Privacy and Data Security Statement – COMMERCIAL CUSTOMERS
1. Customer and Customer Data
For the purposes of this Statement, “Customer” means the commercial customers of Sylogist who have entered into agreements with Sylogist for services. “Customer Data” includes the following entered into Sylogist’s software by the Customer, that may be accessed by Sylogist in connection with or incidental to the performance of services for or on behalf of Customer or by any other means: any information relating to an identified or identifiable individual irrespective of whether such individual is a Customer, customer employee or other status (such as name, postal address, email address, telephone number, date of birth, social insurance number, driver’s license number, account number, credit or debit card number, health or medical information, or any other unique identifier) (“Personal Information”). Any information defined as “Confidential Information” by an agreement for services which the Customer has entered into with Sylogist (“Customer Agreement”) will be treated in accordance with the confidentiality provisions in the Customer Agreement.
2. Personal Information
2.1 Consent. We ask that before providing Personal Information to Sylogist, Customer will obtain all required consents from third parties (including Customer’s contacts, customers, and employees) under applicable privacy and data protection laws.
2.2 Compliance with Privacy Laws. Sylogist takes reasonable steps to comply with (i) all applicable legal requirements (federal, state, provincial, local and international laws, rules and regulations and governmental requirements) currently in effect and as they become effective, relating in any way to the privacy, confidentiality or security of Customer Data, including but not limited to as applicable, the laws and regulations of the United States, Canada, the European Union, the European Economic Area and their member states, and the United Kingdom, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq. (“CPRA”), Virginia Consumer Data Protection Act, Va. Code, 59.1-571 et seq. (“VCDPA”); Colorado Privacy Act, Col. Rev. Stat. § 6-1-1301 et seq. (“CPA”), Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§ 6501-6508), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the Health Information Technology for Economic and Clinical Health Act (HITECH Act); and the Personal Information Protection and Electronic Documents Act (Canada) and substantially similar provincial laws, as amended or supplemented from time to time, and any other applicable law now in force or that may in the future come into force governing the collection, use, disclosure and protection of personal information applicable to either party or to any information collected, used or disclosed in the course of providing or receiving the Services.
2.3 Limitation on use; ownership. Any use of Customer Data by Sylogist is limited to the sole purpose expressly authorized by a Customer Agreement (i.e., providing the Services). Any Customer Data, including in any reconfigured format, shall at all times be and remain the sole property of Customer, unless agreed otherwise in writing by Customer.
2.4 Limitation on transfer. Sylogist does not share, transfer, disclose or otherwise provide access to any Customer Data to any third party unless Customer has authorized Sylogist to do so in writing. Sylogist does ensure that any third party it may authorize to perform any of the Services shall be obligated to have a Security Program equivalent to that set forth in this Statement. Further, regarding any Data Incident (as this term is defined in section 3.1.4), Sylogist shall contractually preserve for itself – or Customer – all such rights as Sylogist has under section 4 and enforce such rights at Customer’s request for Customer’s benefit.
2.5 Cross-border Transfers. Unless expressly authorized by Customer, Sylogist does not store Customer Data outside the country where the Customer resides and shall not transfer or otherwise provide access to Customer Data to any person, albeit Sylogist’s affiliate or subsidiary, outside the country where Customer resides.
2.6 De-identified Information. Sylogist may derive aggregated, statistical, anonymized and/or de-identified information from Personal Information (“De-identified Information”). Without limiting the generality of the foregoing, Sylogist takes commercially reasonable measures to avoid the re-identification of the De-identified Information, including: (a) not bringing any other data in the environment of the De-identified Information in order to avoid increasing the risk of re-identification by linkage; and (b) destroying any accidentally re-identified Personal Information and informing Customer of any cases of re-identified Personal Information.
2.7 Data Subjects’ Requests under Privacy Laws. If Sylogist receives a data subject request regarding its Personal Data under applicable privacy laws, Sylogist shall promptly redirect the individual to Customer and shall assist Customer in responding to such request, if applicable.
2.8 Notice of Process. In the event Sylogist receives a governmental or other regulatory request for any Customer Data, it agrees to immediately notify Customer to allow Customer to have the option to defend such action. Sylogist shall reasonably cooperate with Customer in such defense.
3. Data Security Program
Sylogist maintains a written information security program that contains reasonable administrative, technical, and physical safeguards and that is designed to: (a) protect the confidentiality, integrity, and availability of Customer Data in Sylogist’s possession or control or to which Sylogist has access; (b) protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Data; (c) protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Customer Data; and (d) safeguard Customer Data in compliance with applicable laws, as set forth by section 2.1.
4. Data Incidents
4.1. Informing Customer of Data Incident. For the purposes of this section “Data Incident” means any actual or reasonably suspected unauthorized use of, loss of, access to or disclosure of Customer Data. Sylogist notifies Customer of any reasonably suspected or actual Data Incident. While the initial phone notice may be in summary form, a comprehensive written notice shall be given within 48 hours to Customer. The notice shall summarize in reasonable detail the nature and scope of the Data Incident (including each data element type that relates to a customer or Customer employee, if any) and the corrective action already taken or to be taken by Sylogist. The notice shall be timely supplemented in the detail reasonably requested by Customer, inclusive of relevant forensic reports. Sylogist shall promptly take all necessary and advisable corrective actions and shall cooperate fully with Customer in all reasonable efforts to mitigate the adverse effects of Data Incident and to prevent its recurrence.
4.2. Notice of Data Incident. Sylogist collaborates with Customers on whether any notice of the Data Incident is required to be given to any person, and if so, the content of that notice.
5. Interpretation, Termination and Secure Disposition
5.1. Sylogist either returns or disposes of Customer Data if no longer needed for Customer’s business or legal purposes or upon contract termination or upon Customer’s direction which may be given at any time. Any disposal will ensure that Customer Data is rendered permanently unreadable and unrecoverable. Upon reasonable notice and if requested by Customer, Sylogist shall provide Customer a certification of compliance with this section by an officer.
SylogistEd Privacy and Data Security Statement
In addition to the items set out in the Sylogist Privacy and Data Security Statement, the following apply to Customers of SylogistEd:
Applicability of Laws and Compliance. Sylogist is not a school, a school official, a school district, a municipal government or a governmental agency, an educational institution, an office of registrar, or a learning center. Therefore, state and federal law applicable to such institutions, specific provisions, requirements, or guidelines set forth therein, may not apply to Sylogist.
Disclaimer. It should be noted that Sylogist’s actions to model its rules, policies, disclosures, practices, and procedures with all applicable state and federal laws relating to privacy, shall in no way be interpreted as an admission relating to the applicability of such laws to Sylogist, nor shall such be interpreted as or deemed to be an agreement, implied or otherwise, that such laws are applicable to Sylogist.
Information of Children Under 13 and FERPA
Sylogist asks that customers not submit to Sylogist any personally identifiable information for anyone under the age of 13. Sylogist does not seek to use, disseminate, or collect such information.
Sylogist does not input, record, or review educational information or educational records. Additionally, Sylogist does not store or obtain hard copies of educational information or educational records. Sylogist cannot dispute or verify the accuracy of the information input or uploaded to the service by Customers. Requests to exercise rights provided by FERPA, relating to amending records, must be made directly to the school district or educational institution.
We reserve the right to change this policy from time to time as industry practice, the law, and our procedures in this area may change from time to time. We will post the current version of this policy at: www.sylogist.com.
WHAT IS PERSONAL INFORMATION?
WHAT DOES THIS POLICY APPLY TO?
If the policies and procedures outlined in this document do not address a specific situation, individuals are advised to contact the Company's Privacy Officer at email@example.com for guidance or clarification.
Our websites may provide links to third party websites and our services may be integrated with those of third parties. In such cases the provision of personal information to those parties will be covered by their policies.
WHAT PERSONAL INFORMATION DO WE COLLECT AND FOR WHAT PURPOSE?
The Company collects and uses only the personal information that we need for providing services and operating our business. Generally, the Company collects the following personal information from individuals for the various purposes set out below:
Details of visits to our website and the pages and resources that are accessed, including, but not limited to, traffic data, country location data and other communication data that may assist us in understanding the visitors that use our websites (please see the Cookies Section below for more details)
Information that you provide to us by filling in forms on our website (we use ClickDimensions software to collect this information)
Information provided to us when you communicate electronically for any reason
Employment information provided as part of an application
The Company collects, uses and discloses personal information for the following purposes:
to manage services
to manage the Company's business and operations, including customer relationships and matters
to meet legal and regulatory requirements
to inform individuals about the Company's products and services that we believe may be of interest to them, when we have consent to do so
to better understand an individual’s interests in our products and services
to deliver, develop, enhance or improve products and services
to evaluate suitability of candidates
to provide information on future opportunities
to verify access rights to our website
to contact clients about appointments and meetings
to conduct market research
to enforce our legal relationship with you
as is necessary in contemplation of a business transaction
We normally collect information directly from you. We may collect your information from other persons with your consent or as authorized by law. Before or at the time of collecting personal information, we identify the purposes for which we are collecting the information. If we wish to use or disclose your information for a new purpose not included in this policy, we will notify you and seek your consent.
In addition, we also receive and send data from our servers and from your browser when you visit our website, including your IP address, the time and information about the page you requested and the website through which you were linked to our site, if any. We may use tracking technologies, such as Google® Analytics in a variety of ways, including the following: keeping count of return visits to our site; accumulating and reporting anonymous, aggregate (data collected in mass), statistical information on website usage; and determining which features users like best.
Finally, your Internet browser has a feature called "cookies," which stores small amounts of data on your computer about your visit to our site. Cookies tell us nothing about who you are, however, unless you specifically give us personal information. You do not need to have cookies turned on to visit our websites. You may also elect not to allow cookies to be collected by selecting certain options on your browser.
If we use any cookies for the purposes of marketing to you we will seek your consent before using these cookies.
Ordinarily we ask for consent to collect, use or disclose personal information, except in specific circumstances where collection, use or disclosure without consent is authorized or required by law. We may assume your consent in cases where you volunteer information for an obvious purpose.
You may withdraw consent to the use and disclosure of personal information at any time, unless the personal information is necessary for us to fulfil our reasonable business or legal obligations. We will respect your decision, but we may not be able to provide you with certain products and services if we do not have the necessary personal information.
The purpose for collecting personal information is set out in this policy. Any necessary consents shall be obtained before personal information is collected, used or disclosed.
We ask for your express consent for some purposes and may not be able to provide certain services if you are unwilling to provide consent to the collection, use or disclosure of certain personal information. Where express consent is needed, we will normally ask clients to provide their consent orally (in person, by telephone), in writing (by signing a consent form), or electronically (by clicking a button).
The amount and type of personal information collected by the Company shall be limited to what is necessary to fulfill the identified purpose. Personal information shall only be used or disclosed for the purposes for which it is collected. Exceptions may be made with the consent of the individual or if authorized or required by law.
HOW DO I OBTAIN ACCESS TO MY PERSONAL INFORMATION?
Upon request received by the Company in writing, individuals shall be informed of the existence, use, and disclosure of their personal information records and shall be given access to that information. Requests to access personal information held by the Company should be directed to the Company's Privacy Officer.
Requests must be made in writing or by e-mail. Individuals may be required to verify their identity in order to access their personal information. Any such documentation provided shall be used for verification purposes only.
The Company responds to requests for access to personal information within thirty (30) days of receipt of the request, or as may be permitted in accordance with applicable privacy or data protection legislation.
A fee for reasonable costs incurred may be charged when responding to more complex requests. The individual will be informed of the applicable fee.
Requested information will be provided in a form that is generally understandable.
The Company will be as specific as possible when describing third parties to whom it has disclosed personal information about an individual. When it is not possible to provide a list of the organizations to which it has actually disclosed information, the Company will provide a list of organizations to which it is likely to have disclosed information.
LIMITATIONS ON ACCESS
The Company will only refuse access to information about you in those circumstances permitted or required by applicable privacy and data protection legislation.
In the event that the Company refuses to provide access to information, it will provide you with the reasons for its refusal upon request. Exceptions may include information that contains references to or opinions of other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, or information that is subject to solicitor-client or litigation privilege. The Company will respond to your requests for access in accordance with applicable privacy legislation.
HOW WILL MY PERSONAL INFORMATION BE MAINTAINED?
Personal information shall be kept as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
Individuals have the right to challenge the accuracy and completeness of the personal information that is maintained by the Company and have it amended as appropriate.
Individuals seeking a correction or amendment to their personal information should direct their requests in writing to the Company's Privacy Officer.
All formal requests to amend personal information must be accompanied by appropriate supporting documentation. The Company’s Privacy Officer will manage any exceptions. The amended information will be transmitted to third parties, as appropriate.
If the individual is not satisfied with the results of the request, the Company shall internally document the issue, and provide a response. The existence of the unresolved challenge will be transmitted to third parties, as appropriate.
HOW IS MY PERSONAL INFORMATION STORED AND SECURED?
Personal information will be retained only as long as necessary and will be disposed of in a manner that is appropriate to the sensitivity of the information. We render client personal information non-identifying, or destroy records containing personal information once the information is no longer needed. We use appropriate security measures when destroying client personal information, including shredding paper records and permanently deleting electronic records.
Personal information will be protected by security safeguards, appropriate to the sensitivity of the personal information.
We use cloud-based services to store information in the following countries: Canada, and the United States of America. Where personal information is stored or processed outside of Canada, it is subject to the laws of that foreign jurisdiction, and may be accessible to that jurisdiction’s governments, courts or law enforcement or regulatory agencies and subject to foreign laws.
We will notify you and the authorities as required by law, including the Office of the Information and Privacy Commissioner of Alberta and the Federal Privacy Commissioner as applicable, of a security breach affecting personal information if it creates a real risk of significant harm to individuals.
The following are applicable to residents of Quebec:
You have the right to be forgotten, which means you can restrict organizations from disseminating your personal information or, in certain situations, can have hyperlinks that are associated with your name and that provide access to personal information de-indexed.
You have the right to data portability. This is a supplementary right to receive computerized personal information collected from you in a structured, commonly used technological format and to have this information transferred directly to “any person or body authorized by law to collect such information”.
You have the right to be informed of automated decision-making. You have a right to be informed of the fact that your personal information is used to render a decision based exclusively on automated processing.
You have the right to request information about data processing, namely what personal information was collected from you and how it is being processed by us.
If you are a visitor from the European Economic Area and/or to the extent required by applicable law, you have the following additional data protection rights:
You can object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information.
If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to lodge a complaint with an applicable data protection authority. You have the right to lodge such a complaint in the European country of your habitual residence, place of work, or place of an alleged infringement if you consider that the processing of your personal information infringes applicable EU data protection laws. A list of all European supervisory authorities and their respective contact information is available here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.
If you are a visitor from California and/or to the extent required by applicable law, you have the following additional data protection rights:
These additional disclosures for California residents apply only to individuals who reside in California. The CCPA provides additional rights to know, delete and opt out, and requires businesses collecting or disclosing personal information to provide notices and means to exercise rights.
A. Notice of Collection.
In the past 12 months, we have collected the following categories of personal information listed in the CCPA:
Identifiers, including name, email address, phone number, account name, IP address, and an ID or number assigned to your case or case assessment conducted on our Service.
Customer records, billing and shipping address.
Commercial information, including purchases and engagement with the Company.
For more information about what information we collect, including the sources we receive information from and the business purposes we use it for, review the “What Personal Information Do We Collect and For What Purpose?” section.
Company does not generally sell information as the term “sell” is traditionally understood. However, to the extent “sale” under the CCPA is interpreted to include advertising technology activities such as those disclosed herein as a “sale,” we will comply with applicable law as to such activity. Company discloses the following categories of personal information for commercial purposes: identifiers, demographic information, commercial information, internet activity, and inferences. We use and partner with different types of entities to assist with our daily operations and manage our business. Please review the “What Personal Information Do We Collect and For What Purpose?” section for more detail about the parties we have shared information with.
B. Right to Know and Delete.
If you are a California resident, you have the right to delete the personal information we have collected from you and the right to know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:
The categories of personal information we have collected about you;
The categories of sources from which the personal information was collected;
The categories of personal information about you we disclosed for a business purpose or sold;
The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
The business or commercial purpose for collecting or selling the personal information; and
The specific pieces of personal information we have collected about you.
To exercise any of these rights, please submit a request to firstname.lastname@example.org. In the request, please specify which right you are seeking to exercise and the scope of the request. We will confirm receipt of your request within 10 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know or delete.
C. Right to Opt Out of Sale of Personal Information.
We will not sell your personal information.
D. Authorized Agent.
You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.
E. Right to Non-Discrimination.
You have the right not to receive discriminatory treatment by us for the exercise of any of your rights.
F. Shine the Light.
Individuals who are residents of California may request (i) a list of the categories of personal information disclosed by us to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom we have disclosed such information. To exercise a request, please write to us at the email or postal address set out in the “Questions and Complaints” section below and specify that you are making a “California Shine the Light Request.” We may require additional information from you to allow us to verify your identity and are only required to respond to requests once during any calendar year.
If you are not satisfied with the response from our Privacy Officer after making a complaint, you may have recourse to additional remedies under applicable privacy legislation. For further information, please contact the Canadian Federal Privacy Commissioner or your provincial Privacy Commissioner, or data protection supervisory authority as applicable. A list of Canadian privacy commissioners may be found here: https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight/.
QUESTIONS AND COMPLAINTS
If you have a question or concern about any collection, use or disclosure of personal information by the Company, or would like to request access to your own personal information, please contact:
Privacy Officer: email@example.com.