Definitions

In this Privacy Notice, “us”, “we” and “our” refers to RiskOptics, Inc. and our affiliates listed on this page (collectively “RiskOptics”).
“Communications information” means records of any correspondence and communications including the content of your message, the date and time and our response if you contact us or raise a question with us.

“Background check information” means a comprehensive collection of data that encompasses an individual’s criminal information, previous employment details, previous educational history, and a social security trace. It includes records of arrests, convictions, pending charges, court proceedings, employment dates, job titles, responsibilities, performance evaluations, references, reasons for leaving previous positions, schools attended, degrees earned, areas of study, academic achievements, certifications obtained, and a verification of the individual’s social security number (SSN) with associated names, addresses, and employment history.

“Contact information” means information that is typically used to contact you, such as your first and last name, business and/or personal email address, business and/or personal telephone number(s), and your employer’s physical address.

“Information about your Services usage or Site visit” includes information that lets us know how you navigate and use our Site and Services. This may include mouse movements, clicks, and scrolls. This may also include Uniform Resource Locators (URL), Clickstream to and through our Site (but not from our Site), Page response times and download errors, Page interaction information (such as scrolling, clicks, frequency and length of visits, types of content viewed or engaged with).

“Marketing information” means your marketing communication preferences.
“Personal Information” means any information relating to an identified or identifiable individual. Please read the following carefully to understand our views and practices regarding your Personal Information and how we will treat it.

“Process” means the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.

“Professional Information” may include job title, title level, title function, company name, and which subject matter you are interested in.
“Sensitive Personal Information” means information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life, or sexual orientation. Included within this definition shall also be any information that relates to a person’s account login, finances, including financial accounts, debit or credit card in combination with any required security or access code, password, or credentials allowing access to an account, financial ownership, financial transactions, and/or financial credit. Lastly, Sensitive Information shall also mean a person’s social security, driver’s license, state identification card, or passport number, date of birth, precise geolocation, the contents of a consumer’s mail, email, and text messages unless RiskOptics is the intended recipient of the communication, genetic data, biometric information for the purpose of uniquely identifying a consumer, information concerning a person’s health, sex life, or sexual orientation. Excluded from this definition is information that is publicly available.

“Screen and/or voice recordings” means in limited instances, after we have provided notice and obtained your consent, we may record your voice and screen (i.e., information displayed by your device) information during Zoom meetings with us.

“Technical identifiers/information” means Internet protocol (IP) address, Browser type and version, Device IDs, Google ID, Time zone setting, Operating system and platform, Hardware version, Device language settings, account identification number.

“Voluntary user submitted information” means any other Personal Information that you voluntarily and freely choose to provide to us.

RiskOptics and our Privacy Notice

RiskOptics is a computer software company that offers both risk management and Governance, Risk, and Compliance (“GRC”) software (through the ZenGRC and the ROAR product suite) (“Services”) as a service that helps our customers manage business risks more effectively.
This Privacy Notice describes how we collect, use, disclose and otherwise process Personal Information about you when:

• You visit our website at www.RiskOptics.com and/or www.reciprocity.com (collectively the “Site”);
• Submit Personal Information directly to us for marketing, sales, and/or informational purposes;
• You apply for an employment or independent contractor position with or on behalf of RiskOptics; or
• Otherwise contact or inquire or otherwise engage with us through Site or our products and services which we market (our “Services”).

Where RiskOptics hosts Customer Personal Information within the RiskOptics Services, we do so in our capacity as a service provider and/or subprocessor on the Customer’s behalf. Our Customer is the controller and/or business in respect of Personal Information they supply to us when using RiskOptics’ Services.

By visiting and using our Site and/or Services, you acknowledge that you have read, understood, and agree to this Privacy Notice.

Categories of Personal Information Collected, the Purposes for such Collection, and Legal Bases for Collection

More on Legitimate Interest Processing

Data protection law allows us to use Personal Information for our genuine and legitimate reasons if we respect your rights and freedoms. This lawful basis for using your information is called ‘legitimate interests’. When we rely on our legitimate interests as the legal basis for processing your Personal Information for the purposes set out above, we will specify what our legitimate interests are, and carefully consider and balance any possible effect this may have on you and your rights. You have the right to object to this processing; however, please bear in mind if you object this may affect our ability to carry out certain activities.

Sharing of Personal Information

We may transfer your personal information outside of Europe (1) to store it; (2) to enable us to provide our Service to you and fulfill any contract with you; (3) where we are legally required to do so; and (4) to facilitate the operation of our group of businesses, where it is in our legitimate interests and have concluded these are not overridden by your rights.

Personal Information may be shared with the following categories or organizations and/or individuals:

• Our subprocessors to provide the Services to our Customers. Information regarding our subprocessors can be found at https://www.reciprocity.com/subprocessors/;
• Companies within our group including RiskOptics Europe who may support us in any of the purposes set out in this Privacy Notice;
• Our Affiliates
• Analytics, advertising partners, and Search engine providers
• Business partners, suppliers and subcontractors performing services on our behalf
• Any company or prospective buyer of all or substantially all our assets in connection with a sale or transfer or assets to any prospective buyer
• Any person to whom disclosure is necessary to enable us to enforce our rights under this Privacy Notice or under the terms of use or to protect our rights or the rights of third parties. This includes exchanging information with law enforcement agencies or other similar government bodies.
• Another party where required to do so by court order or where we are under a duty to disclose or share your information to comply with (and/or where we believe we are under a duty to comply with) any legal obligation.

Collected personal information may be transferred to organizations and/or individuals located in the United States, European Union, Mexico, Columbia, Uruguay, and Argentina. If you are in the European Economic Area, information will be transferred to these countries through approved Standard Contractual Clauses mechanisms and in accordance with the security measures stated within this Privacy Notice.

Security

We are committed to ensuring that your Personal Information is adequately protected. In order to prevent unauthorized access to or disclosure of your Personal Information, we have implemented appropriate administrative, physical and technical controls to safeguard our systems, applications and information, as well as robust standard operating procedures in the event of a security incident.
Our security safeguards can be viewed at https://www.reciprocity.com/dpa/.

We also maintain procedural safeguards to further restrict access to your Personal Information to employees who need it to perform their tasks or people working on our behalf and under confidentiality agreements.

Where We Store Your Personal Information

The servers used to process your Personal Information are located in the following regions:

• For Personal Information collected from the Customer of ZenGRC: United States, European Union, and Australia
• For Personal Information collected from Customers of the ROAR product suite: United States.

For Personal Information collected for all other purposes, such Personal Information is stored in the United States.

Data Retention and Deletion

Personal Information is retained for only as long as it is needed; however, in the following instances, the maximum retention time frame is:

• Information collected for employment purposes: 24 months
• Information collected when you use our services: 30 days after the contract with the Customer is terminated
• Information collected related to user sessions when you use our Site: 14 months.
• For marketing, sales, or informational purposes: 18 months from the date of last interaction from the individual to RiskOptics.

We take measures to delete your personal information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are authorized or required by law to keep this information for a longer period.

When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrollment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

RiskOptics retains limited information that demonstrates it has met its contractual obligations with customers. This could include any documentation related to the terms of the contract, the scope of the services provided, and any relevant communication between RiskOptics and its customers.

Your Rights and Choices

You have options and choices over how we use your personal information. You may have the right under applicable laws to ask for details of the personal information we hold about you, or to amend, limit or delete your personal information. You may also have the right to object to further processing under certain circumstances. We also respect the rights you may have under applicable laws to receive that information in a commonly used electronic format (or ask for this information to be provided in that format to a third party where feasible).

Specifically, you have the right under certain circumstances to:

• To be provided with a copy of your personal information held by us;
• To know and access various aspects of your personal information, which include the categories of information collected, the sources from which it is obtained, the business purposes for collecting, selling, or sharing your information, the categories of third parties with whom your information is shared, and the specific pieces of personal information collected about you by RiskOptics.
• To opt-out of the selling or sharing of your personal information.
• To request the correction or erasure of your personal information held by us;
• To request that we delete any personal information held by us about you;
• To request that we restrict the processing of your personal information (while we verify or investigate your concerns with this information, for example);
• To object to the further processing of your personal information, including the right to object to marketing (as mentioned in our promotional updates and marketing section);
• To request that your provided personal information be shared with to a third party; and
• To withdraw consent. Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us. You can also change your marketing preferences at any time as described in our promotional updates and marketing section and below.
• To not receive discriminatory treatment for the exercise of these rights.

Our Customers will typically act as data controllers for any Personal Information related to them or Personal Information that third parties upload to our Services. We will act as a data processor in accordance with the Service and/or data processing agreements. Please note that if your request relates to Personal Information processed and/or stored by us as a result of you utilizing our Services, we will refer your request to the organization that contracts with us for our Services. We will then act according to the instructions of that organization since that organization is deemed to be the controller of that personal information.

Special Circumstances of Processing of Personal Information

We do not knowingly store and/or process personal information for individuals 16 years of age or less nor do we process Sensitive Personal Information. Additionally, we do not engage in profiling or processing of personal information by automated decision making.

Selling Personal Information

According to the California Attorney General’s Office, a business is considered a seller of Personal Information if it utilizes cookies that facilitate targeted advertising. Because RiskOptics utilizes targeted advertising cookies on its website, and on that basis alone, RiskOptics is considered a seller of Personal Information. RiskOptics does not sell your Personal Information for a monetary amount to third parties, and it does not sell any information obtained through your use of ZenGRC or the ROAR product suite.

RiskOptics utilizes the software platform Cookiebot to manage its cookie preferences. Cookiebot adheres to browser global privacy controls which can automatically instruct our website to not allow targeted advertising cookies to be placed on your device. This is performed in a frictionless manner. To learn how to implement global privacy controls for your browser, you can visit this resource.

To change your Cookiebot preferences, click on the paperclip icon at the bottom left side of the browser:

You may also make a request to opt-out of the selling or sharing of your Personal Information by emailing [email protected] or you can complete our data privacy request form here.

How to Make a Request or Complaint

We commit to respond to requests and resolve complaints about our collection or use of your personal information. You may contact us at [email protected] if you have a question about our privacy practices, this Privacy Policy, or if you wish to make a request regarding your Personal Information. You may also submit your request by completing this form here.

Please note that when a request is made that relates to your privacy rights, RiskOptics will contact you separately to attempt to verify your identity. If we cannot verify your identity within a reasonable amount of time, we will be unable to process your privacy request.

You may also make a request through an authorized agent. Before processing your request, we will separately contact you to verify the legitimacy of the request by examining documentation demonstrating agency between the person making the request and the subject of which the personal information relates. If we cannot verify the agency relationship, we will be unable to process the request.

If you are located within the European Economic Area and are unhappy with a response you receive from us, you can also refer the matter to your data protection supervisory authority which can be found here.

Federal Trade Commission and EU Supervisory Authorities Enforcement

We are subject to the investigation and enforcement actions of the Federal Trade Commission. We may be required to share your personal information with such enforcement authorities, including the disclosure of UK, Switzerland, and European Union residents’ personal information to public authorities and law enforcement agencies in response to lawful requests, including requests to meet national security and law enforcement requirements.

Links to Other Websites

This Privacy Notice covers the privacy practices of RiskOptics and it does not cover the privacy practices of third parties on their websites and other features. We are not responsible for the privacy notices and/or practices of third parties.

Our Site may provide links that can take you to other websites, which may include partner websites. You should review the privacy and other policies that govern the websites you visit, since those websites are not bound by our Privacy Notice, and we have no control over the content of those Websites, nor the usage of information they gather.

Modifications to the Privacy Notice

Any changes we make to our privacy notice will be posted on this page https://reciprocity.com/privacy and, in relation to substantive changes, Customers of our Services will be notified by email.

Contacting RiskOptics

If you would like to contact us with questions or concerns about this Privacy Policy, our privacy practices, or would like to exercise your privacy rights, you may contact us via any of the following methods:

E-mail: [email protected]

Privacy Request Form: The Privacy Request Form is located here.