Modified: October 14, 2020
How Cultivate Processes Personal Data
Customer (your employer) is using a “self-hosted” version of Cultivate’s software, which means that the software is installed and running directly on Customer-owned or controlled servers, where most of the analytics also occur. Therefore, Cultivate does not seek or require access to a Customer or user’s emails, chats, or calendar content, unless directed by the Customer or user, for example, technical and support issues. However, this is rare because support issues generally don’t require Cultivate to access such content. In general, Cultivate’s access to your personal data will be limited to statistics and persistent online identifiers.
Cultivate is a “processor” of your personal data. This means that Cultivate will collect and process your personal data only as instructed or permitted by our Customer (your employer). In this case, Cultivate’s use of such information is limited to the purpose of providing the service for which the Customer has engaged Cultivate. For example, providing or improving the leadership and coaching tools, preventing or addressing service or technical problems, in accordance with Customer’s other instructions and the relevant agreement between the Customer and Cultivate, or as may be required by law.
Customer (your employer) is responsible for complying with any privacy laws that require providing notice, disclosure, and/or obtaining consent prior to using Cultivate’s software or collecting or transferring any of your personal data to Cultivate.
How Cultivate Discloses Your Personal Data
Cultivate does not proactively display your personalized leadership and coaching content to our Customer (your employer). Theoretically, it may be viewable by others within your organization, for example, if your employer takes control of your login credentials.
Cultivate will disclose personal data when instructed by our Customer. We may disclose your personal data to our affiliates and third party processors as needed to provide the services that you and our Customer have requested. These entities are contractually bound to limit the use of your personal data as needed to perform the services.
Cultivate will refer any request for disclosure of personal data by a law enforcement authority to the Customer. Cultivate may, where it concludes that it is legally obligated to do so, disclose personal data to law enforcement or other government authorities. Cultivate will notify Customer of such request unless prohibited by law.
General Data Protection Regulation “GDPR”
Cultivate has obtained a GDPR Validation from TrustArc to further demonstrate its ability to assist Customers in complying with their relevant privacy obligations. A copy of the validation letter can be provided to Customers upon request.
Cultivate Technology Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries, the United Kingdom and Switzerland, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
Cultivate Technology Inc. is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Cultivate Technology Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, the United Kingdom and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Cultivate Technology Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
We have implemented technical and organizational measures to protect your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. However, no method of transmission over the Internet, and no means of electronic or physical storage, is absolutely secure. Thus, we cannot guarantee the absolute security of that information.
Additionally, to facilitate our operations, we may transfer, store and process your personal data in jurisdictions other than where you live, including in the United States. Laws in these countries may differ from the laws applicable to your country of residence. For instance, if you are a European Economic Area (EEA) data subject and your personal data is shared with our affiliates, partners, or third-party service providers acting on our behalf outside of the EEA, then it is done so pursuant to necessary means to ensure an adequate level of protection.
Additional information about the security settings and configurations can be found in the Cultivate documentation made available to Customers.
Cultivate maintains a SOC II Type II certification, a copy of which can be provided to Customers upon request.
Cultivate may amend this Policy from time to time, at its sole discretion. Use of any personal data we collect now or in the future will be subject to the Policy in effect at the time Cultivate uses such personal data. If we make material changes to the way we use personal data, we will notify you by posting an announcement on our website and service or by sending an email to the address you have registered with us. We encourage you to periodically review this Policy for any changes. For new Customers, changes or updates are effective upon posting. For existing Customers, changes or updates are effective 30 days after posting.
Talk to us
We welcome your comments and questions regarding our Policy.
An individual who seeks to exercise any data subject rights under applicable local laws, including the ability to access, delete, rectify, transfer, restrict, or object to the processing of personal data, should direct their request to the Customer (your employer or another entity or person, called the “data controller”). Cultivate will honor and support any Customer instructions with respect to your personal data, as required by law. Alternatively, clicking the “Delete Account” button located in your account’s settings will delete your (i) email and chat messages, calendar data, and other content submitted through the software and (ii) your personalized leadership and coaching content.
Please contact us at:
Cultivate Technology Inc.
326 Ritch Street
San Francisco, CA 94107
For EEA data subjects, our data protection officer is Joshua Pittel, who may be reached at our principal place of business or by emailing firstname.lastname@example.org. Our EU Data Protection Representative is DPR Group who may be contacted via the instructions here.
EEA data subjects have the right to lodge a complaint with a supervisory authority concerning Cultivate’s data processing activities.