WHO WE ARE
CLIENTS AND THIRD PARTIES
Aspen is a full service HR solutions and benefits service provider for organizations (our “Clients”) and their employees and covered dependents (“Employees”). When our Services is provided pursuant to a Client agreement, we may process Personal Data (defined below) relating to a Client’s internal users of the Services (“Client Users”), as well as Employees who may use our Services.
PROCESSING OF PERSONAL DATA
Personal Data We Collect
In order to provide our Services, we may collect and process information that relates to identified or identifiable individuals (“Personal Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements are examples and may change):
Personal Data about you and your identity, such as your name, ID or account number, username and password, and other Personal Data you may provide on various forms or in an account profile (e.g. biographical information).
Personal Data used to contact an individual, e.g. email address(es), physical address(es), phone number(s), or social media or communications platform usernames/handles, etc.
Personal Data relating to your use of the Services, such as consumption of Services, price paid, or other related data.
Personal Data relating to tax identification, financial accounts or services, e.g. bank account or other financial account number, billing accounts, and other relevant information you provide in connection with a financial transaction.
Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies.
Information about your education, professional and employment history, qualifications, and similar biographic information, as well as job, title, hours worked, or other general information relating to employment relationship.
Personal Data and other user content provided by a user relating to our Services, such as data included in a free form text field, or other unstructured format.
Sensitive Data relating to your health and wellness, health insurance, health benefits, and other information relating to your health, including information subject to the Health Insurance Portability and Accountability Act (“HIPAA”).
Refers to Health Data and “Personal Information” as defined in Cal Civil Code §1798.80(e), and information regarding criminal history and background.
Sources of Personal Data
We collect Personal Data from various sources based on the context in which the Personal Data will be processed:
We collect Personal Data from you directly, for example, when you input information into an online form, sign up for a list, or contact us directly.
We may collect certain Personal Data automatically from your devices. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use access our Services or when you open our marketing communications.
We collect Personal Data from our Clients with whom we have a relationship, and who may provide us, or grant us access to systems providing, information about users, personnel, account information, etc.
We receive Personal Data from third parties with whom we have a relationship in connection with their performance of services or processing of transactions on our behalf.
Data we create:
We (or third parties operating on our behalf) create and infer Personal Data based on our observations or analysis of other Personal Data we process, and we may correlate this data with other data we process about you.
HOW WE PROCESS PERSONAL DATA
Subscription and Account Registration
If you subscribe to or contract for our Services, we collect Identity Data, Financial Data, and Commercial Data in connection with that transaction. This data is used in order to fulfill the transaction and complete the subscription or contracting process. We may share certain information with our service providers in order to complete the transaction.
Additionally, Client Users may be able to register and create an account on our Services. When users register, we will process Identity Data and Contact Data. We use the Identity Data and Contact Data as necessary to create, maintain, and provide you with important information about your account. Subject to your rights and choices, we may also use the Identity Data as part of our efforts to improve our Services, and we may process the Identity Data and Contact Data in connection with marketing communications.
We may process Identity Data, Contact Data, Financial Data, Professional Data, User Content, and certain Sensitive Data (including Health Data) to the extent provided by the Client or the Client’s employee and dependents in relation to benefits enrollment, as part of the HR administration platform and/or other Services we provide to or on behalf of our Clients.
We process the Identity Data, Contact Data, Financial Data, Professional Data, User Content, and Sensitive Data on behalf of the Clients and Employees as necessary to carry out the processes and transactions we provide to the Client and employee (e.g. pursuant to a services agreement, or as part of an employee enrolment). For example, we may process benefits applications, changes, and enrollments, create reports, or provide other similar services.
In addition, and subject to your rights and choices, we may also use this information (excluding Financial Data and Sensitive Data) as part of our legitimate interests in improving the design of our Services, and for ensuring the security and stability of the Services. Sensitive Data is used only in accordance with the consent of the employee and/or employee, as appropriate, and in accordance with applicable law.
Note, our Clients are the owners and controllers of information we process on their behalf under a Service Agreement. Further, certain data, such as Health Data, may be subject to additional restrictions or processing operations not described in this Policy. Supplemental policies, including Clients’ or other third parties’ privacy policies, may apply to the processing of such Personal Data. Please review the appropriate applicable privacy policies for information on how your Personal Data is used and the rights you may have in that Personal Data.
Contact Us Forms
We process Identity Data, Contact Data, and User Content if you choose to contact us through our Site. We may receive that data from a third party if and to the extent provided to us by a third party (e.g. contact or communications platforms). We use Identity Data, Contact Data, and User Content as necessary to communicate with you about the subject matter of your request and related matters. Subject to your rights and choices, we may also use Identity Data and Contact Data to in connection with Marketing Communications, if relevant to your request, such as when you request more information about our Services.
We may process Identity Data, Device/Network Data, and Contact Data when you are enrolled to receive, and when you open or interact with, our electronic marketing communications. Note, you may be enrolled with your consent or, where allowed, in connection with an information request or other interaction with our Services and services. Subject to your rights and choices, we may use the Identity Data, Device/Network Data, and Contact Data to improve our services and in connection with marketing communications.
Internal Employment Applications
We may process Identity Data, Contact Data, Professional Data, and User Content in connection with your application to be an employee, contractor, or otherwise join the Aspen team. We process this Personal Data primarily in connection with the assessment and creation of the personnel relationship, and to the extent permitted by applicable law, or with your consent or where authorized by law, and subject to your rights and choices, we may process Personal Data in accordance with our legitimate business interests, as follows:
We may use your Contact Data as necessary to process your application, contact you regarding this or other future application/vendor/work opportunities, or similar matters.
The assessment of your application may involve the creation and processing of data we create in order to evaluate your prospective engagement, assess skills alignment, qualifications, and similar matters.
To the extent permitted under applicable law, the processing of your Personal Data in connection with application evaluation may involve the use of automated technologies that may extract relevant information and rate applications based on their conformity with our requirements. In some cases, automated processing may reject or place a low rating on applications that are found to not meet requirements of a given engagement.
Please Note: Once you are engaged or employed, your Personal Data may be subject to applicable internal privacy policies.
Cookies and Similar Tracking Technologies
We, and certain third parties, may automatically collect and process Identity Data, Contact Data, and Device/Network Data when you interact with cookies and similar technologies on our Services. We may receive this data from third parties to the extent allowed by that party. Please note that the privacy policies of third parties may also apply to these technologies and the Personal Data collected through them.
Subject to your rights & choices, we may use this information as follows:
for “essential” or “functional” purposes, such as to enable certain features of the Services, or keeping you logged in during your session;
for “analytics” and “personalization” purposes, consistent with our business interest in how the Services are used or perform, how users engage with and navigate through our Services, what sites users visit before visiting the Services, how often they visit the Services, and other similar information, as well as to greet users by name and modify the appearance of the Services to usage history, tailor the Services based on geographic location or Client, and understand characteristics of users in various technical and geographic contexts; and
for “retargeting” or similar advertising purposes on our Site, so that you can see advertisements from us on other websites. These technologies and the data they collect, may be used by advertisers to deliver ads that are more relevant to you based on content you have viewed, including content on our Sites. These tracking technologies may also help prevent you from seeing the same advertisements too many times, and help us understand whether you have interacted with or viewed ads we’ve delivered to you. This data collection may take place both on our Sites, as well as and on third-party websites that participate in the ad network (e.g. including as part of advertisements delivered by that ad network on a third party website).
Some of these technologies can be used to identify you across platforms, devices, sites, and services.
Business Purposes of Processing
In addition to the processing described above, we generally process Personal Data for several common purposes in connection with certain business purposes, and in accordance with our legitimate interests, as described below.
Service Provision and Contractual Obligations
We process any Personal Data as is necessary to provide the Services, and as otherwise necessary to fulfill our obligations to you, e.g. to provide you with the information, features, and services you request. We may also use Personal Data to fulfill any contracts we have with you.
Internal Processes and Services Improvement
We may use any Personal Data we process through our Services as necessary in connection with our legitimate business interest in improving the design of our Services, understanding how our Services are used or function, for customer service purposes, in connection with the creation and analysis of logs and metadata relating to Services use, and for ensuring the security and stability of the Services. Additionally, we may use Personal Data to understand what parts of our Services are most relevant to users, how users interact with various aspects of our Services, how our Services perform or fail to perform, etc., or we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our Users. This processing is subject to users' rights and choices.
We process certain Personal Data as necessary in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Services may be customized to you so that it displays your or a Client’s name, to reflect appearance or display preferences, display recent or commonly used features or data, or other similar functionality.
We process Personal Data as necessary in connection with our legitimate business interest in the creation of aggregate analytics relating to how our Services are used, the products and services our users purchase, to create service delivery metrics, and to create other reports regarding the use of our Services, and other similar information and metrics. The resulting aggregate data will not contain information from which an individual may be readily identified.
Security and Incident Detection
Whether online or off, we work to ensure that our Services are secure, and we work to prevent fraud on our Services. We may process any Personal Data we collect in connection with our legitimate business interest in ensuring that our properties and locations are secure, to identify and prevent crime, security events, and ensure the security of our users, Client Data, and our IT systems. Similarly, we process Personal Data on our Services as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information and physical security activities.
Compliance, Health, Safety & Public Interest
Other Processing of Personal Data
Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the following categories of recipients:
We process data on behalf of Clients, and may share your Personal Data with Clients to the extent such information was provided to us for processing on the Client’s behalf. For example, any communications sent using our Platform and all other Personal Data processed on behalf of the Client may be available to the Client and its users. These parties may engage in direct marketing, or other activities that are outside our control.
In limited cases, we may share your Personal Data, such as Identity Data or Contact Data with business or marketing partners in connection with promotions, events, products, and services that are promoted, managed, supported, or otherwise undertaken with that third party. If appropriate, these parties may engage in marketing communications.
In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other lawful business interests, we may share Personal Data with service providers or subprocessors who provide certain services or process data on our behalf. For example, we may use cloud-based hosting providers to host our Services or disclose information as part of our own internal operations, such as security operations, internal research, etc.).
Your Personal Data may be processed in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
In order to streamline certain business operations, marketing activities, services, offers, and other content we believe would be of interest to you, and develop products and services that better meet the interests and needs of our customers, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.
YOUR RIGHTS & CHOICES
Applicable law may grant you rights in your Personal Data. These rights vary based on your location, state/country of residence, and may be limited by or subject to our or our Clients’ rights in your Personal Data. In cases where we process Personal Data on our own behalf, you may exercise rights you have by contacting us at Aspen HR, LLC, 750 Battery Street, 6th Floor, San Francisco, CA 94111 (attn: Rights Requests) or email@example.com (subject line: Rights Request)
All rights requests we receive directly must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you log in to your account or verify that you have access to your account or the email on file in order to verify your identity.
Please contact the Client directly for data rights requests regarding Client-controlled information, and we will assist the Client as appropriate in the fulfillment of your request. While we may notify Clients of your request, we are unable to directly fulfill rights requests regarding Personal Data we control or for which we have the necessary rights of access, and we may not have access to or control over all or some Personal Data controlled by Clients.
For information regarding your California Privacy Rights, please see below.
It is possible for you to use some of our Services without providing any Personal Data, but you may not be able to access certain features or view certain content. You have the following choices regarding the Personal Data we process, which you may exercise by contacting us as described above.
If you consent to processing, you may withdraw consent any time, to the extent required by law.
You have the choice to opt-out of processing related to marketing communications or to withdraw your consent if marketing communication was initiated through consent. You may exercise your choice via the “unsubscribe” links in our communications or by contacting us re: direct marketing.
Cookies & Similar Tech:
You may have the right under applicable law to object to our processing of your Personal Data for certain purposes. Note that we may not be required to cease processing based solely on an objection.
YOUR CALIFORNIA PRIVACY RIGHTS
Under the California Consumer Privacy Act (“CCPA”) and other California laws, California residents may have the following rights, subject to your submission of an appropriately verified request (see below for verification requirements). Please note, as a B2B provider and employer, we may not be obligated under CCPA to fulfill these rights in some contexts, and we reserve the right to deny requests to the extent allowed by applicable law.
Right to Know
You may have the right to request any of following, for the 12 month period preceding your request: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties to whom we have sold your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.
Right to Delete
You may have the right to delete certain Personal Data that we hold about you, subject to exceptions under applicable law.
Right to Non-Discrimination
You may have the right to not to receive discriminatory treatment as a result of your exercise of any rights conferred by the CCPA.
You may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes (if any) during the preceding calendar year.
Opt-Out of Sale
If we engage in sales of Personal Data (as defined by applicable law), you may direct us to stop selling or disclosing Personal Data to third parties for commercial purposes. At this time, we do not sell (as defined by the CCPA) Personal Data.
Submission of Rights Requests
You may submit requests to firstname.lastname@example.org (subject line: Rights Request) (see below for summary of required verification information).
Verification of Rights Requests
All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as an address, phone number, or other data we have on file, in order to verify your identity.
Agents should submit requests to the email above, along with information supporting their authorization to act on the consumer’s behalf. We may contact individuals to validate the agent’s authority to act on their behalf, and may require that individuals to validate their identity directly if the agent does not have property authority or for any appropriate security or compliance purposes.
Supplemental Data Processing Disclosures
Categories of Personal Data Disclosed for Business Purposes
For purposes of the CCPA, we may disclose to Service Providers for “business purposes” the following categories of Personal Data: Identity Data, Contact Data, Transaction Data, Device/Network Data, Biographical Data, and User Content.
For purposes of the CCPA, we do not “sell” your Personal Data.
Right to Know
We follow and implement reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and we do not have control over third parties’ security processes. Please note, we do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.
We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate and requested.
Our Services are neither directed at nor intended for use by minors under the age of majority in the relevant jurisdiction. Further, we do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it.
We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. may not provide the same legal protections guaranteed to Personal Data in foreign countries. Contact us for more information regarding transfers of data to the U.S.
750 Battery Street, 6th Floor
San Francisco, CA 94111