Galvanize Privacy & Cookies
Galvanize respects privacy and is committed to protecting our customer’s personal data.
“Personal information” is generally considered to be any information about an identified individual or that can be used (directly or indirectly) to identify an individual. For example, an individual’s name, e-mail address, phone number, online identifier, IP address or photo. Information that has been anonymized, and from which no individual can be identified either directly or in combination with other data, is not personal information.
Personal Information We Collect
Galvanize collects personal information that you provide to us directly, that we collect automatically when you access and use Galvanize websites and products, and that is provided to us by third parties or through publicly available sources.
Personal information you provide to us directly:
- Contact Information. We collect contact information, such as your name, email address, company or organization, job level and function, industry, telephone number and/or country when you fill out online forms, register online, set-up a user account or make a support enquiry.
- Billing Information. If you make a purchase, such as an online training course or attendance at an event, we will collect your billing address and payment preferences. If you choose to pay by credit card, your credit card details (number, expiration date, card verification value (cvv)) will be provided directly to our payment processor. We do not keep or store credit card information.
- Career Information. We will collect your resume and work eligibility if you submit a job application or sign-up for job alerts through the Careers section of our web sites. You may, optionally, provide us with your social profiles (such as Facebook and LinkedIn) and any other information you choose to provide with your application.
- Other Information. We collect other information that you provide to us at your option, such as survey responses, contest submissions, user profile information (which may include a photo) or special notes you have asked us to include with your account information.
Personal information collected when you access and use Galvanize websites or products:
- Log and Device Information. Galvanize collects information about how you access our websites and products in order to optimize them for the types of connections, browsers and devices being used. We collect your browser type and settings, language preferences, access times, Internet Service Provider and IP address. Your IP address is a unique 32-bit numeric address that distinguishes your computer from another computer. If you access Galvanize websites or products through your mobile device, we collect the type, brand and model of device, the operating system and version, unique device identifiers, mobile network information or platform information (to the extent permitted) and device settings, such as screen resolution, browser or mobile input selector (i.e., touchscreen, mouse, clickwheel).
- Product Usage Information. Galvanize collects aggregated data about use of the Galvanize products, including applications and features used, number and size of attached files, number and types of devices used to access Galvanize products, and content accessed and used. Usage information does not contain any customer data.
Personal information provided by third parties or publicly available sources:
- Galvanize Channel Partners and Resellers. We collect information you or your organization provide to Galvanize channel partners or resellers in order to fulfill your organization’s order for Galvanize products and services.
- Data Providers. From time to time, we may collect business contact information and contact lists from third party data providers, provided they have demonstrated compliance with applicable privacy and data protection laws.
- Social Media. We may collect contact information you provide to third party social media services and make publicly available (such as LinkedIn).
How We Use Personal Information
Galvanize uses the personal information we collect for the following purposes:
- Fulfill Your Requests. We use your personal information to fulfill your requests to download materials, such as ebooks, webinars, analyst reports or product details; to register for a webinar,
event or course; to obtain further information about our products; to access products and services you are authorized to use; to receive job alerts; and to process your purchase and payment.
- Sales and Marketing. We use your personal information to provide you with information about our products and services that may be of interest to you, such as new features, newsletters, offers, promotions, contests, and events; to host and carry out events and contests; to improve our websites and web-based services to meet visitor and user needs; and to seek information about your use of our products and services to better understand your needs and as input to future product development or marketing activities.
- Products and Services. We use personal information to set up individual user accounts for our customers and verify users’ identity for access to Galvanize products and related resources, such as technical support, online training, tools and templates; to communicate with our customers about their product subscription through emails and in-app notifications to their individual users, including notices regarding scheduled maintenance, updates, security alerts, support and administrative messages and issues concerning use of our products and services; to make it easier to use our websites or web-based services (for instance, by collecting cookies of your email address and password so that you will not need to re-enter your password to log on); and to carry out research and development in order to improve our products and services.
- Job Applications. We use your personal information to process job applications made through the Careers section of our web site.
- Community Forums. We use your personal information to give you access to our community forums and allow you to create your own user profile. Please be aware that:
- Your name, title, organization and “about me” information are publicly displayed in the community forums and user groups.
- Your profile photo will not be publicly displayed unless you choose to show your photo on publicly accessible pages by checking a box for this.
- Your profile is searchable by other community users and the public, even if they are not part of your organization.
- Content that you share or post may be seen by other users of the community or the public.
We will also use personal information for other purposes of which we have notified you, or as legally required.
Legal Basis (GDPR)
For personal information that is subject to the General Data Protection Regulation (GDPR), the lawful basis for collecting and using your personal information is consent, where you have given consent, or our legitimate interests (which are not overridden by your data protection interests), such as operating our business, understanding and improving our products, direct marketing related to our products and services, hosting events, communicating with our customers and their users about our products, services, events or related resources, improving our websites and protecting our legal rights and interests.
Where consent is the legal basis, you may withdraw that consent at any time. Where we are using your personal information for our legitimate interests, you have the right to object to that use. See below under Your Rights for how to withdraw consent or object. If you have any questions about the lawful basis upon which we collect and use your personal data, please Contact us as noted below.
Sharing Your Personal Information
Galvanize does not sell or distribute personal information to third parties. Galvanize will only share your personal information as provided below.
- Vendors and Service Providers. Galvanize may share your personal information with third party vendors and service providers who provide products and services that we use to operate our business and carry out the purposes listed above. These include customer relationship management systems, contract signing applications, in-app notifications, website hosting, website analysis, marketing campaigns, email services, event registration, billing and payment processing, cloud-hosted document storage, job applications and alerts, surveys and contests, and other contractors or consultants that work on our behalf. Before sharing your personal information, we ensure that the third parties receiving the personal information have provided appropriate safeguards, and that your privacy rights are protected and preserved.
- Corporate Transactions. Galvanize may share your personal information in connection with, or during negotiations of, any merger, amalgamation, sale of company assets, financing, purchase or acquisition, subject to a commercially reasonable confidentiality or non-disclosure agreement.
- Compliance with Laws. Galvanize may disclose your personal information to a third party if we are required to do so in order to comply with applicable laws, government request, a court order or other quasi-government request to assist with an investigation. We may also be required to disclose your personal information to enforce our legal rights, to enforce security requirements, or to respond to an emergency which we believe, in good faith, requires us to disclose your personal information. In such instances, if permissible, we will make every reasonable effort to give you as much notice as possible regarding the disclosure of your personal information, what information was disclosed and why.
Storage and Retention
We retain personal information only for as long as necessary to achieve our stated purposes, or as required by applicable law. After such time, we will delete, archive or anonymize your personal information. We will store your personal information securely until it is deleted.
- User Account Information is kept for as long as your user account is active and for a reasonable period after it has been deactivated in the event you or your organization wish to re-activate your user account. User account information may also be retained as necessary to comply with our legal obligations, resolve disputes or maintain our relationship with your customer organization. Credit card information is never kept or stored by us.
- Career Information is kept until your job application has been reviewed and may be kept on file as required by law and for future consideration as new job opportunities arise.
- Log and Device Information regarding your use of our websites or products will be kept for up to three (3) years.
- Marketing Contact Information will be kept after your initial consent until you delete your information or request that we do so. You may opt-out or unsubscribe from our mailing lists and marketing messages at any time by updating your email preferences in your account settings. You may also opt out or unsubscribe from future email communications from a link within each email we send to you.
You may delete your personal information, or request that we do so, at any time. See below under Your Rights for further information on how to do this.
Security and Shared Responsibility
Galvanize takes reasonable steps to ensure the security of your personal information against loss, misuse and unauthorized disclosure. We have implemented policies, standardized procedures, training, and physical and logical access controls. Our websites and sub-domains are protected by an SSL (Secured Sockets Layers) certificate to ensure all information is transmitted over a secured connection between your browser and our web server. We use PCI compliant third party payment processors to process credit card transactions in a secure manner.
While we follow, and often exceed, industry standards to protect your information, no electronic communication is ever completely secure. You share responsibility for protection of your personal information by keeping your username and password confidential and by changing passwords regularly.
Galvanize will notify affected parties of any security incident involving personal information in accordance with Galvanize’s Security Incident Response Plan and applicable legal and regulatory requirements.
Personal information may be transferred to and processed in Canada and the United States.
Before transferring your personal information, we ensure that appropriate safeguards are in place and that your privacy rights are protected and preserved. Such safeguards may include the existence of an EU adequacy decision, certification and adherence to EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks, the Standard Contractual Clauses approved by the European Commission, binding corporate rules, or other legal mechanisms to safeguard the personal information being transferred.
Information about the Privacy Shield Frameworks can be found at www.privacyshield.gov
You have certain rights in respect of your personal information. These rights are set out below.
- Correction and Deletion. Galvanize will make reasonable efforts to ensure that the personal information we collect from you is accurate and complete. You may update, correct or delete your personal information at any time by logging into your user account and modifying your personal information, including your preferences to receive messages from us. You may also update, correct or delete information. To exercise your rights with respect to personal information held by Galvanize, please complete the Personal Information Request form. If you wish to deactivate your product user account, please contact your organization’s administrator.
- Withdrawing Consent. Where we have relied on your consent to use your personal information, you have the right to withdraw that consent at any time by contacting us as noted below. In addition, all our marketing email messages contain the ability to automatically “opt-out” or unsubscribe from our mailing lists and marketing messages. You may also elect not to receive communication from us by updating your preferences in your account settings or sending an email to email@example.com to request that we remove your email, address and name from our mailing lists. We will continue to send you messages of a non-promotional nature related to your organization’s product subscription or your user account, such as security alerts, maintenance notices, updates, renewal or suspension notices, or notifications to comply with legal requirements or applicable law.
- Access and Portability. You have the right to request a record of the personal information that we have collected about you. In addition, you have the right to request that we provide that information in a structured, commonly used electronic format for transmission to another company (where applicable and technically feasible). There may be some cases where we cannot provide you with certain information about you if it would mean disclosure of personal information of another person or other confidential information, or if it would compromise our security systems. If you require access to your personal information, please Contact Us. We will respond to you within thirty (30) days of receiving your request. We may charge a fee where permitted by applicable law.
- Restriction and Objection. In certain limited circumstances, individuals in the EU may request that we restrict our use of their personal information and, where we rely on legitimate interests as the legal basis for using your personal information, you have the right to object to such use. In these cases, we can be required to no longer use your personal information; however, this may mean that certain products, services or information cannot be made available to you. If you wish to exercise your right to restrict or object, please Contact Us.
- Complaints. You have the right to lodge a complaint with a supervisory authority (i.e., the independent public authority responsible for monitoring data protection laws in your country). You may also contact the Privacy Commissioner of Canada (for international matters and inter-provincial matters) (http://www.priv.gc.ca/) or the Information and Privacy Commissioner of British Columbia (for British Columbian matters) (http://www.oipc.bc.ca/).
ACL Services Ltd. dba Galvanize
1500, 980 Howe Street
Canada, V6Z 0C8
Attention: Privacy Officer
Galvanize and EU-US Privacy Shield
This document is intended for informational purposes and is not intended to provide legal advice. Galvanize encourages Customers to obtain independent legal advice with respect to compliance obligations specific to the Customer.
Galvanize is committed to maintaining the security of Customer Data and ensuring its compliance with GDPR. In light of the recent decision passed down by the European Court of Justice that invalidated the EU-US Privacy Shield, we understand that some Customers may have questions about how this affects their relationship with Galvanize. We hope that the following information provides answers to some of your concerns.
Does this decision affect Galvanize Customers?
- Most Customers will not experience any changes in their contracts with Galvanize or in their use of the Galvanize products. Even though the EU-US Privacy Shield was invalidated, personal data may still be transferred outside the EU through the Galvanize products pursuant to the EU adequacy decision for Canada and the Standard Contractual Clauses. Please note that the EU Standard Contractual Clauses (“SCC’s”) are already incorporated by reference in the standard Galvanize Data Processing Addendum (“DPA”), which forms part of the Galvanize Master Subscription Agreement.
- If you have an older agreement with Galvanize that does not incorporate a DPA and the SCC’s, or would like to execute an updated DPA, please get in touch with your Account Manager or Client Partner.
How does Galvanize comply with the GDPR for International data transfers?
- ACL Services Ltd. dba Galvanize (“Galvanize”) is a British Columbia corporation headquartered in Vancouver, Canada. As a British Columbia Corporation, Galvanize may receive International data transfers from the EU under the European Commission adequacy decision. There is no requirement to have SCC’s or another transfer mechanism to legally transfer personal data from an EU controller to Galvanize.
- Relational Security Corporation dba. Galvanize (“RSAM”) is a Delaware Corporation and a subsidiary of ACL Services Ltd. RSAM contracts with some US customers who purchase RSAM products. International data transfers may also be completed within RSAM products under the EU SCC’s, which are incorporated by reference in the standard Galvanize Data Processing Addendum. If you are unsure about whether or not your company has a current DPA with RSAM or Galvanize, please contact your Account Manager or Client Partner.
Where is Customer data stored?
- Galvanize utilizes Amazon Web Services as a sub-processor to host the Galvanize products. AWS has designated data centers hosted locally in the EU, US, Canada, and Singapore. Each Customer is responsible for designating the data center location for hosting their Customer Data for use in the Galvanize products. Galvanize holds the encryption keys for storage of Customer Data at rest. If a Customer has selected the EU region as their hosting center, data and encryption keys are stored locally in Germany (with the exception of user login details – see next paragraph). AWS US does not have access to Customer Data stored in the EU.
- Galvanize uses SalesForce as a Customer Relationship Management Service and a sub-processor for storage of user login details (ie, email, first name and last name) via our Launchpad portal. User login details are stored in the United States. Galvanize holds the encryption keys for storage at rest for Customers’ user login details and basic Customer business information. The only personal data that is accessed in the US or passes through the US, is a user’s email address, first name and last name.
- Galvanize and RSAM have written agreements with its sub-processors which meet the requirements of GDPR and the SCC’s. These agreements include both DPA’s and SCC’s with each sub-processor.
How does Galvanize respond to Government requests?
- A government order or subpoena can only be issued in accordance with the appropriate legal processes in the appropriate jurisdictions. All such orders would be reviewed by Galvanize and, where applicable, by AWS, to determine to what extent, if any, Galvanize or AWS is required to comply with such order. Galvanize will seek legal advice on the required disclosure and to determine if we are permitted to notify customers when we receive such orders or subpoenas. Unless Galvanize or AWS is prohibited from doing so by applicable laws or the governmental order, Galvanize or AWS will notify customers before disclosing Customer Data, so the customer may take the necessary steps to object or seek protection from disclosure.
If you have any questions regarding Galvanize’s Privacy and Data Protection, please visit https://www.wegalvanize.com/trust/privacy.html or email us at firstname.lastname@example.org.