Last Updated: February 8, 2023
Reciprocity is committed to protecting your privacy. Our most important asset is you and your trust, and we want you to have confidence in the way we use your Personal Information.
In this Privacy Notice, “us”, “we” and “our” refers to Reciprocity, Inc. and our affiliates listed on this page (collectively “Reciprocity”).
“Communications information” means records of any correspondence and communications including the content of your message, the date and time and our response if you contact us or raise a question with us.
“Contact information” means information that is typically used to contact you, such as your first and last name, business and/or personal e-mail address, and your employer’s physical address.
“Information about your Services usage or Site visit” includes information that lets us know how you navigate and use our Site and Services. This may include mouse movements, clicks, and scrolls. This may also include Uniform Resource Locators (URL), Clickstream to and through our Site (but not from our Site), Page response times and download errors, Page interaction information (such as scrolling, clicks, frequency and length of visits, types of content viewed or engaged with).
“Marketing information” means your marketing communication preferences.
“Personal Information” means any information relating to an identified or identifiable individual. Please read the following carefully to understand our views and practices regarding your Personal Information and how we will treat it.
“Professional Information” may include job title, title level, title function, company name, and the subject matter you are interested in.
“Sensitive Personal Information” means information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life, or sexual orientation. Included within this definition shall also be any information that relates to a person’s finances, including financial accounts, financial ownership, financial transactions, and/or financial credit. Lastly, Sensitive Information shall also mean a person’s government issued identification number as well as a person’s date of birth.
“Screen and/or voice recordings” means the recordings of your voice and screen (i.e., information displayed by your device) that we may make during Zoom meetings with us, in limited instances and after we have provided notice and obtained your consent.
“Technical identifiers/information” means Internet protocol (IP) address, Browser type and version, Device IDs, Google ID, Time zone setting, Operating system and platform, Hardware version, Device language settings, account identification number. We do not collect geolocation information.
“Voluntary user submitted information” means any other Personal Information that you choose to provide to us.
Reciprocity and our Privacy Notice
Reciprocity is a computer software company that offers Governance, Risk, and Compliance (GRC) software (both ZenGRC and the ROAR product suite) (“Services”) as a service that helps our customers to manage different business risks more effectively.
This Privacy Notice describes how we collect, use, disclose and otherwise process Personal Information about you when:
- You visit our website at www.reciprocity.com (the “Site”);
- You submit Personal Information directly to us for marketing and/or informational purposes;
- You apply for an employment or independent contractor position with or on behalf of Reciprocity; or
- You otherwise contact, inquire, or otherwise engage with us through our products and services which we market (our “Services”).
Where Reciprocity hosts Customer Personal Information within the Reciprocity Services we do so in our capacity as a processor on the Customer’s behalf. Our Customer is the controller in respect of Personal Information they supply to us when using Reciprocity Services.
By visiting and using our Site and Services, you acknowledge that you have read, understood, and agree to this Privacy Notice.
Categories of Personal Information Collected, the Purposes for such Collection, and Legal Bases for Collection
Personal Information Collected for Marketing and/or Informational Purposes
You may provide us with the following categories of Personal Information about you: (1) contact information; (2) professional information; (3) communications information; and/or (4) marketing information. We may also collect any other personal information that you choose to provide to us. These categories of personal information are collected for the purposes of marketing our products to you. This information is collected with your consent, and it is also collected for our legitimate interests, which are to market our products and provide information to you.
You may object to further marketing at any time by selecting the “unsubscribe” link at the end of all our marketing and promotional update communications to you or contact us directly. To opt-out of our marketing calls:
- Outside of Europe: Call E-mail us at [email protected]
- Within Europe: E-mail us at [email protected]
Personal Information Collected for Employment Purposes
When you apply for employment with us, we collect the following categories of personal information: (1) contact information; (2) professional information; (3) communications information; and (4) screen, visual, and/or voice recordings of any meetings, interviews, and/or discussions had with us. This information is collected with your consent and is collected so that we can consider you for an employment position with us.
Personal Information Collected when you Use our Services
We receive and store the Personal Information you provide directly to us. When you are a Customer of ours, by using either ZenGRC or the ROAR product suite, we collect the following categories of personal information: (1) contact information; (2) professional information; (3) communications information; (4) technical information; and (5) screen, audio, and/or visual recordings when you have meetings with us.
By default, we do not process Sensitive Personal Information; however, we may collect and store media, documents or other information you voluntarily provide to us. We do not recommend that you provide us with Sensitive Personal Information when utilizing our Services.
These categories of personal information are collected for the following purposes: (1) to identify and authenticate individuals who utilize our Services; (2) to provide the Service in a safe and secure manner; (3) for customer relations management, customer service, and customer communication; (4) to provide business intelligence information to us; and (5) to provide workflow automation to our customers.
These categories of personal information, with the exception of technical identifiers, are provided by the customer. Technical information is collected from the Customer’s device when utilizing the Services. The legal basis for collecting this personal information is for the performance of the contract between us and the Customer.
Personal Information Collected when You Use Our Site
We may collect by automated means the following categories of personal information about you or that relates to your use of our site: (1) technical information and (2) information about your visit.
This information is used to ensure our legitimate interests that (1) content from our Site is presented in the most effective manner for you and for your device to provide you with a better experience; (2) to communicate with you and respond to your inquiries; (3) to process your job applications to us; (4) for internal operations, including troubleshooting, data analysis, testing, research, statistical analysis purposes; (5) to keep our Site safe and secure; and/or (6) to measure and understand the effectiveness of our advertising and to deliver relevant advertising to you. This information is also used to enter into any contract or carry out our obligations arising from any contract entered into between you and us including administering an account you have with us and notifying you about changes or updates to our Service. Finally, this information is used to provide you with information about our Services we believe may interest you and which may be tailored to you, in our legitimate interests (provided these interests do not override your right to object to such communications) or if you have given your consent to receiving marketing material from us at the point we collected your information, where such consent is required by law or otherwise.
More on Legitimate Interest Processing
Data protection law allows us to use Personal Information for our genuine and legitimate reasons if we respect your rights and freedoms. This lawful basis for using your information is called ‘legitimate interests’. When we rely on our legitimate interests as the legal basis for processing your Personal Information for the purposes set out above, we will specify what our legitimate interests are, and carefully consider and balance any possible effect this may have on you and your rights. You have the right to object to this processing; however, please bear in mind if you object this may affect our ability to carry out certain activities.
Sharing of Personal Information
If you are located within the European Economic Area, we may transfer your personal information outside of Europe (1) to store it; (2) to enable us to provide our Service to you and fulfill any contract with you; (3) where we are legally required to do so; and (4) to facilitate the operation of our group of businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights.
Collected personal information may be shared with the following categories of organizations and/or individuals:
- Our subprocessors to provide the Services to our Customers. Information regarding our subprocessors can be found at https://www.reciprocity.com/subprocessors/;
- Companies within our group including Reciprocity Europe who may support us in any of the purposes set out in this Privacy Notice;
- Our Affiliates
- Analytics and Search engine providers
- Business partners, suppliers and subcontractors performing services on our behalf
- Any company or prospective buyer of all or substantially all our assets in connection with a sale or transfer of assets to any prospective buyer
- Another party where required to do so by court order or where we are under a duty to disclose or share your information to comply with (and/or where we believe we are under a duty to comply with) any legal obligation.
Collected personal information may be transferred to organizations and/or individuals located in the United States, European Union, and Argentina. If you are in the European Economic Area, information will be transferred to these countries through approved Standard Contractual Clauses mechanisms and in accordance with the security measures stated within this Privacy Notice.
Personal Information is only shared with third parties through an encrypted transmission.
We are committed to ensuring that your Personal Information is adequately protected. In order to prevent unauthorized access to or disclosure of your Personal Information, we have implemented appropriate administrative, physical and technical controls to safeguard our systems, applications and information, as well as robust standard operating procedures in the event of a security incident. We also maintain procedural safeguards to further restrict access to your Personal Information to employees who need it to perform their tasks or people working on our behalf and under confidentiality agreements.
Where We Store Your Personal Information
The servers used to process your Personal Information are located in the following regions:
- For Personal Information collected from the Customer of ZenGRC: United States, the European Union, and Australia
- For Personal Information collected from Customers of the ROAR product suite: United States.
For Personal Information collected for all other purposes, such Personal Information is stored in the United States.
Data Retention and Deletion
Personal Information is retained for only as long as it is needed; however, in the following instances, the maximum retention timeframe is:
- Information collected for employment purposes: 24 months
- Information collected when you use our services: 30 days after the contract with the Customer is terminated
- Information collected related to user sessions when you use our Site: 14 months.
We take measures to delete your personal information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period.
When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrollment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
Your Rights and Choices
You have options and choices over how we use your personal information. You may have the right under applicable laws to ask for details of the personal information we hold about you, or to amend, limit or delete your personal information. You may also have the right to object to further processing under certain circumstances. We also respect the rights you may have under applicable laws to receive that information in a commonly used electronic format (or ask for this information to be provided in that format to a third party where feasible).
Specifically, under certain circumstances you have the following rights:
- To be provided with a copy of your personal information held by us;
- To request the correction or erasure of your personal information held by us;
- To request that we delete any personal information held by us about you;
- To request that we restrict the processing of your personal information (while we verify or investigate your concerns with this information, for example);
- To object to the further processing of your personal information, including the right to object to marketing (as mentioned in our promotional updates and marketing section);
- To request that your provided personal information be shared with a third party; and
- To withdraw consent. Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us. You can also change your marketing preferences at any time as described in our promotional updates and marketing section and below.
Our Customers will typically act as data controllers for any Personal Information related to them or Personal Information that third parties upload to our Services. We will act as a data processor in accordance with the Service and/or data processing agreements. Please note that if your request relates to Personal Information processed and/or stored by us as a result of you utilizing our Services, we will refer your request to the organization that contracts with us for our Services. We will then act according to the instructions of that organization since that organization is deemed to be the controller of that personal information.
If you are located within the European Economic Area and are unhappy with a response you receive from us, you can also refer the matter to your data protection supervisory authority which can be found here.
Special Circumstances of Processing of Personal Information
We do not knowingly store and/or process personal information for individuals 16 years of age or less. Additionally, we do not engage in profiling or processing of personal information by automated decision making.
How to Make a Complaint or Request
If you are making a request, please complete our request form here.
Federal Trade Commission and EU Supervisory Authorities Enforcement
We are subject to the investigation and enforcement actions of the Federal Trade Commission. We may be required to share your personal information with such enforcement authorities, including the disclosure of UK, Switzerland, and European Union residents’ personal information to public authorities and law enforcement agencies in response to lawful requests, including requests to meet national security and law enforcement requirements.
Links to Other Websites
This Privacy Notice covers the privacy practices of Reciprocity and it does not cover the privacy practices of third parties on their websites and other features. We are not responsible for the privacy notices and/or practices of third parties.
Our Site may provide links that can take you to other websites, which may include partner websites. You should review the privacy and other policies that govern the websites you visit, since those websites are not bound by our Privacy Notice, and we have no control over the content of those Websites, nor the usage of information they gather.
Modifications to the Privacy Notice
Any changes we make to our privacy notice will be posted on this page https://reciprocity.com/privacy and, in relation to substantive changes, Customers of our Services will be notified by e-mail.
E-mail: [email protected]
Privacy Request Form: The Privacy Request Form is located here.
You may also write to us at:
- Attn: Privacy Officer
- Reciprocity, Inc.
- 548 Market St, #73905
- San Francisco, CA 94104
Our EU Representation:
- Attn: Privacy Officer
- Reciprocity d.o.o.
- Celovška cesta 130
- 1000 Ljubljana