Privacy Policy

Last Modified: 05/21/2024

1 Introduction

1.1 Scope

This policy sets forth the privacy principles that Sphera Solutions, Inc., a Delaware corporation (“Sphera”, “we”, “us”, “our,” or “Company”) follows when processing Personal Data received from customers or prospective customers located in the European Economic Area (“EEA”), the United Kingdom, and Switzerland.

We take your privacy very seriously. Please read this policy carefully as it contains important information on who we are and how and why we collect, receive, store, use, manage, share, transfer, or maintain (collectively, “Process”) your Personal Data, as well as how we protect it. It also explains your rights in relation to your Personal Data and how to contact us or supervisory authorities in the event you have a complaint.

1.2 Definitions

Personal Data – Any information relating to an identified or identifiable individual as further defined under Applicable Data Protection Laws – all applicable legislation and regulatory requirements in force from time to time which apply to the use of Personal data including but not limited to the GDPR.

UK GDPR – the UK General Data Protection Regulation.

EU GDPR – the EU General Data Protection Regulation.

Swiss-US DPF– the Swiss-US Data Privacy Framework.

2 Policy

The use of Sensitive Data should always be treated with the utmost care and is governed according to Sphera’s Data Classification policy and the DPF Principles. As the safeguarding of Personal Data is critical to Sphera’s business, all questions regarding proper care of Personal Data should be directed to Sphera’s Data Protection Officer at dpo@sphera.com.

2.1 Data Protection

Sphera will comply with Applicable Data Protection Laws when processing Personal Data in relation to the good and services we offer to individuals and our wider operations in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, which means that Personal Data will be:

  • Used lawfully, fairly, and in accordance with this Privacy Policy.
  • Collected only for those valid purposes identified herein and not used in any way that is incompatible with those purposes
  • Used lawfully, fairly, and in accordance with this Privacy Policy.
  • Kept accurate and up-to-date, to the best of our knowledge.
  • Maintained only for as long as necessary to fulfil the purposes for which the Personal Data was collected.
  • Kept securely and protected against unauthorized or unlawful Processing and against loss or destruction using appropriate technical and organizational measures.

2.2 Data Transmittal

We cannot promise that your use of our websites, apps, or services will be completely safe. Any transmission of your data to our websites or apps is at your own risk. We encourage you to use caution when using the Internet. We keep Personal Data as long as it is necessary or relevant for the practices described in this Privacy Policy, including, for example, for legal compliance, dispute resolution, contract enforcement, backup, archival, and other internal operations purposes. We also keep information as otherwise required by law. Personal Data may be accessed by persons within our organization, or our vendors, and those other parties described in this Privacy Policy, including those who require such access to carry out the purposes described in this Privacy Policy, and such other purposes as permitted or required by applicable law.

2.3 Data Privacy

Sphera ensures it only uses third parties and personnel who:

  • Are bound to observe data and telecommunications secrecy under Applicable Data Protection Laws,
  • Have received appropriate training on their responsibilities,
  • Are required to keep Personal Data strictly confidential and subject to confidentiality obligations that survive the termination of their Sphera shall not permit any person to process Personal Data who is not under such a duty of confidentiality.

2.4 Data Retention and Destruction

Sphera recognizes that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory, and regulatory obligations, to ensure the protection of Personal Data and to enable the effective management of the organization.

Sphera’s data retention and destruction practices meet the standards and expectations set out by contractual, audit, and legal requirements and have been developed to meet the best practices of business records management, with the aim of ensuring a structured approach to document control.

2.5 What kinds of information does Sphera Process?

We Process a different kind of information depending on how you are engaging with us. The data we Process includes Personal Data, Usage Information, and User Generated Information.

  • Personal Data is any data that identifies or describes you or another individual. Personal Data often relates to an individual’s person, communications, movements, and surroundings, and behaviors online and in the real world. This information need not directly connect to a known or identifiable individual. Data associated with proxies for individuals like a device serial number or an account number can also be Personal Data when it describes or otherwise relates to the person, communications, movements, surroundings, and behaviors of the person or people who use the device, account, or other proxy. Some examples of Personal Data we may process include your name and contact information, your government ID numbers, your payment card or bank information, photos of you, and so on. We obtain Personal Data by collecting it directly from you, such as through online forms on our websites or through our product registration and User service systems; through reports created using our products and services; through automated methods integrated into our products, services, and websites; and from third parties we have contracted with.
  • Usage Information is data generated by your use of a Sphera product, service, or website. When you visit a Sphera website, your browsing generates information like logs that include information about what pages you visited, what content you interacted with, and when you visit pages and interact with elements on them. Sphera products and services and their associated software like web portals, mobile applications, and other tools may also generate information when you use them. We may collect this information and use it as described in this policy. This information can include data about how often you use our products, performance related information like crashes and memory consumption, information about how you interact with our user interfaces, and other information related to the way our products and services are performing.
  • Our websites, products, and services, as well as the tools, applications, and software associated with them, may let you create your own content and upload it to your Sphera products or incorporate it into work product generated by your use of Sphera services. This User Generated Information      varies depending on what products, services, or websites you are interacting with, but examples include messages you send to us via our websites; search queries; photos, videos, and sound recordings you create with our mobile applications; and reports, charts, and other documents you create using our products; and the work product produced by engaging Sphera services. User Generated Information may also include Personal Data, for example when a user of one of our products submits a report relating to an incident you and others may have been involved in.
  • When logging onto Sphera systems, Sphera will collect your name, your email address, and related user profile information. This information may reveal your identity and includes information about the specific computer or device you are using, such as your computer’s operating system and Internet Protocol (IP) address. We also automatically collect and store information about your activities on our Site, such as information about how you came to and used our Site, event information (like access times and browser type and language) and data collected through cookies and other similar technologies that uniquely identify your browser, computer, and/or another device. We may share information about your computer or other device with our third-party service providers for information and network security, including fraud detection.

2.6 What do we do with the Personal Data that we Process?

When we Process Personal Data, we do so in order to fulfil our legitimate business purposes. These include:

  • Delivering requested functionality. Many features of our products, services, and websites process information in response to your requests. For example, when you create an account, we collect Personal Data like your email address, password, and profile information so you can log into our websites and use our products and services. If you use our websites to communicate with us, we collect Personal Data and User Generated information like your name, contact information, and message content and make it available to the people who will be responding to you. When you browse our websites or use our tools, applications, and other software we collect User Generated Information you make available to us in order to incorporate it into reports and other documents you wish to create (which are themselves User Generated Information). If you use LinkedIn’s EasyApply to apply to a job opening, we’ll receive a link to your profile. This is used by our HR and Recruiting team to help us efficiently assess your skills and qualifications for the role you’ve applied for.
  • Protecting our rights. When we license software products to you, we reserve the right to collect Personal Data like your account credentials and information about the computers and mobile devices you use to access licensed products and Usage Information like the number of unique users logging into our software in order to monitor compliance with the terms of our license agreements with our users.
  • Supporting our users. We collect Usage Information like errors that occur when you use our products, services, and websites and logs that describe when and how you interact with our user interfaces so we can better diagnose and resolve technical problems you may experience.
  • Improving our products, services, and websites. We may use Personal Data we have collected to ask you to participate in surveys, focus groups, and other forums where we will solicit feedback about your user experience. We may also collect and use anonymous Usage Information about errors and interactions with our user interfaces and excerpts from User Generated Information like support and service requests. We use this information to identify, prioritize, and develop patches, enhancements, and other improvements to our products, services, and websites as well as to create new products and services responsive to our users’ needs.
  • Promoting our products, and services. We use Personal Data we collect from our websites, events we sponsor online and in person, from downloads of publications we make available ourselves or through partners to identify potential users for our products and services and to contact them to initiate sales efforts. We also use Personal Data we have collected from existing users along with Usage Information about how their users interact with our products and services and User Generated Information like issues you have raised with our support teams to identify other Sphera products and services our users might be interested in and to reach out to them to discuss new business. We may supplement Personal Data we have collected with information we get from third parties in order to improve our data about potential leads.

2.7 How do we secure Personal Data that we Process?

When we collect and store Personal Data on our systems as described in this policy, we apply reasonable and appropriate administrative, physical, and technical safeguards to detect and prevent unauthorized access, disclosure, use, and loss of Personal and User Generated Information. These safeguards include monitoring and auditing of our IT infrastructure, encryption of files in transit and at rest, strong password policies, limiting access to User Generated and Personal Data to designated personnel with a legitimate business purpose, and, where applicable, periodic data privacy protection and compliance training for our personnel.

No safeguards are 100 percent effective. While our safeguards offer a reasonable and appropriate level of protection to information that we Process, we do not warrant or guarantee that data we Process will never be affected by a security incident.

2.8      How do we use cookies and other online tracking technologies?

Cookies, web beacons, and similar local objects are small files that record or collect information. Our websites place them on your computer when you visit them. In some cases, our service providers collect information that these local objects place on your computer and use that information as described by this policy. We also use local objects to record personalized preferences like saving your login information for the next time you visit our site or to set language preferences. You can learn more about the way we use local objects by reviewing our Cookies Policy.

2.9      What do we do with children’s Personal Data?

Our products, services, and websites are not intended for use by children. We never intentionally collect information from children. If we discover that we have collected a child’s Personal Data, we will delete it promptly.

2.10      Who do we share Personal Data with?

We will make Personal Data we have collected available to third parties under the following circumstances:

  • Where we have relationships with service providers. We may partner with third parties in the ordinary course of our business to perform services or provide product functionality on our behalf. Examples include recruitment software providers; payment processors; hosting providers; marketing and market research providers; resellers of our products and services; data brokers who help us supplement our records with publicly available information; and a call center or other service providers supporting our User service personnel. Our contracts with service providers require them to implement reasonable and appropriate safeguards for Personal Data we share with them and limit their rights to use that Personal Data to purposes consistent with this policy. Where we transfer your Personal Data to a service provider, we remain liable for damages resulting from the unauthorized Processing of your Personal Data if the service provider fails to meet their contractual obligations to us.
  • In order to protect our rights or the rights of third parties. We may share information with legal counsel, auditors, and related service providers in the course of evaluating or pursuing potential claims involving enforcement of our or third parties’ contractual and other legal rights. We will take steps to ensure that we disclose only the information necessary for this purpose and impose confidentiality obligations and use restrictions consistent with this policy where appropriate.
  • With Sphera affiliates around the world. We have personnel and operations in countries around the world who work together to deliver products and services and process information as described in this policy. These affiliates may be located in countries other than the one where you reside, including the United States. Laws governing Processing of information, including Personal Data, vary from country to country and may differ from the laws applicable in your home country. All Sphera affiliates and personnel comply with the terms of this policy when Processing your Personal Data. Your use of our products, services, and websites constitutes your permission for us to share information with our affiliates without restriction.
  • Sphera may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

2.11      Special Category Data

Owing to the products, services, or treatments that we offer, Sphera sometimes needs to Process more sensitive      Personal Data (known as special category data) as carrying out the performance of a specific contract on behalf of the controller. Where such Personal Data is Processed, we will only  do that for the specified purpose for which the Personal Data was collected.

2.12      What are my rights under this policy?

  • You have the right to access, modify, and object to the Processing of Personal Data we have collected from you.
  • Your Personal Data is available by logging into your account. You can update your Personal Data whenever you like.
  • You also have the right to restrict any Personal Data we Process and can make other changes or delete your account and the Personal Data associated with it by contacting us via the Sphera Customer Network at https://scn.spherasolutions.com/.
  • You have the right to export Personal Data and Customer Generated Information we Process for you as a Customer. Your customer care representative can assist you with these requests.
  • You have the right to opt into and out of receiving marketing communications from us. When we collect Personal Data, we will give you the opportunity to decide whether or not you want to receive marketing communications from us. No matter what you decide, you will have the opportunity to change your mind later. Your decisions with respect to marketing communications will not affect your ability to receive communications that are based on existing business relationships like customer satisfaction outreach, acknowledgement of transactions, customer service follow-up, and so on.
  • You have the right to lodge a complaint with the supervising authority where applicable. A list of Supervisory Authorities is available here:  https://edpb.europa.eu/about-edpb/board/members_en.
  • You have the right to withdrawal your consent at any time.
  • You have a right to be notified of changes to this policy. If we make material changes that affect the rights and/or responsibilities described in this policy, we will publish notice of changes to our websites. Sphera users will also receive notices via the Sphera Customer Network. If you continue to use our products, services, or websites we will consider that acceptance of the changes.

2.13 Data Subject Request

To exercise the rights afforded to you under this policy, you can click the online webform here, by emailing us at dpo@sphera.com, by calling us at (312) 796-7160 or submitting a Data Subject Access Right request at https://sphera.com/data-subject-access-rights/.  We may deny certain requests, or fulfil a request only in part, based on our legal rights and obligations. For example, we may retain Personal Data as permitted by law, such as for tax or other record keeping purposes, to maintain an active account, and to Process transactions and facilitate customer requests.  We will take reasonable steps to verify your identity prior to responding to your requests. The verification steps may vary depending on the sensitivity of the personal information and whether you have an account with us.

3 User Data

Sphera is committed to protecting and respecting its Users privacy. This section (along with any other documents mentioned) lays out how Personal Data is collected, the various ways in which it is provided, and how Personal Data flows throughout Sphera. Please read the following section carefully.

3.1 The Categories of Personal Data Sphera Collects

Sphera will collect, use, and store the following categories of personal data:

Processing Purpose Categories of Personal Data Legal Basis
Employment with Sphera:  Personal information may be collected from several sources including online job portals, resume, and directly from the data subject for the following purposes:

-Assess if the user’s skills will be able to fulfil the role that they applied to.
-Carry out background and reference checks where applicable.
-Communicate relevant recruitment process details via email or phone.
-Validate employment eligibility.
-Enrol in employment benefits and payroll.
-Used for future job opportunities.

-Personal Data e.g. First/Last name.
– Contact details e.g. Telephone number.
-Address information.
-Current office and Job information e.g. Current Job Title.
-Emergency contacts
-Tax forms and other government required documents
The legal basis is consent and compliance with legal obligations.
Use of Sphera SaaS Applications:  Authentication and authorization data is collected to facilitate access to Sphera SaaS applications -Business contact information including First Name, Last Name and Business Email address.
-Data system authorization and authentication logs when accessing Sphera systems.
The legal basis is compliance with contractual obligations.
Marketing:  Personal information is collected to advertise and market Sphera products and services to customers and potential customers. -Business contact information including First Name, Last Name and Business Email address.
– Internet data such as IP address, country of origin, and other data based directed sales materials
The legal basis is data subject consent as applicable by law.  Where not applicable by law, we have a legitimate interest in promoting our business.

 

3.2 What are local objects?

Local objects are small files that our websites download to your device when you visit us online. They are linked to your browser and hold a small amount of information about the way you interact with our websites.

3.2.1 What does Sphera do with local objects?

We use local objects for the various purposes. Here are some examples.

  • To save your preferences and settings. You can, if you wish, choose to save certain website settings based on your preferences. Examples include saving your username and password to make future logins easier and remembering other preferences. These objects are tied to your browser. If you delete cookies and other local objects with your browser settings, you will lose any stored preferences you might have set up.
  • To help us learn how well our websites are working. We collect information about pages you visit, how long you spend on our pages, and the way you interact with content. We use this information to help us improve our websites and display the best content.
  • To enable you to communicate with us. Local objects enable us to connect you with chat operators to get answers to your questions about our products and services. These objects ensure that we have your name and contact information in case we need to follow up.
  • To promote our products and services. If you visit one of our websites, we may place a local object on your device that enables us to display ads for our products and services on other websites you visit.

3.3 What are my choices?

In addition to the instructions outlined in Section 2.13 above, you can always use your browser settings and other tools you can choose to install to control how your devices interact with cookies and other local objects. Your browser may also allow you to set a “Do Not Track” setting. If you block local objects like cookies, you may not be able to use certain features of our websites. Our websites may not be able to respond to Do Not Track settings from all browsers. If you want to learn more about how you can control different types of local objects, you can visit any of the following links.

3.4 How do I contact you with questions or requests relating to this policy?

If you are a registered Sphera customer, the best way to contact us is to via the Sphera Customer Network at https://scn.spherasolutions.com/. Our customer service team will open a case number and get your question or request to the right personnel who can assist you. They will also track progress of your case to ensure that it gets resolved. If you don’t have an account on the Sphera Customer Network, you can use the “Contact Us” form on the home page.

You may also reach us by mail at:

Sphera Solutions, Inc.
ATTN: Legal Department
130 E Randolph Street #1900
Chicago, IL 60601

3.5 How do I make a complaint:

Please contact us if you have any queries or concerns about our use of your Personal Data (see above ‘How do I contact you with questions or requests relating to this policy’). We hope we will be able to resolve any issues you may have. You may also have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

Sphera complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Sphera has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Sphera has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) regarding the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data Privacy Framework website, http://www.dataprivacyframework.com.

Pursuant to the DPF Program, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the DPF, should direct their query to DPO@Sphera.com If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to DPO@Sphera.com

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Sphera commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Sphera commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact Sphera’s Data Protection Office at DPO@Sphera.com

Sphera has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf

In accordance with the DPF Principles, Sphera is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) or any other U.S. authorized statutory body, for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

Ready to learn more?

Tell us how we can help.