Privacy and Cookies Policy

 

 

Last Updated October 10, 2024

ComplianceLine, LLC, doing business as Ethico, (“Ethico,” “we,” “our,” or “us”) is committed to complying with all applicable data privacy laws, including protecting the security and confidentiality of any information that is personally identifiable to an individual (“Personal Data”). Ethico’s Privacy and Cookies Policy is comprised of two parts: 1) Ethico’s Privacy Policy, which sets forth how we collect, use, share, and retain (collectively, “process”) Personal Data in situations where we, as a Controller, determine how Personal Data is processed and 2) Ethico’s ECOsystem Privacy Policy, which sets forth how we process Personal Data as a Processor on behalf of our clients who use our products and services. Collectively, we refer to both policies as Ethico’s Privacy and Cookies Policy. Ethico’s Privacy and Cookies Policy also provides information on your data privacy rights and how to exercise them. The most current version of Ethico’s Privacy and Cookies Policy can be found on Ethico’s website at https://ethico.com/privacy-policy/.

Who We Are

Ethico is a leading provider of software solutions to professionals in compliance, human resources, and risk management. We provide a suite of corporate integrity services via our ECOsystem platform, which includes compliance management and hotline & sanctions screening solutions. We also offer training and educational resources and host in-person and online events, including our Ethicsverse webinars.

We process Personal Data as a Controller in connection with our core business activities, such as marketing, sales activity, and account management. We process Personal Data as a Processor (or service provider) when we process Personal Data on behalf of and at the direction of our clients, such as providing intake for hotline calls, conducting exit interviews, or running background checks. The Personal Data we process on behalf of our clients often relates to the clients’ workforce, but may also relate to their vendors, business partners, customers, and other relevant stakeholders.

Ethico is headquartered at 8615 Cliff Cameron Dr Ste 290, Charlotte, North Carolina 28269 in the United States of America. Questions about our privacy practices may be addressed to privacy@ethico.com.

Ethico’s Privacy Policy

Ethico’s Privacy Policy sets forth how we collect, use, share, and retain (collectively, “process”) Personal Data in situations where we, as a Controller, determine how Personal Data is processed.

Categories of Personal Data We May Collect

Ethico may collect the following categories of Personal Data from business contacts in our industry:

  • Your name and contact details such as your phone number and email address;
  • Information related to your current or past work, such as your employer, job title, company address, and conferences, webinars, or training that you have attended;
  • Information related to your interactions with our website and webinar platforms, such as cookies, the pages you have visited, the date and time of your visit, and comments that you leave in online webinars, training, or blogs hosted by Ethico;
  • Information related to your interactions with our products and services, such as how often you log in, the tools that you utilize, and your interactions with our personnel such as customer service; and
  • Information related to your communications with us, such as your video calls and email communications related to product demos, attendance at webinars or training sessions hosted by Ethico, or your feedback on our products or services.

Our marketing materials, content, and products and services are intended for adults working in the professional fields of compliance, human resources, and risk management. We do not knowingly collect or maintain Personal Data from or about anyone under eighteen (18) years of age.

Why We Need Your Personal Data

We process your Personal Data for the following reasons:

  • To offer you and provide you with Ethico’s products and services;
  • To improve upon our products and services;
  • To offer you industry-related content and information, including in-person and online events;
  • To communicate with you during the business relationship, including providing you with customer service; 
  • To operate and improve our overall business operations, such as understanding market trends, developing new products and services, and carrying out internal administrative functions;
  • To protect parties in the event of a legal dispute; and
  • To comply with court orders and legal or regulatory processes.

We may also transfer Personal Data in the event of an actual or potential sale or transfer of our business or assets (such as a merger, acquisition, or reorganization). 

We do not engage in automated decision-making with your Personal Data.

What If I Decide Not to Provide My Personal Data?

You are not obligated to provide us with your Personal Data. If you opt-out of marketing emails, you will not receive emails related to our products and services, training and educational resources, and our events, including our Ethicsverse webinars. (Note that you must affirmatively reach out to privacy@ethico.com asking to opt back into these emails.)  Also, please note that if you exercise any right to delete your Personal Data, and you currently work for an organization that is a client of Ethico, we may not be able to provide your organization with the services for which they have contracted if your role is integral to the performance of that contract.

How We Collect Personal Data

We may collect Personal Data from you in the following ways:

  • Via registration forms, such as when you provide us with your Personal Data when you sign-up for a seminar or download content on our website;
  • Via in-person interactions, such as when we scan your badge at an industry conference or you provide us with your business card;
  • Via online interactions such as the chat room for Ethico’s Ethicsverse webinars;
  • Via Google Meet calls with prospective and current clients, which we record for quality assurance (and which you have the option to opt-out of at the start of the call);
  • Via Cookies and other data analytics, if you visit our website;
  • Where permitted, via social media channels such as LinkedIn, when you interact with or comment on our content or engage with our personnel; and
  • From third-party sources such as conferences that may provide us with a list of names of attendees.

Our Legal Basis for Processing Your Personal Data

When we process Personal Data, including the data of any residents located in the United Kingdom, the European Union, or Switzerland, we rely upon a legal basis for such processing. The legal bases upon which we rely are:

  • Where we have obtained your consent to process your Personal Data;
  • Where we have a legitimate business interest in processing your Personal Data and that interest does not interfere with any Personal Data rights that you may have (such as, for example, when the processing takes place in the context of a client relationship or for direct marketing purposes to share our products and services with professionals in the compliance, Human Resources, and risk management industry);
  • Where it is necessary for the performance of a contract; and
  • In certain instances where we determine we have a legal obligation to do so.

Who Do We Share Personal Data With?

We will never sell your Personal Data or “share” it as defined under the California Consumer Protection Act/California Privacy Rights Act (“CCPA/CPRA”).

We may share your Personal Data with third-party service providers in order to fulfill our contractual relationships with you and/or to offer you products or services that you have requested. For example, we may provide a list of email addresses to a marketing vendor for the limited purpose of fulfilling an email campaign, or if you contact us to have an investigation outsourced, we may provide your contact information to our outsourced investigation services firm so that they may provide you with the service.

We may also disclose Personal Data where we are required to do so under applicable laws or regulations, where we need to establish or defend our legal rights or the rights of other individuals or business partners, or where we are acting in order to prevent an illegal activity or harm.

Data Privacy Framework for Data Transfers and Data Storage

Our offices and employees are located in the United States of America (“U.S.”). Personal Data from residents in the United Kingdom (“UK”), European Economic Area (“EEA”), and Switzerland and other countries may be transferred to the U.S. and stored in our U.S. servers.

Ethico has certified compliance with the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and Swiss-UK DPF. The DPF was developed by the U.S. Department of Commerce, the European Commission, the UK Government, and the Swiss Federal Administration to provide a reliable transfer mechanism for Personal Data transferred to the U.S. from the EU, UK, and Switzerland, while ensuring data protection that is consistent with EU, UK, and Swiss law. 

We are committed to following DPF Principles for all Personal Data received from the EU, UK, and Switzerland. If there is any conflict between the terms in this Privacy Policy and the DPF, the DPF shall govern. To learn more about the DPF, please visit https://www.dataprivacyframework.gov/s/. To view our certification on the Data Privacy Framework List, please visit https://www.dataprivacyframework.gov/s/participant-search and search for ComplianceLine. 

In adherence to DPF Principles, Ethico is responsible for Personal Data it receives from the EU, UK, and Switzerland, including any Personal Data it subsequently transfers to a third party acting as an agent on our behalf. With respect to Personal Data received or transferred pursuant to the DPF, Ethico is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and any other regulatory authorities authorized under the DPF. In certain situations, Ethico may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the DPF Principles, we have designated an independent dispute resolution body to address complaints and provide appropriate recourse free of charge to an individual who has a complaint or inquiry that is unresolved by Ethico. If you have an unresolved complaint or inquiry related to your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider, JAMS, at https://www.jamsadr.com/DPF-Dispute-Resolution. This service is at no cost to you. In certain conditions, it is possible to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Data Retention

We will retain your Personal Data for as long as your organization is a client and/or your email address is active and you do not request to have your Personal Data deleted.

Security Measures

Ethico utilizes industry accepted security measures to protect against loss, misuse, unauthorized access, disclosure, alteration, and destruction of data submitted to our systems, both during transmission and when we receive it. Access to your Information is strictly limited and we take reasonable measures to ensure that your Information is not accessible to the public. We restrict access to Personal Data to only those persons who need access to perform or provide their job or service, both internally and with our third-party service providers. We utilize industry standard access controls and detection capabilities for our internal networks in order to prevent unauthorized network access. We regularly undergo third-party audits, including an annual SOC 2 Type 2 audit. Information is encrypted with advanced TLS (Transport Layer Security) when collected and transmitted and is also encrypted at rest.

While Information Security is of paramount importance to Ethico, no method of transmission over the Internet, or method of electronic storage, is 100% secure, and we cannot guarantee its absolute security. As required under applicable data protection laws, we shall notify you via email, and any applicable regulatory agencies, if we learn of an information security breach of your Information. Please be advised that notice may be delayed in order to address the needs of law enforcement, determine the scope of network damage, and engage in remedial measures.

Opting-Out of Marketing

When you provide us with your Personal Data, such as signing up to one of our Ethicsverse webinars, and you consent to receive marketing communications related to our products and services and events, we will use that information to send those communications to you. If you wish to opt-out of receiving communications from us, contact us at privacy@ethico.com. Please allow several days for us to process your opt-out request. Note that we may retain your name and contact information on a list for the sole purposes of ensuring we comply with your request. If you feel your opt-out request was not properly honored or you would like to request to opt-in to marketing communications after a prior request to opt-out, please contact us again at privacy@ethico.com.

Cookies

A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. Cookies are used by many websites and can do a number of things, including remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. Ethico utilizes web logging and Cookies to gather data about visitors to our site in order to gather insights and improve our services. 

We may use Google Analytics and similar tools to help analyze how users interact with our website and to display customized ads and other content to our users during a current browsing session or in the future when the user is online. These analytics are performed by using the technological means described above to monitor a user’s interactions with the website and do not involve the collection of any additional Information. 

Most browsers are initially set up to accept Cookies, but users can reset their browsers to refuse all Cookies or to indicate when a Cookie is being sent or to refuse online tracking. To disable and reject certain Cookies, follow the instructions associated with your Internet browser. If you would like to clear, delete, or block your cookies, you can do so via settings on your webpage browser. 

Even where you reject a Cookie, you may still use the Website, but your ability to use certain features or offerings may be impaired. For example, if you return to the Website, you may have to re-enter Information you previously supplied to us. We may retain Cookie data indefinitely.

Data Privacy Rights

Certain countries, states, and territories have set forth data privacy rights for residents. 

In the UK, EEA, and Switzerland, these rights are:

  • The right to withdraw consent. To the extent you provide consent to the processing of your Personal Data, including marketing communications, you can withdraw your consent at any time. Your withdrawal will not affect the lawfulness of our processing based on consent before your withdrawal.
  • Right of access to and rectification of your Personal Data. If you would like to request access to or correct your Personal Data, you can submit a written request to privacy@ethico.com.
  • Right to erasure (or, “Right to be forgotten”). You can ask us to stop processing and delete your Personal Data in certain circumstances (for example where it was processed on the basis of your consent and you withdraw such consent or where it is no longer necessary for us to process it).
  • Right to data portability. You can request to receive your Personal Data from us in a machine-readable, commonly used format of our choosing and/or have us transfer your Personal Data directly to another controller.
  • Right to object to, or restrict, processing. Where the processing of your Personal Data is based on consent, contract, or legitimate interests, you may restrict or object, at any time, to the processing of your Personal Data, as permitted by applicable law. Note that you will never need to opt-out of the sale of your Personal Data because Ethico does not sell your Personal Data.
  • Right to not be the subject of automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you, except as allowed under applicable data protection laws.

Many U.S. states are also enacting data privacy laws. Even where these state laws are not currently applicable to Ethico (for example, the CCPA/CPRA), we value your privacy rights. Regardless of where you are located, we will honor your request to access, correct, or delete your Personal Data.

To make a request regarding your data rights, please contact privacy@ethico.com. In your email, please write “Data Privacy Rights” in the subject line and in the body of the email state the right you would like to exercise. We will promptly review your request, determine how we can process your request in compliance with applicable laws, and provide you with an explanation on how we are taking action on your request. Note that we may need to seek additional details from you in order to process your request and that, if you request to have your Personal Data deleted, we may retain your name and contact information on a list for the purpose of ensuring we comply with your request. Residents of the UK, EEA, and Switzerland also have the right to lodge a complaint with their relevant supervisory authority if they feel their data privacy rights are not being respected.

Changes to This Privacy Policy

We may update this Policy from time to time. The most current version of the Policy will always be available via a link on Ethico’s homepage. If we make significant changes to how we process your Personal Data, we will notify you via email.

Contacting Us with Questions or Concerns

If you have questions or complaints regarding our privacy policy or practices, or would like to exercise your data privacy rights, contact us at privacy@ethico.com.

You may also send us mail at the following address:

Ethico
Attention: Privacy 
8615 Cliff Cameron Drive, Suite 290
Charlotte, NC 28269
USA

Ethico’s ECOsystem Privacy Policy

Ethico’s ECOsystem Privacy Policy sets forth how we process Personal Data as a Processor on behalf of our clients that use our products and services. Each client who purchases our products or services acts as a Controller of any Personal Data, which means that they determine how that Personal Data is collected, used, shared, stored, and retained (“processed”). As a Processor, we only process Personal Data at the written instructions of the Controller.

Categories of Personal Data We May Collect

The type of Personal Data we collect depends on which of our products and services a client has purchased and how they decide to use it within their organization. It may include the following:

  • Identifiers such as first and last name, employee identification number, Social Security Number, gender, birthdate, contact information such as address, e-mail address, and telephone number;
  • Information related to employment such as job title, job position, employer, relationship with the Controller, employee identification number, and opinions related to the employment experience;
  • Information related to the facts and circumstances surrounding a violation or alleged violation of law or company policies, which may include Personal Data about the reporter and other individuals alleged to have been involved in the reported incident;
  • Other categories of personal information about an individual which a reporter voluntarily provides to Ethico while making a report or providing an interview, which could include Personal Data that is considered Sensitive Personal Data under applicable laws and regulations (such as information that relates to individuals’ racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, information concerning health, or information concerning a natural person’s sex life or sexual orientation);
  • Information found in the public records such as aliases, criminal background history, information found on sanctions lists, and information related to any restrictions or penalties imposed by a regulatory agency or licensing board;
  • Information related to an employee’s training records, such as training accessed and completion dates, and metadata that might be obtained from an employee’s interaction with training platforms; and
  • Other information which a client organization, as the Controller, decides will reside on Ethico’s platform, such as information related to annual financial disclosures, conflicts of interest, gifts and entertainment, and other Personal Data that may be gathered by organizations in the course of implementing and operating an effective compliance and ethics program or other risk-management program.

Why We Need Your Personal Data

We process Personal Data on behalf of our clients for the purposes of facilitating their compliance and/or ethics program, human resources program, or other risk-management program, which may include assisting clients in complying with applicable laws, rules, and regulations such as whistleblower laws, sanctions laws, and disclosures. We may also process Personal Data for business purposes, such as improving our products and services, conducting product research and development, and complying with our internal and contractual record retention requirements. Personal Data may also be processed in the event of a dispute between parties and to comply with legal processes and court orders.

We will never sell Personal Data processed on behalf of our clients, nor will we share that Personal Data with anyone other than the client or their authorized contractors and agents, unless required to do so under applicable laws and regulations. We may transfer Personal Data in the event of an actual or potential sale or transfer of our business or assets (such as a merger, acquisition, or reorganization). 

We may use Personal Data for statistical research purposes, such as determining how many complaints were made in a particular region related to a particular topic. When we run such reports, we de-identify Personal Data and do not make any attempt to later re-identify it with any individual.

What If I Decide Not to Provide My Personal Data?

We are a service provider to various organizations and we process Personal Data only at their direction. If you do not wish to have Ethico process your Personal Data, please contact your organization. If you reach out to us directly, we will, in compliance with our legal obligations, forward your request to your organization and await their written instructions on how to proceed.

How We Collect Personal Data

We may collect Personal Data from you in the following ways:

  • When you call one of our hotline numbers or log into our online platforms to make a report or enter information, we make a record of the call and its contents;
  • When we reach out to you directly and ask you to complete materials over the phone or online, such as in the case of an exit interview;
  • When an employee at or contractor for your organization provides information about you or enters Personal Data about you into our platform for ethics, compliance, or risk management purposes (such as a disclosures form, an investigation report, or for sanctions screening); and
  • Via Cookies and other data analytics, if you visit our website.

Our Legal Basis for Processing Your Personal Data

It is the responsibility of each of our clients, as the Controller, to ensure a legal basis for processing your Personal Data. Prior to acting as Processor for any organization, we ensure that we have a written contract in place. We act in accordance with this contract and will only deviate from it if we believe that it will violate an applicable law or regulation (in which case we will notify the client in writing). If you have a concern about the legal basis for processing of your Personal Data, please contact your organization directly.

Who Do We Share Personal Data With?

We share your Personal Data with each client organization, who is the Controller, and for whom we are acting as Processor of Personal Data. We may also share Personal Data with our service providers (Subprocessors), who are contractually obligated to keep Personal Data secure and process it only for the purpose stated in the contract.

We may also disclose Personal Data where we are required to do so under applicable laws or regulations, where we need to establish or defend our legal rights or the rights of other individuals or business partners, or where we are acting in order to prevent an illegal activity or harm. We will never sell your Personal Data or “share” it as defined under the California Consumer Protection Act/California Privacy Rights Act (“CCPA/CPRA”).

Data Privacy Framework for Data Transfers and Data Storage

Our offices and employees are located in the United States of America (“U.S.”). Personal Data from residents in the United Kingdom (“UK”), European Economic Area (“EEA”), and Switzerland and other countries may be transferred to the U.S. and stored in our U.S. servers.

Ethico has certified compliance with the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and Swiss-UK DPF. The DPF was developed by the U.S. Department of Commerce, the European Commission, the UK Government, and the Swiss Federal Administration to provide a reliable transfer mechanism for Personal Data transferred to the U.S. from the EU, UK, and Switzerland, while ensuring data protection that is consistent with EU, UK, and Swiss law. 

We are committed to following DPF Principles for all Personal Data received from the EU, UK, and Switzerland. If there is any conflict between the terms in this Privacy Policy and the DPF, the DPF shall govern. To learn more about the DPF, please visit https://www.dataprivacyframework.gov/s/. To view our certification on the Data Privacy Framework List, please visit https://www.dataprivacyframework.gov/s/participant-search and search for ComplianceLine. 

In adherence to DPF Principles, Ethico is responsible for Personal Data it receives from the EU, UK, and Switzerland, including any Personal Data it subsequently transfers to a third party acting as an agent on our behalf. With respect to Personal Data received or transferred pursuant to the DPF, Ethico is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and any other regulatory authorities authorized under the DPF. In certain situations, Ethico may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the DPF Principles, we have designated an independent dispute resolution body to address complaints and provide appropriate recourse free of charge to an individual who has a complaint or inquiry that is unresolved by Ethico. If you have an unresolved complaint or inquiry related to your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider, JAMS, at https://www.jamsadr.com/DPF-Dispute-Resolution. This service is at no cost to you. In certain conditions, it is possible to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Data Retention

We will retain Personal Data for as long as we are instructed by the client acting as Controller. This time frame varies depending on applicable laws and regulations and the needs of each organization. In keeping with data minimization principles, we delete Personal Data pursuant to our data retention schedules shortly after a client terminates services with us.

Security Measures

Ethico utilizes industry accepted security measures to protect against loss, misuse, unauthorized access, disclosure, alteration, and destruction of data submitted to our systems, both during transmission and when we receive it. Access to your Information is strictly limited and we take reasonable measures to ensure that your Information is not accessible to the public. We restrict access to Personal Data to only those persons who need access to perform or provide their job or service, both internally and with our third-party service providers. We utilize industry standard access controls and detection capabilities for our internal networks in order to prevent unauthorized network access. We regularly undergo third-party audits, including an annual SOC 2 Type 2 audit. Information is encrypted with advanced TLS (Transport Layer Security) when collected and transmitted and is also encrypted at rest.

While Information Security is of paramount importance to Ethico, no method of transmission over the Internet, or method of electronic storage, is 100% secure, and we cannot guarantee its absolute security. In compliance with the requirements of applicable data protection laws, we shall notify you via email, and any applicable regulatory agencies, if we learn of an information security breach of your Information. Please be advised that notice may be delayed in order to address the needs of law enforcement, determine the scope of network damage, and engage in remedial measures.

Cookies

A cookie is a small file of letters and numbers that is downloaded onto your computer when you visit a website. Cookies are used by many websites and can do a number of things, including remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. Ethico utilizes web logging and Cookies to gather data about visitors to our site in order to gather insights and improve our services. 

We may use Google Analytics and similar tools to help analyze how users interact with our website and to display customized ads and other content to our users during a current browsing session or in the future when the user is online. These analytics are performed by using the technological means described above to monitor a user’s interactions with the website and do not involve the collection of any additional Information. 

Most browsers are initially set up to accept Cookies, but users can reset their browsers to refuse all Cookies or to indicate when a Cookie is being sent or to refuse online tracking. To disable and reject certain Cookies, follow the instructions associated with your Internet browser. If you would like to clear, delete, or block your cookies, you can do so via settings on your webpage browser. 

Even where you reject a Cookie, you may still use the Website, but your ability to use certain features or offerings may be impaired. For example, if you return to the Website, you may have to re-enter Information you previously supplied to us. We may retain Cookie data indefinitely.

Data Privacy Rights

Certain countries, states, and territories have set forth data privacy rights for residents. 

In the UK, EEA, and Switzerland, these rights are: the right to withdraw consent; the right of access to and rectification of your Personal Data; the right to erasure (or, “Right to be forgotten”); the right to data portability; the right to object to, or restrict, processing; and the right to not be the subject of automated individual decision-making, including profiling. Many U.S. states are also enacting data privacy laws. While some laws, like CCPA/CPRA, are currently not directly applicable to Ethico, if these laws are applicable to our clients, we enter into contractual provisions necessary to ensure their continued compliance with these laws.

If you wish to exercise any of your applicable data privacy rights, you must contact your organization, who is the Controller. As a Processor, we cannot make any changes to Personal Data without the written instructions of the Controller. We will promptly respond to any written requests from the Controller related to any Personal Data. Any requests from data subjects directly to us will be forwarded to our client and we will await their written instructions.

Changes to This Privacy Policy

We may update this Policy from time to time. The most current version of the Policy will always be available via a link on Ethico’s homepage. Please also visit the website of the relevant organization acting as Controller of your data to review their privacy policy.

Contacting Us with Questions or Concerns

If you have questions or complaints regarding our privacy policy or practices, you may also contact us at privacy@ethico.com. Please keep in mind that as a Processor, we are only permitted to process Personal Data at the written instructions of the Controller and we will forward any data privacy requests to the relevant client organization. If you have an unresolved privacy or data use concern regarding EU, UK, or Swiss resident Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

You may also send us mail at the following address:

Ethico
Attention: Privacy
8615 Cliff Cameron Drive, Suite 290
Charlotte, NC 28269
USA