1. Privacy principles
Factorial follows these principles in order to protect your privacy. These principles are common to both the General Data Protection Regulation 2016/679 (hereinafter, “GDPR”), and the California Consumer Privacy Act (hereinafter, “CCPA”), applicable if you are a resident of the state of California:
- We do not collect any more personal data than is necessary to provide the Services
- We do not keep your personal data if it is no longer needed
2. Factorial HR’s Services
Factorial is a cloud-based HR management platform used by organisations in their capacity of employers (hereinafter, “Customers”) to optimise their HR processes by centralising and digitising administrative tasks relating to their employees (hereinafter, “End-Users”).
3. Controller or Processor
Factorial HR can be both a Controller and a Processor of personal data for the purposes of GDPR. For example, Factorial will be the Controller of personal data when a Customer enters into a contract directly with us, for the processing of said Customer’s data.
However, in most instances due to the nature of our business Factorial has no direct relationship with the data subjects and exclusively processes the End User’s personal data on behalf of the Customers and according to their instructions. Thus, if you are an employee using our platform we act solely as a data processor with respect to the processing of your data. Our Customers decide the purposes for which they use our Platform, as well as the means for collecting data from our platform’s magnitude of features.
In the case of users who browse our website, Factorial will be the processor for the processing of data collected here, such as cookies, or any data that is interesting to enjoy our content.
Example: if you are a user of our website and you need to access a particular service, such as subscribing to a newsletter, we will manage your personal data for the intended purpose.
On the other hand, in the case of those employees of the Client or third parties (such as their self-employed professionals, candidates in selection processes, former employees, etc.) who want to report a situation through the web complaints channel and do not opt for anonymity, Factorial will be the Processor of personal data introduced in the said channel, with the Client being the one who decides the purposes for which said channel is used.
4. End-Users’ personal data received from our Customers
Before you can access our Platform, one of our Customers, as your employer, has already created an End-User account for you and provided us with certain data about yourself, including:
- Basic information: Full name, work e-mail, identity number, etc.
- Other information: Social security number, date of birth, gender, nationality, phone number, office to which you are assigned, time-off policy, bank account number, working hours, salary, term of the contract, full address, emergency contacts, etc.
5. End-Users’ personal data received from Google
If you choose to access our Platform via website using Google’s sign-in tool, Google Ireland Limited will share with us your full name, your e-mail address, your language preferences, and your profile picture for authentication purposes.
6. End Users’ data collected by our Platform
For the purposes of providing the services to our Customers, Factorial’s Platform collects the following information from the End-Users:
- Data on device: We automatically collect device information such as your device ID, model and manufacturer, operating system, version information and IP address, etc.
- Geo-Location Information (in App): If you choose to activate the clock-in or clock-out reminders (Settings>Notifications>Enable Notifications>Workplace proximity reminders), Factorial HR will request access or permission to and gather location-based information from your mobile device continuously (i.e., also when the Platform is closed and not in use).
This will allow our App version of the Platform to detect when you are getting close to or leaving the office address you are assigned to in Factorial, which will trigger the corresponding push notification. Your location data is stored on your phone and never sent to Factorial HR.
If you wish to change our access or permissions, you may do so using our Platform or in your device’s settings.
- Clock-in information: If you use the Platform to time track your working hours, we will collect the clock-in and clock-out time and date, and the duration of your shift. If your company has geo-location clock in enabled and you have given the Platform permission to access it, we will also collect your location information.
In those cases where the Customer has activated it, the clock-in can take place through our facial recognition function. In this event we will collect facial data (End-User face image, End-User face vector). The image is provided on-site by the Employee and the vector is auto-generated data. This data qualifies as sensitive data as it meets the definition of article 9.1 GDPR "biometric data intended to uniquely identify a natural person" and of Section 1798.140, b) CCPA.
The data will be used by the face recognition tool until the Client notifies Factorial of (a) the termination of the Employee from the organisation; (b) the termination of the Client as a user of Factorial or (c) the termination of the Employee from the face recognition tool. The use by Factorial of the aforementioned personal data will only be in accordance with the Client's instructions and for the purpose of providing the service contracted by the Client.
- Time-off data: If you use the Platform to request time-offs we will collect information regarding the category of time-off requested (e.g., holidays, sickness, etc.), duration of the requested time-off, and any other data you wish to provide in the description of the request.
In the event that the Client has contracted the reporting channel service, the information provided by the Employee and/or third parties through said channel will be absolutely confidential and anonymous (in the event that the Employee has requested it). Factorial guarantees that all the necessary security measures have been adopted to avoid the alteration, loss, treatment or unauthorized access by third parties to said information that can be used for different purposes for which they have been requested by the Client. In any case, Factorial will not have access to the content of the complaint.
7. End-user data collected by our Website.
- Free offer of digital content:
- Data collected: email address, surname, first name, title.
- Intended use: personalised sending of the requested content.
- Events created by Factorial: in order to be able to participate in our events, we manage the following personal data (name, surname, email address, telephone number).
- Request for a demo of our software: If you request an appointment for a Webdemo, we will use your data to contact you and set a date for the demo together.
- Trial account: If you register for a test account, we will use your data to provide you with the necessary information and to introduce you to the test account and the functionalities of the software.
Data collected: e-mail address, last name, first name, telephone number.
Intended use: to make the requested test account available to you and to explain the functionalities of the software.
Storage period: the data will only be stored for as long as is necessary to achieve the purpose. At the end of the test phase, your data will be deleted if you do not become a customer.
8. Purposes and basis of the processing of your personal data under GDPR
Factorial HR processes your personal data:
- To reply to your request for a demo, contact, or further information as a Customer, provider or End-User.
- For the drafting, negotiation or signature of contracts or other agreements with you.
- For securing and presenting our website or Platform (log files).
- So that Employees and / or third parties can send their complaints through our complaints channel.
- For the purposes determined by our Customers - as data controllers - and under their instructions as established in the Data Processing Agreement (DPA) entered into between us and our Customers.
- Example: if you’re an employee of Company A, you are an End-User, and Company A might decide to use our platform for employee time and attendance management, time-off management, task management, etc.
Factorial HR does not process your personal data for its own purposes. When we process usage and analytics information, as well as some statistical and aggregate data derived from personal data for the improvement and further development of our services, we do so in an anonymized manner.
- We use “Quora Tracking Pixel” on our website, which is supplied by Quora Inc., 650 Castro Street, Suite 450, Mountain View, CA 94041, USA (“Quora”).
User behaviour can be tracked after forwarding to our websites by clicking on a Quora ad. This makes it possible to track the effectiveness of ads for statistical and market research purposes. The data collected in this way is anonymous to us, i.e., we do not see any personal data of individual users.
9. Legal Basis
The processing of your data is carried out in accordance with the following legal bases: your consent in accordance with Art. 6 para. 1 lit. a) GDPR or, as the case may be, Art. 9 para. 2 lit. a) GDPR, for the performance of a contract with you in accordance with Art. 6 para. 1 lit. b) GDPR, for the fulfilment of legal obligations in accordance with Art. 6 para. 1 lit. c) GDPR or for a legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.
The legal basis for processing your data in accordance with the stated processing purposes is:
- Contacts: if you wish to contact us, for example because you send us an email or write to us via a contact form, the legal basis is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in the complete processing of your contact. Since you are contacting us, we assume that there are no interests on your part that conflict with the processing of your request. If the contact is for the purpose of concluding a contract or the performance of a contract, the legal basis for the processing is § 6 (1) lit. b) GDPR. If consent is given, the legal basis for processing the contact is Art. 6 para. 1 lit. a) GDPR or, where applicable, Art. 9 para. 2 lit. a) GDPR.
- Contracts: The legal basis for processing your personal data for the performance or initiation of contracts is Art. 6 (1) lit. b) GDPR. This includes, in particular, the processing of data through the use of our Platform, unless another described processing purpose (and corresponding legal basis) applies and is relevant. In addition, we also process your data in accordance with legal provisions resulting, for example, from tax law. This type of processing is lawful according to Art. 6 (1) c) GDPR. In the case of requests that do not give rise to a contractual relationship, we have a legitimate interest pursuant to § 6 (1) (f) GDPR to keep track of the request data for a limited period of time in order to assert our legal claims or defend ourselves against lawsuits.
- Security and presentation of our website: Each time our website is accessed, usage data is transmitted by the respective internet browser and stored in log files, so-called server log files. The data records that are stored are the name of the website accessed, the file, the date and time of access, the amount of data transferred, the notification of successful access, the type and version of the browser, the operating system of the user, the referrer URL (the previously visited page), the IP address and the requesting provider. These log file data records are evaluated to protect our website against attacks, to find and correct errors and to monitor server utilisation. This is also our legitimate interest according to Art. 6 para. 1 lit. f) GDPR.
Cookies and other technologies may be necessary for the complete and correct display of our website. Unless otherwise specified, the complete and correct display is a legitimate interest on our part in this data processing in accordance with Art. 6 (1) (f) GDPR. The legal basis for the use of the Quora service is Art. 6 para. 1 lit. f) GDPR. To disable the tracking feature via Quora Pixel, please visit this page: https://www.quora.com/optout.
- Complaints: The legal basis for the processing of your personal data for the filing of complaints through the complaints channel is Art. 6 (1) lit. c) of the GDPR. This includes, in particular, the processing of data through the use of our Platform and website.
- Video calls: Every time you attend a video call with our Customer Experience or Sales team and the call is recorded through the Gong application, the basis of legitimacy that we will take into account is the consent of the interested party.
Factorial HR implements state of the art security standards to prevent unauthorized access, maintain data accuracy, and ensure the correct use of information. We also implement appropriate organizational measures to protect your information.
We apply our security standards also when working with business and technology partners. We only select and contract with processors and third parties who use appropriate security measures and provide sufficient guarantees, including technical and organizational measures, to ensure the appropriate protection of the data we entrust with them.
Moreover, Factorial HR’s employees have signed a Non-Disclosure Agreement or clause in connection with their employment and we have set internal processes such as continuous training and policies that are frequently updated to ensure the availability and resilience of our systems and services. Additionally, Factorial has defined an incident response plan in case of a physical or technical incident.
11. Sharing of your personal data
Data processed by Factorial HR is hosted in the EU and processed either within the EU or such third country deemed to offer an adequate level of security by the European Commission, or by service providers that have entered into binding agreements that fully comply with the lawfulness of third country transfers. In this sense, your data will be stored in EU-West1 region of Amazon Web Services (AWS), more specifically in Frankfurt.
The current list of subprocessors is this:
- Amazon Web Services (AWS) - Web hosting - Frankfurt (DE)
- Amazon Web Services Rekognition (AWS) - Facial Recognition - Frankfurt (DE)
- Amazon Cognito - Authentication and management of users - Frankfurt (DE)
- Hubspot - Inbound marketing, sales and customer service - USA
- Sendgrid - E-mail services - USA
- Getsite control - Web traffic conversion - Cyprus
Other recipients of your data may include government agencies and administrations, to the extent that we are legally obliged to do so, and service companies, such as tax advisors or lawyers.
In some cases, we may need to transfer your data to third parties in order to process your request, such as booking a meeting with us through Videoask.
12. International data transfers
The information we collect from you may be processed in third countries as understood in article 44 GDPR. Some third countries, such as the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.
13. Retention period
We keep personal data for different periods, depending on the type of information, the period of our contract with our Clients, legal requirements regarding certain types of data, and other factors.
Generally speaking, we will stop processing your information when (a) your employer is no longer a Customer of Factorial HR; or (b) you are no longer an employee of our Customer. If circumstance (a) or (b) occurs and we are under no legal or contractual duty to preserve your information for a longer period, we will delete your data.
If we have to retain your information for the purposes of complying with a contractual or legal obligation of retention, or to resolve disputes or enforce our rights, we will restrict its access by specific persons or roles.
In relation to the information communicated through the complaints channel, it will be stored for no longer than it is necessary and proportionate in order to comply with the requirements imposed by the Whistleblowers Directive. After that time, the complaints will be suppressed with the pertinent security measures, without applying any blocking obligation.
14. Your rights
A) California Consumer Privacy Act (CCPA)
If you are a resident of the state of California, under the California Consumer Privacy Act (CCPA), you have the following rights:
- Right of access: the right to know what personal information is being collected from you and how it is used and shared.
- Right to delete: the right to delete the personal information we hold from you (with some exceptions).
- Right to opt out: the right to opt out of the sale of your personal information.
- Right to non-discrimination: the right not to receive discriminatory or differentiated treatment from us because you exercise a right conferred by the CCPA.
To submit a right to know, delete or opt-out request, click here or send an email to CCPA@factorial.co. You may only make a verifiable customer request for access twice within a 12-month period. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
If you submit a right to know or deletion request, Factorial will attempt to verify your identity with a reasonably high degree of certainty. If we cannot verify your identity, in accordance with our obligations under the CCPA, we will decline to comply with your request.
According to our obligations under CCPA, we endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (for a maximum total of 90 days), we will inform you of the reason and extension period by email. We do not charge a fee to process or respond to your verifiable consumer request unless the request is excessive, repetitive or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Alternatively, we may decline to respond to the request and notify you of our reason for doing so.
Under the CCPA, the personal information of California consumers who are acting as employees of a company is exempted from most requirements of the CCPA in their interactions with businesses who process their personal information in their role as employees or officers of a company.
Such users hold the following rights under CCPA:
- The right to opt-out of the sale or transfer of user personal information for consideration by a business (“do not sell my information”)
- The right not to receive discriminatory or differentiated treatment by a business because you exercised a right conferred by the CCPA.
B) General Data Protection Regulation (GDPR)
Under the GDPR you have certain rights when it comes to our processing of your personal data:
- Right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights.
- Right of access: You have the right to obtain access to your personal data.
- Right to rectification: You are entitled to have your personal data rectified if they are inaccurate or incomplete.
- Right to erasure: This right enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not an absolute right to erasure and exceptions apply.
- Right to restrict processing: You have rights to ‘block’ or suppress further use of your personal data. When processing is restricted, we can still store your personal data, but may not use it further.
- Right to data portability: You have a right to obtain and reuse your personal data for your own purposes across different services.
- Right to object to processing: You have the right to object to certain types of processing.
- Right to lodge a complaint: You have the right to lodge a complaint about the way we handle or process your personal data with your national data protection authority.
- Right to withdraw consent: If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time.
- Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal (or similarly significant) effects on you.
Factorial HR usually acts on requests and provides information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests; or
- further copies of the same information.
You can address your communications and exercise your rights by sending written communication to the following e-mail address GDPR@factorial.co. In some cases, the request may be refused if you ask for the deletion of data necessary for the fulfilment of legal obligations.
Last update: 2nd March 2022