A separate agreement governs the delivery and use of the Services (the "Client Agreement"), including the processing of any "Client Data," which generally includes all data or information that Client and/or Users upload, process, store, or submit on or through the Services. The organization (e.g., your employer) that entered into the Client Agreement ("Client") controls its instance of the Services (their "Environment") and any associated Client Data. Client, as well as individuals who have been authorized by Client, who access or use the Services via their Environment (e.g., Client's employees), are "Users". The Users’ use of the Services may be subject to their respective Clients’ (e.g., their employer's) policies. Pavestep is not responsible, cannot be held responsible, and must disclaim any liability for the privacy or security practices of its Clients, which may differ from those set forth herein.
1. Data Pavestep Collects and Receives
1.1. Client Data
Clients and Users submit Client Data to Pavestep when using the Services. Client Data is governed by the applicable Client Agreements. Client Data may include the following:
User Information. To create or update User accounts for the Services, you or your Client provide us with data about you, such as: your first name, your last name, unique identifier, department, job title, work email address, office location, your managers’ name, profile picture, organization band (your level within the organization), user name, password, and any other applicable Personal Data that may identify you individually.
Service Data. Pavestep may collect, process, and store any data that is created, posted, uploaded, stored, displayed, transmitted, or submitted on or through the Services (collectively, "Service Data"). Service Data may contain Personal Data to the extent a Client or User discloses Personal Data on or through the Services. Pavestep takes no active part in collecting, aggregating, or storing Service Data. Except to the extent necessary to provide the Services or related support, Pavestep does not intentionally access any Service Data or attempt to aggregate Service Data to create Personal Data. For example, if you provide feedback to another User, the Services passively processes and stores such feedback for the purpose of providing the Services, and Pavestep only accesses such data to the extent necessary to provide the Services and related support.
Integration Data. Pavestep makes tools available to integrate data from Third Party Services used by Client into the Services ("Integration Data"). For example, Client may integrate its Environment with Client's human capital management platform. When the Services are integrated with a Third Party Service, we will receive all data selected by the Client to sync with the Services. Integration Data is imported into the Services as either User Information, Service Data, or other Client Data.
1.2. Other Data
Pavestep may collect Other Data from Clients and Users related to their usage of the Services and interactions with Pavestep. Other Data includes:
Log Data. Like most websites and web-based technology services, Pavestep’s servers automatically collect data when you access or use its Websites or the Services and record it in log files ("Log Data"). The Log Data may include your Internet Protocol address, Internet service provider, browser type and settings, information about browser plugins, language preference, operating system, date and time stamp, cookie data, domain name system (DNS) requests, general browsing history (limited only to the time spent on the domain, time spent on the visit, number of clicks and referring links), and certain user behavioral or usage information.
Metadata. When a User interacts with the Services, metadata is generated that provides additional context about the Services and the way Users use the Services ("Metadata"). Pavestep collects aggregated Metadata of the Services, so that the resulting data and statistics are not personally identifiable to any User.
Technical Data. Pavestep collects technical data, such as information about devices accessing the Services, including the type of device, device settings, operating system, and application software ("Technical Data").
Third Party Services. Clients may choose to permit or restrict integrations with Third Party Services for their Environment. Once enabled, the enabled Third Party Services may share certain data with Pavestep. You should check the privacy settings and notices of these Third Party Services to understand what data may be disclosed to Pavestep. When the Services are integrated with Third Party Services to enhance the Services, Pavestep may receive data regarding your credentials for and use of the applicable Third Party Services, such as your user name and your information transmitted from or made available with permissions by such Third Party Services (e.g., department, role, etc.). When the Services are integrated with Third Party Services for the login and authentication process, and a User logs in to the Services using a Third Party Services authenticator, Pavestep may receive data regarding your credentials for the applicable Third Party Services, such as your log-in, your user name, your email, and other information transmitted from or made available with permissions by such Third Party Services.
1.3. No Sensitive Personal Data
Pavestep does not intentionally collect, process, or store, and it requests that you do not post, upload, store, or submit Sensitive Personal Data on or through the Services or in Client Data. "Sensitive Personal Data" includes, but is not limited to: government-issued identification numbers, financial account numbers, credit card numbers, any password that could be used to gain access to other accounts, genetic or biometric data, any data revealing racial or ethnic origin, political or religious beliefs, or data concerning health, sex life, or sexual orientation. Pavestep is not responsible and will not be liable for any loss or damages you or another individual may experience due to your disclosure of Sensitive Personal Data while using the Services.
1.4. No Children's Data
Pavestep's business activities are directed to businesses and the Services are intended for use only by those who are eighteen (18) years of age and over. The Services are not directed to or intended for children, and Pavestep does not intentionally collect, process, or store any Personal Data from any person under thirteen (13) years of age. In the event Pavestep discovers that it has inadvertently collected, processed, or stored any Personal Data from a person under thirteen (13) years of age, it will promptly take steps to delete such data or seek the necessary consent in compliance with the Children's Online Privacy Protection Act ("COPPA").
2. How and Why We Use, Share, and Disclose Data
Client Data will be used by Pavestep in accordance with Client's instructions, including any applicable terms in the Client Agreements, Client's use of Services, and as required by applicable law.
Other Data will be used by Pavestep for its legitimate interests in operating its business and providing the Websites and Services, to perform contractual obligations, and/or pursuant to your express consent for a specific purpose. For example, Pavestep may use Other Data for these purposes:
Providing the Websites and Services. To make the Websites available and deliver the Services under a Client Agreement, manage Users' requests interacting with the Services, provide hosting and back-end infrastructure, analyze and monitor usage, and monitor and address service performance, security, and technical issues.
Improving the Websites and Services. To test features, to enhance the Website and Services, and to provide insights to its Clients. In some cases, Pavestep will work with third parties for these purposes.
Providing Support Services and Communications. To send service, technical, and administrative communications. Service-related communications about changes to the Services and important Services-related notices, such as maintenance and security announcements, are essential to the delivery of the Services and you cannot opt-out. Marketing communications are optional and you have the choice whether to receive them.
Managing Accounts. To contact for billing, account management, feedback, and other administrative matters.
Improving Security. To help prevent and investigate security issues and abuse.
Fulfilling Legal Obligations. To comply with legal obligations as required by applicable law, legal process, or regulations.
Pavestep may share and disclose data in the following ways:
Client's Instructions. Pavestep will share and disclose Client Data in accordance with a Client's instructions, including any applicable terms in the Client Agreement and Client's use of the Services functionality, and as required by applicable law. Pursuant to the Client Agreement, Client Data is generally treated as the confidential information of Client unless stated otherwise.
Client Access. Administrators, Users, and other Client representatives and personnel may be able to access, modify, or restrict access to your data. For example, your Client may use administrative controls and features to access or modify your account details or view certain activities in their Environment. With regard to the anonymous feedback feature (i.e., when a User sends feedback to another User anonymously), Pavestep will not disclose this data to the Client, unless it is determined that such feedback violates the Client’s policies (e.g., inappropriate or offensive comments).
Displaying and Performing the Services. When a User submits data on the Services, it may be displayed to the Client and other Users in the same Environment. For example, a User's name and work email address, among other things, may be displayed with their profile accessible to the Client and other Users in the same Environment. While in some cases you can make certain data private to specific users, by default most data is public to other Users in the same Environment. You are solely responsible for all data you post, upload, store, display, transmit, or submit on the Services, including Personal Data, and the consequences thereof. Pavestep is not responsible and will not be liable for the data disclosed on the Services. Pavestep employees and contractors may have access to your data on a need-to-know and confidential basis to the extent necessary to provide the Services and related support.
Third Party Services. Client may enable or permit integrations with or use of Third Party Services in connection with the Services. When enabled, Pavestep may share certain data with such Third Party Services as requested. Third Party Services are not owned or controlled by Pavestep and third parties that have been granted access to your data may have their own policies and practices for its collection and use.
Changes to Pavestep's Business. If Pavestep engages in a merger, acquisition, reorganization, sale of some or all of its assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), Pavestep may share or disclose data in connection therewith, subject to standard confidentiality obligations.
Aggregated or De-identified Data. If any data is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, Pavestep may use or disclose such aggregated or de-identified data for any purpose. For example, we may share aggregated or de-identified data with prospects or partners for business or research purposes, such as statistical analysis to develop or improve the Services.
Protection of Rights. Pavestep may disclose data to protect and defend its rights and property, including intellectual property rights, and to ensure compliance with applicable laws and enforce third party rights.
Legal Compliance. If Pavestep is compelled by law, such as to comply with a subpoena or other lawful process, or in response to a lawful request by legal or regulatory authorities to meet law enforcement requirements, Pavestep may disclose data if it reasonably believes that disclosure is required by any applicable law, regulation, or legal process.
Safety and Security. Pavestep may disclose data to protect your safety and security, to protect the safety of Clients, and to protect the safety of Pavestep and its employees, agents, representatives, contractors, and other representatives.
Your Consent. Pavestep may disclose your data to third parties when we have your express consent to do so.
3. Data Retention
4. Security Measures
Security is Pavestep’s first priority. Pavestep maintains reasonable, industry-standard physical, technical, and administrative procedures to safeguard the data it collects. Pavestep works hard to protect data in its custody and control from unintended loss, misuse, access, use, disclosure, modification, and destruction. While Pavestep takes security very seriously and will take all commercially reasonable measures to protect your data, no data transmission over the Internet is guaranteed to be completely secure. Pavestep cannot guarantee that unauthorized access, hacking, data losses, or other breaches will never occur.
You are responsible for safeguarding your User account and password. If you believe your privacy has been breached, please contact Pavestep immediately at firstname.lastname@example.org.
5. Identifying the Data Controller and Data Processor
Data protection laws in certain jurisdictions differentiate between the "controller" and "processor" of data. In general, Client is the controller of Client Data. In general, Pavestep is the processor of Client Data and the controller of Other Data.
6. Global Privacy Considerations
7. Your Rights
Individuals located in certain countries and jurisdictions have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to exercise your rights and request certain actions with respect to your Personal Data.
7.1. General Privacy Rights
Pavestep is committed to maintaining accurate information that you or your Client share with it and will use commercially reasonable efforts to allow you to access your Personal Data. Upon request, Pavestep will provide you with information about whether we hold or process, on behalf of a third party, any of your Personal Data. To request this information, please contact Pavestep at support@Pavestep.com. Pavestep will respond to all reasonable written requests to access, modify, or remove Personal Data in a timely manner within thirty (30) business days.
If you seek to access, modify, or remove Personal Data held or processed by Pavestep on behalf of a Client, you should direct your inquiry to your Client. Upon receipt of a request from one of its Clients for Pavestep to remove the data, Pavestep will respond to their requests in a timely manner within thirty (30) business days.
7.2. Additional GDPR Rights
If you are entitled and would like to exercise such rights, please contact Pavestep at support@Pavestep.com. We will consider your request in accordance with applicable laws.
7.3. California "Shine the Light" Notice
Pavestep does not disclose Personal Data to third parties for any third parties' direct marketing purposes, unless the Client or Users affirmatively consent to such disclosure. Since Pavestep provides its California users with notice of its rights as described above, pursuant to Section 1798.83(c)(2) of the California Civil Code, Pavestep is in compliance with California's "Shine the Light" law and is not obligated to provide California users with the names and addresses of all the third parties that received Personal Data from Pavestep for the third parties' direct marketing purposes during the preceding calendar year.
10. Contact Pavestep
Attn: Chief Executive Officer
1 Dutch Street, 8C
New York, NY 10038 United States
Updated July 22, 2019