Last updated: November 2020
This notice applies to our website www.complyworks.com (“Website”) and our marketing services, as related to personal information or personal data of an identified or identifiable individual from any Canadian or international jurisdiction, including EU jurisdictions.
Additional specific information is available below, for Canada and EU jurisdictions.
We may need to update this notice from time to time. Where a change is significant, we’ll make sure we let you know by sending you an email, if you are a registered user with us or by posting a visible notice on our Website.
Our Privacy Practices
Who we are
When we refer to ‘we’ (or ‘our’ or ‘us’), we mean ComplyWorks Ltd.
Our headquarters are in Calgary, Canada and we also have local offices in Toronto and internationally in Pretoria, South Africa (“Affiliates”). Our addresses are available on our Contact page.
During 2020, we were acquired by Veriforce LLC (“Affiliate”) https://veriforce.com/ which is a US based entity operating and offering similar services and products to ours.
References to our “Affiliate(s)” include companies that are under the same common ownership as ComplyWorks and the parent company of the group that owns us.
We provide an easy-to-use global online compliance platform for businesses of all sizes. If you want to find out more about what we do, see the What We Do page.
If you are a contractor asked to subscribe to our platform by an organization or an employee of an organization using our platform to manage their workforce compliance requirements, please contact the organization to learn more about their privacy practices. We process your personal data under their strict guidance and instructions.
What information we collect and how
We collect information by fair and lawful means and limit the collection to the personal information that is necessary for us to provide our services to you and our customers.
We collect information directly from you:
- When you purchase one of our services, for example our training courses, we collect your name, contact details (phone, email address, physical address, company you work for or represent) and payment details. We do not store the payment details.
- When you sign up to receive our news, updates and marketing communications, we collect your name and email address and company you work for or represent. You may unsubscribe at any time from these communications by clicking the “Unsubscribe” link in the email.
- When you request a free demo of our platform, we collect your name, email address, company you work for, country you live in, phone number, job title and your status as a contractor, vendor or supplier.
- When you submit a job application for one of our open positions to our dedicated email address, we will collect your name, contact details, work history, education, skills and other information you include in the body of the email and your resume.
- When you contact us with questions and inquiries, we collect your name, contact details (phone, email address, company you work for or represent) and your user account details.
- When you contact us directly by phone, we may record the call with you for training purposes.
We strive to obtain your consent when we collect your personal information unless the applicable privacy legislation allows collection without consent.
We collect Information automatically
We collect some information about you automatically when you visit our Website or use our online compliance platform, like your IP address, browser type, site clicks etc.
This information helps us understand how you’re using our Website and services so that we can continue to provide the best experience possible (e.g., by personalising the content you see).
We collect information from other parties
Limited personal information such as name, company you work for, contact details, job role, work email and telephone number may be collected from an organization that has contracted our services. The purpose of this information is to allow us to invite you to subscribe to our compliance platform on behalf of our customer organization.
How we use your personal information
We use the personal information for the following reasons:
- To provide to you the services you purchased from us, such as online training
- To communicate with you, as needed, to ensure you receive the purchased services or to provide you with information you have requested from us
- To communicate to you operational changes, security updates, user account maintenance and support information
- To process the payment you made for the purchased services
- To deliver marketing communications in accordance with your marketing preferences
- To support you and provide assistance with the resolution of technical support issues or other issues relating to the Website or services, whether by email, by phone or otherwise
- To enhance our Website and services and develop new ones. For example, by tracking and monitoring your use of Website and services so we can keep improving or by carrying out technical analysis of our Website and services so that we can optimise your user experience and provide you with more efficient tools
- To protect ourselves and you through detection and prevention of any fraudulent or malicious activity and to make sure that everyone is using our Website and services fairly and in accordance with our terms and conditions available on our platform once you have logged in at https://new.complyworks.com/public/ComplyWorks_User_Agreement.pdf
- To carry out various analysis and gather metrics related to our performance of our services and interactions with you in order to deliver enhanced services to you
- To carry out market research about our products and services and to understand our customer base
How we share your information
We do not generally share your personal information but if we need to, we will only disclose your personal information to:
- Our Affiliates. These are companies that are under the same common ownership as ComplyWorks and the parent company of the group that owns us.
- Third party service providers and partners who assist and enable us to carry out our services, for example:
- to support delivery of or provide functionality on the Website or services,
- to provide IT managed services and server hosting services
- to provide credit card payment services, or
- to market or promote our goods and services to you
- Regulators, law enforcement bodies, government agencies, courts or other third parties where it’s necessary to comply with applicable laws or regulations or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure
- An actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger or acquisition of any part of our business
- Other people and businesses where we have your consent, for example if you wish to display your business credentials to specific Employers in our database
How we store your personal information and how long for
Your personal information is stored on servers in Canada. Security of your personal information is a priority for us and have appropriate technical and organisational measures in place to make sure that your personal information is protected.
The length of time we keep your personal information depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a service you’ve requested or to comply with applicable legal, tax or accounting requirements).
We’ll retain your personal information for as long as we have an ongoing relationship with you and for a period of time afterwards where we have an ongoing business need to retain it. Following that period, we’ll make sure it’s deleted or anonymized.
It’s your personal information and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time by following the unsubscribe instructions contained in the marketing communications or make your request on the Contact page.
Based on the country you live in, you may also have the following rights:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing (for EU based individuals) - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing (for EU based individuals) - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability (for EU based individuals) - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Your right to withdraw consent – You have the right to withdraw consent at any time, for our collection and use of any of your personal information that was collected based on your consent.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Security and confidentiality
ComplyWorks has implemented commercially reasonable and appropriate technical, physical, and organizational measures to protect employee and client data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access during the processing, which will meet the requirements of applicable legislation, or any stricter requirements, as applicable.
For individuals based in European Union, EEA, Switzerland and UK
For listing of what countries are in the EU or EEA see https://europa.eu/european-union/abouteu/countries_en#other-european-countries and https://ec.europa.eu/eurostat/statisticsexplained/index.php/Glossary:European_Economic_Area_(EEA).
The information below should be read in addition to the information in the section Our Privacy Practices.
ComplyWorks may act as controller or processor of your personal data.
We act as controller in the following situations:
- when we collect your personal data through your direct interactions on our Website
- when we collect your personal data automatically
- when you interact with us directly at trade shows, events, through training and informational programs etc
We act as processor of your personal data every time we collect your personal data though our subscription based application website (https://new.complyworks.com), at the direction of one of our client employers or at your direction. We only process your personal data only as instructed or permitted by our client employer or you.
We have appointed a EU and UK representative, DataRep, which you may contact as follows:
- sending an email to DataRep at firstname.lastname@example.org quoting “ComplyWorks Ltd” in the subject line,
- contacting us on our online webform at https://www.datarep.com/data-request, or
- mailing your inquiry to DataRep at the most convenient addresses
Country Address Austria DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria Belgium DataRep, Place de L'Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium Bulgaria DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria Croatia DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia Cyprus DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus Czech Republic DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic Denmark DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark Estonia DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia Finland DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland France DataRep, 72 rue de Lessard, Rouen, 76100, France Germany DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany Greece DataRep, 24 Lagoumitzi str, Athens, 17671, Greece Hungary DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary Ireland DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland Italy DataRep, BPM 335368, Via Roma 12, 10073 , Turin, Italy Latvia DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia Lithuania DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania Luxembourg DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg Malta DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta Netherlands DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands Poland DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland Portugal DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal Romania DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania Slovakia DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia Slovenia DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia Spain DataRep, BPM 335368, Avd. Castilla La Mancha Nº 70-1 (Nave A), 45270, Mocejon-Toledo, Spain Sweden DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden United Kingdom DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom
Legal basis for processing
We process your personal data using the following legal bases:
- consent. We obtain and record your consent every time you submit your personal data to us (for example, to register for news and marketing updates)
- contractual. We process your personal data in order to deliver any contracted services (for example, processing payment for a purchased training course)
- legitimate interest. We process your personal data for our business interests such as improvement of our services and Website content. (for example, automatic collection of IP addresses when Google Anonymizer tool may not be used.
International Data Transfers
We collect and process your personal data in Canada which is a country benefitting from the adequacy status granted by the European Union. This means that the European Commission has decided that the legal framework in Canada provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data.
We may also transfer the personal data to other countries or international organizations, such as our Affiliates and some service providers but we will only do so where we have approved transfer mechanisms in place to protect your personal data, such as European Commission’s Standard Contractual Clauses and Data Sharing agreements.
How to contact us
If you would like to get in touch with us with any privacy related questions/comments or if you would like to exercise your rights, please get in touch with us, Contact page or by writing to us at: ComplyWorks Privacy Officer Suite 200, 4838 Richard Road SW Calgary, Alberta Canada T3E6L1.
We will get back to you within regulatory or reasonable timelines.
If you are located in the EU, you also have a right to complain to your local data protection authority. Visit their websites to understand how to submit a complaint. Here is a list of EU data protection authorities and their addresses https://ec.europa.eu/info/law/law-topic/dataprotection/reform/what-are-data-protection-authorities-dpas_en.
For individuals based in Canada
The information below should be read in addition to the information in the section Our Privacy Practices.
We process your personal information as per requirements of provincial and federal Canadian privacy legislation.
Your rights to the personal information are:
Right to access
- End users, ie users of our Platform, may see what personal information we have on them, by accessing the user account.
- Other individuals may contact us using the contact details from Contact page to obtain more information about what personal information we have and also to obtain a copy of their personal information.
Right to be informed
Right to rectification
- You may contact us to request correction of the personal information we have on you, if you believe it is inaccurate or incomplete.
Right to deletion
- You may have the right to request deletion of your personal information. This right is subject to contractual obligations between us and you as well as to other legal requirements.
To exercise any of your rights, please contact us using the details from Contact page.
You also have the right to complain to the federal or provincial Privacy Commissioners or request any decision reviews.
Here are the details:
Privacy Commissioner of Canada, 112 Kent Street, Ottawa, Ontario, K1A 1H3 -or- to the Office of the Information
For contact information for all provincial privacy commissioners or ombudsman, see https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorialcollaboration/provincial-and-territorial-privacy-laws-and-oversight/