Privacy Policy

Published 26 June 2020

People are at the heart of Oyster, and you have entrusted us with your personal information. We respect your privacy and are committed to protecting your personal data. We believe that you should know what we do with your information, who we share it with, and why it is shared. We only collect and store the personal information we need to provide our services. Our business is bringing meaningful employment to talented people everywhere, not selling your information or compromising your privacy.

This Privacy Policy explains what Personal Data we collect, how we use and share that data, and your choices concerning our data practices. This Privacy Policy applies to the OysterHR.com website, the Oyster platform, and all other sites owned by Oyster HR, Inc. (together referred to as “Oyster,” “we,” “us”, “our,” and “Site”) and is incorporated into and forms part of our Terms and Conditions. Before using the Site or submitting any Personal Data, please review this Privacy Policy carefully.

BY USING THE SITE AND OUR SERVICES, YOU AGREE TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT ACCESS THE SITE OR OTHERWISE USE THE SERVICE.

Standards, we have them

Privacy standards differ depending on where you are in the world. At Oyster, we think that everyone deserves strong protection for their personal data regardless of where they live. To that end, we will collect, store, use and disclose Personal Data in accordance with all applicable laws relating to the protection of Personal Data, including the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, as amended or superseded from time to time, and any national implementing legislation ("Data Protection Laws").

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

TriNet participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland, respectively, to the United States. TriNet has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Framework, visit http://www.privacyshield.gov.

TriNet is responsible for the processing of personal information it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. TriNet complies with the Principles for all onward transfers of personal information from the EU, including the onward transfer liability provisions.

Notice: We will inform you of the purpose for which we collect and use your personal information and the types of non-agent third parties to which we disclose or may disclose that information. We will provide you with the choice and means to limit our use and disclosure of your personal information for a purpose other than that for which it was originally collected.

For the purpose of Data Protection Laws, in relation to any Personal Data you or any Users submit to our platform, you will be the data controller and we will be a data processor of such Personal Data.

What kind of data do we collect?

Personal Data. Personal data, or personal information, means any information about an individual from which that person can be identified. Personal data does not include: publicly available information from government records; data where the identity has been removed (anonymous, de-identified, or aggregated consumer information); information specifically excluded from the scope of relevant privacy and security laws and regulations.

We may collect, use, store, and transfer the following types of information that alone or in combination with other information in our possession could be used to identify you:

  • 👩🏽 Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • 🦄 Special Categories may include details about your race or ethnicity, religious beliefs, trade union membership, familial status, military service, information about your health, and the like. We only collect this type of personal data where required by law to enter into an employment relationship.
  • 🏠 Contact Data includes billing address, delivery address, email address and telephone numbers.
  • 💳 Financial Data includes bank account and payment card details.
  • 📑 Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
  • 💻 Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • 🛅 Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • 📊 Usage Data includes information about how you use our website, products and services.
  • 📧 Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Aggregated Data. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

No data, no dice. If we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, employment with the best company ever). In that case, we may have to cancel a job offer or access to a particular service or benefit, but we will notify you if this is the case. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

What do we do with your data?

To start, we will only use your personal data as allowed by the law. Depending on whether you are a Site Visitor, Customer, Vendor, or Employee, we use the information we collect to:

  1. Respond to your requests.
  2. Protect the security or integrity of our Site.
  3. Improve our marketing and promotional efforts.
  4. Statistically analyze Site usage.
  5. Improve our content product offerings.
  6. Customize our Site's content, layout, and services.
  7. Administer benefits, training, and occupational health and safety initiatives.
  8. Authenticate eligibility for potential employees, contractors, vendors, or suppliers.
  9. Maintain business records, compile audit trails, and implement other reporting tools.
  10. Other general administrative and operational tasks.

This chart illustrates how different categories of personal data may be used by Oyster.

| Category | Example | Business Purpose(s) |
| --- | --- | --- |
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | 1, 2, 3, 4, 5, 6, 7, 8 |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. Some personal information included in this category may overlap with other categories. | 1, 2, 3, 4, 6, 7, 8 |
| Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | 1, 2, 3, 6, 7, 8 |
| Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Not Collected |
| Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | Not Collected |
| Internet or other similar network activity | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | 1, 2, 3, 5, 6, 7, 8 |
| Geolocation data | Physical location or movements. | 1, 2, 6, 7, 8 |
| Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | 1, 2, 6, 7, 8 |
| Professional or employment-related information | Current or past job history or performance evaluations. | 1, 2, 7, 8 |
| Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | 1, 2, 7, 8 |
| Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Not Collected |

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Aggregated Information. We may aggregate Personal Data and use the aggregated information to analyze the effectiveness of our Service, to improve and add features to our Service, and for other similar purposes. In addition, from time to time, we may analyze the general behavior and characteristics of users of our Services and share aggregated information like general user statistics with prospective business partners. We may collect aggregated information through the Service, through cookies, and through other means described in this Privacy Policy.

Marketing. We may use your Personal Data to contact you to tell you about products or services we believe may be of interest to you. For instance, if you elect to provide your email or telephone number, we may use that information to send you special offers. You may opt out of receiving emails by following the instructions contained in each promotional email we send you. In addition, if at any time you do not wish to receive future marketing communications, you may contact us. If you unsubscribe from our marketing lists, you will no longer receive marketing communications but we will continue to contact you regarding management of your account, other administrative matters, and to respond to your requests.

Sharing your data

In certain circumstances we may share your Personal Data with third parties without further notice to you, unless required by the law, as set forth below:

Affiliates. We may share Personal Data with our current and future affiliates, meaning an entity that controls, is controlled by, or is under common control with the Company. Our affiliates may use the Personal Data we share in a manner consistent with this Privacy Policy.

Vendors and Service Providers. To assist us in meeting business operations needs and to perform certain services and functions, we may share Personal Data with vendors and service providers, including providers of hosting services, cloud services, and other information technology services providers, event management services, email communication software and email newsletter services, advertising and marketing services, payment processors, customer relationship management and customer support services, and web analytics services. When we provide your information to vendors and service providers, we enter a contract that requires the recipient to keep that information confidential. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Legal Requirements: If required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, including to meet national security or law enforcement requirements, (ii) protect and defend our rights or property, (iii) act in urgent circumstances to protect the personal safety of users of the Services, or the public, (iv) to detect, prevent, or respond to fraud, intellectual property infringement, violations of this Privacy Policy, our Terms of Use, violations of law, or other misuse of our Site, or otherwise (v) protect against legal liability.

Business Transfer. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider (collectively a “Transaction”), your Personal Data and other information may be shared in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets. In such event, we will use commercially reasonable efforts to help ensure that your personal information will be subject to appropriate privacy protections, in accordance with applicable privacy law.

How did we get the data in the first place?

Self Provided Data. We collect Personal Data when you create an account on our Site, complete a contact form on our Site or request access to the Service, subscribe to our service or publications, request marketing to be sent to you, enter a competition, promotion or survey, or give us feedback or contact us. The Personal Data collected during these interactions may vary based on what you choose to share with us, but it will generally include your name, email address, location, and phone number.

Customers and Partner Provided Data: In order to provide the Service, we may receive information about you from our Customers or Partners, such as your name, email address, phone number, salary, tax identification number, etc. We process that information pursuant to our Terms and Conditions and other agreements with our business customers.

Automatically Collected Information. Oyster automatically collects certain Technical Data when you access and interact with the Site, including your IP address, browser type, operating system, the type of device you are using, and the device identifier. We also use technologies such as cookies, beacons, tags, server logs, and scripts in order to gather information regarding your use of the Site. This includes information such as page views, which URL you just came from (whether on our site or not), and which URL you go to next (whether on our site or not). This allows us to analyze trends, administer the Site, and gather demographic information about our user base as a whole. We use cookies on certain pages of the Site. Some features of the Site may only be available through the use of a cookie. You are always free to decline cookies if your browser permits, although in that case you may not be able to use certain features of the Site and you may be required to reenter your password more frequently during a session. Visit our Cookie Policy for more information about your Cookie Choice.

Third Parties or Publicly Available Sources. We will receive personal data about you from various third parties [and public sources] as set out below:

Social Media. Our Site may include social media features, such as the Facebook™ button, and widgets such as the ShareThis™ button, or interactive mini-programs that run on our Site. These features may collect your IP address and which page you are visiting on our Site. They may also set a cookie to enable the feature to function properly. The same is true of social media pages. Social media features, widgets, and pages are either hosted by a third party or hosted directly on our Site. Your interactions with these features are governed by the privacy policy of the company providing it. In addition, the companies that host our social media pages may provide us with aggregate information and analytics regarding your use.

  1. Analytics Providers [such as Google based outside the EU]
  2. advertising networks [such as [NAME] based [inside OR outside] the EU]; and
  3. search information providers [such as [NAME] based [inside OR outside] the EU].
  4. Contact, Financial and Transaction Data from providers of technical, payment and delivery services [such as [NAME] based [inside OR outside] the EU].
  5. Identity and Contact Data from data brokers or aggregators [such as [NAME] based [inside OR outside] the EU].
  6. Identity and Contact Data from publicly available sources [such as Companies House and the Electoral Register based inside the EU].
  7. [ANY OTHER WAYS YOU COLLECT PERSONAL DATA]

How long do we keep the data?

We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and consistent with applicable law, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

In some circumstances you can ask us to delete your data; more on that below in Your Options. Please be aware that it is not always possible to completely remove or delete all of your personal information from our systems due to backups or technical constraints.

We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Is my data secure?

We implement commercially reasonable technical, physical, administrative, and organizational measures to protect Personal Data both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. Finally, we have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, no Internet or e-mail transmission is ever fully secure or error free. In particular, e-mail sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Site or e-mail. Please keep this in mind when disclosing any Personal Data via the Internet. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Site, or third party websites.

Onward Transfers: Prior to disclosing personal information to a third party (other than the service providers referred to above), we will notify you of such disclosure and allow you a choice (opt out) regarding such disclosure. We will contractually require that any third party to which personal information may be disclosed will provide the same level of privacy protection as is required by the Principles.

Data Integrity and Purpose Limitation: We will only process and use personal information in a way that is compatible with and relevant to the purposes for which it was collected, or authorized by you, including the purposes to provide payroll, benefits, and related services. To the extent necessary for those purposes, we will take reasonable precautions to ensure that personal information is accurate, complete, and current. Additionally, personal information may be retained in a form identifying or making identifiable individuals only for as long as it serves a purpose for which the data was collected or as authorized by the individual.

Access: We will provide you access to your personal information and allow you to correct, amend, or delete inaccurate information, except, to the extent permitted by applicable law, where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated. If access to personal information is denied, we will provide you with the reason for such denial. You may request the correction, amendment, or deletion of your inaccurate personal information by contacting TriNet customer support. We will respond to any such requests within a reasonable timeframe.

Enforcement: We use a self-assessment approach to assure compliance with this Privacy Policy. We will periodically verify that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, implemented, and accessible, and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided below. We will investigate and attempt to resolve any complaints and disputes regarding the collection, use, and disclosure of personal information in accordance with the Principles and this Privacy Policy.

In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints should first contact TriNet by emailing TriNet customer support or by contacting us using the details provided below. TriNet has further committed to refer unresolved Privacy Shield complaints to the panels established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), alternative dispute resolution providers located in the EU and Switzerland. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit EU DPA or FDPIC for more information or to file a complaint. The services of EU DPA and FDPIC are provided at no cost to you.

TriNet commits to cooperate with EU DPAs and the FDPIC and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

TriNet is subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to the statements in this Policy.

The thing about links

The Site and Service may contain links to other websites not operated or controlled by the Company, including social media services ("Third Party Sites"). The information that you share with Third Party Sites will be governed by the specific privacy policies and terms of service of the Third Party Sites and not by this Privacy Policy. By providing these links we do not imply that we endorse or have reviewed these sites. Please contact the Third Party Sites directly for information on their privacy practices and policies.

International data transfers

Personal information held by the Company is stored on and processed on computers situated in the United Kingdom, the European Economic Area (“EEA”), the United States, and in other jurisdictions. We and/or our service providers also process data in some other countries for customer care, account management and service provisioning.

If you are an EEA resident, your personal data held by the Company may be transferred to, and stored at, destinations outside the EEA that may not be subject to equivalent data protection laws, including the United States. When you sign up for service with the Company or inquire about our services, we transfer your information to the United States and other countries as necessary to perform our agreement with you or to respond to an inquiry you make. It may also be processed by staff situated outside the EEA who work for us or for one of our suppliers.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • 📜 Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • 🔒 Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

Accordingly, by using our services, you authorize the transfer of your information to the United States, where we are based, and to other locations where we and/or our service providers operate, and to its (and their) storage and use as specified in this Privacy Policy. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Your options

In certain jurisdictions, you have rights regarding how your personal data is handled. Specifically, you have the option to:

  • 📂 Request access to your personal data.
  • 📝 Request correction of the personal data that we hold about you.
  • 🧲 Request erasure of your personal data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • ⛔ Object to processing of your personal data on the grounds you feel it impacts on your fundamental rights and freedoms.
  • 🛒 Opt out of marketing. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • ⏸ Request restriction of processing of your personal data in the following scenarios.
  • 🚛 Request the transfer of your personal data to you or to a third party.
  • ❌ Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, [please contact us OR [SPECIFIC DETAILS OF WHO TO CONTACT FOR SUBJECT ACCESS RIGHTS]].

We will not discriminate against you for exercising any of your rights related to accessing, restricting, transferring, or deleting your personal information. Unless permitted by applicable law, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Children

Our Service is not directed to children who are under the age of 16. Oyster does not knowingly collect Personal Data from children under the age of 16. If you have reason to believe that a child under the age of 16 has provided Personal Data to us through the Site or our provision of Services, please contact us and we will endeavor to delete that information from our databases.

Changes

The Service and our business may change from time to time. As a result we may change this Privacy Policy at any time. When we do we will post an updated version on this page, unless another type of notice is required by the applicable law. By continuing to use our Service or providing us with Personal Data after we have posted an updated Privacy Policy, or notified you by other means if applicable, you consent to the revised Privacy Policy and practices described in it. We encourage you to periodically review this page for the latest information on our privacy practices.

Contact

If you have any questions about our Privacy Policy or information practices, please feel free to contact Dan. He is our data protection officer and enjoys privacy more than pie. If you disagree with our approach or have a particular concern with how we handle your Personal Data, you may lodge a complaint with your country’s proper oversight agency (we have provided a list here). We would, however, appreciate the chance to deal with your concerns directly before you make a complaint so please contact us first.

Copyright © 2020 Oyster HR Inc. All rights reserved.