, we may auto-assign customer support personnel to respond to your inquiries, based on Your organization or employer, and necessary details of that contract, or auto-assign a regional contact to assist you, based on your location. These actions are necessary to provide you with our Services and related support.
Similarly, some automated decision making is used, with your consent, to determine appropriate communications to You, as detailed above.
Reasons We Share Personal Data
This section describes how Skytap may share and disclose Personal Data. Customers determine their own policies and practices for the sharing and disclosure of data, and Skytap does not control how they choose to share or disclose Information.
Skytap may share your Personal Data with your consent, or as necessary to complete a transaction or provide Services you have requested or authorized. For example:
- If you elect to use connected third-party applications, we may share Personal Data with companies who provide those applications. In those cases, we encourage you to review and understand the terms and conditions and privacy policies of those third parties, over whom we have no control.
- We may disclose generic, aggregated (pseudonymized) demographic information, not linked to any specific Data Subject, regarding Skytap visitors and users to our business partners, trusted affiliates, and suppliers or agents working on our behalf.
- We may use third-party service providers to help us operate or administer the Website and/or Services. For example, companies we’ve hired to provide customer service support or to assist in protecting and securing our services and systems may need access to Personal Data to complete those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
- We may disclose Personal Data to a third-party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
- As we believe to be necessary or appropriate, we may disclose Personal Data: (a) under applicable laws, including laws outside Your country of residence; (b) to comply with a subpoena or other legal process; © to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
How We Protect Your Information
Skytap has adopted reasonable security measures to protect Personal Data against loss, theft, unauthorized access, alteration, disclosure, or destruction. These measures include policies, procedures, employee training, physical access control, and technical elements relating to data access controls. In addition, Skytap uses industry standard encryption to facilitate the exchange and transmission of data. Skytap only processes Personal Data in compliance with the purposes for which it has been collected, in accordance with this Policy.
In the event that Personal Data is acquired by an unauthorized person, and applicable law requires notification, we will promptly notify the affected Data Subject. Notice will be consistent with the legitimate needs of law enforcement, and any measures necessary for Skytap or law enforcement to determine the scope of the breach and to ensure or restore the integrity of a system. Skytap may delay notification if we, or a law enforcement agency, determine that the notification will impede a criminal investigation. In such case, notification will not be provided unless and until we or the agency determines that notification will not compromise the investigation.
We only retain your Personal Data for as long as is necessary for us to use your information as described above or to comply with our legal obligations. Please be advised that this means that we may retain some of Your information after you cease to use our Services. For instance, we may retain your data as necessary to meet our legal obligations, such as for tax and accounting purposes.
When determining the relevant retention periods, we take the following factors into account:
- our contractual obligations and rights in relation to the information involved;
- legal obligation(s) under applicable law to retain data for a certain period of time;
- our legitimate interest where we have carried out a balancing test;
- statute of limitations under applicable law(s);
- (potential) disputes;
- if You have made a request to have your information deleted; and
- guidelines issued by relevant data protection authorities.
Otherwise, we securely erase your information once this is no longer needed.
Your Rights as a Data Subject
You have a number of rights when it comes to your Personal Data.
Further information and advice about Your rights can be obtained from the data protection regulator in Your country.
The right to object to processing
You have the right to object to certain types of processing, including processing for direct marketing. You can access and manage your preferences for these as detailed in the Access and Controls section of this document.
The right to be informed
The right of access
You have the right to obtain access to your Personal Data information that Skytap processes, in order to ensure that we’re using your information in accordance with data protection laws. Upon request, we will provide you with information about whether we hold any of your personal information.
The right to rectification
You are entitled to have your information corrected if it’s inaccurate or incomplete. You can manage this as detailed in the Access and Controls section of this document.
The right to erasure
This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
The right to restrict processing
You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. Skytap maintains lists of individuals who have asked for further use of their information to be ‘blocked’ or ‘restricted’ to ensure the request is respected in future.
The right to data portability
You have rights to obtain and reuse your Personal Data for your own purposes across different services. If you request a copy of the Personal Data that Skytap maintains on you, we will deliver it in .csv format or similar.
The right to lodge a complaint
You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection regulator.
The right to withdraw consent
If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Data for marketing purposes. You can review and manage your consent as detailed in the Access and Controls section.
Please contact us using the details below to exercise any of your rights. We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests, or
- further copies of the same information.
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. These requests do not apply to mandatory service communications that are part of certain Skytap services, or to surveys or other informational communications that can be managed directly (see details in the Access and Controls section). We’ll respond as soon as we can. Generally, this will be within 30 days from when we receive your request, unless the request will take substantially longer to fulfill.
If you cannot access certain Personal Data collected by Skytap via the Preference Center, directly through the Skytap Services You use, or if You do not have a personal Skytap account, you can always contact Skytap by emailing us at email@example.com.
How to Access and Control Your Personal Data
Access and control to your Personal Data is managed by the Skytap Preference Center. For example, in the Preference Center you may elect to:
- Receive electronic communications from us. Change your mind? Opt-out for those promotional emails.
- Allow the sharing of your Personal Data with our affiliates for their direct marketing purposes. Similarly, you may update your preference to opt-out if you so desire via the Preference Center.
Cookies & Similar Technologies
- Strictly Necessary Cookies: These cookies are necessary for the website to function. They are usually only set in response to actions made by you that amount to a request for services, such as logging in or filling in forms. These cookies do not store any Personal Data.
- Performance Cookies: These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All of the information collected by these cookies is aggregated and therefore pseudonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
- Functionality Cookies: These cookies enable the website to provide enhanced functionality and personalization, such as playback of tutorial videos, and customer support chat functionality. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.
- Targeting Cookies: These cookies may be set through our site by us or our advertising partners. They may be used to build a profile of your interests and show you content in which you may be interested. Generally, they do not store any Personal Data, but are based on uniquely identifying your browser and internet device. However, we sometimes use these cookies to do individualized tracking down to the name for marketing purposes. If you do not allow these cookies, You will experience less targeted content. If You wish to opt out of interest-based advertising, click here.
- Web Beacons: Skytap web pages may contain electronic images known as web beacons (also called single-pixel gifs) that we use to help deliver cookies on our websites, count users who have visited those websites and deliver co-branded Services. We also include web beacons in our promotional email messages or newsletters to determine whether you open and act on them.
- Analytics Services: Skytap Website and/or Services often contain web beacons or similar technologies from third-party analytics providers, which help us compile pseudonymized aggregated statistics about the effectiveness of our promotional campaigns or other operations. These technologies are strictly prohibited from collecting or accessing information that directly identifies you. If you do not allow these services, we will not be able to monitor the performance of some of our operations.
- Other Similar Technologies: In addition to standard cookies and web beacons, our Website and/or Services can also use other similar technologies to store and read data files on Your computer. This is typically done to maintain Your preferences or to improve speed and performance by storing certain files locally. But, like standard cookies, these technologies can also be used to store a unique identifier for your computer, which can then be used to track behavior. If You block these at the browser level, you will experience less targeted content, and may also experience performance issues when visiting our Website or using our Services.
International Data Transfers
Skytap may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards when transferring Personal Data originating from the European Union, the United Kingdom (the “UK”), Switzerland, or to other countries not deemed adequate under applicable data protection law:
European Standard Contractual Clauses
Skytap offers European Union Standard Contractual Clauses (“Standard Contractual Clauses”), also known as the EU Model Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union. For Customers operating in the UK or Switzerland, Skytap also offers the Standard Contractual Clauses with provisions to meet the adequacy and security requirements of these countries. A copy of our standard data processing addendum, incorporating the Standard Contractual Clauses, is available upon request by contacting us at firstname.lastname@example.org.
EU-U.S. Data Privacy Framework and UK Extension
Skytap is responsible for the processing of personal data it receives, under the DPF, and subsequently transfers to a third party acting as an agent on its behalf. Skytap, Inc. complies with the DPF Principles for all onward transfers of personal data from the EU and the UK, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over Skytap’s compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain situations, Skytap may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Skytap commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Skytap commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.
For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.
Application of Standard Contractual Clauses or EU-U.S. DPF, UK Extension, and/or Swiss DPF
Skytap’s default mechanism for addressing personal data transfers is:
EU-U.S. DPF – For data transfers from the EU to the U.S., as of October 9, 2023, Skytap’s certification under the EU-U.S. DPF.
UK Extension – Although Skytap has certified to the U.S. Department of Commerce that it adheres to the UK Extension to the EU-U.S. DPF, the UK Government has not yet adopted an adequacy decision with respect to the UK Extension and, therefore, it is not yet in force. Upon the date of the UK Extension’s entry into force, for personal data transfers from the UK to the U.S., Skytap’s certification of the UK Extension.
Swiss-U.S. DPF – The Swiss Government is currently engaged in discussions with the U.S. on a framework (“Swiss-U.S. DPF”) substantially similar to the EU-U.S. DPF. When available, Skytap will certify to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles regarding transfers of personal data from Switzerland to the U.S. When the Swiss Government adopts an adequacy decision with respect to the Swiss-U.S. DPF, on the date of its entry into force, for personal data transfers from Switzerland to the U.S., Skytap’s certification of the Swiss-U.S. PDF.
Until entry into force of the UK Extension and the Swiss-U.S. DPF, Skytap will offer the Standard Contractual Clauses with provisions to meet the adequacy and security requirements of the UK and Switzerland. Notwithstanding Skytap’s default mechanism for internal data transfers, Skytap will continue to offer the Standard Contractual Clauses for personal data transfers from the EU, the UK, and Switzerland to the U.S., if requested by a Customer.
Other Important Privacy Information
Notice to End Users
Skytap Website and Services are intended for use by organizations and are administered to you by your organization. Your use of Skytap Website and/or Services may be subject to your organization’s policies and procedures. If your organization is administering your use of the Skytap Services, please direct your privacy inquiries to your administrator. Skytap is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.
If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access Skytap online services, the owner of the domain (e.g., your employer) associated with your email address may: (i) control and administer your Skytap online services account and (ii) access and process your data, including the contents of your communications and files.
Information from Children
Skytap’s website and services are not designed for use by children under the age of 13. Skytap does not voluntarily or knowingly collect information from children under 13. As such, if you are under the age of 13, please stop using this website and/or Skytap services. If you are a parent or guardian and believe that we may have collected Personal Data from someone under the age of 13, please let us know by emailing email@example.com.
Inquiries may also be addressed to:Skytap, Inc.
255 S King St, Ste 800
Seattle, WA 98104
Supplemental Disclosures Section: All Employment-related and Non-GDPR Privacy and Data Protection Regulation Specific Disclosures.
Skytap Employee and Candidate CCPA/CPRA and EU/UK GDPR Privacy Regulation Disclosure
If you are a resident of California, the United Kingdom or the European Union and are applying for employment with, are already, or apply and then become employed by Skytap, a Skytap-owned subsidiary in a country other than the USA, or a Professional Employer Organization (or PEO) engaged by Skytap in any country other than the USA, please read this Skytap Employment Applicant and Employee Privacy Disclosure.
Skytap provides this notice and disclosure to comply with the CCPA, UK GDPR, and EU GDPR with regard to Personal Data collected related to applications for and actual employment on behalf of Skytap.
CCPA/CPRA and both of the two GDPR’s (EU and UK) define the same subject matter, but using different terms.
- The information about individual people that the regulations protect are referred to by EU and UK GDPR as “Personal Data” and by CCPA/CPRA as “Personal Information.” This disclosure for simplicity will use the GDPR term “Personal Data,” but it applies equally to Personal Data under the EU and UK GDPR versions.
- The individual persons who are and whose Personal Data are subject to protection under the EU and UK versions of GDPR are referred to under GDPR as “Data Subjects” and under CCPA/CPRA as “Consumers.” This disclosure for simplicity will use the GDPR term and refer to the individuals as “Data Subjects.” Thus, references to Data Subjects in this disclosure will mean Consumers for purposes of CCPA.
Under CCPA, the Personal Data identified in the Table below is shared with “Service Providers” who do not use the Personal Data for any purposes other than providing contracted services to Skytap, and Skytap’s Service Providers include employee benefits management companies, benefits providers, providers of payroll, human resources information systems, compensation benchmarking analytics providers, job applicant tracking software.
Skytap retains the Personal Data below for a duration that depends on whether the Data Subject is only an applicant for employment or Skytap employs the Data Subject or an applicant that is not hired immediately for an open position might be suitable for a future open position. Certain categories of Personal Data are retained for longer durations if the potential exists to rehire the Data Subject after their employment with Skytap ends.
|PERSONAL DATA CATEGORY
|SPECIFIC TYPES OF PERSONAL DATA
|SKYTAP BUSINESS PURPOSE (SEE THE KEY BELOW)
|Name, alias, postal or mailing address, email address, telephone number, tax ID or social security number (international equivalent), driver’s license or identification card number, passport number
|1-5, 9, 10, 11, 12, 13, 14
|Bank account number, credit card number, debit card number, or other financial account information
|Race, ethnicity, national origin, sex, gender, sexual orientation, gender identity, religion, age, disability, medical or mental condition, military status, familial status, language spoken
|1, 3, 5, 9
|Personal background, interests, hobbies
|Professional or Employment-Related Information
|Personnel file, new hire or onboarding records, I-9 forms, tax forms, time and attendance records, non- medical leave of absence records, workplace injury and safety records, performance evaluations, disciplinary records, training records, licensing and certification records, compensation and health benefits records, and payroll information and records
|1-9, 11, 14, 15
|Medical and Health Information
|Doctor’s notes for absences or work restrictions, medical leave of absence records, requests for accommodation, interactive process records, and correspondence with employee and his/her medical or mental health provider(s) regarding any request for accommodation or medical leave of absence
|1, 2, 4, 5, 9
|Transcripts or records of degrees and vocational certifications obtained
|Visual, Audio or Video Recordings in the Workplace
|Surveillance cameras or pictures of employees taken in the workplace or at a Skytap function or event
|7, 8, 12
|Facility Access Records
|Information identifying which employees accessed secure Skytap facilities and at what times using their keys, badges, fobs, or other security access method
|Internet and Network Activity
|Internet or other electronic network activity information on Skytap-issued computers and electronic devices, including browsing history, search history, and usage history
Key: Employment Related Personal Data and Purposes for Collection and Use.
- To comply with state and federal law and regulations requiring employers to maintain certain records (such as immigration compliance records, personnel files, wage and hour records, payroll records, accident or safety records, and tax records).
- Process payroll and/or reimburse expenses.
- Maintain commercial insurance policies and coverages, including for workers’ compensation and other liability insurance.
- Manage workers’ compensation claims.
- Administer and maintain group employee benefits such as health insurance benefits, 401K and/or retirement plans.
- Manage employee performance of their job duties
- Conduct workplace investigations (such as investigations of workplace accidents or injuries, harassment, or other misconduct).
- Provide for employee morale and engagement.
- Assess and benchmark Skytap compensation packages for employees against relevant markets, Personal Data is provided to compensation benchmarking Services Providers who promptly anonymize/de-identify the data so that it is no longer Personal Data regulated under CCPA/CPRA or EU or UK GDPR, or any other privacy regulation and the raw data is permanently erased so that it cannot be recovered in raw form or attributed to the individual Data Subjects. Some service providers use APIs to pull data securely from Skytap systems, but not all of the data is usable for benchmarking purposes, and only usable data is anonymized or de-identified, and all of the raw data is promptly, and security destroyed.
- Obtain and verify background checks on job applicants and employees *.
- Evaluate, make, and communicate decisions regarding an employee’s employment, including decisions to hire, terminate, promote, demote, transfer, suspend or discipline.
- Grant employees access to secure Skytap facilities and maintain information on who accessed the facility.
- Implement, monitor, and manage electronic security measures on employee devices that are used to access Skytap networks and systems.
- Engage in corporate transactions requiring review of employee records, such as for evaluating potential mergers and acquisitions of the Skytap.
- Respond to employment verification requests (such as pre-employment, loan, or government agency inquiries).
*Background checks actually are performed by a third party who is responsible for any obligations under CCPA/CPRA related to Personal Data submitted by the applicant to the background check provider for purposes of the background check.
CCPA/CPRA Privacy Notice Skytap General Disclosures and Your Rights
Categories of Personal Information Collected
Please note that the categories and examples provided in the list below are those defined in the CCPA/CPRA. This does not mean that all examples of that category of personal information were in fact collected by us, but reflects what Skytap in good faith believe of that information from the applicable category Skytap may have collected. For example, certain categories of personal information would only be collected if You provided such personal information directly to Skytap.
Category A: Identifiers.
Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, driver’s license number, passport number, or other similar identifiers.
Collected: Yes, from Consumers who visit the Website or are administrative users of the Skytap Services.
Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Collected: Yes, and see Specific Disclosure above related to Employees and Candidates for Employment, as the only categories of Consumers from whom Skytap or third parties Service Providers acting for Skytap collect these categories of Personal Information.
Category C: Protected classification characteristics under California or federal law.
Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
Category D: Commercial information.
Examples: Records and history of products or services purchased or considered.
Collected: No, as respects purchases by individual Consumers for their individual use and purposes. Skytap only collects personal information in relation to “business-to-business” activities, and so the ultimate purchaser of products or services is a business for which the individual “consumer” is acting, and these businesses more typically are separate legal entities. Skytap does collect information about purchase history of such legal entities, as represented through the individuals who act for such commercial legal entities.
Category E: Biometric information.
Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
Category F: Internet or other similar network activity.
Examples: Interaction with our Website and/or Services.
Category G: Geolocation data.
Examples: Approximate physical location.
Category H: Sensory data.
Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
Category I: Professional or employment-related information.
Examples: Current or past job history or performance evaluations.
Category J: Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Category K: Inferences drawn from other personal information.
Examples: Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Category L: Sensitive personal information.
Example: Social Security Number (or international equivalent)…
Under CCPA/CPRA, personal information does not include:
Publicly available information from government records
Deidentified or aggregated consumer information
Information excluded from the CCPA/CPRA’s scope, such as:
Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994
Sources of Personal Information
We obtain the categories of personal information listed above from the following categories of sources:
Directly from You. For example, from the forms you complete on our Website and/or Services, preferences you express or provide through our Website and/or Services.
Indirectly from You. For example, from observing your activity on our Website and/or Services.
Automatically from You. For example, through cookies we or our Service Providers set on your Device as You navigate through our Website and/or Services.
From Service Providers. For example, third-party vendors to monitor and analyze the use of our Website and/or Services, or other third-party vendors that we use to provide the Website and/or Services to you.
Use of Personal Information
We may use or disclose personal information we collect for “business purposes” or “commercial purposes” (as defined under the CCPA/CPRA), which may include the following examples:
To operate our Website and/or Services and provide you with our Services.
To provide You with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our Services.
To fulfill or meet the reason you provided the information. For example, if you share your contact information to ask a question about our Services, we will use that personal information to respond to your inquiry.
To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
As described to you when collecting your personal information or as otherwise set forth in the CCPA/CPRA.
For internal administrative and auditing purposes.
To detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, including, when necessary, to prosecute those responsible for such activities.
Other one-time uses.
Please note that the examples provided above are illustrative and not intended to be exhaustive. For more details on how we use this information, please refer to the “Use of Your Personal Data” section.
Disclosure of Personal Information
We may use or disclose and may have used or disclosed in the last twelve (12) months the following categories of personal information for business or commercial purposes:
Category A: Identifiers
Category B: Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
Category F: Internet or other similar network activity
Please note that the categories listed above are those defined in the CCPA/CPRA. This does not mean that all examples of that category of personal information were in fact disclosed, but reflects our good faith belief that some of that information from the applicable category may be and may have been disclosed.
When we disclose personal information for a business purpose or a commercial purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
Share of Personal Information
We may share, and have shared in the last twelve (12) months, Your personal information identified in the above categories with the following categories of third parties:
Our business partners
Third party vendors to whom You or Your agents authorize us to disclose Your personal information in connection with products or services we provide to You
Sale of Personal Information
As defined in the CCPA/CPRA, “sell” and “sale” mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s personal information by the Business to a third party for valuable consideration.
Your Rights under the CCPA/CPRA
The CCPA/CPRA provides California residents with specific rights regarding their personal information. If You are a resident of California, You have the following rights:
The right to notice. You have the right to be notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.
The right to know/access. Under CCPA/CPRA, You have the right to request that we disclose information to You about our collection, use, sale, disclosure for business purposes and share of personal information. Once we receive and confirm Your request, we will disclose to You:
The categories of personal information we collected about You
The categories of sources for the personal information we collected about You
Our business or commercial purposes for collecting that personal information
The categories of third parties with whom we share that personal information
The specific pieces of personal information we collected about You
If we disclosed Your personal information for a business purpose, we will disclose to You:
The categories of personal information categories disclosed
The right to say no to the sale or sharing of Personal Data (opt-out). You have the right to direct us to not sell your personal information. To submit an opt-out request, please see the “Do Not Sell My Personal Information” or contact us by email to firstname.lastname@example.org, or calling our toll-free number 1 888-759-8278 (press option 3 to leave your message for Skytap Privacy).
The right to correct Personal Data. You have the right to correct or rectify any inaccurate personal information about you that we collected. Once we receive and confirm your request, we will use commercially reasonable efforts to correct (and direct our Service Providers to correct) your personal information, unless an exception applies.
The right to limit use and disclosure of sensitive Personal Data. You have the right to request to limit the use or disclosure of any sensitive personal information we collected about you unless an exception applies. To submit, please see the “Limit the Use or Disclosure of My Sensitive Personal Information” section or contact us by email to email@example.com, or calling our toll-free number 1 888-759-8278 (press option 3 to leave your message for Skytap Privacy).
The right to delete Personal Data. You have the right to request the deletion of your Personal Data under certain circumstances, subject to certain exceptions. Once we receive and confirm your request, we will delete (and direct our Service Providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our Service Providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that You requested, take actions reasonably anticipated within the context of our ongoing business relationship with You, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on Your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which You provided it.
The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your consumer’s rights, including by:
- Denying goods or services to You
- Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
- Providing a different level or quality of goods or services to you
- Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services
Exercising Your CCPA/CPRA Data Protection Rights
Please see the “Do Not Sell My Personal Information” section and “Limit the Use or Disclosure of My Sensitive Personal Information” section for more information on how to opt out and limit the use of sensitive information collected.
Additionally, in order to exercise any of your rights under the CCPA/CPRA, and if you are a California resident, you can contact us by email: firstname.lastname@example.org, or calling our toll-free number 1 888-759-8278 (press option 3 to leave your message for Skytap Privacy).
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your personal information.
Your request to us must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it
We cannot respond to your request or provide you with the required information if we cannot:
- Verify your identity or authority to make the request
- And confirm that the personal information relates to you
We will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.
Any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt.
For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
Do Not Sell My Personal Information
Because Service Providers we partner with (for example, our analytics providers) may use technology on the Services that results in sale of personal information as defined by the CCPA/CPRA law. If you wish to opt out of this use of your personal information that could result in potential sales as defined under CCPA/CPRA, you may do so by following the instructions below.
Please note that any opt out is specific to the browser you use. You may need to opt out on every browser that you use.
Click “Privacy Preference Center” buttons listed on the Website and Services to review your privacy preferences and opt out of cookies and other technologies that we may use. Please note that you will need to opt out from each browser that you use to access the Website and/or Services.
You also can access and control how your Personal Data is managed by accessing via this link the Skytap Preference Center, or email us at email@example.com, or by calling our toll-free number 1 888-759-8278 (press option 3 to leave your message for Skytap Privacy).
Limit the Use or Disclosure of My Sensitive Personal Information
If you are a California resident, you have the right to limit the use and disclosure of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average Consumer who requests such services or goods.
We collect, use and disclose sensitive personal information in ways that are necessary to provide the Services. For more information on how we use your personal information, please see the “Use of Your Personal Data” section or contact us.
“Do Not Track” Policy as Required by California Online Privacy Protection Act (CalOPPA)
Our Website and Services do not respond to Do Not Track signals.
However, some third-party websites do keep track of your browsing activities. If you are visiting such websites, you can set your preferences in your web browser to inform websites that you do not want to be tracked. You can enable or disable DNT by visiting the preferences or settings page of your web browser.
Your California Privacy Rights (California’s Shine the Light Law)
Under California Civil Code Section 1798 (California’s Shine the Light law), California residents with an established business relationship with us can request information once a year about sharing their Personal Data with third parties for the third parties’ direct marketing purposes.
If you’d like to request more information under the California Shine the Light law, and if you are a California resident, you can contact us using the contact information provided below.
Email to firstname.lastname@example.org or write us at: Attention General Counsel, Skytap, Inc., 255 South King Street, Suite 800, Seattle, WA 98104.
California Privacy Rights for Minor Users (California Business and Professions Code Section 22581)
California Business and Professions Code Section 22581 allows California residents under the age of 18 who are registered users of online sites, services or applications to request and obtain removal of content or information they have publicly posted.
To request removal of such data, and if you are a California resident, you can contact us using the contact information provided below, and include the email address associated with your account.
By Mail or Express Delivery to:
Attention General CounselSkytap, Inc.
255 South Main Street, Suite 800
Seattle, WA 98104
Toll-free number 1 888-759-8278 (press option 3 to leave your message for Skytap Privacy)
Be aware that your request does not guarantee complete or comprehensive removal of content or information posted online and that the law may not permit or require removal in certain circumstances.
Skytap is committed to fulfilling its responsibilities under Canada’s Personal Data Protection and Electronic Documents Act (PIPEDA). For purposes of fulfilling these responsibilities, if applicable, you consent to using Skytap’s website and services, and you consent to Skytap’s collection and use of your Personal Data for the purposes described above. If you do not consent, you may not access our Website or the Services. Please contact our General Counsel with any questions, concerns or requests about how Personal Data is collected or used by emailing email@example.com.