- Context 1: Visitors to Bluecore.com and other Bluecore, Inc. owned and operated websites
- Context 2: Customers of Bluecore’s corporate clients, and/or visitors to websites utilizing Bluecore’s product and services
- Context 3: Corporate clients utilizing Bluecore’s products and services
- Context 4: Employee, Contractor and Applicant Data at Bluecore, Inc.
Overview: Definitions, Scope and Applicable Regulatory Information
About this Policy
What is personal information?
As used herein, the term “personal information” or “personal data”means information that specifically identifies an individual (such as a name, address, telephone number, e-mail address, or other account number), and information about that individual’s activities, such as information about his or her use of Bluecore sites, products or services, when directly linked to personally identifiable information. Personal information also includes demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies you.
Personal information does not include “aggregate” information, which is data we collect about the use of the Site or about a group or category of products, services or users, from which individual identities or other personal information has been irreversibly removed. In other words, information about how you use a service may be collected and combined with information about how others use the same service. Aggregate data helps Bluecore understand trends and users’ needs so that we can better consider new features or otherwise tailor our offerings. This Policy in no way restricts or limits our collection and use of aggregate information.
International Data Transfer – Privacy Shield Frameworks
Bluecore complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Bluecore has certified that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/
In compliance with the Privacy Shield Principles, Bluecore commits to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this Policy should first contact us at: email@example.com. If contacting us does not resolve your complaint, we are further committed to refer unresolved privacy complaints under the Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint. Please note that if your complaint is not resolved through the aforementioned channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
As described in the Privacy Shield Principles, Company is accountable for personal information that it receives and subsequently transfers to third parties. If third parties that process personal information on our behalf do so in a manner that does not comply with the Privacy Shield Principles, we are accountable and potentially liable.
EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is a comprehensive data protection directive going into effect May 25, 2018 in participating member states within the EU. Upon implementation, GDPR will replace Directive 95/46/EC. The GDPR applies to all Data Controllers and Data Processors who collect, process and/or store personal data of Data Subjects who reside in the EU, regardless of the Data Controller’s or Data Processor’s location. The objective of GDPR is to strengthen the protection of personal data to address increased globalization and complex international flows of personal data. GDPR will instantiate a consistent set of privacy rules and will be directly enforceable in each EU member state. GDPR enhances previous data privacy rights for EU individuals, data breach notification requirements and security requirements, as well as addressing the topics of customer profiling and monitoring requirements.
Federal Trade Commission
Bluecore, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Use, Retention and Storage of Personal Information
The duration for which Bluecore retains Personal Information depends on the purposes for which it is used. Bluecore will maintain Personal Information for as long as a user is a registered subscriber to Bluecore products, is a user that has supplied data processing consent to an active Bluecore client or partner, or for as long as Bluecore has a legal basis and business purpose to do so and, thereafter, for no longer than is required or permitted by law, or Bluecore’s Data Retention Policy, reasonably necessary for internal reporting and reconciliation purposes, or to provide users with feedback or information that is requested. The information Bluecore collects will be stored and processed in servers in the United States.
Security of Personal Information
Bluecore aims to protect the confidentiality, integrity and availability of data by taking reasonable steps given the context of the engagement in which data is provided to protect personal information from loss, misuse, interference, unauthorized access, disclosure, alteration, and destruction.
Bluecore adheres to a strict “data privacy by design” process that requires security and privacy diligence at all stages of the development, implementation, and operation of a product. This process ensures that the collection, use, storage, transmission or deletion of personal data is conducted in accordance with the GDPR, including data minimization, limited retention or appropriate data security. From the earliest stage of conception and development, risks are identified and documented and sound security measures are identified and encoded in the software as part of the service. The resulting security posture ensures adequate security is present within the entire product life cycle.
Use of personal information
Bluecore may use your personal information to:
- operate, maintain, and improve our sites, products, and services;
- process and deliver contest entries and rewards;
- respond to comments and questions and provide customer service;
- send information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
- communicate promotions, upcoming events, and other news about products and services offered by us and our selected partners;
- link or combine user information with other personal information;
- protect, investigate, and deter against fraudulent, unauthorized, or illegal activity; and
- provide and deliver products and services requested by clients.
Sharing of personal information
- With user consent
- Bluecore may share personal information when we do a business deal, or negotiate a business deal, involving sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- Bluecore may share personal information for legal, protection, and safety purposes.
- Bluecore may share personal information to comply with laws.
- Bluecore may share personal information to respond to lawful requests and legal process, including to meet national security or law enforcement requirements.
- Bluecore may share personal information in an emergency. This includes protecting the safety of our employees and agents, our customers, or any other person.
- Bluecore may also share aggregated and/or anonymized data with others for its own uses.
Bluecore’s products and services are not targeted to or intended for children. If a user is not of sufficient age to enter legally binding agreements in the applicable jurisdiction, that user may not use Bluecore products unless necessary parental consent has been obtained. If it is believed that Bluecore has received information from a person protected under child protection laws where necessary parental consent was not obtained, please notify Bluecore immediately, and steps will be taken to securely remove that information. Bluecore does not knowingly use Personal Information from children for any purpose except to deliver the products that are committed to Bluecore clients. If you believe we have collected information from your child in error or have questions or concerns about our practices relating to children, please notify us using the contact details below.
How to Request Action on Personal Information
With respect to personal information gathered within any of the four contexts included below, an individual who seeks access or who seeks to correct, amend, or delete inaccurate personal information, or limit the processing or sharing of their personal information, should contact firstname.lastname@example.org.
In such a request, please make clear: (i) what personal information is concerned; and (ii) which of the above rights (i.e. access, correct, or delete) you would like to enforce. For your protection, Bluecore may only implement requests with respect to the personal information associated with the email address that was used to send the request, and Bluecore may need to verify the identity of the user behind a request before taking action. Bluecore will comply with privacy-related requests as soon as reasonably practicable and in any event, within 30 days of the request. Please note that Bluecore may need to retain certain information for recordkeeping purposes and/or to complete any transactions that began prior to requesting such change or deletion.
Individuals submitting requests should refrain from providing additional personal information such as address, phone number, government identifiers, photos or any type of personal documentation. Any such data does not need to accompany the request for action.
Context 1: Visitors to Bluecore.com and other Bluecore, Inc. owned and operated websites
Data Collected by Bluecore, Inc. websites
We may collect your personal information, specifically your email address, in a variety of ways, including:
- Personal Information delivered upon Account Creation
- Personal Information directly give to Bluecore on a Bluecore site
- Personal Information Bluecore receives from its clients
- Personal Information Automatically Collected with a web browser (activity, browser, time spent)
Bluecore may log personal information using digital images called Web beacons on our Site or in emails. Web beacons are used to manage cookies, count visits, and to learn what marketing works and what does not. Web Beacons are also used to determine if a user opens or acts on a Bluecore email message.
Information choices and changes
Bluecore marketing emails include instructions on how to “opt-out,” or you can send an email at email@example.com to unsubscribe. If you opt out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you. You can request to change contact choices, opt-out of our sharing with others, and update your personal information at that same email address. You can typically remove and reject cookies from our Site with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it could affect how our Site works for you.
Context 2: Customers of Bluecore’s corporate clients, and/or visitors to websites utilizing Bluecore’s product and services
Lawful Basis for Processing Your Data
Depending on your country of residence, the processing of your Personal Information is lawful only if it is permitted under data protection legislation. Bluecore’s lawful processing permission is rooted in the following valid business cases:
- Legitimate Interest. Bluecore will process your data based on Legitimate Interest described in service agreements with its contracted clients.
Collection of Information
Bluecore collects Personal Information from individuals when the user browses a website of one of its clients, or when a client shares historical information about a user. This may include:
- Providing information during a purchase of a product or service,
- Request information about or otherwise use the website of a Bluecore client
- Enter a contest, leverage a promotion, sign-up for a notification service, such as marketing emails
- Voluntarily provide information to a Bluecore client
Web Browser Data
Bluecore also records information from your web browser. This may include information that does not identify you personally (such as browsing activity when examining a website anonymously). The information received depends on the settings on the web browser. Please review the settings on the web browser to learn how to change the browser settings to enable or disable relevant tracking and data collection mechanisms.
Cookie and Related Technologies
Bluecore tracks users by their email address and 1st party cookie ID. Bluecore maps all on-site behaviors and email engagement activity to the email address and cookie ID in order to create a single unified user view. Bluecore can collect as much data as is generated by user activity. Bluecore may also ingest purchase history, email database and its clients’ customer data to enhance the product’s performance. No other parties are given access to the data that is captured as Bluecore currently has no downstream data processors.
Data Collected by Bluecore products and services
The personal data typically collected by Bluecore consists of:
- Email Addresses
- Identifiers that identify a specific hardware device
- IP Addresses
- Customer IDs, provided by the client
- Derived and predictive data in the Bluecore query engine
- Sent Emails
In some cases, a Bluecore client provides additional personal data directly to Bluecore. Bluecore’s Terms of Service stipulate that clients cannot upload sensitive data.
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
If a user accesses a website containing Bluecore technology via a smart phone, mobile device or computer to access a website, Bluecore may collect information about physical location such as the geography of an IP address and billing/postal code.
How Data is Used
Bluecore’s lawful basis for processing data on behalf of its clients in rooted in the objective of helping commerce organizations find, message, and gain insights for their customers.
As permitted by law, Bluecore may disclose Personal Information when disclosure is appropriate to:
- comply with the law or a regulatory requirement,
- comply with governmental, administrative or judicial process, requirement or order (such as a court order),
- cooperate with law enforcement or other governmental investigations or report any activities that may be in violation of legal or regulatory requirements,
- service a contract,
- protect the legal rights of you, our employees, clients, business partners and the public in general
If a third party has acquired the Bluecore business or specific assets, your Personal Information will be transferred to that company, unless prohibited by law.
Deleting, Accessing and Updating Data
Users have the right, depending on jurisdiction to request the following actions related to Persona Information stored by Bluecore:
- Review the data by requesting export and delivery of a machine-readable format
- Correct the data if the data is found to be in error
- Restrict the processing of data in any manner
- Decline inclusion in marketing activities
- Request deletion of Personal Data
To request the actions described, please refer to earlier section of this document entitled “How to Request Action on Personal Information”
Under the EU GDPR, you have the right to report to your local Supervisory Authority if you believe your rights under data protection legislation have not been appropriately considered. However, before doing so, please contact us directly at firstname.lastname@example.org as we are committed to working with you to help resolve any concerns about your privacy.
Context 3: Corporate clients utilizing Bluecore’s products and services
Bluecore is committed to helping its brands successfully comply with the GDPR. The increased responsibilities for Data Controllers and Data Processors, particularly around data management, introduces a shared responsibility requiring business partners to cooperate on many aspects of data privacy. It is critical to recognize that not just European organizations that are affected, but also those outside of the EU who process data in connection with the offering of goods and services to, or monitoring the behavior of, EU residents. As such, it’s important to understand the obligations related to GDPR regardless of where an organization resides.
Collection of end-user consent is paramount to GDPR compliance. Bluecore’s corporate clients qualify as Data Controllers under GDPR, whereas, Bluecore qualifies as a Data Processor. The core element of this distinction entails the direct consumer relationship that Bluecore’s clients have with their customers. Bluecore, via contractual agreement with its clients, has obtained a legal basis to process customer data on behalf of its clients. For this reason, Bluecore clients must give in-scope EU residents a mechanism to disable behavioral tracking, per session, on their websites. The consent model required by the EU GDPR calls for explicit opt in, rather than implicit opt in + explicit unsubscribe.
Bluecore’s clients must maintain a valid inventory of consent from the users of its websites and communicate any changes in the state of individual user consent to downstream Data Processors, including Bluecore, Inc. The consent must be clearly inclusive of all downstream Data Processors and clearly state the legal basis for collection and transfer of personal information.
End-users have the right to interrogate any organization holding personal information records. If an individual contacts Bluecore clients with requests requiring the export, deletion or correction of an end-user’s data or consent this notice should be communicated to email@example.com. Likewise, should end users contact Bluecore directly with data-related requests, these communications will be passed to applicable Bluecore clients (and any future sub-processors, of which none exist as of this publication) via their advertised privacy activity intake mechanism.
Partnering on security is critical. Bluecore has granted access via username and password for access to certain parts of its Site or services. Each user is responsible for keeping access credentials confidential. It is required that users of the Bluecore services not share access credentials with anyone, including members of their own organization. Each user of the system must have a unique set of credentials. To protect the security of partner data or consumer data, Bluecore may suspend use of a Site or service, without notice, pending an investigation, if any breach of security is suspected. Access to and use of password-protected and/or secure area of the Site or services is restricted to authorized users only. Unauthorized access to such areas is prohibited and may lead to criminal prosecution.
Bluecore may collect and process Client, Vendor or Business Partner Data when you conduct business with Bluecore on behalf of a Client or prospective client, or as, or on behalf of, a vendor, supplier, consultant, professional adviser or other third party. Customer, Vendor or Business Partner Data means information relating to an identified or identifiable natural person that Bluecore receives on behalf of a client or prospective client, or from or on behalf of a vendor, supplier, consultant, professional adviser or any other third parties that do business with Bluecore, whether or not such natural person is also a Website user. Examples of Client, Vendor or Business Partner Data include:
- Contact details of points of contact for Customers, Vendors or Business Partners (such as name, business phone numbers, business address);
- Business contact information (such as job title, responsibilities, department and name of organization);
- Financial information (such as financial account information) if needed to take payment or fulfill contractual obligations or for related purposes;
- Information necessary to evaluate Bluecore’s performance and that of Business Partners
Context 4: Employee, Contractor and Applicant Data at Bluecore, Inc.
Bluecore is committed to protecting information collected from employees, contractors, temporary workers and employment candidates. This applies to Personal Information provided to Bluecore by individuals applying for employment and employees, contractors and temporary employees during employment.
Bluecore collects Personal Data based on individual employment responsibilities, citizenship and location of employment. Personal Data collected includes but is not limited to: name, address, government identification number (i.e., social security number, national identification number, tax payer identification number, driver’s license, etc.), date of birth, phone number, email address, gender, race, ethnicity, health and disability information, criminal history, resume information including but not limited to educational background, employment history, areas of expertise, job type preferences, and other related information.
How Data is Used
Bluecore uses data collected on employees, contractors, temporary workers and employment candidates for the following purposes:
- Process employment applications and conduct background investigations
- Administer compensation benefits and related human resources programs
- Communicate with personnel
- Comply with employment reporting regulations
- Design, evaluate and implement education programs
- Plan and manage budgets
- Monitor and manage business related travel and expenses
- Monitor and evaluate conduct and performance
The use of Personal Data includes storing, recording, transferring, summarizing, sharing and destroying Personal Data as necessary under the circumstances or as required by law. Bluecore will not process Personal Information in a way that is inconsistent with the purposes for which it was collected.
Disclosure of Data
Bluecore will not disclose, sell or otherwise distribute Personal Information without an individual’s permission except under the following circumstances:
- Third Party Service Providers: Bluecore discloses Personal Information to third parties such as suppliers, contractors and service agents providing services such as processing compensation, administering benefits, conducting background checks and performing legal and professional services.
- Legal Request and Investigations: Bluecore may disclose Personal Information to third parties if disclosure is necessary to protect Bluecore legal interests including but not limited to defending or prosecuting a lawsuit or administrative proceeding, to prevent fraud, to comply with an investigation of suspected or actual illegal activity, or to comply with any statute, law, rule or regulation.
- Protecting Bluecore and its Partners: Bluecore may disclose Personal Information to third parties to protect the rights, property, or safety of Bluecore and its associates, in an emergency situation where the health or security of an associate or applicant may be endangered, and when Bluecore believes disclosure is necessary or appropriate to prevent physical harm or financial loss.
- Business Transfers: As Bluecore continues to grow, companies, subsidiaries or business units may be sold or purchased. Under such transactions, Personal Information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing privacy statement.
Accessing and Updating Data
Bluecore will use reasonable efforts to correct any reported factual inaccuracies in Personal Information. Associates should notify HR immediately about changes to an individual’s legal name, address, dependents, beneficiaries under a benefits plan, and other such status changes. Personnel may request a copy of Personal Information stored by Bluecore at any time.
Bluecore welcomes your comments or questions about this Policy. You may contact Bluecore at the following email address: firstname.lastname@example.org, or by mail at this address:
116 Nassau Street
New York, NY 10038
Changes to this Policy
Bluecore may change this Policy at its discretion. Any updates will result in a change to the last updated date below.
This Policy was last updated on April 18th, 2018.