NAVEX has acquired WhistleB. WhistleB’s Privacy Policy is available here: https://whistleb.com/privacy-policy.
Overview
NAVEX and its affiliates and subsidiaries (“NAVEX,” “we,” “us,” etc.) offer guidance, software and technology products for companies to manage risk and reach their compliance goals. We provide risk and compliance solutions including, without limitation: compliance training, policy and procedure management, ethics and incident management (including a hotline), vendor risk management, risk management software, claims management, and compliance analytics. We also offer various resources and ways for compliance professionals to connect through our websites.
We are dedicated to improving workplace integrity worldwide. We help our business customers create a more resilient business by providing tools to identify and reduce risk and misconduct. When it comes to handling your personal information, then, it is not enough for us to simply abide by the law. We believe it is important to set an example for other companies to follow, which includes transparency about how we process information that identifies, relates to, describes, or can be associated with you. This Privacy Statement is part of our effort to provide that transparency.
We want you to be confident that we are handling your personal information with care and respect, whether you’re completing job training, delivering or receiving corporate policies that shape how your job gets done, or filing a complaint, concern or question. We also want to explain the tools and options available to you to manage and protect that information within the bounds of law, your rights, and your company’s risk and compliance goals.
We will collect personal information in different ways and for different purposes as we run our business and deliver services to our business customers. NAVEX does not process personal information for any purposes that are materially different from the purpose for which it was originally collected.
We have created separate Privacy Statements, one for our corporate business operations and one for our service Applications, intended to provide you with information about what personal information we collect, why we collect it, how we use it, with whom we share it, how we protect it, and how long we keep it.
Privacy Statement
Updated: August 2023
NAVEX and its affiliates and subsidiaries (“NAVEX,” “we,” “us,” etc.) offer guidance, software and technology for companies to manage risk and reach their compliance goals. We are dedicated to improving workplace integrity worldwide and helping companies create a more resilient business by providing tools to identify and reduce risk and misconduct.
This Statement applies to personal information NAVEX collects, uses and discloses as a “controller” in connection with operating our business and in connection with the representatives of NAVEX’s business customers and business partners, including (1) on our Websites (https://www.navex.com, https://www.netclaim.com, and all subdomains hosted by NAVEX) and any sites or products that display these terms (collectively “Website”); (2) through webinars or online events we may host or sponsor; and (3) at in-person events, such as trade shows or conferences, and other outreach and marketing activities and communications.
This Privacy Statement does not apply to any website, mobile app, service, or product that does not display or link to this Privacy Statement or that contains its own privacy notice.
Our Applications Privacy Statement covers our privacy practices in connection with the use of the software applications and related services that we provide to our business customers.
How we collect personal information
We may collect personal information from you directly or indirectly. For example, when you register for one of our web seminars or virtual events or sign up to receive our email communications, you provide personal information directly to us. Other times, personal information is collected automatically as you use our Website. In addition, we also may receive personal information from third parties with whom we work.
We collect personal information when you provide it
You may provide certain kinds of personal information directly by interacting with NAVEX online and offline (via social media or Web forms, by phone, email, in person – or even through postal mail). Personal information may also be provided to us directly or indirectly through the use of our customer relationship management systems, in order for us to track support for the service in our role as a controller.
When you register for a web seminar or download white papers available on our Website, for example, you typically provide your email address, phone number and geographic location. Or, to become a member of Compliance Next, you may provide your name and email address and then create a username and password, information that on subsequent visits helps us confirm your identity and grant you access to member-exclusive content.
We may also collect personal information, including your name and contact information that you voluntarily provide at industry events.
We collect personal information from third-party sources
We may collect personal information about you from third parties, including from conference partners, public databases or third parties from whom we have purchased data, including advertising companies that specialize in interest-based ads. We may combine this with information we already have about you.
This helps us update, expand, and analyze our records, identify new customers, and provide information tailored to products and services that may interest you. You may opt out of receiving interest-based advertising by clicking here (or if you are in the European Union, the United Kingdom, or Switzerland click here.) Opting out of interest-based advertising will not prevent ads from being served to you; the ads will simply be more general.
We also work with third parties to support delivery of our online services (such as email and content streaming), or those that help us manage events. Your personal information may be provided to us by those third parties.
We also may collect personal information from online social networks if you take part in a forum, for example, on LinkedIn. We may collect personal information when you click “Share This” or “Like” buttons or otherwise use social media buttons or plug-ins.
We collect personal information using automated technologies
Sometimes personal information is collected by automated technologies and shared with us when Website visitors navigate through our products and services online. We may track your browsing actions and log your IP address. We track product preferences and content downloads, to make future visits to our Website more efficient.
Other automated collection technologies – such as cookies, beacons, tags, and scripts – are used by us to analyze trends, administer the Website, and track users’ movements around the Website. We, and our third-party partners, may also use these technologies to gather demographic information about our user base as individuals and in the aggregate. You may opt out of us sharing your information with our advertising partners by not accepting our cookies on your internet browser. Keep in mind that declining certain cookies may decrease the functionality of the Website or disable some features. Read more about our use of cookies associated with the applicable components of our Websites (https://www.navex.com, https://www.netclaim.com/, and all subdomains hosted by NAVEX) here.
We will not knowingly collect information from anyone younger than 16 years
Our Website and services associated with our Website are not intended for use by anyone younger than 16 years old, and we do not knowingly collect personal information from anyone younger than that. If we become aware that personal information of anyone younger than 16 has been provided to us, for any purpose, we will delete the information from our files.
Our legal basis for collection
Certain data protection laws require that we have a legal basis for collecting your personal information. The legal basis we rely upon may be different in each circumstance or we may have one or more legal bases for the collection. When accessing our Website, for example, we collect personal information from you where 1) we have your consent, 2) your personal information is necessary for us to provide a service (for example, when you register for a webinar), or 3) we have a legitimate interest to process your information and that legitimate interest is not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may have a legal obligation to process your personal information, or to process your personal information to exercise, establish or defend legal claims.
Do-not-track requests
Some browsers offer a “Do Not Track” privacy preference. Generally, when a user turns on the Do Not Track Signal, their browser sends a message to websites requesting that the user not be tracked. Our Website currently does not respond to “Do Not Track” signals. For California residents, please refer to the California Consumer Privacy Statement for information on using the Global Privacy Control signal.
How we use personal information
As users navigate through the Website, their movements may be tracked and analyzed. We use the personal information we obtain:
- To provide our products and services, including our Website.
- To market our products and services, including through email and phone.
- To respond to support requests.
- To personalize your experience with the Website.
- To provide access to and maintain the security and integrity of the Website and services, which include personal information associated with logs generated from our service Applications.
- To provide updates regarding the Website and marketing information, such as special promotions or surveys, etc.
- To perform analytics (including market and consumer research, trend analysis, financial analysis, and anonymization of personal information).
- To operate, evaluate, develop, manage and improve our business (including operating, administering, analyzing and improving our products and services; developing new products and services; managing and evaluating the effectiveness of our communications; performing accounting, auditing, billing reconciliation and collection activities and other internal functions).
- To manage professional relationships with our business customers and partners.
- To comply with legal and regulatory requirements applicable to our business and internal policies for maintaining records.
- To protect all parties in the event of disputes.
- To comply with court orders and legal processes, and to enforce our Terms of Use and this Privacy Statement.
- For any other legal, business, or marketing purposes that comply with the practices described in this Statement.
As noted above, this Privacy Statement applies to the personal information we process as a controller. In contrast, when processing information in connection with the delivery of our Applications, including providing guidance and services to our business customers, we act as a processor. The information we receive through our Applications and related services is subject to our Applications Privacy Statement.
When we share personal information
We may share your personal information amongst our affiliates for the purposes described in this Privacy Statement. We also may share your personal information with third-party service providers that provide services on our behalf and under our instructions, such as email delivery, data hosting, analytics, payment processing and content streaming. In addition, we may share your personal information with other third-party service providers, such as our advertising partners that provide services on our behalf and under our instructions, that help us with our marketing efforts, including sending and analyzing our marketing efforts by measuring whether recipients have opened an email and clicked on any content within it. We do not authorize such service providers to retain, use or disclose the information except as necessary to perform the services they provide to us or comply with legal requirements. Our service providers and advertising partners may collect browsing data that includes IP addresses, referring pages, and users’ movements as they navigate the Website.
We also may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order or subpoena); (2) to establish, exercise or defend our legal rights; (3) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (4) in connection with an investigation of suspected or actual illegal activity; (5) when we believe disclosure is reasonably necessary to protect against fraud, or to protect our property or other rights or those of other individuals, third parties, or the public at large; or (6) otherwise with your consent.
We reserve the right to transfer any personal information we have about you in the event of a potential or actual sale or transfer of all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation).
How we secure personal information
We have implemented and maintain administrative, physical, and technology-based security measures to protect against loss, misuse, unauthorized access or disclosure, destruction and alteration of personal information.
Data retention
Where NAVEX collects your personal information for its own independent business purpose, such as through our Websites, or in connection with webinars and events, we will retain your information in accordance with our data retention practices and in accordance with applicable law. To the extent required by applicable law, we will retain your personal information for the time necessary to serve the purpose for which it was originally collected or you subsequently authorized. For example, we will retain your information for as long as your account is active, as necessary to comply with our legal obligations and rights, to resolve disputes, and to enforce our agreements.
Data storage and international transfers
NAVEX is headquartered in the United States. Your personal information may be transferred to, processed, and maintained in places other than where you live.
This means that we may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, the United Kingdom, Japan, or another jurisdiction that requires legal protections for international data transfers. When we do, we will ensure that an adequate level of protection is provided for the personal information by utilizing appropriate safeguards and terms in accordance with applicable law. Specifically, NAVEX will use one or more of the following approaches:
- We may transfer personal information to jurisdictions that have privacy laws that have been recognized by the jurisdiction from which the data are transferred as providing similar protections for the data.
- We may enter into written agreements, such as standard contractual clauses and other data transfer agreements, with recipients where required to help ensure the same level of protection for the data is provided.
- We may seek consent for transfers of your personal information for specific purposes.
- We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.
Data Privacy Framework
NAVEX complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), including the onward transfer liability provisions, as set forth by the U.S. Department of Commerce (the “Frameworks”). NAVEX Global, Inc. has certified to the U.S. Department of Commerce that it adheres to the Data Privacy Framework Principles (“DPF Principles”) with regard to the processing of personal data received from the European Union, United Kingdom (including Gibraltar) and Switzerland in reliance on the DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
As required by the Frameworks, any personal information we receive under the Frameworks will be maintained in accordance with the DPF Principles. NAVEX is responsible for the processing of personal information it receives, under each of the Frameworks, and subsequently transfers to a third party acting as an agent on its behalf. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
The Federal Trade Commission has jurisdiction over NAVEX’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
Data Privacy Framework Inquiries & Complaints (data from the EEA, Switzerland, or the United Kingdom (and Gibraltar))
In compliance with the Frameworks, NAVEX commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF should first contact NAVEX at: privacy@navex.com.
In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, NAVEX commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF to the TRUSTe Privacy Dispute Resolution program, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of the TRUSTe Privacy Dispute Resolution program are provided at no cost to you.
Under certain conditions, described more fully on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Your Rights
We understand that you want to protect and control your personal information. This section details how you may review, update, correct, or delete that information.
Viewing or updating your personal information
You may contact us to update your name, contact information, email preferences, job title and other business information by completing the form located here or by emailing us at privacy@navex.com and including “Update My Information” in the subject line. For our Compliance Next members, please access your account on the Website to update your contact information, or email us at info@compliancenext.com with “Update My Compliance Next Account Information” in the subject line.
Opting out of promotional emails
If you do not wish to receive promotional e-mails from us, you may follow the unsubscribe process at the bottom of the promotional e-mail you received or email us at privacy@navex.com. For our Compliance Next members, please access your account on the Website to update your email subscription preferences, or email us at info@compliancenext.com. Please keep in mind that you still may receive transactional e-mails from us (such as e-mails related to the completion of your registration, correction of user data, password reset requests, reminder e-mails you have requested, and other similar communications) that may be necessary for us to make the Website available to you or respond to your inquiries and support requests.
Deactivating your account
You may deactivate your Compliance Next account any time. To deactivate your account, please edit your account on the Website by clicking “Email Compliance Next to delete my account” or send an email to info@compliancenext.com with “Deactivate Compliance Next Account” in the subject line. Upon receiving your request, NAVEX will deactivate your account and delete personal information where required by applicable law.
California
If you are a California resident, for more information about your privacy rights, please see the California Consumer Privacy Statement available here.
Individual data subject rights
Depending on your location, you may have certain rights associated with your personal information based on applicable law.
Subject to any exceptions or limitations under applicable law, you may have the following data protection rights:
- You can request access to, correction of, updates to, or deletion of your personal information based on information collected from accessing our Website or participating in our web seminars, forums or events.
- You can request more information about how we process your personal information, where and how we collected that information, the categories of that information, with whom we share it, and how long we retain it.
- You can object to the processing of your personal information, ask us to restrict the processing, or request portability of your personal information.
- You have the right to opt out of marketing communications we send at any time. You can opt out by clicking on the “unsubscribe” or “opt-out” link in any marketing email we send you.
- When we have collected and processed your personal information based upon your consent, then you can withdraw your consent at any time. However, withdrawing your consent will not affect the lawfulness of any processing we conducted before your withdrawal, nor will it affect processing of your personal information when we have relied on other legal grounds for the processing.
- Upon your request, and where it is technically feasible, NAVEX will provide you with a copy of your personal information or transmit it directly to another controller.
- You have the right to make a complaint to the data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details are available here.
To make a request, please contact us by completing the form located here or by emailing us at privacy@navex.com with “Personal Information Request” in the subject line. Provide full details relating to your request, including your contact information and any other details you believe are relevant. We are committed to responding to requests to exercise data protection rights in accordance with applicable laws.
Identity verification requirement
The law may require us to verify that any request submitted was made by someone with the legal right to access the information. Therefore, before accessing or divulging any information pursuant to a data access request, we may request that you provide us with additional information so we can verify your identity and legal authority, particularly where the information provided with the request is insufficient to confirm legal authority and/or identity.
We will provide a response to an access request within the timeframes required by law. If we cannot substantively respond in a timely manner, we will notify you and provide the reason for the delay.
Under certain circumstances, we may not fulfill your request, such as when doing so would interfere with our regulatory or legal obligations, when we cannot verify your identity, if your request involves disproportionate cost or effort, or when the law allows us to retain that information. But we will respond to your request within a reasonable time, as required by law, and provide an explanation.
Other Online Services and Third-Party Features
For your convenience and information, our Website may contain links to other online services, and may include third-party features such as apps, tools, widgets and plug-ins. These online services and third-party features may operate independently of NAVEX. The privacy practices of these third parties, including details on the information they may collect about you, are subject to their own privacy policies or notices, which we strongly suggest you review.
In addition, if you make a post on a third-party social media site, such as LinkedIn, or identify us in your social media feed by tagging us using a hashtag (#) or “at” (@), your personal information may be publicly available and is subject to the privacy policies of those third-party social media sites.
We are not responsible for the content of any online services that are not affiliated with NAVEX, any use of those services, or the privacy practices of those services. We recommend you review the privacy policies or notices of any third-party sites you visit to understand their data collection and practices.
Updates
We reserve the right to amend this Statement at any time, for any reason, without additional notice to you, other than through posting the updated Privacy Statement on our Website. We invite you to return to this page to ensure you are informed of any updates we make about how we collect, use, and protect customer information. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the beginning of this Statement.
Contact us
If you have questions or complaints about the way we handle personal information, please contact us via the below contact details. Alternatively, and at your choice, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
NAVEX
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navex.com
Applications Privacy Statement
Updated: August 2023
NAVEX and its affiliates and subsidiaries (“NAVEX,” “we,” “us,” etc.) offer guidance, software and technology for companies seeking to manage risk and reach their compliance goals. We are dedicated to improving workplace integrity worldwide and helping companies create a more resilient business by providing tools to identify and reduce risk and misconduct.
This Statement applies to our software-related services and solutions (the “Application” or “Applications”) and any sites or products that display these terms. It does not apply to any website, mobile app, service, or product that does not display or link to this Privacy Statement or that contains its own Privacy Statement. For information about how we use personal information we receive in connection with operating our business, including our websites, please see our Privacy Statement.
As part of the services we provide to our business customers, you may interact with us online (through the Applications) or by phone and in doing so, you may share your personal information with us. The information NAVEX receives in delivering the Applications is received on behalf of our business customers and is processed by us according to the contract with that business customer.
How we collect personal information
We may collect personal information from you directly or indirectly. For example, when your employer or other related company purchases one of our technology solutions to manage risk or operate within applicable legal and ethical standards, you may provide personal information directly to us through your participation in job training, reviewing policies and procedures or reporting a concern. Other times, personal information may be collected automatically as you use our Application as we outline in this Statement. In addition, we also may receive personal information from our business customers or other related third parties.
We collect information through the Application on behalf of business customers who use our software solutions including, without limitation: compliance training, policy and procedure management, ethics and incident management (including a hotline), vendor risk management, risk management software, claims management, and compliance analytics.
Our business customers determine why (the purpose) and what (the nature) personal information is collected, used, stored, or deleted within the Applications purchased. NAVEX acts as a service provider, or data processor, of this information under the terms of our contract with that customer, the data controller. Questions about how business customers use, share, or process that information should be sent to them directly. Unless prohibited by law, NAVEX will honor and support our business customer’s instructions with respect to your personal information.
Legal basis for collection
When we collect personal information through our Applications, we do so as a processor, or service provider, as instructed by our business customer, the controller. Certain data protection laws require that controllers have a lawful or legal basis for collecting personal information. The lawfulness of our collection of personal information is determined by the controller, our business customer. If you have questions about the legal basis or lawfulness of our collection of personal information, please contact that business customer directly.
We collect personal information when you provide it
You may provide certain kinds of personal information directly by interacting with the Applications (whether you’re an employer or employee or other stakeholder) or offline (by phone, email, or in person–for example through discussions with your manager–or through postal mail). Depending on the software service, users may provide different types of personal information, as outlined in the table below. The type of personal information we collect is determined by our business customer.
| Application | Types of information typically collected | Purpose |
| --- | --- | --- |
| Policy Tech | Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, time and date of policies. | Improve accessibility, version control, and delivery of company policies, track compliance and gauge employee comprehension. |
| NAVEX Engage | Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, time and date of training media. | Deliver risk-based training, track completion, and support behavior change with scenario-based learning. |
| Risk Rate | Name, job site, department, log-in credentials, and date of birth. | Perform around-the-clock automated third-party risk monitoring and due diligence. |
| NetClaim | Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, details about the claim, address, date of birth, social security number. | Provide comprehensive and customizable claims intake and dissemination solution. |
| EthicsPoint/ Data Subject Rights | Name, job location, department, details about the reported incident or request, personal PIN for report follow-ups and updates. | Allow companies to receive, investigate, and resolve ethics and compliance reports, concerns, data subject right requests, and questions. |
| COI Disclosures | Name (first and last), email address, job site, job title, department, supervisor, log-in credentials, completion status, details about the reported conflicts, time and date of disclosure. | Allow companies to gather, track and analyze disclosures, manage conflicts of interest, gifts and entertainment, board memberships, family business relationships and more. |
| IRM | Name (first and last), email address, log-in credentials, and other categories such as job title. | Provide businesses a comprehensive view of how they identify, assess, and prioritize risk. |
| NAVEX WhistleB | Name, job location, department, details about the reported incident or request, personal PIN for report follow-ups and updates. | Allow companies to receive, investigate, and resolve ethics and compliance reports, concerns, data subject right requests, and questions. |
We collect personal information using automated technologies
Personal information may be collected by automated technologies – such as cookies, beacons, tags, and scripts – within the Application being used. In most cases these Application cookies are required but, in some cases, they are optional and only set where you request that we store information. More information about our use of cookies associated with the Application is available here.
Other personal information, such as IP addresses, may be automatically collected from users of the Applications. Doing so helps us protect and secure the integrity of our systems and the data we host. They may be shared with law enforcement to enforce our rights, ensure the security and integrity of our systems, or as otherwise required by law.
We collect personal information from third-party sources
When we provide our business customers with tools to improve their risk and compliance practices, this may require them to share personal information about their employees and other stakeholders with us. The kinds of personal information typically collected are names, business contact details (such as email addresses), and job titles. When your employer or business partner gives us your information, we use it only for the specific purpose for which it was provided. Collecting this personal information helps us deliver our services and comply with customer contracts. Please see the table above for more information on what personal information we collect and the purpose for which we collect it.
How we use personal information
As mentioned above, NAVEX’s business customers determine what personal information is collected by us and how it is used. We use the personal information collected, as a processor, in accordance with our business customer’s instructions. We may use it in these ways:
- To provide the Applications for both customers and their end users.
- To maintain the security and integrity of the Applications.
- To communicate with customers and their end users about the Applications.
- To respond to support requests.
- To develop and improve the Applications.
- To comply with legal and regulatory requirements applicable to our business and internal policies for maintaining records.
- To protect all parties in the event of disputes.
- To comply with court orders and legal processes, and to enforce our Terms of Use and this Privacy Statement.
- For any other legal or business purposes that comply with the practices described in this Statement.
When we share personal information
Once your personal information is collected in the Application, as detailed above, we may share it with third parties, including your employer or business partners, for various reasons.
We may share your personal information with third parties to help deliver our services to customers. We do not authorize such third parties to retain, use or disclose the information, except as necessary to provide and deliver those services.
As noted previously, we may share your personal information with the relevant business customer in accordance with our contract with that customer.
We also may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order or subpoena); (2) to establish, exercise or defend our legal rights; (3) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (4) in connection with an investigation of suspected or actual illegal activity; (5) when we believe disclosure is reasonably necessary to protect against fraud, or to protect our property or other rights or those of other individuals, third parties, or the public at large; or (6) otherwise with your consent.
We reserve the right to transfer any personal information we have about you in the event of a potential or actual sale or transfer of all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation).
How We Secure Personal Information
We have implemented and maintain administrative, physical, and technology-based security measures to protect against loss, misuse, unauthorized access or disclosure, destruction and alteration of personal information in our systems.
Data retention
Personal information collected by NAVEX through our Applications will be retained as directed by our business customer. Should you have any questions about how long personal information is retained, please contact the applicable business customer directly.
Data storage and international transfers
NAVEX is headquartered in the United States. Your personal information may be transferred to, processed, and maintained in places other than where you live.
NAVEX collects, transfers, and processes personal information in accordance with its legal obligations under contracts with its business customers who, as we have noted previously in this Privacy Statement, determine the legal basis and applicable transfer mechanisms for our collection and processing of personal information, in particular from the European Economic Area (“EEA”), the United Kingdom, Switzerland, Japan, or another country that requires legal protections for international data transfer. If you want more information on what legal basis or transfer mechanism is relied upon for NAVEX to receive and process personal information, you will need to contact the relevant business customer directly. NAVEX supports its business customers with appropriate safeguards and terms required by applicable law.
Data Privacy Framework
NAVEX complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), including the onward transfer liability provisions, as set forth by the U.S. Department of Commerce (the “Frameworks”). NAVEX Global, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union, United Kingdom (and Gibraltar) and Switzerland in reliance on the Frameworks. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
As required by the Frameworks, any personal information we receive under the Frameworks will be maintained in accordance with the DPF Principles. NAVEX is responsible for the processing of personal information it receives, under each of the Frameworks, and subsequently transfers to a third party acting as an agent on its behalf. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
The Federal Trade Commission has jurisdiction over NAVEX’s compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF.
Data Privacy Framework Inquiries & Complaints (data from the EEA, Switzerland, or the United Kingdom (and Gibraltar))
In compliance with the Frameworks, NAVEX commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF should first contact NAVEX at: privacy@navex.com.
In compliance with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, NAVEX commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF to the TRUSTe Privacy Dispute Resolution program, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of the TRUSTe Privacy Dispute Resolution program are provided at no cost to you.
Under certain conditions, described more fully on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Your rights
As mentioned above, we receive personal information through our Applications as processors for our business customers, who determine the lawfulness of our collection and the purpose for the processing. The data in our Applications is managed by the business customer according to their own internal policies and procedures.
Accordingly, anyone seeking to exercise data protection rights granted by applicable law should direct their request to the relevant company or organization (typically their employer). Inquiries made to NAVEX requesting access, alteration, or deletion of personal information will be forwarded to our business customer for resolution. NAVEX is not permitted to independently alter that information but will support a business customer’s request to do so, unless otherwise required by law.
For data subjects from the European Union, United Kingdom and Switzerland
Certain data protection laws of the European Union (General Data Protection Regulation), United Kingdom (Data Protection Act 2018) and Switzerland (Swiss Federal Data Protection Act) provide that controllers of personal data honor certain rights granted to data subjects who reside in the applicable country. As noted previously, NAVEX is a data processor to its business customers who are data controllers under these laws. NAVEX is fully committed to supporting its business customers in their compliance with applicable law. If you are a data subject located in the European Union, United Kingdom or Switzerland, and wish to exercise your rights in relation to personal data NAVEX may have collected on behalf of its business customer, please contact that business customer directly to exercise your rights. If we receive a request from a data subject for one of our business customers, we will direct the request to the business customer for review and response.
Notwithstanding the foregoing, if you have questions or complaints about the way we handle personal information, please contact us via the below contact details. We will promptly manage any complaints received from an individual. Alternatively, and at your choice, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
NAVEX
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navex.com
For California Consumers
The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively “CCPA/CPRA”) provides specific rights to those who live in California and requires that businesses subject to CCPA/CPRA ensure those rights are honored. Certain NAVEX business customers may be subject to the CCPA/CPRA. As a service provider to those business customers, NAVEX will support them in their compliance with the law. If you are a California Consumer and wish to exercise your rights in relation to personal information NAVEX may have collected on behalf of its business customer, please contact that business customer directly to exercise your rights. If we receive a request under CCPA/CPRA from a California consumer in relation to a business customer, we will direct the request to that business customer for review and response.
Updates
We reserve the right to amend this Statement at any time, for any reason, without additional notice to you, other than through posting the updated Privacy Statement within our Application. We invite you to return to this page to ensure you are informed of any updates we make about how we collect, use, and protect personal information on behalf of our business customers. You can see when this Privacy Statement was last updated by checking the “last updated” date displayed at the beginning of this Statement.
Contact us
If you have questions or complaints about the way we handle personal information, please contact us via the below contact details. Alternatively, and at your choice, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
NAVEX
Attention: Data Protection Officer
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
(866) 297-0224
privacy@navex.com