Last Updated as of: March 27, 2023
The words “our”, “us”, “we” and “ExecOnline” refer to ExecOnline, Inc. and our affiliates. For purposes of this policy, “processing” or “process” mean any activity that involves the use of Personal Data, including collecting, organizing, using, transferring, disclosing, erasing or destroying, storing or carrying out any other operation or set of operations on the data.
132 W. 31st Street 17th Floor
New York, New York 10001
- What Personal Data does ExecOnline collect?
- Why does ExecOnline process Personal Data?
- Who has access to your Personal Data?
- How long will ExecOnline process your Personal Data?
- What measures does ExecOnline take to protect your Personal Data?
- Where does ExecOnline transfer and process your Personal Data?
- What rights can you exercise in relation to your Personal Data?
- What are the rights of California Residents?
- What if you have questions, requests or complaints?
- No one under 18. We do not knowingly process Personal Data from anyone under the age of 18. If we learn that Personal Data has been collected from a person under 18 years of age on or through the Products, we will take the appropriate steps to cause this information to be deleted.
- No obligation to provide Personal Data. The granting of any consent and the provision of any Personal Data by you to ExecOnline is entirely voluntary by you. However, there are circumstances where ExecOnline cannot act without certain Personal Data (e.g., because Personal Data is required to provide the Products you or your employer has purchased or provide).
2. What Personal Data does ExecOnline collect?
ExecOnline collects the minimum amount of information required to provide our Products to you or for you to access our Communities. When you choose to share the below Personal Data with us, we process it to provide you with access to the relevant Products or Communities. The Personal Data that you provide directly or indirectly to ExecOnline when accessing or using our Products or Communities may include:
- Products Account Information. Your name, work title, e-mail address, phone number and other registration information required or that you chose to provide to us when accessing the online Products you or your employer has purchased. Other users of the ExecOnline Products (“Users”) may provide information about you when they submit content to us for the Products. For example, your employer may provide Personal Data about you in order for you to register for our Products that it has purchased for your use.
- Voluntary Information. This may include information you voluntarily elect to provide while accessing or interacting with the ExecOnline Products or Communities, such as comments, posts, videos, photos, likes, platform contributions, program project deliverables, troubleshooting, assignments, projects and support data. If permitted by you, we may also capture your visual image, likeness and voice recording (e.g., via photographs and/or video) if you elect to participate in certain components of the Products and Communities, if activated by you. In participating in a cohort in certain of our Products, your posts may be visible to others. When you comment on or ‘like’ another’s content in our Communities or Products, others will be able to view these actions and associate them with you (e.g., your name, profile and photo, if you have provided it).
- Automatically Generated Information. We receive information when you view content on or otherwise interact with our Products or Communities, which we refer to as “Service Usage Data,” even if you have not created an account. For example, when you visit our Communities, request Products information, sign into our Products that require a login, use our mobile application, interact with our email campaigns and pitches or use your account to authenticate to a third-party service, we may receive information about you. This Service Usage Data also may include information such as your IP address, browser type, operating system, log data, the referring web page, pages visited, location, your interaction with collateral pages or emails, your mobile carrier and device information, authentication information for SSO purposes and cookie information. We use Service Usage Data to operate and improve our Products and Communities, to ensure their secure and reliable performance and to improve the Products.
- Recruiting, Applicant or Employment Information. Employment-related information includes your indicated job interests, preferences, work history and information provided on or relayed through one of our Communities.
- Other Data. “Other Data” is data that generally does not reveal your specific identity or does not directly relate to an individual. We may use and disclose Other Data for any purpose where permitted under applicable laws, regulations and sector specific guidelines, including all relevant data protection laws and regulations (“Applicable Laws”). To the extent Other Data reveals your specific identity or relates to an individual, we will treat Other Data as Personal Data. Other Data includes:
- Data collected through cookies, pixel tags and other technologies
- Demographic data and other data provided by you
- Aggregated or anonymized data
- Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers and is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Please note that we do not currently respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
4. Why does ExecOnline process Personal Data?
ExecOnline will only collect and process Personal Data about you where we have lawful bases. Lawful bases include to manage a contractual relationship with you, to comply with legal grounds and/or because we have a legitimate business purpose to do so.
- Contract with you.
The processing is necessary to perform our obligations under a Client agreement between you and ExecOnline and/or your employer and ExecOnline for provision of access to our Products, including:
- creation and management of Client Employee User accounts, provisioning of the Products, and providing Products technical and program support;
- providing identity verification and enabling you to avoid having to re-enter Personal Data on future visits to or subsequent use of our Products;
- tracking attendance, progress and completion of an Offering program;
- sharing your Personal Data and your performance with an Offering with school partners, content providers, program instructors and/or coaches (“Partners”);
- providing post-Offering analysis, receiving feedback from you on the Offering and sending notices and other disclosures as required by the Client contract; and
- during possible dispute resolution.
- Legal Grounds.
The processing is necessary for ExecOnline to comply with our obligations under any and all Applicable Laws, including:
- to comply with subpoenas or similar court orders and financial reporting obligations;
- to protect your vital interests or those of other individuals (e.g. matching names of Clients and service providers against denied parties’ lists, or for fraud);
- to defend against threatened or actual claims;
- to establish or exercise our legal rights or to protect our or our Partners’ property, including intellectual property;
- to investigate, prevent, or take action regarding illegal or suspected illegal activities; and
- as necessary for the legitimate interests of ExecOnline, except where such interests are overridden by your interests or fundamental rights and freedoms.
- Where otherwise appropriate or required, we will ask for your consent.
- Business Purposes.
Where not strictly required or permitted by contractual or legal grounds, ExecOnline will only process Personal Data if the processing falls within the scope of one (or more) of the legitimate business purposes listed below:
- Improvement of ExecOnline Products. This includes the analysis, development and improvement of ExecOnline Products, solicitation of your feedback and performance of data analytics.
- Relationship management and marketing. This includes the management of a relationship with a prospective or current Client, performing of targeted marketing activities in order to promote Products, special events and promotions to a Client.
- Your use of ExecOnline Communities. This includes your posting of any Personal Data or other information of a personal or sensitive nature, whether relating to you or another person, within any ExecOnline Communities. If you choose to access or use our Communities, you are agreeing to be subject to ExecOnline’s Communities Guidelines and Terms.
- Business process execution and internal management. This includes the management of ExecOnline’s assets and resources, working with ExecOnline’s Partners, third-party contractors, licensors and service providers (collectively, “Providers”), the conduct of internal audits and investigations, finance and accounting, implementing business controls and management reporting and analysis.
- Safety and security. This includes the processing of Personal Data for activities such as those involving safety, the protection of ExecOnline, Clients or Partners (e.g. for fraud prevention and protection).
- Protecting the vital interests of individuals. This includes processing of Personal Data when necessary to protect your vital interests or those of other individuals (e.g. for urgent medical reasons).
- Application for employment. This includes our use of your Personal Data to evaluate your candidacy and to communicate with you in a recruiting or application process. If you become a candidate, you will receive more information about how ExecOnline handles candidate Personal Data at the time of application.
5. Who has access to your Personal Data?
ExecOnline may share your Personal Data with:
- Your employer. If your employer offers you access to our Products, we will provide your employer access to your Personal Data so that your employer can review and manage your use of such Products.
- Law enforcement or other governmental agencies. If and when required to do so by law or other legal process (such as a court order or subpoena), we will provide information to such agencies and authorities. We will attempt to notify data subjects about legal demands for their Personal Data when appropriate in our judgment, unless prohibited by Applicable Laws, court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge any or every demand.
6. How long will ExecOnline process your Personal Data?
ExecOnline will retain your Personal Data as long as you use or access our Products or Communities, or as necessary to fulfill the purposes for which it was collected, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, satisfy Partner rights and comply with Applicable Laws. When we are no longer required to retain your Personal Data as described above, we will destroy, erase, or de-identify it in accordance with our data retention policies and Applicable Laws. Legal requirements, however, may require us to retain some or all of the Personal Data we hold for a period of time that is longer than that for which we might otherwise hold it.
7. What measures does ExecOnline take to protect your Personal Data?
- Technical and organizational measures.
ExecOnline takes and maintains appropriate technical and organizational measures to protect your Personal Data:
- Against unauthorized access;
- To assure its confidentiality;
- To maintain its integrity and availability;
- By training ExecOnline Personnel in information security requirements; and
- By reporting actual or suspected data breaches in accordance with Applicable Laws.
- Compliance with ISO/IEC 27001:2013.
ExecOnline is certified by a third party reviewer for compliance with ISO/IEC 27001:2013. Even with such technical and organizational measures, no data transmission or storage system can be guaranteed to be 100% secure. There is no guarantee that data may not be accessed, disclosed, altered or destroyed by breach of any of our physical, technical or managerial safeguards. If you have reason to believe that your interaction with us is no longer secure or has been compromised, please immediately notify us at firstname.lastname@example.org.
- Third-Party sites.
ExecOnline uses social and professional media widgets and sites as dynamic information sharing tools in certain of our Communities (such as Twitter, LinkedIn, YouTube) to engage in dialogue, share information and media, and collaborate with our visitors. Your activity on these Communities is governed also by the security and privacy policies of the respective third-party site owner or provider. ExecOnline does not control, moderate or endorse the comments or opinions provided by visitors to these sites, even if on or linked to our own Communities. You should review the privacy policies and information security of all sites before using them and ensure that you understand how your information may be used. You should also adjust privacy settings on your account on any third-party site to match your preferences.
- Links to third-party sites and integrations.
- Potential candidate for employment.
If you are a potential candidate for employment with ExecOnline, we may have received your Personal Data from third parties such as recruiters or external websites. We will use the Personal Data we receive to contact you about a potential opportunity or in evaluating your candidacy for ExecOnline employment. If you did not provide us your Personal Data directly, we will inform you of the source when we first contact you regarding your candidacy.
8. Where does ExecOnline transfer and process your Personal Data?
- Cross-border transfers.
- Transfers of Personal Data.
ExecOnline makes available the transfer mechanisms listed below, which shall apply to any transfers of Personal Data (“Transfers”) from the EU, the EEA and/or their respective member states, Switzerland and the United Kingdom, to the extent such Transfers are subject to privacy and data protection Applicable Laws (“Restricted Transfers”):
- Transfers to countries providing adequate data protection. Some countries are recognized by the European Commission, United Kingdom Information Commissioner’s Office (“UK ICO”) or the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), as applicable, as providing an adequate level of data protection.
- SCCs. Where a transfer to a country recognized as providing an adequate level of protection is not possible, then we implement appropriate safeguards in accordance with Applicable Laws. These may include using the International Data Transfer Addendum or International Data Transfer Agreement issued by the UK ICO and the EU Standard Contractual Clauses (“SCCs”), adopted by the European Commission and by the Swiss FDPIC.
- Privacy Shield
ExecOnline complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, “Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) from the European Union member countries (including EEA member countries) and the United Kingdom as well as Switzerland, respectively and as applicable to the United States, in reliance on Privacy Shield and our Privacy Shield certification is found here. ExecOnline has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles with respect to such Personal Data, including without limitation, Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. If there is any conflict between the policies in this ExecOnline Privacy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit: https://www.privacyshield.gov/. ExecOnline remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process Personal Data on its behalf do so in a manner inconsistent with the Principles, unless ExecOnline proves that it is not responsible for the event giving rise to the damage.
If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. ExecOnline is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.
Following the Court of Justice of the European Union decision in July 2020 invalidating the EU-U.S. Privacy Shield as a mechanism for the transfer of Personal Data from the European Union to the United States, ExecOnline no longer relies on Privacy Shield for cross-border Personal Data transfers that originated in the EEA, the United Kingdom or Switzerland to the United States. ExecOnline relies on alternative data transfer mechanisms deemed appropriate by the relevant authorities, such as the SCCs, for cross-border Personal Data transfers from the EEA, Switzerland, and the United Kingdom to the United States.
9. What rights can you exercise in relation to your Personal Data?
Based on Applicable Laws, you may have rights that you can exercise in relation to your Personal Data. Note that in some cases we are not required to fully comply with your request, as such rights may be conditional or because we have to balance your rights against our rights and obligations to process your Personal Data and to protect the rights and freedoms of others. A number of the rights you may have in relation to your Personal Data are as follows:
- Right of access
You are entitled to a copy of the Personal Data we hold about you and to learn details about how we use it by contacting email@example.com. Your Personal Data will usually be provided to you digitally. We may require you to prove your identity before providing the requested information.
- Right to rectification
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you believe this is not the case, you have the right to request that any incomplete or inaccurate Personal Data that we process about you is amended.
- Right to erasure
You have the right to ask us to erase all or some of your Personal Data, for example where the Personal Data we collected is no longer necessary for the original purpose, where Personal Data has become obsolete or where you withdraw your consent. However, this will need to be balanced against other factors, such as certain legal or regulatory obligations.
- Right to restriction of processing
You are entitled to ask us to temporarily stop using your Personal Data, for example where you think that the Personal Data we hold about you may be inaccurate or where you think that we no longer need to use your Personal Data.
- Right to object to processing
You have the right to object to processing which is based on our legitimate interests. For purposes based on our legitimate interests, we will no longer process the Personal Data on that basis when you file an objection based on your grounds relating to your particular situation, unless we have a compelling legitimate ground for the processing. Note, however, that we may not be able to provide certain Products, Communities, programs or benefits to you if we are unable to process the necessary Personal Data for that purpose.
- Rights relating to automated decision-making
You have the right not to be subjected to automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect.
- Right to withdraw consent
We may ask for your consent to process your Personal Data in specific cases. When we do this, you have the right to withdraw your consent at any time. ExecOnline will stop the further processing as soon as possible after the withdrawal of your consent. However, this does not affect the lawfulness of the processing before consent was withdrawn. Please be aware that you cannot opt-out of receiving service messages from us, including security and legal notices.
10. What are the rights of California Residents?
The California Consumer Privacy Act (“CCPA”) provides California residents with certain rights regarding their Personal Data. If the CCPA is applicable to your Personal Data, to exercise these rights, see “Exercising Your CCPA Privacy Rights” below.
- Right to Know. You may have the right to know and see what data we have collected about you over the past 12 months, including:
- The categories of Personal Data we have collected about you;
- The categories of sources from which the Personal Data is collected;
- The business or commercial purpose for collecting your Personal Data;
- The categories of Providers with whom we have shared your Personal Data; and
- The specific pieces of Personal Data we have collected about you.
- Right to Delete. Under the CCPA, you may have the right to request that we delete the Personal Data we have collected from you (and direct our Providers to do the same). There are a number of exceptions, however, including when the information is necessary for us or a third party to do any of the following:
- Provide you the Products;
- Perform a contract between us and you;
- Protect your security and prosecute those responsible for breaching it;
- Fix our system in the case of a malicious element;
- Protect the free speech rights of you or other Users;
- Comply with a legal obligation; or
- Make other internal and lawful uses of the information that are compatible with the context in which you provided it.
- No Sale of Personal Data. ExecOnline does not sell your Personal Data and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by Applicable Laws. Similarly, we do not offer financial incentives associated with our collection, use, or disclosure of your Personal Data.
- Exercising Your CCPA Privacy Rights. To request access to or deletion of your Personal Data, or to exercise any other data rights which are applicable to your Personal Data, please contact us via email at firstname.lastname@example.org. Please include (i) your full name, email address, and phone number associated with your use of our Products and (ii) the reason you are writing, so that we can process your request in an efficient manner.
- Response Timing and Format. If applicable, we aim to respond to a request for access or deletion within 45 days of receiving that request. If we require more time, we will inform you of the reason and extension period in writing.
11. What if you have questions, requests or complaints?
- Data Protection Officer. You also may contact our Data Protection Officer at email@example.com.
- Data Protection Authority. You also have the right to lodge a complaint with the competent local Data Protection Authority in the jurisdiction where you work, where you live or where an alleged infringement takes place. A listing of the European Data Protection Authorities can be found here. For the Swiss FDPIC, please refer here. For the UK ICO, please refer here.