Lightspeed Systems Applicant and Employee Privacy Policy

This Applicant and Employee Privacy Policy (“Policy”) describes how Lightspeed Systems (“Lightspeed,” “Company,” “we,” “us,” “our”) collects, uses, and discloses personal information as defined under applicable law from and about (1) job applicants and (2) our employees and contractors (and their beneficiaries and emergency contacts) in the context of our recruiting and working relationship with the relevant individuals. We may update this Policy at any time. We may also provide you additional privacy notices regarding our collection, use, or disclosure of information. If you are a resident of the United Kingdom or European Economic Area, please also refer to the additional notice at the bottom of this Policy (the “EU/UK Notice”).

This Policy does not form part of any employment contract or contract to provide services. If you provide services to us through or in connection with another company, we are not responsible for that company’s privacy practices.

This Policy does not apply to our handling of data gathered about you in your role as a user of our consumer-facing services. When you interact with us in that role, the Lightspeed Privacy Policy applies.

1. Types of Personal Information We Handle and How We Use This Information

We collect, store, and use various types of personal information through the application and recruitment process or during the relevant engagement or employment with us. We collect such information either directly from you or (where applicable) from another person or entity, such as an employment agency or consultancy, background check provider, or other referral sources.

A. Applicants

Information we collect. The type of information we collect about you may include:

  • Identification and contact information such as full name, physical address, telephone number, and email address.
  • Professional or employment-related information, including:
    • Recruitment, employment, or engagement information such as application forms and information included in a resume, cover letter, or otherwise provided through any application or engagement process.
    • Career information such as job titles; work history; work dates and work locations; information about skills, qualifications, experience, publications, speaking engagements, and preferences; and professional memberships.
  • Education information such as institutions attended, degrees, certifications, training courses, publications, and transcript information.
  • Assessment information such as performance on applicant personality and cognitive assessments.
  • Audio or visual information such as CCTV footage as well as other information relating to the security of our premises; and photographs submitted.
  • Other information that you voluntarily choose to share with us in connection with your application.

How we use this personal information. We collect, use, share, and store personal information from job applicants for our and our service providers’ business and operational purposes in our recruitment and hiring process such as: processing your application; assessing your skills, qualifications, and interests; tracking your application through the recruitment process; contacting references; conducting background checks you authorize; evaluating you for current and future job opportunities, including matching your skills and interest to applicable job requirements; communicating with you throughout the hiring process; making hiring decisions; and fulfilling your requests. We will also use job applicant information for internal analysis purposes to understand the applicants who apply and to improve our recruitment process, including improving our diversity and inclusion efforts. We may sometimes need to use applicant information for legal purposes, such as in connection with any challenges made to our hiring decisions.

B. Employees and Contractors

Information we collect. The type of information we have about you (and potentially your beneficiaries and emergency contacts) depends on your role with us and may include, where applicable:

  • Identification and contact information and related identifiers such as full name, date and place of birth, citizenship and permanent residence, home and business addresses, telephone numbers, email addresses, and such information about your beneficiaries or emergency contacts.
  • Professional or employment-related information, including:
    • Recruitment, employment, or engagement information such as application forms and information included in a resume, cover letter, references, or otherwise provided through any application or engagement process; and copies of identification documents, such as driver’s licenses, passports, visas, and other government-issued documents; and background screening results and references.
    • Career information such as job titles; work history; work dates and work locations; employment, service or engagement agreements; appraisal and performance information; information about skills, qualifications, experience, speaking engagements, and preferences (e.g., mobility); absence and leave records; professional memberships; disciplinary and grievance information; and termination information.
    • Financial information such as salary, payroll, pension or retirement contribution information; and bank account and tax information.
    • Business travel and expense information such as travel itinerary information, corporate expenses and Company credit card usage.
  • Education information such as institutions attended, degrees, certifications, training courses, publications, and transcript information.
  • Internet, electronic network, and device activity and device information and related identifiers such as information about your use of the Company network, information, and communication systems, including user IDs, passwords, IP addresses, device IDs, web logs, and audit trails of system access.
  • Geolocation information for device recovery if you use a Company-issued device and when you handle Company property.
  • Audio or visual information such as CCTV footage, as well as other information relating to the security of our premises; recorded meetings or presentations in which you participate; call recordings from Company system; photographs submitted from and photographs taken at Company functions.
  • Potentially protected classification information such as race, sex/gender, gender identity/expression, sexual orientation, marital status, military service, nationality, ethnicity, request for family care leave, political opinions, criminal history, and other information to help us monitor compliance with equal opportunity legislation.
  • Health information about you, and, if applicable, your beneficiaries, such as medical conditions and other information provided in statement of health forms, disability status, health and safety incidents or accidents, sickness records, and health issues requiring adaptations to your working environment or working practices.

How we use this personal information. We collect, use, share, and store personal information for the Company’s and our service providers’ business purposes, which include, where applicable:

  • HR management and administration including training, compensation and benefits, invoices, leave, scheduling, career development, performance appraisals and recognition, investigating and resolving inquiries and complaints, providing references, succession planning, organizational changes, fraud prevention and investigation, preparing analyses and reports, and communicating with our workforce about updates or relevant information about perks, benefits and discounts, and changes to Company products and services.
  • Performance of business operations, including providing and monitoring IT systems for any lawful purpose, maintaining accounts and internal directories, crisis management, protecting occupational health and safety, participating in due diligence activities related to the business, business succession planning, and conducting internal analyses and audits.
  • Recruitment, including interviewing, selecting and hiring new staff.
  • Security operations, including detecting security incidents, debugging and repairing errors, preventing unauthorized access to our computer and electronic communications systems and vehicles and preventing malicious software distribution, and monitoring and controlling access to company premises and locations (including through use of CCTV).
  • Safeguarding Lightspeed and the service, including the protection of the Company, our workforce, users, partners, and others.
  • Legal compliance, such as complying with anti-bribery, tax, social security, and immigration obligations, and responding to and cooperating with legal or regulatory requests and investigations.
  • At your request, in order to fulfil your requests.

2. With Whom We Share Personal Information

We will disclose job applicant, employee, and contractor personal information to the following types of entities or in the following circumstances (where applicable):

  • Internally: to people within the Company and its affiliates to carry out the purposes described in this Policy, including to human resources and personnel involved in the recruiting and hiring process, and (if you are hired) your manager, as well as personnel within the Company, such as payroll, IT, legal and finance.
  • Service Providers: technology service providers, travel management providers, human resource suppliers, group benefit plan carriers, background check companies, and employment agencies or recruiters, where applicable as well as service providers such as compensation and benefits providers, tax and other professional advisors, technology service providers, corporate card issuers, travel management providers, travel providers, human resources suppliers, group benefit plan carriers, background check companies, and employment businesses (in relation to contractors or agency workers).
  • For business operations: to provide another entity (such as a potential or existing business counterparty or customer) with a means of contacting you in the normal course of business, for example, by providing your contact details, such as your phone number and email address.
  • Legal advice and compliance: to seek legal advice from our external lawyers, or when required to do so by law, regulation, or court order or in response to a request for assistance by the police or other law enforcement agency, including to meet national security requirements.
  • Business transaction purposes: in connection with the sale, purchase, or merger of a business.
  • At your request: in order to fulfil your requests.

3. How to Contact Us About This Policy

If you have questions about this Policy, please email Privacy Department at [email protected]

4. Additional Notice for Residents of the UK and European Economic Area

This EU/UK Notice for residents of the UK and European Economic Area is provided in order to satisfy certain obligations that Lightspeed has under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and UK Data Protection Act 2018 (as amended from time to time) and any relevant transposition of, or successor or replacement to, that regulation (together, the “Data Protection Legislation”).

Under applicable law, Lightspeed is considered the “data controller” of the personal information we handle under this Policy. In other words, we are responsible for deciding how to collect, use and disclose this information, subject to applicable law. Our contact information appears in this Policy.

Legal Bases

Data Protection Legislation may require us to explain to you the legal bases for our collection, processing, and use of your personal information. Our legal bases include:

  • to take steps at your request prior to entering into a contract of employment or other contract with you or performing a contract of employment (e.g., to administer payroll and benefits);
  • our legitimate interests (e.g., human resources management; in managing our business operations and information technology resources, such as managing internal directories and improving cybersecurity; in protecting Lightspeed, its employees, customers, and others; dispute resolution; physical security, IT, and network security; workplace safety; and in managing the employment relationship with you, such as performance reviews, training and promotions; internal investigations);
  • addressing and complying with legal requirements and obligations (in particular in the area of labor and employment law, social security and social protection law, data protection law, tax law, and corporate compliance laws);
  • the protection of the vital interests of you or of another individual (e.g., in an emergency medical situation);
  • your consent (explicit consent where required), in accordance with local data protection law.

Where the collection of personal information is required to comply with legal or contractual obligations, or to manage the employment relationship, the provision of personal information generally is mandatory. In all other cases, provision of requested personal information is optional; however, failure to provide the information may result in your inability to fully participate in the activity or benefit for which the personal information is requested, such as an optional benefit program. If you have any questions regarding whether provision of personal information is mandatory and the consequences for withholding such data, please contact us using the contact information in this Policy.

The personal information that we collect and process may also contain sensitive data relating to your race or ethnic origin, physical or mental health or condition, trade union membership, commission or alleged commission of criminal offences and any related legal actions. For example, Lightspeed may process health information in accordance with applicable laws, such as information on disabilities for purposes of accommodations in the workplace and for the purpose of arranging employee medical benefits. We only collect and process sensitive data where and to the extent permitted in accordance with applicable data protection laws.

Transfer of Personal Information

Your personal information may be transferred to countries which may not have the same or equivalent data protection laws as the European Union. Where required, we make such transfers in compliance with Data Protection Legislation, such as through the use of model contractual clauses (as published by the European Commission).

Retention of Personal Information

We may retain personal information for so long as necessary for the purposes described above, unless a longer retention period is required or permitted by applicable law. To provide security and business continuity for the activities described in this notice, we may make backups of certain data, which we may retain for longer than the original data.

Security of Personal Information

We take technical, administrative, physical, and procedural security measures to reduce the risk that personal information in our possession and control will undergo accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. Please visit our Trust Page for more detailed information on our data privacy and security practices.

Rights and Choices

Where the Data Protection Legislation applies, you have certain legal rights to request access to, and rectification or erasure of, personal information that we hold about you.

In some cases, you are entitled to receive, in portable form, a copy of the personal information you have provided to us or to request that we transmit it to a third party. You may also object to our processing of your personal information or request certain restrictions on the processing. You may withdraw any consent you have provided for the processing of personal information (which will not affect the legality of any processing that happened before the request takes effect). All such rights may be exercised by contacting the applicable entity listed below or by contacting Lightspeed as described above, who will handle or route the request as appropriate. These rights are subject to legal exceptions and limitations, which we must consider when addressing the request.

If you have any questions, concerns or complaints relating to our handling of personal information, please contact us as described in this Policy. You may also contact the relevant governmental authority (e.g., the UK Information Commissioner’s Office for UK individuals) with a complaint related to our handling of your personal information. However, we invite you to give us a chance to resolve the situation directly. Your privacy is important to us, and we will do our very best to address your concerns.

Contacting Lightspeed

To exercise your rights in this EU/UK Notice or under the Data Protection Legislation (including to request further information on the mechanisms we have put in place in relation to personal information transfers outside the EU), or to notify us of your preferences, please contact us as follows:

Data Protection Officer: John Genter
Lightspeed Systems Privacy Department
12013 Fitzhugh Rd.
Austin, TX 78736

Email: [email protected]

General Data Protection Regulation (GDPR) – European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Lightspeed Systems has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

UK General Data Protection Regulation (GDPR) – UK Representative

Pursuant to Article 27 of the UK GDPR, Lightspeed Systems has appointed EDPO UK Ltd as its UK GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR:

5. U.S. Department of Commerce’s Data Privacy Framework (DPF)

The EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF) were respectively developed in furtherance of transatlantic commerce by the U.S. Department of Commerce, the European Commission and the UK Government to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union/European Economic Area and the United Kingdom, while ensuring data protection that is consistent with EU and UK laws.

Lightspeed Systems complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Lightspeed Systems has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Lightspeed Systems is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Lightspeed Systems commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

Accountability for Onward Transfer

In the event Lightspeed Systems transfers personal data covered by this Policy to a third party acting as a controller, we will do so consistent with any notice provided to Data Subjects, any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the Data Privacy Framework Principles, and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Lightspeed Systems has knowledge that a third party acting as a controller is processing Personal Data covered by this Policy in a way that is contrary to the Data Privacy Framework Principles, Lightspeed Systems will take reasonable steps to prevent or stop such processing.

Lightspeed Systems remains liable under the Data Privacy Framework Principles if an agent processes Personal Data covered by this Policy in a manner inconsistent with the Principles, except where Lightspeed Systems is not responsible for the event giving rise to the damage.

Questions/Complaints

If you have any questions, concerns or complaints relating to our handling of personal information, please contact us as described in this Policy. You may also contact the relevant governmental authority (e.g., the UK Information Commissioner’s Office for UK individuals and the relevant Data Protection Authorities for EU individuals) with a complaint related to our handling of your personal information. However, we invite you to give us a chance to resolve the situation directly. Your privacy is important to us, and we will do our very best to address your concerns.

Under certain conditions, an individual may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted, provided that the individual has invoked binding arbitration by delivering notice to Lightspeed Systems, and following the procedures and subject to conditions set forth in Annex I of the DPF Principles.

6. Additional Notice for California Residents

This section applies only to California residents and is intended to supplement this policy with information required by California law.

For detailed information on categories of data collected, purposes of collecting/disclosing data and recipients of disclosures, please refer to Sections 1 & 2 of this Policy.

Exercising your rights: If you are a California resident, there are some additional rights that may be available to you under the California Consumer Protection Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), including:

  • The right to request information about how we process your personal information;
  • The right to request access to the specific pieces of personal information we have collected about you;
  • The right to request that we correct inaccurate information;
  • The right to request deletion of personal information we hold about you; and
  • The right to request that we limit the use of your sensitive personal information.

If you’d like to exercise your rights, please contact us as described in this Policy. Please provide details about the kind of request you are making. In order to protect your information from unauthorized access or deletion, we may require you to provide additional information to verify your identity. If we cannot verify your identity, we will not be able to fulfill your requests to know, access, correct, or delete your information. You will not be discriminated against for exercising any of your privacy rights under the CCPA/CPRA.

This policy was last updated 08/31/2023. Effective Date: 08/31/2023