Privacy Policy

Pavestep, Inc. Privacy Policy


This Privacy Policy describes how Pavestep, Inc. (the “Company” or “Pavestep”) protects your data and privacy. Any questions or concerns with respect to your data or privacy should be directed to

This Privacy Policy applies to Pavestep’s website located at, other Pavestep websites, and Pavestep domains (collectively, the "Websites"), Pavestep's performance management platform, including web and mobile applications (collectively, the "Services"), and any other interactions you may have with Pavestep. By visiting the Websites or using the Services, you accept the terms of this Privacy Policy and consent to Pavestep’s collection and use of data for the purposes described herein and applicable Client Agreements including but not limited to the User Agreement.

A separate agreement governs the delivery and use of the Services (the "Client Agreement"), including the processing of any "Client Data," which generally includes all data or information that Client and/or Users upload, process, store, or submit on or through the Services. The organization (e.g., your employer) that entered into the Client Agreement ("Client") controls its instance of the Services (their "Environment") and any associated Client Data. Client as well as individuals who have been authorized by Client, who access or use the Services via their Environment (e.g., Client's employees) are "Users". The Users’ use of the Services may be subject to their respective Clients’ (e.g. their employer's) policies. Pavestep is not responsible, cannot be held responsible, and must disclaim any liability for the privacy or security practices of its Clients, which may differ from those set forth herein.

This Privacy Policy does not apply to third party applications or technologies that integrate with the Services or other third party products, services, or businesses ("Third Party Services"). While using the Websites or Services, you may be directed to a third party website via links or other references, which may take you to the respective third party website ("Third Party Websites"). This Privacy Policy does not apply to data collected from or provided by you to Third Party Websites. Always check the privacy policies and related documents of any Third Party Services or Third Party Websites before interfacing with them.

1. Data Pavestep Collects and Receives

Pavestep collects data to operate efficiently and provide you with the best experiences with its Websites and Services. You provide some of this data directly, such as when you create Pavestep accounts or contact Pavestep for support. Pavestep obtains some of the data automatically, for example, using technologies like cookies. Pavestep also obtains data from Third Party Services and Third Party Websites. To the extent data is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection laws, it is referred to herein as "Personal Data." You acknowledge and agree that Pavestep may collect, process, store, and disclose Personal Data disclosed by you or your Client (e.g., your employer) to facilitate the provision of Services and related support in the manner described in this Privacy Policy and the applicable Client Agreement.


1.1. Client Data

Clients and Users submit Client Data to Pavestep when using the Services. Client Data is governed by the applicable Client Agreements. Client Data may include the following:

  • User Information. To create or update User accounts for the Services, you or your Client provide us with data about you, such as: your first name, your last name, unique identifier, department, job title, work email address, office location, your manager’s name, profile picture, organization band (your level within the organization), user name, password, and any other applicable Personal Data that may identify you individually.

  • Service Data. Pavestep may collect, process, and store any data that is created, posted, uploaded, stored, displayed, transmitted, or submitted on or through the Services (collectively, "Service Data"). Service Data may contain Personal Data to the extent a Client or User discloses Personal Data on or through the Services. Pavestep takes no active part in collecting, aggregating, or storing Service Data. Except to the extent necessary to provide the Services or related support, Pavestep does not intentionally access any Service Data or attempt to aggregate Service Data to create Personal Data. For example, if you provide feedback to another User, the Services passively process and store such feedback for the purpose of providing the Services, and Pavestep only accesses such data to the extent necessary to provide the Services and related support.

  • Integration Data. Pavestep makes tools available to integrate data from Third Party Services used by Client into the Services ("Integration Data"). For example, Client may integrate its Environment with Client's human capital management platform. When the Services are integrated with a Third Party Service, we will receive all data selected by the Client to sync with the Services. Integration Data is imported into the Services as either User Information, Service Data, or other Client Data.


1.2. Other Data

Pavestep may collect Other Data from Clients and Users related to their usage of the Services and interactions with Pavestep. Other Data includes:

  • Log Data. Like most websites and web-based technology services, Pavestep’s servers automatically collect data when you access or use its Websites or the Services and record it in log files ("Log Data"). The Log Data may include your Internet Protocol address, Internet service provider, browser type and settings, information about browser plugins, language preference, operating system, date and time stamp, cookie data, domain name system (DNS) requests, general browsing history (limited only to the time spent on the domain, time spent on the visit, number of clicks and referring links), and certain user behavioral or usage information.

  • Metadata. When a User interacts with the Services, metadata is generated that provides additional context about the Services and the way Users use the Services ("Metadata"). Pavestep collects aggregated Metadata of the Services, so that the resulting data and statistics are not personally identifiable to any User.

  • Technical Data. Pavestep collects technical data, such as information about devices accessing the Services, including the type of device, device settings, operating system, and application software ("Technical Data").

  • Cookie Information. Pavestep uses cookies and similar technologies in our Websites and Services that help us collect Other Data. The Websites and Services may also include cookies and similar tracking technologies, which may collect Other Data about you via the Websites and Services. Cookies are small text files sent by Pavestep to your computer or mobile device for later retrieval. Pavestep uses these technologies to authenticate and authorize your access to various areas of its Websites, understand your interests, analyze web traffic, combat fraud, provide interest-based advertising, and improve its Websites or Services. In messages Pavestep sends, it may use these technologies to track their effectiveness. Restricting cookies may impede your ability to use the Services or certain features of the Services.

  • Third Party Services. Clients may choose to permit or restrict integrations with Third Party Services for their Environment. Once enabled, the enabled Third Party Services may share certain data with Pavestep. You should check the privacy settings and notices of these Third Party Services to understand what data may be disclosed to Pavestep. When the Services are integrated with Third Party Services to enhance the Services, Pavestep may receive data regarding your credentials for and use of the applicable Third Party Services, such as your user name and your information transmitted from or made available with permissions by such Third Party Services (e.g., department, role, etc.). When the Services are integrated with Third Party Services for the login and authentication process, and a User logs in to the Services using a Third Party Services authenticator, Pavestep may receive data regarding your credentials for the applicable Third Party Services, such as your log-in, your user name, your email, and other information transmitted from or made available with permissions by such Third Party Services.


1.3. No Sensitive Personal Data

Pavestep does not intentionally collect, process, or store, and it requests that you do not post, upload, store, or submit Sensitive Personal Data on or through the Services or in Client Data. "Sensitive Personal Data" includes, but is not limited to: government-issued identification numbers, financial account numbers, credit card numbers, any password that could be used to gain access to other accounts, genetic or biometric data, any data revealing racial or ethnic origin, political or religious beliefs, or data concerning health, sex life, or sexual orientation. Pavestep is not responsible and will not be liable for any loss or damages you or another individual may experience due to your disclosure of Sensitive Personal Data while using the Services.


1.4. No Children's Data

Pavestep's business activities are directed to businesses and the Services are intended for use only by those who are eighteen (18) years of age and over. The Services are not directed to or intended for children, and Pavestep does not intentionally collect, process, or store any Personal Data from any person under thirteen (13) years of age. In the event Pavestep discovers that it has inadvertently collected, processed, or stored any Personal Data from a person under thirteen (13) years of age, it will promptly take steps to delete such data or seek the necessary consent in compliance with the Children's Online Privacy Protection Act ("COPPA").


2. How and Why We Use, Share, and Disclose Data

Client Data will be used by Pavestep in accordance with Client's instructions, including any applicable terms in the Client Agreements, Client's use of Services, and as required by applicable law.

Other Data will be used by Pavestep for its legitimate interests in operating its business and providing the Websites and Services, to perform contractual obligations, and/or pursuant to your express consent for a specific purpose. For example, Pavestep may use Other Data for these purposes:

  • Providing the Websites and Services. To make the Websites available and deliver the Services under a Client Agreement, manage Users' requests interacting with the Services, hosting and back-end infrastructure, analyze and monitor usage, and monitor and address service performance, security, and technical issues.

  • Improving the Websites and Services. To test features, to enhance the Websites and Services, and to provide insights to its Clients. In some cases, Pavestep will work with third parties for these purposes.

  • Providing Support Services and Communications. To send service, technical, and administrative communications. Service-related communications about changes to the Services and important Services-related notices, such as maintenance and security announcements, are essential to the delivery of the Services and you cannot opt-out. Marketing communications are optional and you have the choice whether to receive them.

  • Managing Accounts. To contact for billing, account management, feedback, and other administrative matters.

  • Improving Security. To help prevent and investigate security issues and abuse.

  • Fulfilling Legal Obligations. To comply with legal obligations as required by applicable law, legal process, or regulations.


Pavestep may share and disclose data in the following ways:

  • Client's Instructions. Pavestep will share and disclose Client Data in accordance with a Client's instructions, including any applicable terms in the Client Agreement and Client's use of the Services functionality, and as required by applicable law. Pursuant to the Client Agreement, Client Data is generally treated as the confidential information of Client unless stated otherwise.

  • Client Access. Administrators, Users, and other Client representatives and personnel may be able to access, modify, or restrict access to your data. For example, your Client may use administrative controls and features to access or modify your account details or view certain activities in their Environment. In regards to the anonymous feedback feature (i.e., when a User sends feedback to another User anonymously), Pavestep will not disclose this data to the Client, unless it is determined that such feedback violates the Client’s policies (e.g., inappropriate or offensive comments).

  • Displaying and Performing the Services. When a User submits data on the Services, it may be displayed to the Client and other Users in the same Environment. For example, a User's name and work email address, among other things, may be displayed with their profile accessible to the Client and other Users in the same Environment. While in some cases you can make certain data private to specific users, by default most data is public to other Users in the same Environment. You are solely responsible for all data you post, upload, store, display, transmit, or submit on the Services, including Personal Data, and the consequences thereof. Pavestep is not responsible and will not be liable for the data disclosed on the Services. Pavestep employees and contractors may have access to your data on a need-to-know and confidential basis to the extent necessary to provide the Services and related support.

  • Third Party Service Providers. Pavestep engages third parties to process data in support of delivering the Services ("Third Party Service Providers"). Pavestep may share your data, including Personal Data, with Third Party Service Providers (e.g., email services, platform hosting, cloud computing services, and data storage) to the limited extent necessary to let them perform business functions and services for us or on our behalf in connection with the performance of the Services; provided that such Third Party Service Providers process data in a manner consistent with this Privacy Policy and applicable data protection laws and will not use or disclose Personal Data for any other purpose.

  • Third Party Services. Client may enable or permit integrations with or use of Third Party Services in connection with the Services. When enabled, Pavestep may share certain data with such Third Party Services as requested. Third Party Services are not owned or controlled by Pavestep and third parties that have been granted access to your data may have their own policies and practices for its collection and use.

  • Changes to Pavestep's Business. If Pavestep engages in a merger, acquisition, reorganization, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), Pavestep may share or disclose data in connection therewith, subject to standard confidentiality obligations.

  • Aggregated or De-identified Data. If any data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, Pavestep may use or disclose such aggregated or de-identified data for any purpose. For example, we may share aggregated or de-identified data with prospects or partners for business or research purposes, such as statistical analysis to develop or improve the Services.

  • Protection of Rights. Pavestep may disclose data to protect and defend its rights and property, including intellectual property rights, and to ensure compliance with applicable laws and enforce third party rights.

  • Legal Compliance. If Pavestep is compelled by law, such as to comply with a subpoena or other lawful process, or in response to a lawful request by legal or regulatory authorities to meet law enforcement requirements, Pavestep may disclose data if it reasonably believes that disclosure is required by any applicable law, regulation, or legal process.

  • Safety and Security. Pavestep may disclose data to protect your safety and security, to protect the safety of Clients, and to protect the safety of Pavestep and its employees, agents, representatives, contractors, and other representatives.

  • Personal Data. Except as described in this Privacy Policy or the applicable Client Agreement, Pavestep will not use or disclose your Personal Data for any purpose other than to the extent necessary to perform the Services and related support for the Services, unless you expressly consent to any other disclosure.

  • Your Consent. Pavestep may disclose your data to third parties when we have your express consent to do so.


3. Data Retention

Pavestep will retain Client Data in accordance with a Client's instructions, including any applicable terms in the Client Agreement and Client's use of the Services functionality, and as required or permitted by applicable law. Pavestep may retain Other Data and any data pertaining to you, including Personal Data, for as long as your User account is active and thereafter for as long as necessary for the purposes described in this Privacy Policy, including for the period of time needed to pursue our legitimate business interests, provide your Client with the Services, conduct audits, comply with contractual obligations (including but not limited to Client Agreements), and comply with legal obligations. For avoidance of doubt, cancellation or deactivation of User accounts does not ensure complete or comprehensive removal of the content or information you may have uploaded, processed, or stored on Websites or Services.


4. Security Measures

Security is Pavestep’s first priority. Pavestep maintains reasonable, industry-standard physical, technical, and administrative procedures to safeguard the data it collects. Pavestep works hard to protect data in its custody and control from unintended loss, misuse, access, use, disclosure, modification, and destruction. While Pavestep takes security very seriously and will take all commercially reasonable measures to protect your data, no data transmission over the Internet is guaranteed to be completely secure. Pavestep cannot guarantee that unauthorized access, hacking, data losses, or other breaches will never occur.


You are responsible for safeguarding your User account and password. If you believe your privacy has been breached, please contact Pavestep immediately at


5. Identifying the Data Controller and Data Processor

Data protection laws in certain jurisdictions differentiate between the "controller" and "processor" of data. In general, Client is the controller of Client Data. In general, Pavestep is the processor of Client Data and the controller of Other Data.


6. Global Privacy Considerations

Pavestep primarily processes and stores data in connection with the Services in the United States. However, the Services are global and all data, including Personal Data, may be processed and stored in any country where we have operations or where we engage Third Party Service Providers. We may transfer data to countries outside of your country of residence, which may have data protection laws that are different from those of your country. We will take measures to ensure that your Personal Data remains protected to the standards described in this Privacy Policy and any such transfers comply with applicable data protection laws. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Data.


Pavestep commits to investigate and attempt to resolve complaints and disputes regarding our collection, use, or disclosure of Personal Data in compliance with any protection laws in any respective country. Individuals with questions or complaints regarding the collection, use, or disclosure of their Personal Data or this Privacy Policy should first contact Pavestep at or contact information outlined below. Pavestep will respond to the inquiries within forty-five (45) days.


7. Your Rights

Individuals located in certain countries and jurisdictions have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to exercise your rights and request certain actions with respect to your Personal Data.


7.1. General Privacy Rights

Pavestep is committed to maintaining accurate information that you or your Client share with it and will use commercially reasonable efforts to allow you to access your Personal Data. Upon request, Pavestep will provide you with information about whether we hold or process, on behalf of a third party, any of your Personal Data. To request this information, please contact Pavestep as Pavestep will respond to all reasonable written requests to access, modify, or remove Personal Data in a timely manner within thirty (30) business days.


If you seek to access, modify, or remove Personal Data held or processed by Pavestep on behalf of a Client, you should direct your inquiry to your Client. Upon receipt of a request from one of its Clients for Pavestep to remove the data, Pavestep will respond to their requests in a timely manner within thirty (30) business days.


7.2. Additional GDPR Rights

Individuals located in regions or countries covered by the General Data Protection Regulation (“GDPR”) have certain statutory rights under GDPR. To the extent that Pavestep's processing of your Personal Data is subject to the GDPR, Pavestep relies on its legitimate interests set forth in this Privacy Policy to process your Personal Data. If you are located in the regions or countries covered by GDPR, you may have the right to exercise additional rights available to you under applicable laws. These laws can be found on the European Commission’s official website, and other related official government websites.


If you are entitled and would like to exercise such rights, please contact Pavestep at We will consider your request in accordance with applicable laws.


7.3. California "Shine the Light" Notice

Pavestep does not disclose Personal Data to third parties for any third parties' direct marketing purposes, unless the Client or Users affirmatively consent to such disclosure. Since Pavestep provides its California users with notice of its rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, Pavestep is in compliance with California's "Shine the Light" law and is not obligated to provide California users with the names and addresses of all the third parties that received Personal Data from Pavestep for the third parties' direct marketing purposes during the preceding calendar year.


8. Enforcement

Pavestep will actively monitor its relevant privacy and security practices to verify compliance with this Privacy Policy. Any agents, contractors, service providers, or other third parties subject to this Privacy Policy that Pavestep determines are in violation of this Privacy Policy or applicable data protection laws will be subject to disciplinary action, including potential termination of such services. If you believe there has been a violation of this Privacy Policy or applicable laws, please contact Pavestep immediately at In general, if this Privacy Policy and a Client Agreement conflict related to any use, processing, storing, or application of data, the Client Agreement shall govern with respect to such data.


9. Changes to this Privacy Policy

Pavestep may update this Privacy Policy from time to time, in Pavestep's sole discretion, at any time without prior notice by posting updated versions on the Pavestep Websites and/or Services. When Pavestep makes such changes, it will make commercially reasonable efforts to notify you (e.g., by e-mail). Any updates to this Privacy Policy will become effective immediately upon such posting. Your continued use of the Services constitutes your agreement to be bound by such changes to this Privacy Policy.


10. Contact Pavestep

Pavestep encourages you to reach out with any questions, complaints, or requests with respect to your Personal Data, this Privacy Policy, and/or its privacy practices.




Pavestep, Inc.

Attn: Chief Executive Officer

1 Dutch Street, 8C

New York, NY 10038 United States

Updated July 22, 2019