Employee and Applicant Privacy Notice 

Effective Date: October 14, 2022

This notice describes the categories of personal information collected by Windfall Data, Inc. (the “Company”) from our employees and job applicants, and the purposes for which personal information may be used. 

This notice does not create or form part of any employment contract. We may update this notice at any time, and we will provide you with a new privacy notice either by email or via Lattice when we make any substantial updates.  


Sources of Personal Information


For Applicants.

  • We collect personal information that you provide when you apply for a job through Lever, our application service provider. You provide this information voluntarily, and you determine whether and what information you will provide us.  However, some information is required to assess your application, and without it we may have only a limited ability to evaluate you as a candidate.  The information you provide to Lever is handled in accordance with Lever’s Privacy Notice, available here.
  • We also collect personal information from other sources where relevant for your application, such as employment research firms, recruiters, identity verification services, and information that you make publicly available on websites or social media platforms (for example, LinkedIn).  In some circumstances (if permitted by applicable law), we may need to perform a background check relevant to your job, in which case we would receive the results of the background check from the provider.  If we do so, we will provide you with notice regarding this use when we collect your personal information and your consent to the background check will be sought at that time. 
  • Throughout the recruitment process, we may supplement your personal information in connection with the assessment of your application.  For example, we may record the views of those considering your application about your suitability for the role for which you have applied and retain interview notes.
  • If you accept an offer from us, your personal information will be incorporated into and used as part of your employee record.

For Employees.

  • We collect personal information from you during your candidacy for a job, and during and after your employment.  
  • We may also collect your personal information from various other sources and combine it with the personal information you provide to us. For example, we may collect your personal information from:
    • job websites you use to research and to apply for jobs with us (i.e., Lever, described above)
    • providers of services that we make available to our employees as part of our benefits program
    • prior employers, when they provide us with employment references
    • professional references that you authorize us to contact
    • providers of background check, credit check, or other screening services (where permitted by law)
    • your public social media profiles or other publicly-available sources
    • employment agencies or recruiters
    • your related persons who choose to communicate with us directly
    • Company communications and IT systems/applications that automatically collect information about, and information transmitted by, users
    • other Company personnel

Categories of Personal Information Collected


Identifiers and contact information. This category includes names, addresses, telephone numbers, mobile numbers, email addresses, dates of birth, Social Security numbers, driver’s license or state identification numbers, bank account information, and other similar contact information and identifiers. 


Protected classification information. This category includes characteristics of protected classifications under applicable state or federal law.


Internet or other electronic network activity information. This category includes without limitation: 

  • all activity on the Company’s information systems, such as internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames and passwords.
  • all activity on Company communications systems including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of Company-issued devices.

Geolocation data. This category includes GPS location data from Company-issued mobile devices.

Audio, electronic, visual, or similar information. This category includes, for example, information collected from Company cameras and similar devices.


Professional and employment-related information. This category includes, without limitation:

  • data submitted with employment applications including salary history, employment history, employment recommendations, etc.
  • background check and criminal history
  • work authorization
  • fitness for duty data and reports
  • symptoms and other indicators of exposure to COVID-19 or other infectious diseases
  • health care and medical information, such as information related to employee participation in wellness programs, health insurance programs, and information related to employee health
  • travel information and information regarding close contacts
  • performance and disciplinary records
  • salary and bonus data
  • benefit plan enrollment, participation, and claims information
  • leave of absence information including religious and family obligations, physical and mental health data concerning employee/applicant and his or her family members

Education information. This category includes education history.


In certain cases we may ask you for additional information for purposes of monitoring equal opportunity and/or complying with applicable laws. 


Purposes for which Personal Information is Used


Workforce management. Managing work activities and personnel generally, such as:

  • collecting and processing employment applications, including confirming eligibility for employment, background and related checks, checks regarding fitness for duty, onboarding, and related recruiting efforts
  • processing payroll and employee benefit plan and program design and administration including enrollment and claims handling, and leave of absence administration
  • maintaining personnel records and record retention requirements
  • infectious disease contact tracing
  • communicating with employees/applicants and/or employees’ emergency contacts and plan beneficiaries
  • complying with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws, guidance, or recommendations
  • preventing unauthorized access to, use, or disclosure/removal of the Company’s property, including the Company’s information systems, electronic devices, network, and data 
  • ensuring and enhancing employee productivity and adherence to the Company’s policies
  • investigating complaints, grievances, and suspected violations of Company policies
  • designing, implementing, and promoting the Company’s diversity and inclusion programs 
  • facilitating the efficient and secure use of the Company’s information systems 
  • ensuring compliance with Company information systems policies and procedures 
  • improving safety of employees, applicants, customers and the public with regard to use of Company property and equipment
  • improving accuracy of time management systems
  • evaluating an individual’s appropriateness for a particular position at the Company, or promotion to a new position
  • customer engagement and other legitimate business purposes

Business operations. Operating and managing our business, including managing communications and IT systems; research, development and operation of our products and/or services; managing and allocating Company assets and personnel; strategic planning and project management; business continuity; maintenance of business and audit records; budgeting, financial management and reporting; internal communications; promoting our business; physical and information security; and evaluating and undergoing mergers, acquisitions, sales, re-organizations or disposals and integration with purchasers.


Compliance, safety and fraud prevention. Complying with legal and other requirements, such as tax, audit, recordkeeping, reporting, verifying identity and eligibility to work, and equal opportunities monitoring requirements; complying with lawful requests and legal process, such as responding to subpoenas or requests from government authorities; protecting our, your or others’ rights, safety and property; investigating and deterring against fraudulent, harmful, unauthorized, unethical or illegal activity, or conduct in violation of our policies or procedures; pursuing legal rights and remedies, including investigating, making and defending complaints or legal claims; administering and enforcing internal policies and procedures; and sharing information with government authorities, law enforcement, courts or private parties for the foregoing purposes. 


Monitoring. Monitoring offices and facilities, IT and communications systems, devices, equipment and applications through manual review and automated tools such as security software, website and spam filtering, and monitoring our physical premises (e.g., by using security cameras and keycard scans) to protect our, your or others’ rights, safety and property; operate, maintain and protect the security of our network systems and devices; protect our proprietary and confidential information and intellectual property; for recordkeeping and archiving; for personnel training and/or performance management; for the compliance, safety and fraud prevention purposes described above; to investigate and respond to security and other incidents; and for business continuity (such as monitoring business-related emails following an employee's departure).


Analytics.  Creating anonymous, aggregated or de-identified data that we use and share to analyze our workforce and business and for other lawful business purposes.


Sharing Personal Information 

We do not sell your personal information or disclose your personal information to third parties for targeted advertising. 


We may share your personal information with other parties as necessary for the purposes described above. By way of example and not limitation, we may share your personal information with:


Affiliates. Our corporate parent, subsidiaries, and other affiliates under the control of our corporate parent, for purposes consistent with this Notice or to operate shared infrastructure, systems and technology.


Company service providers. Providers of services to the Company, such as payroll administration, benefits and wellness, human resources, occupational health, performance management, training, expense management, travel agencies, transportation and lodging, IT systems and support, information and physical security, background checks and other screenings, equity award administration, corporate banking and credit cards, health care, trade associations, insurance brokers, claims handlers and loss adjusters, and any necessary third party administrators, nominees, registrars or trustees appointed in connection with benefits plans or programs.


Benefits providers. Providers of services to eligible employees as part of our employee benefits program (e.g., financial advisors, securities brokers, financial institutions and providers of health, fitness, wellness, childcare and concierge services) who need your information to verify your eligibility, invite you to take advantage of their services, and provide you with services.  


Our marketing audience.  Current and prospective customers and other business contacts with whom we share your employee Company bio, which may be shared on our website or in other publicly available marketing materials and communications as part of our marketing activities.


Government authorities, law enforcement and others. Government authorities, law enforcement, courts, and others as described in the compliance, safety and fraud prevention section above.


Business transfer participants. Parties to transactions and potential transactions whereby we sell, transfer or otherwise share some or all of our business or assets, including our employees’ personal information, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.


Professional advisors. Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors who require your information in the course of providing their services. 


Customers and business partners.  Customers, other companies and individuals with whom the Company does business or is exploring a business relationship. 


Privacy Rights

You have privacy rights that allow you to submit the following requests: 

  • Information about how we have collected and used your personal information. We have made this information available to you without having to request it by including it in this privacy notice.
  • Access to a copy of the personal information that we maintain about you. Where applicable, we will provide the information in a portable, readily usable format.
  • Correction of personal information that is inaccurate or out of date.
  • Deletion of personal information that we no longer need or are otherwise required to retain.

In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. 

To submit a request, please email us or write to us as provided in the “Contact us” section below. We may ask for specific information from you to help us confirm your identity. You are entitled to exercise the rights described above free from discrimination.

You may empower an authorized agent to submit requests on your behalf. We will require authorized agents to confirm their identity and authority, in accordance with applicable laws. 


Data Security


We have put in place security measures designed to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know and are subject to confidentiality obligations.


Retention


We retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws. 


To determine the appropriate retention period for your personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we use your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.


Other Information About this Notice


Third parties. This notice does not address, and we are not responsible for, the practices of any third parties, which have their own rules for how they collect and use your personal information.  Our links to third party websites or services are not endorsements.


Alternative formats for employees with disabilities. Upon request, this notice is available in alternative formats, such as large print, braille, or audio.  Please contact privacy@windfall.com, and an alternative format will be provided to you so you can access the information in this notice.


Your obligations. It is your responsibility to ensure that information you submit does not violate any third party’s rights. You should keep your personal information on file with the Company up to date and inform us of any significant changes to it.


Contact Us


If you have questions about this notice, please contact privacy@windfall.com.