Where applicable, a separate agreement may govern the delivery, access, and use of the Platform, Services and Mobile Apps (the “Client Agreement”), including the processing of Personal Information and data submitted through employer-based accounts (“Clients”). The Client that entered into the Client Agreement with Namely may authorize Us to collect, process, and store your Personal Information and associated Client data. If you have any questions about specific Platform settings or what information Namely has been authorized by Client to process on your behalf, you may contact Namely at the contact information in this notice or your Client administrator for the Platform and/or Services applicable to you and the collection of your Personal Information.
We generally collect and process the following types of Personal Information:
Account-Related Personal Information. When using the Site, Platform, or Services, you or your employer may choose to provide Us with certain Personal Information, such as your name, profile photograph, employment details, email address, phone number, and other contact information. While provision of much of your Personal Information is mandatory for use of the Platform and Services, certain Personal Information collected for account-related purposes is elective and you or your employer may choose to provide or not at your discretion. Any account-related Personal Information you or your employer provide is used to: (i) provide login information to the Platform as well as to carry out Platform processing functions and the Services Namely has been contracted to provide by your employer; (ii) communicate with you by responding to your requests, comments and questions; (iii) improve the Site; and (iv) perform various account functions provided by Namely. The GDPR and UK GDPR legal basis for processing this information is: (a) the legitimate interest in communicating with you and improving the Site; and (b) the contractual obligation to perform the Services.
Contact Information When you express an interest in obtaining additional information about the Site, Platform, or Services, Namely may ask you to provide your personal contact information, such as your name, email address, and phone number. This information is used to communicate with you by responding to your requests, comments, and questions. The GDPR and UK GDPR legal basis for processing this information is the legitimate interest in communicating with you and answering your questions.
Device Information. When using the Platform, We may request access to your device’s camera and photo storage. This allows you to take and upload pictures and such access would only be used in ways you choose. You may at any time revoke access at the device level. We do not access your device’s camera and photo storage without your permission. We use mobile analytics software to allow Us to better understand the functionality of the Platform on your phone or computer. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information We store within the analytics software to any Personal Information you submit within the Platform. When you download or access the Platform, We automatically collect your device information such as operating system version, type, hardware usage statistics, etc. The GDPR and UK GDPR legal basis for processing this information is the contractual obligation to your employer to provide access to the Platform and to perform certain Services.
Log Data. As is true of most websites and platforms, We gather certain information automatically when you visit the Site or access the Platform. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on Our Site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site. The GDPR and UK GDPR legal basis for processing this information is the legitimate interest in improving the relevance of the Site, the Platform, and performing certain Services.
Single Sign-On. You can log in to the Platform using sign-in services such as Log in With Google or an Open ID provider. These services will authenticate your identity and provide you the option to share certain Personal Information with Us such as your name and email address to pre-populate Our sign-up form.
Blog, Testimonials, and Referrals. The Site offers publicly accessible blogs or community forums. You should be aware that any information you elect to provide in these areas (including comments) may be read, collected, and used by others who access them. We display personal testimonials of satisfied customers on the Site in addition to other endorsements. With your consent, We may post your testimonial along with your name. In addition to your other rights, if you wish to update or delete your testimonial, you can contact Us at email@example.com. If you choose to use Our referral service to tell a friend about the Site, We will ask you for your friend’s name and email address. You must have the consent of your friend before using this service. We will automatically send your friend a one-time email inviting them to visit the Site. Namely stores this information for the sole purpose of sending this one-time email and tracking the success of Our referral program In addition to their other rights, your friend may contact Us at firstname.lastname@example.org to request that We remove this information from our database. The GDPR and UK GDPR legal basis for processing this information is your consent.
Information Shared with Our Subprocessors.
We employ and contract with individuals and other entities that perform certain tasks on Our behalf. These individuals and entities may in some instances collect your data on Our behalf and pursuant to their contractual obligations with Us and in accordance with Our established privacy and security standards (collectively, “Subprocessors”). Our subprocessors include, but are not limited to email service providers, data storage providers, and other services that support the Site, Platform and certain Services provided to you or your employer. We may need to share Personal Information with Our Subprocessors in order to provide the Site, access to the Platform, or the Services to you. Unless We tell you differently, Our Subprocessors do not have any right to use Personal Information or other information We share with them beyond what is necessary to assist Us in the provision of Services on your or your employer’s behalf. Transfers of your data to Subprocessors are carried out pursuant to subprocessor agreements between Namely and each Subprocessor. A list of Namely Subprocessors that process Personal Information of individuals located in the EU, the UK, and Switzerland may be found here and may be updated from time to time at our discretion and, where applicable, pursuant to a processing agreement between Namely and your employer.
Information Shared with Our Service Providers.
We may share your information with entities with which Namely has contracted to provide certain services to Us (“Service Providers”) on your or your employer’s behalf. These Service Providers are authorized to use your Personal Information only as necessary to provide the contracted services to Namely, and in furtherance of such services, and may not collect, sell, retain or use your Personal Information except in such context. These services may include, but are not limited to the provision of: (i) email services to send marketing communications; (ii) mapping services; (iii) customer service or support; and (iv) verification of your income and employment.
Information Disclosed Pursuant to Business Transfers.
Information Disclosed for Our Protection and the Protection of Others.
We require all Third Parties, Subprocessors, Service Providers and subcontractors to respect the security of your Personal Information and to treat it in accordance with applicable laws. We do not allow Subprocessors and subcontractors to use your Personal Information for their own purposes and only permit them to process your Personal Information for specified purposes in accordance with Our instructions or the provision of services on Namely’s behalf, and strictly as detailed herein.
Subject to applicable law or regulation, in certain cases, We will retain your Personal Information and the Personal Information We process on your or your employer’s behalf for as long as your account is active or as needed to provide you or your employer’s access to the Platform or to perform certain Services in accordance with Namely data retention policies, and as necessary to comply with Our legal obligations, resolve disputes, and enforce Our agreements. In certain cases, and as detailed further herein, you may request removal of your Personal Information by contacting email@example.com. In order to determine whether or not we are required to retain your Personal Information, your right to removal of your Personal Information is subject to applicable law or regulation, and may be further subject to Namely’s obligation on behalf of your employer who authorized the collection of your Personal Information to provide access to the Platform or to provide certain Services.
The security of your Personal Information and Our Clients’ information is important to Us. We put in place appropriate technical and organizational measures to ensure your Personal Information is kept secure and protected from unauthorized access, use, disclosure, alteration or destruction, in accordance with applicable laws and regulations. When you enter sensitive information (such as login credentials), We encrypt the transmission of that information using Transport Layer Security (TLS). We follow generally accepted standards to protect the Personal Information submitted to Us, both during transmission and once We receive it. When We share your Personal Information with Subprocessors, Service Providers, subcontractors or other Third Parties, We base our selection on said partners having adequate safeguards in place as detailed herein and that meet Our data protection standards. We ensure their compliance with such standards and incorporate contractual provisions ensuring compliance with: (i) such standards; and (ii) applicable data privacy laws and regulations.
If you have any questions about security on the Site, the Platform, or in Our provision of Services, you can contact Us at firstname.lastname@example.org.
Certain EU and UK residents have additional privacy rights as provided in the GDPR or the UK GDPR. For such residents, We will collect, process, and store your Personal Information strictly in accordance with the applicable GDPR regulation. The GDPR further governs the transfer of subject personal information from certain countries outside of the EU, while the UK GDPR governs the transfer of subject Personal Information from the UK to jurisdictions outside of the UK, including the US. Namely is based in the US, the Site and Platform servers are hosted in the US, and many of Namely’s suppliers and Subprocessors are also based in the US or otherwise outside of the EU and the UK. In providing your Personal Information to Namely, your Personal Information will be sent to the US (or otherwise outside of the EU or the UK). In such cases, Namely will transfer such data in accordance with the GDPR or the UK GDPR and the following transfer mechanisms:
European Union Model Clauses. At your employer’s request, Namely shall enter into European Union Model Contractual Clauses, also known as Standard Contractual Clauses, to meet the adequacy, privacy, and security requirements for organizations that operate in the EU or the UK, and other international transfers of Personal Information (as provided in the Agreement between Namely and Client).
The EU-US and Swiss-US Privacy Shield Frameworks as designed by the US Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide subject-organization with a mechanism to comply with data protection requirements when transferring Personal Information from the European Union and Switzerland to the United States in support of transatlantic commerce.
Namely continues to participate in and remains certified in its compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Although this framework as implemented in 2018 was invalidated by the Court of Justice of the EU (“CJEU”) in July 2020 and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) in September 2020, We will continue to maintain Privacy Shield certification. We will rely, where applicable and as instructed by your employer, on the Standard Contractual Clauses, and secondarily, and only as may be permitted by applicable law, on the Privacy Shield as Our transfer mechanism for EU - US, UK - US, and Swiss - US data transfers. Should you or your employer wish to understand which transfer mechanism applies to the transfer of the Personal Information collected on behalf of your organization by Namely, please contact Us at email@example.com. In certain situations, We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. To address the CJEU decision of July 2020 as it relates to state authority to access Personal Information by law enforcement agencies, Namely has adopted the following law enforcement policy.
Namely is responsible for the processing of Personal Information it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Namely complies with the Privacy Shield Principles for all onward transfers of Personal Information from the EU, the UK, and Switzerland, including the onward transfer liability provisions.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, Namely is subject to the regulatory enforcement powers of the US Federal Trade Commission. To learn more about the Privacy Shield Frameworks and their adequacy, and to view Our certification, visit the US Department of Commerce’s Privacy Shield List.
If you have an unresolved privacy or data use concern that We have not addressed satisfactorily, please contact Our US-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield Website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain individuals residing in the EU, the UK, or Switzerland additional rights over Our use of your Personal Information. Namely respects your control over your information and, in the event that you have provided Personal Information to Us in your use of the Site, We will, in consultation with your employer provide you with information about whether We hold any of your Personal Information as We detail below. If you are located in the EU, UK, or Swiss citizen or national, you may access, correct, or request deletion of your Personal Information by contacting Us at firstname.lastname@example.org. We will respond to your request within a reasonable timeframe, and subject to applicable law or regulation.
As a preliminary matter, when providing access to the Platform or in Our provision of certain Services to you or your employer and/or when collecting your Personal Information at the direction and instruction of your employer in order to provide access to the Platform or in Our provision of certain Services, Namely may have no direct relationship with the individuals whose Personal Information is provided to Namely through the Platform and/or the provision of Services. If you seek access to, seek to correct, amend, object to the processing or profiling of, or to delete your Personal Information in the Platform, you should first direct your query to your employer’s HR department to understand if the collection of your Personal Information is required by your employer to be processed by Us in providing you or your employer access to the Platform or the provision of certain Services. If your query is directed to Us, in certain cases, Namely may direct your subject access rights request to your employer for further instructions as to whether Namely may carry out such request.
If located in the EU, the UK, or Switzerland, you have the following rights regarding your Personal Information We control:
Right of Access.
You can request details of your Personal Information We hold. In coordination with your employer, We will confirm whether We are processing your Personal Information and We will disclose additional information including the types of Personal Information, the sources it originated from, the purpose and legal basis for the processing, the expected retention period and the safeguards regarding data transfers, subject to the limitations set out in applicable laws and regulations. Where applicable We will provide you free of charge with a copy of your Personal Information but We may charge you a fee to cover Our administrative costs if you request further copies of the same information.
Right of correction.
At your request, and in coordination with your employer, We will correct incomplete or inaccurate parts of your Personal Information, although We may need to verify the accuracy of the new information you provide to Us.
Right to be forgotten.
At your request, and in coordination with your employer, We will delete your Personal Information if:
We will decline your request for deletion if processing of your Personal Information is necessary: (i) for Us to comply with Our legal obligations; (ii) for the establishment, exercise or defense of legal claims; (iii) for the performance of a task in the public interest; or (iv) we are directed by your employer to continue to use your Personal Information to provide access to the Platform or to perform certain Services on your or your employer’s behalf.
We may continue to store your Personal Information to the extent required to ensure that your request to restrict processing is respected in the future.
Right to object.
Where We rely on Our legitimate interests (or that of a third party) to process your Personal Information, you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will coordinate with your employer to comply with your request unless We have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims. We will always comply with your objection to processing your Personal Information for direct marketing purposes.
Right not to be subject to decisions based solely on automated processing.
You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal Information, unless you have given Us your explicit consent or where they are necessary for the performance of a contract with Us and at the direction of your employer.
Usually, We will not charge you any fees in connection with the exercise of your rights. If your request is manifestly unfounded or excessive, for example, because of its repetitive character, We may charge a reasonable fee, taking into account the administrative costs of dealing with your request. If We refuse your request We will, in coordination with your employer, notify you of the relevant reasons.
In so far as practicable, We will notify your employer and third parties to whom We have disclosed your Personal Information with any correction, deletion, and/or restriction to the processing of your Personal Information. Please note that We cannot guarantee your employer or other third parties will comply with your requests and We encourage you to contact them directly.
Please note that if you decide to exercise some or all of your rights, We may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of the Site, Platform, and Services.
If you are not satisfied with Our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against Us in any court of competent jurisdiction.
VeraSafe has been appointed as Our representative in the European Union for data protection matters relating to Personal Information of persons located in the EU, pursuant to Article 27 of the GDPR and Article 27 of the UK GDPR. VeraSafe can be contacted only on matters related to the processing of Personal Information of persons located in the EU or the UK as provided below. To make such an inquiry, please contact VeraSafe using this contact form:
Alternatively, VeraSafe can be contacted at, for individuals residing in the EU:
VeraSafe Ireland Ltd Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland
And VeraSafe may be contacted at, for individuals residing in the UK:
Alternatively, VeraSafe may be contact at, for individuals residing in the UK:
VeraSafe United Kingdom Ltd. 37 Albert Embankment London SE1 7TL United Kingdom
Namely uses your contact information to send marketing communications from Us, such as communications relating to promotions. You may opt out of receiving such communications at any time by using the “Unsubscribe” link found in such emails, or by emailing Us at email@example.com. In the context of Us providing you marketing, We may analyze your preferences to make sure the information We provide you is relevant.
Namely collects various categories of California Personal Information when you or your employer use the Namely Platform or Services, including location information, log data, tracking information, and personal information related to your employment. Namely may use your California Personal Information for permitted business purposes, such as providing services requested by you or your employer, improving our product, protecting the rights, property or safety of Namely, our Clients or others, and responding to law enforcement requests. A more detailed description of the information Namely collects or shares, or has collected or shared in the past twelve months, and how We use it is provided above in the sections entitled:Information We Collect and Receive About You and How We Use It, Other Information, and How, and With Whom, Your Information Is Shared. In the preceding twelve months, Namely collected the following categories of California Personal Information:
|Category||Examples||Collected ? (Y/N)|
|A. Identifiers||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.||Y|
|B. Personal Information as defined in Cal. Civ. Code § 1798.80(e)||A name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information (see Cal. Civ. Code § 1798.80(e)).||Y|
|C. Protected Classification||Characteristics of protected classifications under California or federal law (i.e., age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).||Y|
|D. Commercial Information||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||N|
|E. Biometric Information||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||N|
|F. Internet or other similar activity||Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.||Y|
|G. Geolocation Data||Physical location or movements.||N|
|H. Sensory Data||Audio, electronic, visual, thermal, olfactory, or similar information||N|
|I. Professional or employment related information||Current or past job history or performance evaluations.||Y|
|J. Non-public education information||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||N|
|K. Inferences drawn from other PI||Profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||Y|
|L. Sensitive Personal Information||Social Security Number, Driver’s License Number, State ID or Passport Number; Racial or ethnic origin, religious or philosophical belief, or union membership||Y|
Namely may disclose your California Personal Information to Third Parties, Subprocessors, Service Providers and subcontractors for a business purpose. In the preceding twelve months, Namely has disclosed California Personal Information in categories A, B, C, F, I, K and L to these Third Parties, Subprocessors, Service Providers and subcontractors. In the preceding twelve months, Namely has not sold or shared any California Personal Information.
Your Rights and Choices. California privacy laws provide California consumers with specific rights regarding their California Personal Information. This section describes your rights under those laws and explains how to exercise those rights.
Right of Access to Specific Information and Data Portability Rights. You have the right to request that We disclose certain information to you about our collection and use of your personal information over the past twelve months. Once We receive and confirm your verifiable consumer request (see “Exercising Your California Consumer Privacy” section below), We will disclose to you:
To the extent a business sells or shares California Personal Information, a consumer shall have the right to request the business to identify, during the past 12 months: (1) categories of Personal Information that the business sold or shared, and (2) categories of Personal Information disclosed for business purpose and each category of recipient. The sale or sharing California Personal Information as defined under the California Privacy Laws is not applicable to how We collect or use your Personal Information. However, We have described this right as it is a core part of your rights as a California consumer.
Right to Deletion. You have the right to request that We delete any of your California Personal Information that We collected from you and retained, subject to certain exceptions and as permitted under the California Privacy Laws. Once We receive and confirm your verifiable consumer request (see “Exercising Your California Consumer Privacy” section below), We will delete (and direct our service providers to delete) your California Personal Information from our records, unless an exception applies.
Right to Opt-out of “Sale” and Certain “Sharing” Practices: You have the right to opt-out of certain data sharing practices with third parties, who may use your California Personal Information solely for their own purposes. Your right to opt-out is limited to information We “sell” or “share” to these third parties. “Sell” in this case does not mean providing data in exchange for money – we don’t do that. “Sell” or “sharing” instead means the disclosure or release of Personal Information, including technical device data that does not identify you directly but can be attributed back to identify you, when a third party might use that data for its own purposes, such as for personalized advertising or cross-context behavioral advertising, whether or not for monetary or other valuable consideration. You may opt out by using the contact information set out in the section “Exercising Your California Consumer Privacy Rights” below.
If you are sixteen (16) years of age or older, you have the right to direct us to not sell your California Personal Information at any time (the “right to opt-out”). Our business, as a business-to-business provider, is targeted to business professionals. Therefore, We do not knowingly collect or sell the California Personal Information of consumers We actually know are less than sixteen (16) years of age. Consumers who opt-in to California Personal Information sales may opt out of future sales at any time.
Right to Correct. You have the right to correct inaccurate Personal. Our goal is to keep your Personal Information accurate, current and complete. If you believe your Personal Information is not accurate (other than Personal Information stored in your account that you may modify at any time), you may submit a request by using the contact information set out in the section “Exercising Your California Consumer Privacy Rights” below.
Right to Limit Use and Disclosure of Sensitive Personal Information. In cases where We collect “sensitive personal information” as defined under California Privacy Laws, you have a right to limit the use of sensitive personal information to uses necessary to perform services or provide goods reasonably expected by an average consumer.
Right to Non-Discrimination. Namely will not discriminate against you for exercising any of your CCPA rights. To this end, unless permitted by the CCPA, Namely will not:
Exercising Your California Consumer Privacy Rights. To exercise your rights under the CCPA please submit a verifiable consumer request to Namely by either calling Namely at 1-855-626-3591 by or emailing us at firstname.lastname@example.org. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf may make a verifiable consumer request related to your Personal Information. You may only make a verifiable consumer request for access to your data twice within a twelve (12) month period. Your verifiable consumer request must:
In certain cases, Namely collects and processes Personal Information on you at the contractual obligation of your employer. In order to respond to a verified request, Namely may be required to provide notice to your employer of your request, and to follow your employer’s instructions as they relate to carrying out your request. Namely cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm that the Personal Information relates to you. Making a verifiable request does not require you to create an account, but we may ask you to verify your request by logging into your account if you have one. We will only use Personal Information provided by a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Effective Date: December 20, 2022.