Obsidian Website Privacy Policy

Choices About Your Information

You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications or emailing privacy@obsidiansecurity.com. We make every effort to promptly process all unsubscribe requests. You may not opt out of Platform-related communications (e.g., account verification, information about your orders, changes/updates to our products or features of the Platform, technical and security notices), unless you cease using the Platform.

If you are a user of the Platform, you may modify or delete your information by logging into your account. If you otherwise have any questions about reviewing, modifying or deleting your information, you can contact us directly at privacy@obsidiansecurity.com.

Security

We employ a number of technical, organizational and physical safeguards designed to protect the personal data we collect.  However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal data.

Links to Third-Party Sites

Our Websites or Platform may contain links to other websites, including links to our partners and to media web sites. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications or online services operated by third parties, and we are not responsible for their actions. Please be aware that our Privacy Policy does not apply to websites, mobile applications or online services controlled by third parties. We encourage you to read the privacy policies of the other websites, mobile applications and online services you use.

Age Limitations

The Platform and Websites are not directed to anyone under the age of 18. A parent or guardian who becomes aware that his or her child under the age of 18 has provided us with personal data may contact us using one of the methods in the Feedback and Contact Information section below and wewe will attempt to delete the child’s data as soon as possible.

Changes to the Policy

We may revise this Policy from time to time. The most current version of the Policy will always be at obsidiansecurity.com/privacy-policy.

If we make a change to our website privacy policy that, in our sole discretion, is material, we will notify you by updating the date of this Policy and posting it on the Service or other appropriate means.  Any modifications to this Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Websites or Platform after the effective date of any modified Policy indicates your acceptance of the modified Policy.

Notice to California Residents

This Policy contains a list of the categories of personal data we collect, and have collected for the past twelve months.

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) that include the right to:

  • Request access, correction and deletion of your personal information;
  • Opt out of the sale or sharing of your personal information; and
  • Not be discriminated against for exercising one of your CCPA/CPRA privacy rights.

Please note that we do not sell the personal data that we collect.

To exercise your rights, please contact us as provided in the Feedback and Contact Information section. You will not be discriminated against for exercising your privacy rights under the CCPA and CPRA. In order to protect your personal data from unauthorized access or deletion, we may require you to provide additional information for verification. If we can’t verify your identity, we will not provide or delete your data.

Notice to EU and UK Residents

If you are located in the European Economic Area, Switzerland, or United Kingdom, you have additional data privacy rights outlined in this section.

Legal bases for processing

The legal bases of our processing of your personal data as described in this Privacy Policy will depend on the type of personal data and the specific context in which we process it. However, the legal bases we typically rely on are set out in the table below. If you have questions about the legal basis of how we process your personal data, contact us at privacy@obsidiansecurity.com.

Processing purpose
Details regarding each processing purpose listed below are provided in the section above titled “How we use your personal data”.		 Legal basis
For Websites and Platform delivery: We need to process your personal data to operate the Websites and Platform, including managing your account or transactions, responding to your requests or inquiries, providing you with access to content or information you requested, etc. Processing is necessary to perform the contract governing our provision of our Websites or Platform or to take steps that you request prior to signing up for the Platform.
For research and development: We may use your personal data for research and development purposes, including to analyze and improve the Websites, Platform, and our business. These activities constitute our legitimate interests. We do not use your personal data for these activities where our interests are overridden by the impact on you.
For additional purposes, such as:
  • To ensure access and maintenance of the Websites and Platform, and to ensure their proper functioning
  • For compliance, fraud prevention and safety
  • For sharing your personal data with third parties as described in this Policy
  • To disclose your personal data to a prospective or actual purchaser or seller in the context of a merger, acquisition or other reorganization or sale of our business or assets.
  • For the collection of statistical information about the use of the Platform and/or Websites
  • To protect our interests as a company, for different purposes, such as:
    • Enforcement of the Websites’ or Platform’s terms of service
    • Assessing claims that any content violates the rights of third-parties
    • Establishment or exercise our legal rights or defending against legal claims
 We rely on our legitimate interests to process your personal data when performing these processing activities. We do not use your personal data for these purposes where our interests are overridden by the impact on you.
For marketing and advertising purposes: We and our third-party advertising partners may collect and use your personal data for marketing and advertising purposes. Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal data for these purposes based on our legitimate interests in promoting our business.
Compliance with legal obligations and protection purposes: We are subject to certain legal obligations that may oblige us to disclose your personal data to courts, law enforcement or regulatory authorities. Processing is necessary to comply with our legal obligations.
To comply with applicable law Processing is necessary to comply with our legal obligations.
Actions we take with your consent:
  • Allowing third party ad partners and advertisers to use tracking technologies while you use the Websites.
  • Inviting you to participate on a voluntary basis to our surveys about the Platform.
 In these scenarios, the processing of the personal data you voluntarily provide to us is based on your consent. Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent or in the services.

Use for new purposes.
We may use your personal data for reasons not described in this Policy where permitted by law and the reason is compatible with the purpose for which we collected it.  If we need to use your personal data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Special Categories of data / Sensitive personal data.
We ask that you not provide us with any sensitive personal data (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Websites and/or Platform, or otherwise to us.

Your rights.
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you may have the following rights under data protection laws:

  • to request that we provide you with a copy of your personal data that we hold, and you have the right to be informed of; (a) the source of your personal data; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entity to whom your personal data may be transferred;
  • to request that we cease processing your personal data, in whole or in part, as you direct us, for any purpose, save to the extent it is lawful to do so without consent;
  • to request that we restrict the processing of your personal data where: (a) the accuracy of the personal data is contested; (b) the processing is lawful but you object to the processing of the personal data; (c) we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defense of a legal claim;
  • to request that we erase your personal data in limited circumstances where it is no longer necessary in relation to the purpose(s) for which it was collected or processed;
  • to challenge processing which we have justified on the basis of a legitimate interest;
  • to request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes;
  • to request that we change the manner in which we contact you for marketing purposes;
  • to request that we correct any errors in your personal data;
  • to request that we update your personal data as required. Note that you may also correct, update or remove certain parts of such personal data by yourself, or completely deactivate your SodaStream account, through your account settings;
  • to obtain a copy of the safeguards under which your personal data is transferred outside the EU; and
  • to lodge a complaint with your local supervisory authority for data protection. However, we encourage you to first contact us.

You may submit these requests by email to privacy@obsidiansecurity.com or our postal address provided in the Feedback and Contact Information Section below. We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal data requested to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.

  1. -EU/UK Representatives.  Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Obsidian Security, Inc, has appointed the European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:
  2. -by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
  3. -by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

Pursuant to Article 27 of the UK GDPR, Obsidian Security, Inc, has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

  1. -by using EDPO’s online request form: https://edpo.com/uk-gdpr-data-request/
  2. -by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

Cross-border data transfer.
We may share your personal data with third parties who may be based outside of the EEA and/or UK. In such circumstances, those parties’ processing of your personal data will involve a transfer of your personal data outside of the EEA and/or UK where privacy laws may not be as protective as those in your state, province, or country.

You can obtain further information or a copy of or access safeguards under which your personal data is transferred outside of the EEA and/or UK by contacting us at privacy@obsidiansecurity.com.

Feedback and Contact Information

Obsidian is on a continual quest for improvement. We invite feedback from customers, interested third parties, and visitors to the Websites.

If you would like to provide feedback, have questions about this Policy, or if you would like to exercise your statutory rights, you may contact us using any of the options below:

Email — privacy@obsidiansecurity.com

Physical mail –
Obsidian Security
c/o Privacy Team
680 Newport Center Drive #200
Newport Beach, CA 92660

Anonymous feedback —  Submit here.

Last updated: 17 April 2024

This Cookie Notice explains how Obsidian Technologies Inc. (“Obsidian”, “we”, “us” or “our”) use cookies and similar technologies in connection with its digital properties that link to this Cookie Notice, including our websites (collectively, the “Websites”) and the purposes for using them.

For more information about how we collect, use and share your personal data, see our Privacy Policy.

Our Websites use cookies, in combination with other tracking technologies (collectively, “cookies unless otherwise noted) to distinguish you from other users of the Websites.

You do not need to allow cookies to visit most of the Websites. However, enabling cookies may allow for a more tailored browsing experience and is required for certain parts of the Websites to work. In the majority of cases, a cookie does not provide us with any of your personal data.

1. What are cookies?

Cookies are small data files containing a unique identifier that are placed on your computer or mobile device when you visit a Service. Cookies and similar technologies (which include pixels, tags, web beacons and software development kits (“SDKs”) and local browser storage technologies) (together “cookies”) enable operators of website/apps to recognize your device and collect information from it when you interact with them. They use this information to understand how the website is being used, letting you navigate between pages efficiently, remembering your preferences and generally improving your browsing experience. Cookies are also used to make the advertising you see online more relevant to your interests.

Our Websites may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them).

2. Who places cookies on your device?

When you visit our Websites, both first-party cookies and third-party cookies may be placed on your device:

(1) first party cookies, served directly by us to your computer or mobile device, which we use to recognize your computer or mobile device when it revisits our Websites; and

(2) third party cookies, which are served by service providers or business partners on our Websites, and can be used by these parties to recognize your computer or mobile device when it visits other websites. Third party cookies can be used for a variety of purposes, including service analytics, advertising and social media features. We do not control how these third parties use your information, which is subject to their own privacy policies.

3. What types of cookies and similar tracking technologies are used on the Service and why?

The cookies used on our Websites are categorized as follows:

  • Strictly Necessary cookies are necessary for the Websites to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Websites will not then work. In particular, we use these Strictly Necessary cookies to remember your privacy choices and for security purposes. If you prevent these cookies, we cannot guarantee how the Websites or the security on the Websites will perform during your visit.
  • Functional cookies enable us to provide you with enhanced functionality and personalisation. These cookies may be set by third party providers whose services we have added to our pages. If you do not add these cookies, then some of these services may not function properly.
  • Performance/Analytics cookies collect information about how you use our Websites (e.g., which pages you visit and if you experience any errors). These cookies are used to help us improve how our Websites work, understand what interests our users and measure how effective our content is. Some of our performance/analytics cookies are managed for us by third parties.
  • Targeting cookies record your visit to our Websites, the pages you have visited and the links you have followed. We or third party providers may use this information to personalize the content you see on the internet. Our advertising third party providers may use this information to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will experience less targeted advertising.
You can find more information regarding the cookies we use on our Websites below:
Name and link to cookie policy Company’s Location Types of Cookies Purpose of Cookies Which Obsidian Security media use these cookies?
Google Analytics Mountain View, CA Web cookies Gives Obsidian aggregate understanding of number of page views per page,
referring sites, time spent on site, whether content is read to completion and
helps us improve our
content		 obsidiansecurity.com
Rollworks San Francisco, CA Web cookies and tracking pixels Allows Obsidian to provide personalized advertising to you regarding our products and services on other sites and understanding of your usages of our site. obsidiansecurity.com
Adobe (Marketo) San Mateo, CA Web cookies, tracking pixels and/or
web beacons embedded in emails		 Gives Obsidian metrics
regarding how many of
the emails we send are
being opened and how
many links within the
emails are being clicked.
Obsidian can link
behavior to individual
email recipients.  Also provides information regarding site visits that helps us improve content.		 obsidiansecurity.com, emails sent by Obsidian
Glassdoor Mill Valley, CA Web cookies, web
beacons, flash cookies		 Helps Obsidian improve
our employee recruiting
and retention by
understanding how much interaction from whom
our Glassdoor account is
receiving		 Obsidian’s Glassdoor page and related posts,
including job posts
LinkedIn
(Owned by Microsoft)		 Sunnyvale, CA Web cookies Helps Obsidian recruit
and improve our web
content by understanding who is interacting with
our social media and job
posts		 Obsidian’s LinkedIn
profile, posts on
Obsidian’s LinkedIn
profile, and any posts that mention Obsidian Security on LinkedIn
Clearbit San Francisco, CA Web cookies and pixels Helps automate  and populate forms for your requests with information about you. obsidiansecurity.com

4. Your choices

Strictly necessary cookies do not require your consent.

For performance/analytical, functional and targeting cookies, we request your consent before placing them on your device. You can give your consent by clicking on the appropriate button on the banner displayed to you. If you wish to avoid cookies placed on Obsidian Security’s behalf,  simply check “I decline”.

Additionally, most browsers let you remove or reject cookies, or set rules to manage cookies on a site by site basis. To do this, follow the instructions in your browser settings. For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them.

To learn more about cookies, clear gifs/web beacons and related technologies and how you may opt-out of some of this tracking, you may wish to visit one or more of the following sites:

http://www.allaboutcookies.org

http://www.networkadvertising.org

‍http://www.aboutads.info/choices

For more information about how we collect, use and share your information, see our Privacy Policy.

5 .Changes to this Cookie Notice

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes.  In all cases, your use of the Service after the effective date of any modified Cookie Notice indicates your acceptance of the modified Cookie Notice.

6. Questions

If you have any questions about this Cookie Notice, please contact us by email at privacy@obsidiansecurity.com.

OBSIDIAN APPLICANT PRIVACY POLICY

Last updated: 17 April 2024

The purpose of this Applicant Privacy Policy (“Policy”) is to provide you with information about how Obsidian Security, Inc. (the “Company,” “Obsidian,” “we,” “us” and/or “our”) processes your personal data collected during the recruitment process.  This Policy describes the categories of personal information collected by the Company and the purposes for which such information may be collected and used. This Policy applies to any individuals who submit an application for an advertised position, provide their personal data for general employment inquiries, or otherwise seek to work for Obsidian, regardless of the manner in which you provide your personal data.  This Policy applies in addition to our general Privacy Policy. Please refer to the Privacy Policy for our practices related to personal data submitted for other purposes.

This Policy may be updated from time to time. We will post any changes to this page. For additional information about the Company’s data privacy practices, please review our Privacy Policy.

Categories of Personal Information Collected

During the recruitment process, we may need to collect certain data about you, either from you directly, or from third parties with your approval.  This data may include the following:

Identifiers and Contact information. This category includes names, addresses, telephone numbers, mobile numbers, email addresses, signatures, account names, dates of birth, bank account information, and other similar contact information and identifiers.

Protected Classification Information. This category includes characteristics of protected classifications under California or federal law.

Internet or Other Electronic Network Activity Information. This category includes, without limitation:

  • all activity on the Company’s information systems, such as internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames and passwords
  • all activity on communications systems, including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices.

Geolocation Data. This category includes, without limitation, GPS location data from company-owned or issued mobile devices, applications, or vehicles.

Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information. This category includes, for example, information collected from cameras, thermometers, and similar devices.

Biometric Information. This category includes the use of biometric equipment, devices, or software to record your time worked, to enter or exit facilities or rooms, to access or use equipment, or for other business purposes.

Professional and Employment-Related Information. This category includes, without limitation:

  • data submitted with employment applications, including salary history, employment history, employment recommendations, etc.
  • background check and criminal history
  • work authorization
  • performance and disciplinary records
  • salary and bonus data
  • benefit plan enrollment, participation, and claims information
  • leave of absence information, including religious and family obligations, and physical and mental health data, concerning employees and their family members

Education Information. This category includes, without limitation, education history.

Sensitive Personal Information. This category includes sensitive information such as:

  • social security, driver’s license, state identification card, or passport number
  • financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.
  • precise geolocation
  • racial or ethnic origin,
  • content of mail, email, and text messages (unless the Company is the intended recipient of the communication) and
  • health information.

Purposes Personal Information, Including Sensitive Personal Information, Is Used

Data we collect about you as part of our recruitment process may be used for the following purposes:

  • Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, onboarding, and related recruiting efforts.
  • Processing payroll, other forms of compensation, and employee benefit plan and program design and administration including enrollment and claims handling, and leave of absence administration.
  • Maintaining physician records and occupational health programs.
  • Maintaining personnel records and record retention requirements.
  • Communicating with employees and/or employees’ emergency contacts and plan beneficiaries.
  • Complying with applicable state and federal health, labor, employment, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws, guidance, or recommendations.
  • Preventing unauthorized access to, use, or disclosure/removal of the Company’s property, including the Company’s information systems, electronic devices, network, and data.
  • Ensuring and enhancing employee productivity and adherence to the Company’s policies.
  • Providing training and development opportunities.
  • Investigating complaints, grievances, and suspected violations of Company policy.
  • Designing, implementing, and promoting the Company’s diversity and inclusion programs.
  • Facilitating the efficient and secure use of the Company’s information systems.
  • Ensuring compliance with the Company information systems policies and procedures.
  • Improving safety of employees, customers and the public with regard to use of Company property and equipment.
  • Improving efficiency, logistics, and supply chain management.
  • Improving accuracy of time management systems and attendance, including vacation, sick leave, and other leave of absence monitoring.
  • Evaluating an individual’s appropriateness for a particular position at the Company, or promotion to a new position.
  • Managing customer engagement and other legitimate business purposes.
  • Responding to and managing legal claims against the Company and/or its personnel, including civil discovery in litigation.
  • Facilitating other business administrative functions and strategic activities, such as risk management, information technology and communications, financial management and reporting, workforce and succession planning, merger and acquisition activities, and maintenance of licenses, permits and authorization applicable to Company operations.

Retention.

If you accept a position with Obsidian, your data will become part of your employment records. At that point, your data will be subject to our applicable employee privacy policies. If you are not hired, or elect to withdraw or decline our employment offer, we will retain your applicant data for three years unless a longer period is required by applicable law or to establish, exercise, or defend legal challenges related to our recruitment processes. We hold your data for three years so that we may consider you for other positions that arise within our organization and to comply with our regulatory requirements.

We retain your personal information for as long as is necessary to process your application for employment, process your payroll, administer your benefits, etc. and in accordance with the Company’s data retention schedule.  We may retain your personal information for longer if it is necessary to comply with our legal or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, enforce our legal agreements and policies, address other legitimate business needs, or as permitted or required by applicable law.  We may also retain your personal information in a deidentified or aggregated form so that it can no longer be associated with you.  To determine the appropriate retention period for your personal information, we consider various factors such as the amount, nature, and sensitivity of your information; the potential risk of unauthorized access, use or disclosure; the purposes for which we collect or process your personal information; and applicable legal requirements.  Personal information does not include certain categories of information, such as publicly available information from government records, and deidentified or aggregated consumer information.

Disclosure. 

To carry out the purposes outlined above, the Company may disclose personal information to service providers or other third parties, such as background check vendors, third-party staffing vendors, information technology vendors, outside legal counsel, and state or federal governmental agencies. In addition to the parties listed in the Privacy Policy, we may share your personal data with your references and your previous or current employers to perform professional reference and employment checks.   The Company does not sell or share, as those terms are defined under applicable law, the above categories of personal information. The Company may add to the categories of personal information it collects and the purposes for which it uses that information.

California Resident Individual Rights Requests.

Individuals who are residents of the State of California have certain individual rights, which are outlined below.

Right To Know About Personal Information Collected or Disclosed. As a California resident, you have the right to request additional information, beyond that disclosed above, regarding the following, to the extent applicable:

  • the categories of personal information the Company collected about you
  • the categories of sources from which that personal information was collected
  • the business or commercial purposes for which that information was collected, sold, or shared
  • the categories of third parties to whom the information was disclosed
  • the specific pieces of personal information collected

Upon receipt of a verifiable request to know (see below), and as required by applicable law, we will provide a response to such request.

Right To Request Deletion of Your Personal Information. You have the right to request that we delete the personal information we collected or maintain about you. Once we receive your request, we will let you know what, if any, personal information we can delete from our records, and will direct any service providers and contractors to whom we disclosed your personal information to also delete your personal information from their records.

There may be circumstances where we cannot delete your personal information or direct service providers or contractors to delete your personal information from their records.  Such instances include, without limitation, when the information at issue is maintained: (a) to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the Company and compatible with the context in which you provided the information, or (b) to comply with a legal obligation.

Upon receipt of a verifiable request to delete (see below), and as required by applicable law, we will provide a response to such requests.

Right to Request Correction. You have the right to request that the Company correct any inaccurate personal information we maintain about you, taking into account the nature of that information and purpose for processing it. Upon receipt of a verifiable request to correct (see below), and as required by the CCPA, we will provide a response to such requests.

Right to Limit Use or Disclosure of Sensitive Personal Information.  You have the right, subject to certain exceptions, to request that we limit the use and disclosure of your sensitive personal information, as that term is defined in the CCPA.  Upon receipt of a verifiable consumer request, and as required by the CCPA, we will take appropriate steps to respond to your request.

Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate or retaliate against you for exercising any of the rights described above.

Submitting CCPA Rights Requests. To submit a CCPA Rights request as outlined above, please contact us at privacy@obsidiansecurity.com or submit a General Inquiry form on https://www.obsidiansecurity.com/contact/. We reserve the right to only respond to verifiable consumer requests that are submitted as instructed.

We reserve the right to amend this notice at any time without advance notice.  Please direct questions about this notice to privacy@obsidiansecurity.com.

European Union, UK or European Economic Area Residents.

If you are a resident of the European Union, UK or European Economic Area we may rely on one or more of the following lawful bases for processing your applicant data:

  • Our legitimate interests, which are summarized above in the section titled “Purposes Personal Information, Including Sensitive Personal Information, Is Used”;
  • To comply with applicable laws and regulations;
  • To take steps to enter into an employment contract with you; and/or
  • Where we have your consent to process your data.

Spouses, Dependents, and Associates.

If you have knowledge that the Company collected personal information related to your spouse, dependent, or associate, please share a copy of this notice with all such individuals.