OBSIDIAN PRIVACY POLICY

LAST UPDATED: MAY 13, 2026

1. INTRODUCTION AND SCOPE

This privacy policy (this “Privacy Policy”) covers and describes how Obsidian Security, Inc. and its subsidiaries and affiliates (“Obsidian”, “We” or “Us”) collect, use, share, secure and disclose the personal data we collect from individuals who interact with www.obsidiansecurity.com and our websites that link to this Privacy Policy or who initiate communications with us (“Visitors”), individuals who register to use our products and services on behalf of a Subscriber (“Subscribers”), individuals who register for or attend our marketing events or receive our marketing emails (“Attendees”), and individuals who submit an application for a career opportunity at Obsidian (“Job Applicants”).

Our websites, apps, and services are designed for businesses and their representatives. We do not target consumers – individuals who seek to use products and services for their personal or household use. Accordingly, we treat all personal data we collect as pertaining to individuals in their business capacity and not their individual capacity.

Business and marketing partners

In their use of our products and services, Subscribers may submit data and information to Obsidian to be processed. When processing such data, Obsidian acts as a data processor (or service provider, as that term is used under the California Consumer Privacy Act) on behalf of our Subscribers. The security and privacy practices governing our Subscribers’ use of our services and how we store, process, transmit and disclose the data submitted to the services by our Subscribers are described in and governed by our service contracts with our Subscribers, including any applicable Data Processing Agreement. To the extent a Subscriber submits to the services the personal data of European persons (including the United Kingdom and Switzerland) or other persons who are protected by similar data privacy laws, Obsidian processes that personal data as a data processor or as the Subscriber’s sub-processor (as the case may be). Subscribers are solely responsible for establishing the policies governing, and ensuring compliance with all applicable laws and regulations related to, the Subscriber’s collection and submission of personal data to our services. Obsidian processes Subscriber data only on the instructions of the Subscriber and only as necessary, appropriate, and customary to provide our services. Any personal data about an individual (i.e., a “data subject”) provided to us by a Subscriber is the responsibility of the Subscriber (as the data controller) and is not covered by this Privacy Policy.

Obsidian acknowledges that you may have the right to access your personal data. Obsidian has no direct relationship with the data subjects whose personal data we process on behalf of our Subscribers. An individual who seeks to access, correct, amend, or delete personal data about them that we process on behalf of our Subscribers should direct their requests or queries to our Subscriber (i.e., the data controller). In addition, we will forward to the applicable Subscriber any request by a data subject received by Obsidian regarding personal data processed on behalf of that Subscriber.

Obsidian as a Data Controller

Please read this Privacy Policy carefully to understand the categories and specific pieces of personal data we collect and how we collect, use, disclose, and protect the personal data of our Visitors, Subscribers, Attendees, and Job Applicants, as well as the choices available to you regarding that information.

International Data Transfers

When Obsidian operates as a data controller (i.e., when we determine the manner, purposes and means of the processing of others’ personal information), Obsidian may collect from, transfer to, or process, and store your personal information in the United States and other countries other than the country where you live. When we transfer personal data from the EU, Switzerland, or UK to any other country, we will do so according to an adequate mechanism of transfer as required by applicable laws or regulations.

2. OBSIDIAN COLLECTION AND USE OF PERSONAL INFORMATION

2.1. What categories and specific types of personal data does Obsidian collect?

Information that we collect from or about you includes the following:

Categories of collected personal data | Description
Identification and Contact Information | Details such as name, postal address, e-mail address, or telephone number, either actively or passively, and billing information such as tax address.
Professional Information | Information that you provide when you fill in forms on our websites, such as your job title, and other contact details.
Technical Data | Information about your Internet connection and Internet protocol (IP) address, your login data, the equipment you use to access our websites and applications, time zone settings and location, browser plug-in types and versions, operating system and other technology on the devices you use to access or use our websites.
Marketing and Communications Data | Your preferences in receiving marketing from us and our partners and your communication preferences and consents. Your responses to surveys that we might ask you to complete for research purposes. Records and copies of your correspondence (including email addresses and LinkedIn URLs), if you contact us. This information may contain contact details you include within your correspondence.
Behavioral Data | Inferred or assumed information relating to your behavior and interests, based on your online activity and your use of our websites.

We do not collect any “Special Categories of Personal Data” or Sensitive Information as defined by the California Consumer Privacy Act about you. This includes details about your race or ethnicity, religious or philosophical beliefs, financial account information, precise geo-location data, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data. We do not collect any information about criminal convictions and offenses.

Legal Basis and Purpose for Processing Personal Data

Where we process personal data as a processor or a service provider pursuant to service contracts with our Subscribers, we only process personal data on the instructions of the Subscriber, and only as necessary, appropriate and customary to provide our services.

If you are an individual located in the European Economic Area (EEA) or an individual whose personal data is protected by laws similar to the General Data Protection Regulation (“GDPR”), our legal basis and purpose for collecting and using the personal data described above in this Section 2.1 will depend on the personal data concerned and the specific context in which we collect it. However, we will normally collect personal data from you only where: (a) we have your consent to do so, (b) where we need the personal data to perform a contract with you (e.g. to deliver the services you have requested), or (c) where the processing is in our or a third party’s legitimate interests (and not overridden by your data protection interests or fundamental rights and freedoms). In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another person.

Examples of Legitimate Basis and Purpose for Collecting Your Personal Data

In connection with your use of our services, we collect and process personal data to perform our contractual obligations related to the services that you have requested. Where we collect personal data in connection with operating our websites and services, we have a legitimate interest in ensuring our websites, services and associated networks and IT systems operate properly and securely. Where you have requested to receive information about our products, services and business or other marketing communications, then we process personal data based upon our legitimate interest in engaging in direct marketing with Visitors, Subscribers, Attendees, individuals and companies that have requested to receive information from us.

Where you have responded to a job posting on our websites, we collect and process personal data as part of our consideration of your application. Where we rely on your consent to process the personal data, you have the right to withdraw or decline your consent at any time. Please note that this does not affect the lawfulness of the processing based on consent before its withdrawal.

Where we collect data about online behavior, including through the use of cookies, we have a legitimate interest in providing you with an optimal user experience and understanding and analyzing how Visitors interact with our website. To find out more about the use of cookies on our websites, please read and review our Cookie Policy.

2.2 How does Obsidian collect my personal data?

Obsidian collects your information both actively and passively (in accordance with our Cookie Policy) as you interact with our websites or contact us.

Obsidian may directly collect personal data you provide us in the following ways:

  • When you complete forms on our websites, such as requesting a demo, or applying for a job.
  • When you perform search queries on our websites.
  • When you use our publicly accessible blogs.
  • When you contact us outside of our websites, such as via email or LinkedIn.
  • When you request assistance from our support team.
  • When you respond to surveys we ask you to complete for research purposes.
  • When you register for or attend our marketing activities.
  • When you submit an entry to a sweepstakes or contest that we sponsor.

2.3 Does Obsidian collect personal data automatically?

As is true of most websites and services provided using the Internet, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), the referring page that you navigated to our websites from, the page that you navigated to from our websites, the files viewed on our site (e.g. HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.

The information we collect automatically is statistical data, which we may associate with personal data we collect in other ways or receive from third parties. This information helps us to improve our websites and to deliver better and more personalized service.

Obsidian and our partners use cookies or similar technologies (such as web beacons) to gather information, analyze trends, administer our websites, track users’ movements around our websites, and to gather demographic information about our user base as a whole. These technologies may provide us with personal data, information about devices and networks you utilize to access our websites, analytics information and other information regarding your interactions with our websites. Users can control the use of cookies at the individual browser level but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service. For detailed information about the use of cookies and related technologies in our websites, please read and review our Cookie Policy.

We partner with a third party to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on our websites and other sites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union, click here). Please note that this does not opt you out of being served ads; you will continue to receive generic ads.

2.4 How does Obsidian use my personal data?

We use your information to enhance your experience using our websites and services.

We use personal data that we collect about you or that you provide to us, including any personal data about Visitors, Subscribers, and Attendees:

  • To present our websites and their content to you.
  • To provide you with access to our services and to maintain access controls over secured areas of our websites.
  • To provide you services for which you have engaged us.
  • To provide you with information, products, or services that you request from us, including technical instructions for implementing your service and responding to customer support and sales inquiries.
  • To fulfill any purpose for which you provide it.
  • To provide you with notices about your account and/or subscription, including expiration and renewal notices.
  • To provide you with information or services that you request from us.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
  • To save your preferences (including requests to not receive communications).
  • To allow you to participate in interactive features on our websites.
  • To personalize our websites to optimize your experience and match your preferences.
  • To send you promotional materials about our services and events, including newsletters, product updates, information about and invitations to marketing events.
  • To process and deliver contests or sweepstakes entries and rewards.
  • To plan and host marketing activities.
  • To communicate with you about corporate marketing events, which may include promotional information.
  • In any way we describe when you provide or we collect the information.
  • To comply with applicable legal and regulatory requirements.
  • To assure the safety of your account and our platform.
  • For any other purpose with your consent.

2.5 How long does Obsidian retain my information?

We retain your information for as long as needed to provide you our services or perform our contractual obligations. The retention period shall not exceed the duration of our business relationship with you plus seven (7) years, unless a longer retention period is required or permitted by law or we have a legitimate business need to retain the information for a longer period. Legitimate business needs include maintaining a record of your preferences, securing the integrity of databases, conducting audits, complying with our legal and contractual obligations, resolving disputes, and enforcing our agreements. When we no longer have a legitimate business need to process your personal data, we will either delete or anonymize it, or, if this is not possible (for example, because your personal data has been stored in backup archives), we will securely store your personal data and isolate it from any further processing until deletion is possible.

3. THIRD PARTY COLLECTION AND USE OF PERSONAL DATA

3.1 Does Obsidian share my personal data with others?

Third-Party Service Providers

We engage third-party service providers in the operation of our business or to support our business. We consequently share information, including personal data, with these contracted third-party service providers in connection with using their services. These include cloud-based productivity and collaboration tools, customer relations management, security tools, staffing service providers, backup, storage, payment processing, analytics and other services. We also engage and share information with third-party service providers for fraud protection, credit risk reduction and payment collection associated with our accounts. Our service providers may have access to, process or store your personal data for the purpose of providing us with their contracted-for services.

Our service providers are not authorized to process your personal data for purposes other than as necessary, appropriate or reasonable to provide the service we have purchased.

Affiliates

Obsidian and its subsidiaries and affiliates share information, including personal data, in the operation of our global business because Obsidian and/or our subsidiaries and affiliates may provide you services under our contracts or other functions, consistent with the purposes described in Section 2.4 above.

Third Party Cookies

As described in our Cookie Policy, we collect and share information through the use of cookies.

Consent

We may disclose your personal data to any third party with your consent and appropriate notice.

Compliance with Laws; Law Enforcement Requests; Protection of Our Rights

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary or appropriate in order to protect our rights, property, or safety of Obsidian, our Visitors, Subscribers, or Attendees, Job Applicants, our personnel or others, to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our contracts, or as otherwise required by law.

Corporate Events

We may share your personal data with a potential buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Obsidian’s assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal data held by Obsidian about our websites’ users is among the assets transferred. We may also share your personal data with potential investors, financing sources, auditors or agents that may conduct due diligence of our business. You will be notified via email and/or a prominent notice on our websites of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

Referrals

If you provide us with contact information for persons you would like to refer, we will communicate with the referred persons and may disclose you as the source of the referral. If you believe that one of your contacts has provided us with your personal data and you would like to request that it be removed from our databases, please contact us at privacy@obsidiansecurity.com.

3.2 Data Supplementation

We may receive information about you from other sources, including publicly available databases, data brokers, or third parties from whom we have purchased data (such as business contact information providers), and combine this data with information we already have about you. This helps us to update, expand, and analyze our records, identify new customers, and provide products and services that may be of interest to you. We use this supplemental data only for business-to-business marketing purposes and do not use it to market to you as a private individual. If you provide us personal data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. If we receive personal data about you from a third party in order to engage in marketing of our services, we will market to you only in your capacity as a representative of a company we wish to sell to and we will present you an opportunity to opt-out of future communications. You may opt out of these communications at any time by clicking the unsubscribe link provided in the email or by sending a request to privacy@obsidiansecurity.com.

Examples of the types of personal data that may be obtained from public sources or purchased from third parties and combined with information we already have about you may include:

  • Contact information about you, including your name, email address, and telephone number, from third party sources to verify your address so we can properly prevent fraud or communicate with you; or
  • Data purchased from third parties, such as social networking sites and conference attendee lists, that is combined with information we already have about you, to create more tailored advertising and products. If you receive a marketing communication or promotion from us, you may opt-out of these communications at any time by clicking the unsubscribe link provided in the email.

3.3 How is my personal data handled by third-party sites?

Our websites may include links to other websites whose privacy practices may differ from those of Obsidian. If you submit personal data to any of those sites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

4. YOUR CHOICES AND RIGHTS

4.1 The following table explains your rights with respect to your Personal Data that Obsidian controls:

Be informed

Be informed of the personal data we collect about you and how we process it

How Obsidian informs you:

  • through this Privacy Policy
  • through information provided to you as you use our services
  • Communications with or from Obsidian

Know & Access

Request to know and access the personal data we collect about you

To request a copy of your personal data from Obsidian please contact privacy@obsidiansecurity.com

Correction

Request that we amend, correct, or update your personal data.

You can request we delete your information by emailing privacy@obsidiansecurity.com.

Right to Limit

Under California law, you may request that we limit the processing of sensitive personal data if we are using or disclosing it for purposes other than those specified in Section 7027(m) of the CCPA Regulations.

Currently, we are not using or disclosing any sensitive personal data for the purposes of providing our products and services to you.

Restriction

Request that we stop processing all or some of your personal data. You can do this if:

  • your personal data is inaccurate
  • our processing is unlawful
  • we do not need your information for a specific purpose, or
  • you object to our processing and we are assessing your objection request.

You can request that we stop this processing temporarily or permanently.

Turning off tracking technologies and advertising. As described in our Cookie Policy, you can set your browser to refuse all or some browser cookies, or to alert you when cookies are being set. If you disable or refuse cookies, please note that some parts of our websites may become inaccessible or not function properly.

Opting out. If you have subscribed to our newsletter(s), you can choose to stop receiving marketing emails, such as our newsletter or new product announcements, by following the unsubscribe instructions included in these emails.

Object

Object to us processing your personal data. You can do this if: Obsidian is processing your personal data on the legal basis of legitimate interests, or Obsidian is processing your personal data for business to business purposes.

To exercise your right to object, you can contact privacy@obsidiansecurity.com

Data portability

Request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service. You can request us to transmit your data when we are processing your personal data on the legal basis of consent or performance of contract.

Upon request, we will provide you with information about whether we hold, or process on behalf of a third party, any of your personal data or if we have retained your personal data after the closure of your account. To request this information please contact us via the information supplied in the Contact Information section below.

Not be subject to automated decision making

Not be subject to a decision based solely on automated decision making (decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

Obsidian does not employ automated decision making as part of providing its products or services to you where the decision would have a legal effect on you or produce a similarly significant effect.

Withdrawal of consent

Withdraw your consent to us collecting or using your personal data or update your subscription preferences

You can modify the settings by following the link at the bottom of any email communications.

Withdraw or opt-out of sharing or selling data

Under California Law you have the right to withdraw or opt-out of consent to sell and/or share your data

Obsidian does not sell your data to third-parties. Please see Section 3 on sharing data with third-parties.

4.2 How can I report abuse?

If you need to report abuse, please contact us by email at privacy@obsidiansecurity.com. Obsidian’s language for official communications is English.

5. SECURITY AND PRIVACY MEASURES

5.1 How does Obsidian protect my information and data?

We have implemented measures designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure.

Information you provide to us is stored on our secure servers behind firewalls. Any sensitive information is encrypted using Transport Layer Security (TLS) (sometimes referred to as Secure Sockets Layer or SSL).

You must also make sure that your personal data is safe and secure. Even if we give you (or you have chosen) a password for access to certain parts of our websites, you are responsible for keeping this password confidential. Do not share your password with anyone. We urge you to be careful about giving out information in public areas of our websites, for example, message boards. The personal data you share in public areas may be viewed by any user of our websites.

Information that is transmitted via the Internet is not completely secure. We cannot guarantee the security of your personal data transmitted to our websites. Any transmission of personal data is at your own risk. We are not responsible if you circumvent any privacy settings or security measures on our websites.

5.2 How does Obsidian limit access to my personal data?

We limit access to certain pages on our websites and allow you to set certain privacy settings via your account profile; however, be aware that no security measures are perfect or impenetrable.
Additionally, we cannot control the actions of other users of our websites with whom you may choose to share your user contributions. Given that, we cannot and do not guarantee that your user contributions will not be viewed by unauthorized persons.

6. OTHER IMPORTANT INFORMATION

6.1 Children Under the Age of 16

Our websites are not intended for children under 18 years of age. No one under age 18 may provide any personal data to or on the websites.

We do not knowingly collect personal data from children under 18. If you are under 18, do not use or provide any information on our websites or on or through any of their features, register on the websites, make any purchases through the websites, use any of the interactive or public comment features of our websites or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn we have collected or received personal data from a child under 18, we will delete that information immediately.

If you believe we might have any information from or about a child under 16, please contact us via the Contact Information section below.

6.2 California Privacy Rights

California Civil Code Section § 1798.83 permits users of our websites that are California residents to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please send an e-mail or write to us at our mailing address noted in the Contact Information section below.

7. DATA PRIVACY FRAMEWORK NOTICE: EU, UK AND SWISS INDIVIDUALS

Obsidian complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively “the Data Privacy Framework”).

Obsidian has certified to the U.S. Department of Commerce that it adheres to the EU-US DPF Principles with regard to the processing of Personal Data received from the European Union, and the United Kingdom (and Gibraltar) and to the Swiss-US DPF Principles with regard to the processing of Personal Data received from Switzerland. If there is any conflict between this Privacy Policy and the DPF Principles, the DPF Principles will govern. To learn more about the Data Privacy Framework, and to view our certification, please visit https://www.dataprivacyframework.gov/.

If you are located in the EU, UK or Switzerland, you have the right to request access to the Personal Data that we hold about you and request that we correct, amend or delete your Personal Data if it is inaccurate or processed in violation of the DPF Principles. We will give you an opportunity to opt out where Personal Data we control about you is to be disclosed to an independent third party or used for a purpose that is materially different from those set out in this Privacy Policy. If you would like to exercise any of your rights, please contact us via the details provided below.

In compliance with the DPF Principles, Obsidian commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. We will investigate and attempt to resolve any DPF Principles-related complaints within 45 days. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the DPF Principles should first contact Obsidian at legal@obsidiansecurity.com.

In compliance with the Data Privacy Framework, Obsidian commits to refer unresolved complaints concerning our handling of personal data received in reliance on the Data Privacy Framework to an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. The Federal Trade Commission has jurisdiction over Obsidian’s compliance with the DPF Principles.

In the context of an onward transfer, Obsidian is responsible for the processing of Personal Data it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on our behalf. Obsidian will remain liable under the DPF Principles if our agent processes your Personal Data in a manner inconsistent with the DPF Principles, unless Obsidian is not responsible for the event giving rise to the damage.

Please note that under certain circumstances, we may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

8. EU/UK REPRESENTATIVES.

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Obsidian Security, Inc. has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

  • by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
  • by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

Pursuant to Article 27 of the UK GDPR, Obsidian Security, Inc. has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

  • by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
  • by writing to EDPO UK at Unit 33, Waterside, Schooner Court, 44-48 Wharf Road, London, N1 7UX, United Kingdom

9. CONTACT INFORMATION

If you have any questions or comments about this Privacy Policy and our privacy practices, contact us at privacy@obsidiansecurity.com or by mail at Obsidian Security, Inc., Attn: Legal Department, 577 College Ave, Suite 200, Palo Alto, CA 94306.

Obsidian’s language for official communications is English.

10. CHANGES TO THIS PRIVACY POLICY

It is our policy to post any changes we make to this Privacy Policy on this page, with a notice that this Privacy Policy has been updated. The date this Privacy Policy was last revised is identified at the top of the page. This Privacy Policy will be reviewed, and revised if required, in accordance with applicable law.

Obsidian California Consumer Privacy Act and Consumer Privacy Rights Act Compliance Statement

Starting on January 1, 2020, the California Consumer Privacy Act (“CCPA”) governs how businesses handle the personal information of California residents. CCPA was amended by the adoption of the Consumer Privacy Rights Act (“CPRA”) effective March 29, 2023. Obsidian Security, Inc. and its subsidiaries and affiliates (collectively, “Obsidian”) is committed to our customers’ success, including their compliance efforts with respect to the CCPA.

How does Obsidian address its customers’ compliance with the CCPA?

For Obsidian’s customers, Obsidian is a “service provider” under the CCPA (and a “processor” under the CPRA). We process personal information only on behalf of our customers, pursuant to written contracts that restrict our use of such data to the purposes specified in those contracts. Those contracts permit Obsidian to process our customers’ data (including personal information) only for the purpose of providing our services and prohibit us from retaining, using, or disclosing such personal information for any purpose other than performing the services specified in our contracts. We do not sell or share (as those terms are defined under the CCPA/CPRA) any personal information that our customers submit to our services. We do not use personal information received from or on behalf of our customers for the purpose of cross-context behavioral advertising.

How does Obsidian address consumer rights under the CCPA?

If you are an individual seeking to exercise your rights under the CCPA (as amended by the CPRA), please see our Privacy Policy for more information. Our Privacy Policy is aligned with the requirements of the CPRA and provides you with information about how Obsidian collects your personal information and how to exercise your rights with respect to that information.

Questions

If you or anyone in your organization has questions about how Obsidian helps your organization comply with the CCPA, contact legal@obsidiansecurity.com.

OBSIDIAN COOKIE NOTICE

LAST UPDATED: June 5, 2025

This Cookie Notice explains how Obsidian Technologies Inc. (“Obsidian”, “we”, “us” or “our”) uses cookies and similar technologies in connection with its digital properties that link to this Cookie Notice, including our websites (collectively, the “Websites”), and the purposes for using them.

For more information about how we collect, use and share your personal data, see our Privacy Policy.

Our Websites use cookies, in combination with other tracking technologies (collectively, “cookies” unless otherwise noted) to distinguish you from other users of the Websites.

You do not need to allow cookies to visit most of the Websites. However, enabling cookies may allow for a more tailored browsing experience and is required for certain parts of the Websites to work. In the majority of cases, a cookie does not provide us with any of your personal data.

1. What are cookies?

Cookies are small data files containing a unique identifier that are placed on your computer or mobile device when you visit a Service. Cookies and similar technologies (which include pixels, tags, web beacons and software development kits (“SDKs”) and local browser storage technologies) (together “cookies”) enable operators of website/apps to recognize your device and collect information from it when you interact with them. They use this information to understand how the website is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience. Cookies are also used to make the advertising you see online more relevant to your interests.

Our Websites may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

2. Who places cookies on your device?

When you visit our Websites, both first-party cookies and third-party cookies may be placed on your device:

  • first party cookies, served directly by us to your computer or mobile device, which we use to recognize your computer or mobile device when it revisits our Websites; and 
  • third party cookies, which are served by service providers or business partners on our Websites, and can be used by these parties to recognize your computer or mobile device when it visits other websites. Third party cookies can be used for a variety of purposes, including service analytics, advertising and social media features. We do not control how these third parties use your information, which is subject to their own privacy policies. 

3. What types of cookies and similar tracking technologies are used on the Service and why?

The cookies used on our Websites are categorized as follows:

  • Strictly Necessary cookies are necessary for the Websites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Websites will not then work. In particular, we use these Strictly Necessary cookies to remember your privacy choices and for security purposes. If you prevent these cookies, we cannot guarantee how the Websites or the security on the Websites will perform during your visit.
  • Functional cookies enable us to provide you with enhanced functionality and personalisation. These cookies may be set by third party providers whose services we have added to our pages. If you do not add these cookies, then some of these services may not function properly.
  • Performance/Analytics cookies collect information about how you use our Websites (e.g., which pages you visit and if you experience any errors). These cookies are used to help us improve how our Websites work, understand what interests our users and measure how effective our content is. Some of our performance/analytics cookies are managed for us by third parties.
  • Targeting cookies record your visit to our Websites, the pages you have visited and the links you have followed. We or third party providers may use this information to personalize the content you see on the internet. Our advertising third party providers may use this information to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will experience less targeted advertising.

You can find more information regarding the cookies we use on our Websites below:

| Name and link to cookie policy | Company’s Location | Types of Cookies | Purpose of Cookies | Which Obsidian Security media use these cookies? |
| --- | --- | --- | --- | --- |
| Google Analytics | Mountain View, CA | Web cookies | Gives Obsidian aggregate understanding of number of page views per page, referring sites, time spent on site, whether content is read to completion and helps us improve our content | obsidiansecurity.com |
| Adobe (Marketo) | San Mateo, CA | Web cookies, tracking pixels and/or web beacons embedded in emails | Gives Obsidian metrics regarding how many of the emails we send are being opened and how many links within the emails are being clicked. Obsidian can link behavior to individual email recipients. Also provides information regarding site visits that helps us improve content. | obsidiansecurity.com, emails sent by Obsidian |
| Glassdoor | Mill Valley, CA | Web cookies, web beacons, flash cookies | Helps Obsidian improve our employee recruiting and retention by understanding how much interaction from whom our Glassdoor account is receiving | Obsidian’s Glassdoor page and related posts, including job posts |
| LinkedIn (Owned by Microsoft) | Sunnyvale, CA | Web cookies | Helps Obsidian recruit and improve our web content by understanding who is interacting with our social media and job posts | Obsidian’s LinkedIn profile, posts on Obsidian’s LinkedIn profile, and any posts that mention Obsidian Security on LinkedIn |
| Clearbit | San Francisco, CA | Web cookies and pixels | Helps automate and populate forms for your requests with information about you. | obsidiansecurity.com |
| Zoominfo | Vancouver, WA | Web cookies and pixels | Enriches collected information to help us better understand our customer base and improve our content. | obsidiansecurity.com |
| Webflow | San Francisco, CA | Web cookies and pixels | Provides for image storage and image pathways for the website. | obsidiansecurity.com |
| AWS | Seattle, WA | Pixels | Provides image optimization and security for the website. | obsidiansecurity.com |

4. Your choices

Strictly necessary cookies do not require your consent.

For performance/analytical, functional and targeting cookies, we request your consent before placing them on your device. You can give your consent by clicking on the appropriate button on the banner displayed to you. If you wish to avoid cookies placed on Obsidian Security’s behalf, simply check “I decline”.

Additionally, most browsers let you remove or reject cookies, or set rules to manage cookies on a site by site basis. To do this, follow the instructions in your browser settings. For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them.

To learn more about cookies, clear gifs/web beacons and related technologies and how you may opt-out of some of this tracking, you may wish to visit one or more of the following sites:

https://www.allaboutcookies.org
https://www.networkadvertising.org
https://www.aboutads.info/choices

For more information about how we collect, use and share your information, see our Privacy Policy.

5. Changes to this Cookie Notice

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes. In all cases, your use of the Service after the effective date of any modified Cookie Notice indicates your acceptance of the modified Cookie Notice.

6. Questions

If you have any questions about this Cookie Notice, please contact us by email at privacy@obsidiansecurity.com.

OBSIDIAN APPLICANT PRIVACY POLICY

LAST UPDATED: APRIL 28, 2025

The purpose of this Applicant Privacy Policy (“Policy”) is to provide you with information about how Obsidian Security, Inc. (the “Company,” “Obsidian,” “we,” “us” and/or “our”) processes your personal data collected during the recruitment process. This Policy describes the categories of personal information collected by the Company and the purposes for which such information may be collected and used. This Policy applies to any individuals who submit an application for an advertised position, provide their personal data for general employment inquiries, or otherwise seek to work for Obsidian, regardless of the manner in which you provide your personal data. This Policy applies in addition to our general Privacy Policy. Please refer to the Privacy Policy for our practices related to personal data submitted for other purposes.

This Policy may be updated from time to time. We will post any changes to this page. For additional information about the Company’s data privacy practices, please review our Privacy Policy.

Categories of Personal Information Collected

During the recruitment process, we may need to collect certain data about you, either from you directly, or from third parties with your approval.  This data may include the following:

Identifiers and Contact information. This category includes names, addresses, telephone numbers, mobile numbers, email addresses, signatures, account names, dates of birth, bank account information, and other similar contact information and identifiers.

Protected Classification Information. This category includes characteristics of protected classifications under California or federal law.

Internet or Other Electronic Network Activity Information. This category includes, without limitation:

  • all activity on the Company’s information systems, such as internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames and passwords
  • all activity on communications systems, including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices.

Geolocation Data. This category includes, without limitation, GPS location data from company-owned or issued mobile devices, applications, or vehicles.

Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information. This category includes, for example, information collected from cameras, thermometers, and similar devices.

Biometric Information. This category includes the use of biometric equipment, devices, or software to record your time worked, to enter or exit facilities or rooms, to access or use equipment, or for other business purposes.

Professional and Employment-Related Information. This category includes, without limitation:

  • data submitted with employment applications, including salary history, employment history, employment recommendations, etc.
  • background check and criminal history
  • work authorization
  • performance and disciplinary records
  • salary and bonus data
  • benefit plan enrollment, participation, and claims information
  • leave of absence information, including religious and family obligations, and physical and mental health data, concerning employees and their family members

Education Information. This category includes, without limitation, education history.

Sensitive Personal Information. This category includes sensitive information such as:

  • social security, driver’s license, state identification card, or passport number
  • financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.
  • precise geolocation
  • racial or ethnic origin
  • content of mail, email, and text messages (unless the Company is the intended recipient of the communication)
  • health information.

Purposes Personal Information, Including Sensitive Personal Information, Is Used

Data we collect about you as part of our recruitment process may be used for the following purposes:

  • Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, onboarding, and related recruiting efforts.
  • Processing payroll, other forms of compensation, and employee benefit plan and program design and administration including enrollment and claims handling, and leave of absence administration.
  • Maintaining physician records and occupational health programs.
  • Maintaining personnel records and record retention requirements.
  • Communicating with employees and/or employees’ emergency contacts and plan beneficiaries.
  • Complying with applicable state and federal health, labor, employment, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws, guidance, or recommendations.
  • Preventing unauthorized access to, use, or disclosure/removal of the Company’s property, including the Company’s information systems, electronic devices, network, and data.
  • Ensuring and enhancing employee productivity and adherence to the Company’s policies.
  • Providing training and development opportunities.
  • Investigating complaints, grievances, and suspected violations of Company policy.
  • Designing, implementing, and promoting the Company’s diversity and inclusion programs.
  • Facilitating the efficient and secure use of the Company’s information systems.
  • Ensuring compliance with the Company information systems policies and procedures. 
  • Improving safety of employees, customers and the public with regard to use of Company property and equipment.
  • Improving efficiency, logistics, and supply chain management.
  • Improving accuracy of time management systems and attendance, including vacation, sick leave, and other leave of absence monitoring.
  • Evaluating an individual’s appropriateness for a particular position at the Company, or promotion to a new position.
  • Managing customer engagement and other legitimate business purposes.
  • Responding to and managing legal claims against the Company and/or its personnel, including civil discovery in litigation.
  • Facilitating other business administrative functions and strategic activities, such as risk management, information technology and communications, financial management and reporting, workforce and succession planning, merger and acquisition activities, and maintenance of licenses, permits and authorization applicable to Company operations.

Retention. If you accept a position with Obsidian, your data will become part of your employment records. At that point, your data will be subject to our applicable employee privacy policies. If you are not hired, or elect to withdraw or decline our employment offer, we will retain your applicant data for three years unless a longer period is required by applicable law or to establish, exercise, or defend legal challenges related to our recruitment processes. We hold your data for three years so that we may consider you for other positions that arise within our organization and to comply with our regulatory requirements.  

We retain your personal information for as long as is necessary to process your application for employment, process your payroll, administer your benefits, etc. and in accordance with the Company’s data retention schedule. We may retain your personal information for longer if it is necessary to comply with our legal or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, enforce our legal agreements and policies, address other legitimate business needs, or as permitted or required by applicable law. We may also retain your personal information in a deidentified or aggregated form so that it can no longer be associated with you. To determine the appropriate retention period for your personal information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we collect or process your personal information; and applicable legal requirements. Personal information does not include certain categories of information, such as publicly available information from government records, and deidentified or aggregated consumer information.

Disclosure. To carry out the purposes outlined above, the Company may disclose personal information to service providers or other third parties, such as background check vendors, third-party staffing vendors, information technology vendors, outside legal counsel, and state or federal governmental agencies. In addition to the parties listed in the Privacy Policy, we may share your personal data with your references and your previous or current employers to perform professional reference and employment checks.  The Company does not sell or share, as those terms are defined under applicable law, the above categories of personal information. The Company may add to the categories of personal information it collects and the purposes for which it uses that information.

California Resident Individual Rights Requests. Individuals who are residents of the State of California have certain individual rights, which are outlined below.

Right To Know About Personal Information Collected or Disclosed. As a California resident, you have the right to request additional information, beyond that disclosed above, regarding the following, to the extent applicable:

  • the categories of personal information the Company collected about you
  • the categories of sources from which that personal information was collected
  • the business or commercial purposes for which that information was collected, sold, or shared
  • the categories of third parties to whom the information was disclosed
  • the specific pieces of personal information collected

Upon receipt of a verifiable request to know (see below), and as required by applicable law, we will provide a response to such request.

Right To Request Deletion of Your Personal Information. You have the right to request that we delete the personal information we collected or maintain about you. Once we receive your request, we will let you know what, if any, personal information we can delete from our records, and will direct any service providers and contractors to whom we disclosed your personal information to also delete your personal information from their records.

There may be circumstances where we cannot delete your personal information or direct service providers or contractors to delete your personal information from their records. Such instances include, without limitation, when the information at issue is maintained: (a) to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the Company and compatible with the context in which you provided the information, or (b) to comply with a legal obligation.

Upon receipt of a verifiable request to delete (see below), and as required by applicable law, we will provide a response to such requests.

Right to Request Correction. You have the right to request that the Company correct any inaccurate personal information we maintain about you, taking into account the nature of that information and purpose for processing it. Upon receipt of a verifiable request to correct (see below), and as required by the CCPA, we will provide a response to such requests.

Right to Limit Use or Disclosure of Sensitive Personal Information. You have the right, subject to certain exceptions, to request that we limit the use and disclosure of your sensitive personal information, as that term is defined in the CCPA. Upon receipt of a verifiable consumer request, and as required by the CCPA, we will take appropriate steps to respond to your request.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate or retaliate against you for exercising any of the rights described above.

Submitting CCPA Rights Requests. To submit a CCPA Rights request as outlined above, please contact us at privacy@obsidiansecurity.com or submit a General Inquiry form on https://www.obsidiansecurity.com/contact/. We reserve the right to only respond to verifiable consumer requests that are submitted as instructed.

We reserve the right to amend this notice at any time without advance notice. Please direct questions about this notice to privacy@obsidiansecurity.com.

European Union, UK or European Economic Area Residents. If you are a resident of the European Union, UK or European Economic Area we may rely on one or more of the following lawful bases for processing your applicant data:

  • Our legitimate interests, which are summarized above in the section titled “Purposes Personal Information, Including Sensitive Personal Information, Is Used”;
  • To comply with applicable laws and regulations;
  • To take steps to enter into an employment contract with you; and/or
  • Where we have your consent to process your data.

Spouses, Dependents, and Associates. If you have knowledge that the Company collected personal information related to your spouse, dependent, or associate, please share a copy of this notice with all such individuals.
