Where applicable, a separate agreement may govern the delivery, access, and use of the Platform, Services and Mobile Apps (the “Client Agreement”), including the processing of Personal Information and data submitted through employer-based accounts (“Clients”). The Client that entered into the Client Agreement with Namely may authorize Us to collect, process, and store your personal information and associated Client data. If you have any questions about specific Platform settings or what information Namely has been authorized by Client to process on your behalf, you may contact Namely at the contact information in this notice or your Client administrator for the Platform and/or Services applicable to you and the collection of your Personal Information.
We generally collect and process the following types of Personal Information:
Account-Related Personal Information. When using the Site, Platform, or Services, you or your employer may choose to provide Us with certain Personal Information, such as your name, profile photograph, employment details, email address, phone number, and other contact information. While provision of much of your Personal Information is mandatory for use of the Platform and Services, certain Personal Information collected for account-related purposes is elective and you or your employer may choose to provide or not at your discretion. Any account-related Personal Information you or your employer provide is used to: (i) provide login information to the Platform as well as to carry out Platform processing functions and the Services Namely has been contracted to provide by your employer; (ii) communicate with you by responding to your requests, comments and questions; (iii) improve the Site; and (iv) perform various account functions provided by Namely. The GDPR and UK GDPR legal basis for processing this information is: (a) the legitimate interest in communicating with you and improving the Site; and (b) the contractual obligation to perform the Services.
Contact Information When you express an interest in obtaining additional information about the Site, Platform, or Services, Namely may ask you to provide your personal contact information, such as your name, email address, and phone number. This information is used to communicate with you by responding to your requests, comments, and questions. The GDPR and UK GDPR legal basis for processing this information is the legitimate interest in communicating with you and answering your questions.
Device Information. When using the Platform, We may request access to your device’s camera and photo storage. This allows you to take and upload pictures and such access would only be used in ways you choose. You may at any time revoke access at the device level. We do not access your device’s camera and photo storage without your permission. We use mobile analytics software to allow Us to better understand the functionality of the Platform on your phone or computer. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information We store within the analytics software to any Personal Information you submit within the Platform. When you download or access the Platform, We automatically collect your device information such as operating system version, type, hardware usage statistics, etc. The GDPR and UK GDPR legal basis for processing this information is the contractual obligation to your employer to provide access to the Platform and to perform certain Services.
Log Data. As is true of most websites and platforms, We gather certain information automatically when you visit the Site or access the Platform. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on Our Site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site. The GDPR and UK GDPR legal basis for processing this information is the legitimate interest in improving the relevance of the Site, the Platform, and performing certain Services.
Single Sign-On. You can log in to the Platform using sign-in services such as Log in With Google or an Open ID provider. These services will authenticate your identity and provide you the option to share certain Personal Information with Us such as your name and email address to pre-populate Our sign-up form.
Blog, Testimonials, and Referrals. The Site offers publicly accessible blogs or community forums. You should be aware that any information you elect to provide in these areas (including comments) may be read, collected, and used by others who access them. We display personal testimonials of satisfied customers on the Site in addition to other endorsements. With your consent, We may post your testimonial along with your name. In addition to your other rights, if you wish to update or delete your testimonial, you can contact Us at firstname.lastname@example.org. If you choose to use Our referral service to tell a friend about the Site, We will ask you for your friend’s name and email address. You must have the consent of your friend before using this service. We will automatically send your friend a one-time email inviting them to visit the Site. Namely stores this information for the sole purpose of sending this one-time email and tracking the success of Our referral program In addition to their other rights, your friend may contact Us at email@example.com to request that We remove this information from our database. The GDPR and UK GDPR legal basis for processing this information is your consent.
Information Shared with Our Subprocessors.
We employ and contract with individuals and other entities that perform certain tasks on Our behalf. These individuals and entities may in some instances collect your data on Our behalf and pursuant to their contractual obligations with Us and in accordance with Our established privacy and security standards (collectively, “Subprocessors”). Our subprocessors include, but are not limited to email service providers, data storage providers, and other services that support the Site, Platform and certain Services provided to you or your employer. We may need to share Personal Information with Our Subprocessors in order to provide the Site, access to the Platform, or the Services to you. Unless We tell you differently, Our Subprocessors do not have any right to use Personal Information or other information We share with them beyond what is necessary to assist Us in the provision of Services on your or your employer’s behalf. Transfers of your data to Subprocessors are carried out pursuant to subprocessor agreements between Namely and each Subprocessor. A list of Namely Subprocessors that process Personal Information of individuals located in the EU, the UK, and Switzerland may be found here and may be updated from time to time at our discretion and, where applicable, pursuant to a processing agreement between Namely and your employer.
Information Shared with Our Service Providers.
We may share your information with entities with which Namely has contracted to provide certain services to Us (“Service Providers”) on your or your employer’s behalf. These Service Providers are authorized to use your Personal Information only as necessary to provide the contracted services to Namely, and in furtherance of such services, and may not collect, sell, retain or use your Personal Information except in such context. These services may include, but are not limited to the provision of: (i) email services to send marketing communications; (ii) mapping services; (iii) customer service or support; and (iv) verification of your income and employment.
Information Disclosed Pursuant to Business Transfers.
Information Disclosed for Our Protection and the Protection of Others.
We require all Third Parties, Subprocessors, Service Providers and subcontractors to respect the security of your Personal Information and to treat it in accordance with applicable laws. We do not allow Subprocessors and subcontractors to use your Personal Information for their own purposes and only permit them to process your Personal Information for a specified purposes in accordance with Our instructions or the provision of services on Namely’s behalf, and strictly as detailed herein.
Subject to applicable law or regulation, in certain cases, We will retain your Personal Information and the Personal Information We process on your or your employer’s behalf for as long as your account is active or as needed to provide you or your employer’s access to the Platform or to perform certain Services in accordance with Namely data retention policies, and as necessary to comply with Our legal obligations, resolve disputes, and enforce Our agreements. In certain cases, and as detailed further herein, you may request removal of your Personal Information by contacting firstname.lastname@example.org. In order to determine whether or not we are required to retain your Personal Information, your right to removal of your Personal Information is subject to applicable law or regulation, and may be further subject to Namely’s obligation on behalf of your employer who authorized the collection of your Personal Information to provide access to the Platform or to provide certain Services.
The security of your Personal Information and Our Clients’ information is important to Us. We put in place appropriate technical and organizational measures to ensure your Personal Information is kept secure and protected from unauthorized access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations. When you enter sensitive information (such as login credentials), We encrypt the transmission of that information using Transport Layer Security (TLS). We follow generally accepted standards to protect the Personal Information submitted to Us, both during transmission and once We receive it. When We share your Personal Information with SSubprocessors, Service Providers, subcontractors or other Third Parties, We base our selection on said partners having adequate safeguards in place as detailed herein and that meet Our data protection standards. We ensure their compliance with such standards and incorporate contractual provisions ensuring compliance with: (i) such standards; and (ii) applicable data privacy laws and regulations.
If you have any questions about security on the Site, the Platform, or in Our provision of Services, you can contact Us at email@example.com.
Certain EU and UK residents have additional privacy rights as provided in the GDPR or the UK GDPR. For such residents, We will collect, process, and store your Personal Information strictly in accordance with the applicable GDPR regulation. The GDPR further governs the transfer of subject personal information from certain countries outside of the EU, while the UK GDPR governs the transfer of subject Personal Information from the UK to jurisdictions outside of the UK, including the US. Namely is based in the US, the Site and Platform servers are hosted in the US, and many of Namely’s suppliers and Subprocessors are also based in the US or otherwise outside of the EU and the UK. In providing your Personal Information to Namely, your Personal Information will be sent to the US (or otherwise outside of the EU or the UK). In such cases, Namely will transfer such data in accordance with the GDPR or the UK GDPR and the following transfer mechanisms:
European Union Model Clauses. At your employer’s request, Namely shall enter into European Union Model Contractual Clauses, also known as Standard Contractual Clauses, to meet the adequacy, privacy, and security requirements for organizations that operate in the EU or the UK, and other international transfers of Personal Information (as provided in the Agreement between Namely and Client).
The EU-US and Swiss-US Privacy Shield Frameworks as designed by the US Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide subject-organization with a mechanism to comply with data protection requirements when transferring Personal Information from the European Union and Switzerland to the United States in support of transatlantic commerce.
Namely continues to participate in and remains certified in its compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Although this framework as implemented in 2018 was invalidated by the Court of Justice of the EU (“CJEU”) in July 2020 and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) in September 2020, We will continue to maintain Privacy Shield certification. We will rely, where applicable and as instructed by your employer, on the Standard Contractual Clauses, and secondarily, and only as may be permitted by applicable law, on the Privacy Shield as Our transfer mechanism for EU - US, UK - US, and Swiss - US data transfers. Should you or your employer wish to understand which transfer mechanism applies to the transfer of the Personal Information collected on behalf of your organization by Namely, please contact Us at firstname.lastname@example.org. In certain situations, We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. To address the CJEU decision of July 2020 as it relates to state authority to access Personal Information by law enforcement agencies, Namely has adopted the following law enforcement policy.
Namely is responsible for the processing of Personal Information it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Namely complies with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, the UK, and Switzerland, including the onward transfer liability provisions.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, Namely is subject to the regulatory enforcement powers of the US Federal Trade Commission. To learn more about the Privacy Shield Frameworks and their adequacy, and to view Our certification, visit the US Department of Commerce’s Privacy Shield List.
If you have an unresolved privacy or data use concern that We have not addressed satisfactorily, please contact Our US-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield Website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain individuals residing in the EU, the UK, or Switzerland additional rights over Our use of your Personal Information. Namely respects your control over your information and, in the event that you have provided Personal Information to Us in your use of the Site, We will, in consultation with your employer provide you with information about whether We hold any of your Personal Information as We detail below. If you are located in the EU, UK, or Swiss citizen or national, you may access, correct, or request deletion of your Personal Information by contacting Us at email@example.com. We will respond to your request within a reasonable timeframe, and subject to applicable law or regulation.
As a preliminary matter, when providing access to the Platform or in Our provision of certain Services to you or your employer and/or when collecting your Personal Information at the direction and instruction of your employer in order to provide access to the Platform or in Our provision of certain Services, Namely may have no direct relationship with the individuals whose Personal Information is provided to Namely through the Platform and/or the provision of Services. If you seek access to, seek to correct, amend, object to the processing or profiling of, or to delete your Personal Information in the Platform, you should first direct your query to your employer’s HR department to understand if the collection of your Personal Information is required by your employer to be processed by Us in providing you or your employer access to the Platform or the provision of certain Services. If your query is directed to Us, in certain cases, Namely may direct your subject access rights request to your employer for further instructions as to whether Namely may carry out such request.
If located in the EU, the UK, or Switzerland, you have the following rights regarding your Personal Information We control:
Right of Access.
You can request details of your Personal Information We hold. In coordination with your employer, we will confirm whether We are processing your Personal Information and We will disclose additional information including the types of Personal Information, the sources it originated from, the purpose and legal basis for the processing, the expected retention period and the safeguards regarding data transfers, subject to the limitations set out in applicable laws and regulations. Where applicable We will provide you free of charge with a copy of your Personal Information but We may charge you a fee to cover Our administrative costs if you request further copies of the same information.
Right of correction.
At your request, and in coordination with your employer, We will correct incomplete or inaccurate parts of your Personal Information, although We may need to verify the accuracy of the new information you provide to Us.
Right to be forgotten.
At your request, and in coordination with your employer, We will delete your Personal Information if:
We will decline your request for deletion if processing of your Personal Information is necessary: (i) for Us to comply with Our legal obligations; (ii) for the establishment, exercise or defense of legal claims; (iii) for the performance of a task in the public interest; or (iv) we are directed by your employer to continue to use your Personal Information to provide access to the Platform or to perform certain Services on your or your employer’s behalf.
We may continue to store your Personal Information to the extent required to ensure that your request to restrict processing is respected in the future.
Right to object.
Where We rely on Our legitimate interests (or that of a third party) to process your Personal Information, you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will coordinate with your employer to comply with your request unless We have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims. We will always comply with your objection to processing your Personal Information for direct marketing purposes.
Right not to be subject to decisions based solely on automated processing.
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal Information, unless you have given Us your explicit consent or where they are necessary for the performance of a contract with Us and at the direction of your employer.
Usually, We will not charge you any fees in connection with the exercise of your rights. If your request is manifestly unfounded or excessive, for example, because of its repetitive character, We may charge a reasonable fee, taking into account the administrative costs of dealing with your request. If We refuse your request We will, in coordination with your employer, notify you of the relevant reasons.
In so far as practicable, We will notify your employer and third parties to whom We have disclosed your Personal Information with any correction, deletion, and/or restriction to the processing of your Personal Information. Please note that We cannot guarantee your employer or other third parties will comply with your requests and We encourage you to contact them directly.
Please note that if you decide to exercise some or all of your rights, We may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of the Site, Platform, and Services.
If you are not satisfied with Our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against Us in any court of competent jurisdiction.
VeraSafe has been appointed as Our representative in the European Union for data protection matters relating to Personal Information of persons located in the EU, pursuant to Article 27 of the GDPR and Article 27 of the UK GDPR. VeraSafe can be contacted only on matters related to the processing of Personal Information of persons located in the EU or the UK as provided below. To make such an inquiry, please contact VeraSafe using this contact form:
Alternatively, VeraSafe can be contacted at, for individuals residing in the EU:
VeraSafe Ireland Ltd Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland
And VeraSafe may be contacted at, for individuals residing in the UK:
Alternatively, VeraSafe may be contact at, for individuals residing in the UK:
VeraSafe United Kingdom Ltd. 37 Albert Embankment London SE1 7TL United Kingdom
Namely uses your contact information to send marketing communications from Us, such as communications relating to promotions. You may opt out of receiving such communications at any time by using the “Unsubscribe” link found in such emails, or by emailing Us at firstname.lastname@example.org. In the context of Us providing you marketing, We may analyze your preferences to make sure the information We provide you is relevant.
California residents have certain privacy rights as specified under California law, including the California Consumer Privacy Act of 2018 (“CCPA”). If you are a resident of California, you have the right to know what Personal Information has been collected about you, and to access that information. You have the right to request deletion of your personal information, though exceptions under the CCPA may allow Namely to retain and use certain personal information notwithstanding your deletion request.
Namely collects various categories of Personal Information when you or your employer use the Namely Platform or Services, including location information, log data, tracking information, and personal information related to your employment. A more detailed description of the information Namely collects and how we use it is provided above in the sections entitled: Information We Collect and Receive About You and How We Use It, Other Information, and How, and With Whom, Your Information Is Shared.
In addition to Our collection of your Personal Information, Namely may engage certain Subprocessors, Service Providers, Third Parties and subcontractors to perform a function or provide services to you on behalf of Namely including hosting and maintenance, error monitoring, debugging, performance monitoring, billing, customer and account relationship management, database storage and management, and direct marketing campaigns. Namely may share your Personal Information with these Third Parties, Subprocessors, Service Providers and subcontractors, but only to the extent necessary to perform these functions and provide access to the Site, or Platform, and to provide such Services as detailed herein. Namely requires these organizations to maintain the privacy and security of the Personal Information they process on our behalf, as detailed further in the section entitled: Information We Collect and Receive About You and How We Use It.
Namely does not sell your Personal Information when you use the Namely Platform or when you use a Namely Service and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law. Namely does not offer financial incentives associated with the collection, use, or disclosure of your personal information.
Service Providers Namely may share Personal Information with organizations or individuals that provide certain services to Us. These services may include, but are not limited to the following activities: (i) email services to send marketing communications; (ii) mapping services; (iii) customer service or support; and (iv) verification of your income and employment. Service Providers may only process Personal Information as instructed by Namely and are expressly obligated not to use, disclose, or retain such Personal Information for any other purpose except as strictly instructed by Namely.
Namely will not discriminate against you for exercising any of your CCPA rights. To this end, unless permitted by the CCPA, Namely will not:
To exercise your rights under the CCPA please submit a verifiable consumer request to Namely by either calling Namely at 1-855-626-3591 by or emailing us at email@example.com. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your Personal Information. You may only make a verifiable consumer request for access to your data twice within a twelve (12) month period. Your verifiable consumer request must:
In certain cases, Namely collects and processes Personal Information on you at the contractual obligation of your employer. In order to respond to a verified request, Namely may be required to provide notice to your employer of your request, and to follow your employer’s instructions as they relate to carrying out your request. Namely cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm that the Personal Information relates to you. Making a verifiable request does not require you to create an account, but we may ask you to verify your request by logging into your account if you have one. We will only use Personal Information provided by a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Effective Date: March 1, 2021.