NAVEX Global
Privacy Statement

NAVEX Global has acquired WhistleB. WhistleB’s Privacy Policy is available here: https://whistleb.com/privacy-policy/.

Overview

NAVEX Global and its affiliates and subsidiaries (“NAVEX Global,” “we,” “us,” etc.) offer guidance, software and technology products for companies to manage risk and reach their compliance goals. We provide risk and compliance solutions including, without limitation: compliance training, policy and procedure management, ethics and incident management (including a hotline), vendor risk management, risk management software, claims management, and compliance analytics. We also offer various resources and ways for compliance professionals to connect through our websites.

We are dedicated to improving workplace integrity worldwide. We help our business customers create a more resilient business by providing tools to identify and reduce risk and misconduct. When it comes to handling your personal information, then, it is not enough for us to simply abide by the law. We believe it is important to set an example for other companies to follow, which includes transparency about personal information. This Privacy Statement is part of our effort to achieve that.

We want you to be confident that we are handling your personal information with care and respect, whether you’re completing job training, delivering or receiving corporate policies that shape how your job gets done, or filing a complaint, concern or question. We also want to explain the tools and options available to you to manage and protect that information within the bounds of law, your rights, and your company’s risk and compliance goals.

We will collect personal information in different ways and for different purposes as we run our business and deliver services to our business customers. We have created separate Privacy Statements, one for our corporate Websites and one for our service Applications, intended to provide you with information about what personal information we collect, how and why, how we use it, who we share it with, how we protect it and how long we keep it.

Updated: November 2021

NAVEX Global and its affiliates and subsidiaries (“NAVEX Global,” “we,” “us,” etc.) offer guidance, software and technology for companies to manage risk and reach their compliance goals. We are dedicated to improving workplace integrity worldwide and helping companies create a more resilient business by providing tools to identify and reduce risk and misconduct.

This Statement applies to NAVEX Global’s collection of personal information that we collect as a controller, in particular, through our Websites (https://www.navexglobal.com/, https://www.netclaim.com/, and all subdomains hosted by NAVEX Global) and any sites or products that display these terms, though webinars or events we may host or sponsor, or even at in person events such as trade shows or conferences. It does not apply to any website, mobile app, service, or product that does not display or link to this Privacy Statement or that contains its own privacy notice. For information about how we use personal information we receive associated with the software applications and related services we provide to our business customers please go to our Applications Privacy Statement here. If you do not agree with our policies and practices, please do not use the Website or related services. By accessing the Website or using the related services, you agree to this Statement.

How we collect personal information

We may collect personal information from you directly or indirectly. For example, when you register for one of our web seminars or virtual events or sign up to receive our email communications, you provide personal information directly to us. Other times, personal information is collected automatically as you use our Website. In addition, we also may receive personal information from third parties with whom we work.

We collect personal information when you provide it

You may provide certain kinds of personal information directly by interacting with NAVEX Global online and offline (via social media or Web forms, by phone, email, in person – or even through regular old postal mail). Personal information may also be provided to us directly or indirectly through the use of our customer relationship management systems, in order for us to track support for the service in our role as a controller.

When you register for a web seminar or download white papers available on our Website, for example, you typically provide your email address, phone number and geographic location. Or, to become a member of Compliance Next, you provide your name and email address and then create a username and password, information that on subsequent visits helps us confirm your identity and grant you access to member-exclusive content.

We may also collect personal information, typically name and contact information, you voluntarily provide at industry events.

We collect personal information from third-party sources

We may collect personal information about you from third parties, including from conference partners, public databases or third parties from whom we have purchased data, including advertising companies that specialise in interest-based ads. We may combine this with information we already have about you.

This helps us update, expand, and analyse our records, identify new customers, and provide information tailored to products and services that may interest you. You may opt out of receiving interest-based advertising by clicking here (or if you are in the European Union, click here.) Opting out of interest-based advertising will not prevent ads from being served to you; the ads will simply be more general.

We also work with third parties to support delivery of our online services (such as email and content streaming), or those that help us manage events. Your personal information may be provided to us by those third parties.

We also may collect personal information from online social networks if you take part in a forum, for example, on LinkedIn. We may collect personal information when you click “Share This” or “Like” buttons or otherwise use social media buttons or plug-ins.

We collect personal information using automated technologies

Sometimes personal information is collected by automated technologies and shared with us when Website visitors navigate through our products and services online. We may track your browsing actions and log your IP address. We track product preferences and content downloads, to make future visits to our Website more efficient.

Other automated collection technologies – such as cookies, beacons, tags, and scripts – are used by us to analyse trends, administer the Website, and track users’ movements around the Website. We, and our third-party partners, also use these technologies to gather demographic information about our user base as individuals and in the aggregate. You may opt out of us sharing your information with our advertising partners by not accepting our cookies on your internet browser. Keep in mind that declining certain cookies may decrease the functionality of the Website or disable some features. Read more about our use of cookies associated with the applicable components of our Websites (https://www.navexglobal.com/, https://www.netclaim.com/, and all subdomains hosted by NAVEX Global) here.

We will not knowingly collect information from anyone younger than 16 years

Our Website and services associated with our Website are not intended for use by anyone younger than 16 years old, and we will never knowingly collect personal information from anyone younger than that. If we become aware that personal information of anyone younger than 16 has been provided to us, for any purpose, we will delete the information from our files.

Our Legal Basis for Collection

Certain data protection laws require that we have a legal basis for collecting your personal information. The legal basis we rely upon may be different in each circumstance or we may have one or more legal basis for the collection. When accessing our Websites, we collect personal information from you where 1) we have your consent, 2) where your personal information is necessary for us to provide a service (for example, when you register for a webinar), or 3) where we have a legitimate interest to process your information and that legitimate interest is not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may have a legal obligation to process your personal information, or to process your personal information to exercise, establish or defend legal claims.

Do-not-track requests

Some browsers offer a “Do Not Track” privacy preference. Generally, when a user turns on the Do Not Track Signal, their browser sends a message to websites requesting that the user not be tracked. Our Website currently does not respond to “Do Not Track” signals.

How we use personal information

We know your personal information is important to you, so we want to be transparent about our use of that information.

As mentioned above, visitors to the Website will provide their name and email address when they want to receive emails from us or download white papers, articles, or other content available there. Visitors can also become members of our Compliance Next community by creating an account to access member-only resources and community opportunities.

Collecting and using this information allows not only easier, quicker access to our Website, content, and services on subsequent visits but also allows us to secure the information you have provided. As users navigate through the Website, their movements will be tracked and analysed. Using this information allows us to provide more relevant content and create a better visitor experience. We also use personal information:

To market our products and services, typically through email and phone.
To respond to support requests.
To provide access to and maintain the security and integrity of the Website and services, which include personal information associated with logs generated from our service Applications.
To provide updates regarding the Website and marketing information, such as special promotions or surveys, etc.
To comply with legal and regulatory requirements applicable to our business and internal policies for maintaining records.
To protect all parties in the event of disputes.
To comply with court orders and legal processes, and to enforce our Terms of Use and this Privacy Statement.
For any other legal, business, or marketing purposes that comply with the practices described in this Statement.

As noted above, we use the information we receive through our Website for our own business purposes as a controller, but where we are acting as a processor in delivery of our Applications, including providing guidance and services to our business customers, we do so as a processor. The information we receive through our Applications and related services is subject to our Applications Privacy Statement.

If you provide personal information about others, or others give us your information, its use is limited to the specific purpose for which it was provided. Typically, this includes your name and business contact information (email address, phone number, job title).

Please note that we do not sell personal information we receive through our Website, nor do we share that information, other than as outlined in this Privacy Statement.

When we share personal information

Once your personal information is collected, as detailed above, we may share it with third parties for various reasons, among them email delivery, data hosting, analytics, payment processing and content streaming. These services may collect browsing data that includes IP addresses, referring pages, and users’ movements as they navigate the Website. Other third parties help us with our marketing efforts including sending and analysing our marketing efforts by measuring whether recipients have opened an email and clicked on any content within it.

When we share your personal information with a third party, we require that third party to protect the information consistent with this Statement and limit its use of the information to performing the services they provide to us. For example, when we share personal information with payment processors or presenters of web seminars, its use is limited to providing that service.

If you make a public post, other users may see it

If you make a post on a third-party social media site, such as LinkedIn, or by identifying us in your social media feed by tagging us using a hashtag (#) or “at” (@), your personal information may be publicly available and is subject to the privacy policies of those third-party social media sites. As a reminder, this Statement describes how we will treat your personal information once it is in our possession.

We recommend you review the privacy policies of any third-party sites you visit to understand their data collection and practices.

We may share feedback you provide to us

We want to hear how we’re doing. If you have suggestions for improving our Website or services, we want those as well. Please be aware that any feedback relating to our Website or social media channels may be publicly shared.

Eventual successors may access information

In the event of a merger, acquisition, reorganisation, bankruptcy, or other sale of all or a portion of our assets, any user information owned or controlled by us may be among the assets transferred to third parties as successors in interest. As part of this type of transaction, we reserve the right to transfer or assign your personal information to third parties. Other than to the extent ordered by a bankruptcy or other court, or as otherwise agreed to by you, the use and disclosure of all transferred user information will be subject to this Statement.

We need to comply with legal requirements

We may disclose your information to government authorities or other third parties if any lawful circumstances arise, including when:

You have given us permission to share your information;
We are required to do so by law, or in response to a subpoena or court order;
We believe in our sole discretion that disclosure is reasonably necessary to protect against fraud, or to protect our property or other rights or those of other users of the Website, third parties, or the public at large; or
We believe that you have misused the Website by using it to attack or gain unauthorised access to a system or to engage in spamming or other conduct that violates applicable laws or our Terms of Use.

How we secure personal information

We have implemented industry-accepted administrative, physical, and technology-based security measures to protect against loss, misuse, unauthorised access, and alteration of personal information in our systems. We ensure that any employee, contractor, corporation, organisation, or vendor who has access to personal information in our systems is subject to legal and professional obligations to safeguard that personal information.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or form of electronic storage is 100 percent secure. Therefore, we cannot guarantee its absolute security.

NAVEX Global prohibits unauthorised access or use of personal information stored on our servers. Such access is a violation of law, and we will fully investigate and press charges against any party that has illegally accessed information within our systems.

Data Retention

Where NAVEX Global collects your personal information for its own independent business purpose, such as through our Websites, or in connection with webinars and events, we do so as a controller and will retain your information in accordance with our data retention practices. Typically, we retain your personal information for the time necessary to serve the purpose for which it was originally collected or you subsequently authorised, and in accordance with applicable law. For example, we will retain your information for as long as your account is active, as necessary to comply with our legal obligations and rights, to resolve disputes, and to enforce our agreements.

Data Storage and International Transfers

NAVEX Global is headquartered in the United States. Your personal information may be transferred to, processed, and maintained in places other than where you live.

The United States currently is not a country the European Union (“EU”) has deemed “adequate” under applicable data protection laws. NAVEX Global collects, transfers, and processes personal information under terms required by applicable law, including: when you provide your consent, to perform a contract with you (such as to deliver products or services), or to fulfill a compelling legitimate interest of NAVEX Global in a manner that does not outweigh your rights and freedoms. NAVEX Global may enter into data protection agreements or other legally approved mechanisms with its vendors to support compliance with applicable law.

NAVEX Global (and its subsidiaries The Network, Inc. and Lockpath, Inc.) are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (the “Frameworks”). However, in 2020, both Frameworks were declared invalid as a legal mechanism we could rely on for the lawful transfer and processing of personal information from the European Economic Area, the United Kingdom, and Switzerland. Despite this, NAVEX Global continues to certify its compliance with the Frameworks as a means of evidencing its continued commitment to protecting personal information from the European Economic Area, the United Kingdom, and Switzerland and remains under the jurisdiction of the U.S. Federal Trade Commission. As required by the Frameworks, any personal information we receive under the Frameworks will be maintained in accordance with the Privacy Shield principles. NAVEX Global is responsible for the processing of personal information it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. NAVEX Global complies with the Privacy Shield Principles for all onward transfers of personal information from the European Economic Area, United Kingdom, and Switzerland, including the onward transfer liability provisions. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We have taken appropriate safeguards to require that the personal information we process will remain protected in accordance with this Statement when transferred internationally, including when processed internationally by third-party service providers and partners. For personal information from the European Economic Area, the United Kingdom, or Switzerland, data protection laws in those jurisdictions require that that we tell you the legal safeguards we have in place to protect that personal information. We may implement the European Commission's Standard Contractual Clauses, rely on a third-party service provider’s Binding Corporate Rules or other legally approved mechanism, for any transfer of personal information to non-European Economic Area, United Kingdom, or Switzerland third-party service providers or business partners.

Personal information received by NAVEX Global following invalidation of the Frameworks will be transferred and processed in accordance with the applicable European Commission’s Standard Contractual Clauses. More information about Privacy Shield can be found here and more information about the Standard Contractual Clauses can be found here.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Your Rights

We understand that you want to protect and control your personal information. This section details how you may review, update, correct, or delete that information.

Viewing or updating your personal information

You may contact us to update your name, contact information, email preferences, job title and other business information by completing the form located here or by emailing us at privacy@navexglobal.com and including “Update My Information” in the subject line. For our Compliance Next members, please access your account on the Website to update your contact information, or email us at info@compliancenext.com with “Update My Compliance Next Account Information” in the subject line.

Opting out of promotional emails

If you do not wish to receive promotional e-mails from us, you may follow the unsubscribe process at the bottom of the promotional e-mail you received or by emailing us at privacy@navexglobal.com. For our Compliance Next members, please access your account on the Website to update your email subscription preferences, or email us at info@compliancenext.com. Please keep in mind that you still may receive transactional e-mails from us (such as e-mails related to the completion of your registration, correction of user data, password reset requests, reminder e-mails you have requested, and other similar communications) that may be necessary for us to make the Website available to you or respond to your inquiries and support requests.

Deactivating your account

You may deactivate your Compliance Next account any time. To deactivate your account, please edit your account on the Website by clicking “Email Compliance Next to delete my account” or send an email to info@compliancenext.com with “Deactivate Compliance Next Account” in the subject line. Upon receiving your request, NAVEX Global will deactivate your account and delete personal information where required by applicable law.

European Economic Area, Switzerland, or United Kingdom

Individuals from the European Union, including the United Kingdom and Switzerland, have certain rights associated with their personal information based on applicable law.

Your data protection rights

In addition to the rights granted under this Privacy Statement, European Economic Area, Switzerland, and United Kingdom data subjects have the following data protection rights under applicable law:

You can request access to, correction of, updates to, or request deletion of your personal information based on information collected from accessing our Website or participating in our web seminars, forums or events.
You can request more information about how we process your personal information, where and how we collected that information, the categories of that information, with whom we share it, and how long we retain it.
You can object to the processing of your personal information, ask us to restrict the processing, or request portability of your personal information.
You have the right to opt out of marketing communications we send at any time. You can opt out by clicking on the “unsubscribe” or “opt-out” link in any marketing email we send you.
When we have collected and processed your personal information based upon your consent, then you can withdraw your consent at any time. However, withdrawing your consent will not affect the lawfulness of any processing we conducted before your withdrawal, nor will it affect processing of your personal information when we have relied on other legal grounds for the processing.
Upon your request, and where it is technically feasible, NAVEX Global will provide you with a copy of your personal information or transmit it directly to another controller.
You have the right to make a complaint to the data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details are available here.

To make a request, please contact us by completing the form located here or by emailing us at privacy@navexglobal.com with “Personal Information Request” in the subject line. Provide full details relating to your request, including your contact information and any other details you believe are relevant. We are committed to responding to requests to exercise data protection rights in accordance with applicable laws.

California Consumer Rights

The California Consumer Privacy Act provides specific rights to those who live in California. If you are a California-based consumer, as that term is defined under California law, this section shall apply in addition to all other applicable rights and information contained in this Statement.

You have the right to request that we provide you with information about what personal information we collect, use, and disclose.
You have the right to request that we delete personal information we, or our service providers, store about you.
We will not discriminate or retaliate against you if you elect to exercise any rights under this section of our Privacy Statement.
You may request that we not sell your personal information. As noted above, we do not sell your personal information and we only share your personal information with third parties, as described in this Statement.
You have the right to designate an authorised agent to make a request on your behalf. Please see the Identity Verification Requirement below for information on our process for verifying that we have received a legally valid request.
If you are a California consumer and have additional questions based on this section of our Privacy Statement, or wish to submit a request to request that we not share your information with third parties, please contact us by completing the form located here, by emailing us at privacy@navexglobal.com or call us toll-free at 844-842-0916.

Identity verification requirement

The law requires us to verify that any request submitted was made by someone with the legal right to access the information. Therefore, before accessing or divulging any information pursuant to a data access request, we may request that you provide us with additional information so we can verify your identity and legal authority, particularly where the information provided with the request is insufficient to confirm legal authority and/or identity.

To make a request, please contact us by completing the form located here or by emailing us at privacy@navexglobal.com with “Personal Information Request” in the subject line and provide full details about your request, including your contact information and anything you believe is relevant. We will provide a response to an access request within the timeframes required by law. If we cannot substantively respond in a timely manner, we will notify you and provide the reason for the delay.

Under certain circumstances, we may not fulfill your request, such as when doing so would interfere with our regulatory or legal obligations, when we cannot verify your identity, if your request involves disproportionate cost or effort, or when the law allows us to retain that information. But we will respond to your request within a reasonable time, as required by law, and provide an explanation.

Updates

This Privacy Statement will be reviewed at least every 12 months and updated to reflect our personal information handling practices. We reserve the right to amend this Statement at any time, for any reason, without additional notice to you, other than through posting the updated Privacy Statement on our Website. We invite you to return to this page to ensure you are informed of any updates we make about how we collect, use, and protect customer information. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the beginning of this Statement.

Contact Us

If you have questions or complaints about the way we handle personal information, please contact us via the below contact details. We will promptly manage any complaints received from an individual. Alternatively, and at your choice, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

NAVEX Global
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navexglobal.com

Updated: November 2021

NAVEX Global and its affiliates and subsidiaries (“NAVEX Global,” “we,” “us,” etc.) offer guidance, software and technology for companies seeking to manage risk and reach their compliance goals. We are dedicated to improving workplace integrity worldwide and helping companies create a more resilient business by providing tools to identify and reduce risk and misconduct.

This Statement applies to our software related services and solutions, (the “Application” or “Applications”) and any sites or products that display these terms. It does not apply to any website, mobile app, service, or product that does not display or link to this Privacy Statement or that contains its own privacy Statement. For information about how we use personal information we receive in connection with operating our business, including our websites, please visit our Website Privacy Statement. If you do not agree with our policies and practices, please do not use the Applications. By accessing the Applications or using our software services, you agree to this Statement.

As part of the services we provide to our business customers, you may interact with us online (through the Applications) or by phone and in doing so, you will share your personal information with us. The information received by NAVEX Global in delivering the Applications is done on behalf of our business customers and is processed by us according to the contract with that customer.

How we collect personal information

We may collect personal information from you directly or indirectly. For example, when your employer or other related company purchases one of our technology solutions to manage risk or operate within applicable legal and ethical standards, you provide personal information directly to us through your participation in job training, reviewing policies and procedures or reporting a concern. Other times, personal information may be collected automatically as you use our Application as we outline in this Statement. In addition, we also may receive personal information from our business customers or other related third parties.

We collect information through the Application on behalf of business customers who use our software solutions including, without limitation: compliance training, policy and procedure management, ethics and incident management (including a hotline), vendor risk management, risk management software, claims management, and compliance analytics.

Our business customers determine why (the purpose) and what (the nature) personal information is collected, used, stored, or deleted within the Applications purchased. NAVEX Global acts as a service provider, or data processor, of this information under the terms of our contract with that customer, the data controller. We make no judgment or decision regarding the personal information we receive from any customer, company representative, or incident reporter. Questions about how business customers use, share, or process that information should be sent to them directly. Unless prohibited by law, NAVEX Global will honor and support our business customer’s instructions with respect to your personal information.

Legal Basis for Collection

When we collect personal information through our Applications, we do so as a processor, or service provider, as instructed by our business customer, the controller. Certain data protection laws require that controllers have a lawful or legal basis for collecting personal information. The lawfulness of our collection of personal information is determined by the controller, our business customer. If you have questions about the legal basis or lawfulness of our collection of personal information, please contact that business customer directly.

We collect personal information when you provide it

You may provide certain kinds of personal information directly by interacting with the Applications (whether you’re an employer or employee or other stakeholder) or offline (by phone, email, or in person--for example through discussions with your manager--or even through postal mail). Depending on the software service, users will provide different types of personal information, as outlined in the table below. The type of personal information we collect is determined by our business customer. Access to personal information is strictly limited and requires a usernames and password, or PIN, helping to secure the information and making ongoing training or incident tracking easier to access and complete.

Application	Types of information typically collected	Purpose
Policy Tech	Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, time and date of policies.	Improves accessibility, version control, and delivery of company policies, tracks compliance and gauges employee comprehension.
NAVEX Engage	Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, time and date of training media.	Delivers risk-based training, tracks completion, and supports behavior change with scenario-based learning.
Risk Rate	Name, job site, department, log-in credentials, and date of birth.	Performs around-the-clock automated third-party risk monitoring and due diligence.
NetClaim	Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, details about the claim, address, date of birth, social security number.	Provides comprehensive and customisable claims intake and dissemination solution.
EthicsPoint/ AlertLine/ Integrilink/Suite Hotline/Data Subject Rights	Name, job location, department, details about the reported incident or request, personal PIN for report follow-ups and updates.	Allows companies to receive, investigate, and resolve ethics and compliance reports, concerns, data subject right requests, and questions.
COI Disclosures	Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, details about the reported conflicts, time and date of disclosure.	Allows companies to gather, track and analyse disclosures, manage conflicts of interest, gifts and entertainment, board memberships, family business relationships and more.
Lockpath	Name (first and last), email address, log-in credentials, and other categories such as job title.	Provides businesses a comprehensive view of how they identify, assess, and prioritise risk.
ESG	Name (first and last), email address, log-in credentials, and other categories such as job title.	Allows companies to manage social, economic, and environmental decisions from one platform.

We collect personal information using automated technologies

In very limited circumstances, personal information is collected by automated technologies – such as cookies, beacons, tags, and scripts – within the Application being used. In most cases these Application cookies are required but, in some cases, they are optional and only set where you request that we store information. More information about our use of cookies associated with the Application is available here.

Other personal information, such as IP addresses, may be automatically collected from users of the Applications. Doing so protects and secures the integrity of our systems and the data we host. They may be shared with law enforcement to enforce our rights, ensure the security and integrity of our systems, or as otherwise required by law.

We collect personal information from third-party sources

When we provide our business customers with tools to improve their risk and compliance practices, that often requires them to share personal information about their employees and other stakeholders with us. The kinds of personal information typically collected are names, business contact details (such as email addresses), and job titles. When your employer or business partner gives us your information, we use it only for the specific purpose for which it was provided. Collecting this personal information helps us deliver our services and comply with customer contracts. Please see the table above for more information on what personal information we collect and the purpose for why we collect it.

How we use personal information

We know your personal information is important to you, so we want to be transparent about our use of that information.

As mentioned above, NAVEX Global’s business customers determine what personal information is collected by us and how it is used. We use the personal information collected, as a processor, in accordance with our business customer’s instructions. We primarily use it in these ways:

To provide access to the Application for both customers and their end users.
To maintain the security and integrity of the Application.
To communicate with customers and their end users about the Application.
To respond to support requests.
To develop and improve the Application.
To comply with legal and regulatory requirements applicable to our business and internal policies for maintaining records.
To protect all parties in the event of disputes.
To comply with court orders and legal processes, and to enforce our Terms of Use and this Privacy Statement.
For any other legal or business purposes that comply with the practices described in this Statement.

Collecting and using this information allows not only easier, quicker access to our Applications, content, and services on subsequent visits but also allows us to secure the information provided. As users (excluding hotline and incident management reporters) navigate through the Applications, their movements will be tracked and analysed, allowing us to improve our services, page response times and users’ experiences.

If you provide personal information about others when using our Applications, or others give us your information, its use is limited to the specific purpose for which it was provided. Typically, this includes your name and business contact information (email address, phone number, job title).

Please note that personal information we receive within any Application is never sold and only shared with our business customer as outlined in this Privacy Statement.

When we share personal information

Once your personal information is collected in the Application, as detailed above, we may share it with third parties for various reasons. As mentioned above, these third parties are typically your employer or business partner.

In some cases, we use third parties to help deliver our services to customers. These parties may not use any personal information except to provide and deliver those services. One such example is the use of translation and interpretation services when incident reports are received in languages other than English. Another example is the learning management system we use to deliver video trainings through our online learning portal.

Other third parties help us analyse how our software services are used. Doing so improves those services while assuring that we deliver them in a timely and functional manner. More than 14,000 businesses worldwide use our Applications to support their ethics and compliance goals. We may use de-identified and aggregated data generated by the Applications to create data sets. Those sets do not include personal information that could reasonably identify individuals.

As noted previously, we will share your personal information with the relevant business customer in accordance with our contract with that customer. Whenever we share personal information with third party service providers, we require that third party to protect the information consistent with this Statement and limit use of the information to performing the services they provide to us.

Eventual successors may access information

We need to comply with legal requirements

We may disclose your information to government authorities or other third parties if any lawful circumstances arise, including when:

You have given us permission to share your information;
We are required to do so by law, or in response to a subpoena or court order;
We believe in our sole discretion that disclosure is reasonably necessary to protect against fraud, or to protect our property or other rights or those of other users of the Application, third parties, or the public at large; or
We believe that you have misused the Application by using it to attack or gain unauthorised access to a system or to engage in spamming or other conduct that violates applicable laws or our Terms of Use.

How we secure personal information

NAVEX Global prohibits unauthorised access or use of personal information stored on our servers. Such access is a violation of law, and we will fully investigate and take appropriate legal action against any party that has illegally accessed information within our systems.

Data Retention

Personal information collected by NAVEX Global through our Applications will be retained as directed by our business customer. Should you have any questions about how long personal information is retained, please contact the applicable business customer directly.

Data Storage and International Transfers

NAVEX Global is headquartered in the United States. Your personal information may be transferred to, processed, and maintained in places other than where you live.

The United States currently is not a country the European Union (“EU”) has deemed “adequate” under applicable data protection laws. NAVEX Global collects, transfers, and processes personal information in accordance with its legal obligations under contracts with its business customers who, as we have noted previously in this Privacy Statement, determine the legal basis for our collection and processing of personal information, in particular from the European Economic Area, the United Kingdom, and Switzerland. If you want to know what legal basis is relied upon for NAVEX Global to receive and processes personal information, you will need to contact the relevant business customer directly.

NAVEX Global (and its subsidiaries The Network, Inc. and Lockpath, Inc.) are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (the “Frameworks”). However, in 2020, both Frameworks were declared invalid as a legal mechanism that could be relied on for the lawful transfer and processing of personal information from the European Economic Area, the United Kingdom, and Switzerland. Despite this, NAVEX Global continues to certify its compliance with the Frameworks as a means of evidencing its continued commitment to protecting personal information from the European Economic Area, the United Kingdom, and Switzerland and remains under the jurisdiction of the U.S. Federal Trade Commission. As required by the Frameworks, any personal information we receive under the Frameworks will be maintained in accordance with the Privacy Shield principles. NAVEX Global is responsible for the processing of personal information it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. NAVEX Global complies with the Privacy Shield Principles for all onward transfers of personal information from the European Economic Area, United Kingdom, and Switzerland, including the onward transfer liability provisions. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We have taken appropriate safeguards to require that the personal information we process will remain protected in accordance with this Statement when transferred internationally, including when processed internationally by third-party service providers and partners assisting us in delivery of the Applications. For personal information from the European Economic Area, the United Kingdom, or Switzerland, NAVEX Global relies on the European Commission's Standard Contractual Clauses, a third-party service provider’s Binding Corporate Rules or other legally approved mechanism, for any transfer of personal information to non-European Economic Area, United Kingdom, or Switzerland third-party service providers or business partners.

Personal information received by NAVEX Global following invalidation of the Frameworks will be transferred and processed by NAVEX Global in accordance with the applicable European Commission’s Standard Contractual Clauses. More information about Privacy Shield can be found here and more information about the Standard Contractual Clauses can be found here.

Your Rights

As mentioned above, we receive personal information through our Applications as processors for our business customers, who determine the lawfulness of our collection and the purpose for the processing. The data in our Applications is managed by the business customer according to their own internal policies and procedures.

Accordingly, anyone seeking to exercise data protection rights granted by applicable law should direct their request to the relevant company or organisation (typically their employer). Inquiries made to NAVEX Global requesting access, alteration, or deletion of personal information will be forwarded to our customer for resolution. NAVEX Global is not permitted to independently alter that information but will support a business customer’s request to do so, unless otherwise required by law.

For Data Subjects from the European Union, United Kingdom and Switzerland

Certain data protection laws of the European Union (General Data Protection Act), United Kingdom (Data Protection Act 2018) and Switzerland (Swiss Federal Data Protection Act) provide that controllers of personal data honor certain rights granted to data subjects who reside in the applicable country. As noted previously, NAVEX Global is a data processor to its business customers who are data controllers under these laws. NAVEX Global is fully committed to supporting its business customers in their compliance with applicable law. If you are a data subject from the European Union, United Kingdom or Switzerland, and wish to exercise your rights in relation to personal data NAVEX Global may have collected on behalf of its business customer, please contact that business customer directly to exercise your rights. If we receive a request from a data subject for one of our business customers, we will direct the request to the customer for review and response.

Notwithstanding the foregoing, if you have questions or complaints about the way we handle personal information, please contact us via the below contact details. We will promptly manage any complaints received from an individual. Alternatively, and at your choice, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

NAVEX Global
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navexglobal.com

For California Consumers

The California Consumer Privacy Act (“CCPA”) provides specific rights to those who live in California and requires that businesses subject to CCPA ensure those rights are honored. Certain NAVEX Global business customers may be subject to CCPA and, while NAVEX Global may not be directly subject to CCPA as a service provider, it will support its business customers in their compliance with the law. If you are a California Consumer and wish to exercise your rights in relation to personal information NAVEX Global may have collected on behalf of its business customer, please contact that business customer directly to exercise your rights. If we receive a request under CCPA from a California consumer in relation to a business customer, we will direct the request to that customer for review and response.

Updates

This Privacy Statement will be reviewed at least every 12 months and updated to reflect our personal information handling practices. We reserve the right to amend this Statement at any time, for any reason, without additional notice to you, other than through posting the updated Privacy Statement within our Application. We invite you to return to this page to ensure you are informed of any updates we make about how we collect, use, and protect personal information on behalf of our business customers. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the beginning of this Statement.

Contact Us

NAVEX Global
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navexglobal.com