CCPA and GDPR Job Applicant Privacy Notice
Job Applicant Privacy Notice
Updated: April 22, 2024
As your employer, Gradle, Inc. (the “Company” or “we”) must meet our contractual, statutory, and
administrative obligations. We are committed to ensuring that the personal data of our employees and contractors, as
well as their emergency contacts and beneficiaries’ data, is handled in accordance with sound data protection and
privacy principles.
This privacy notice tells you as an employee or contractor what to expect when we collect personal
information about you. It applies to all employees and contractors at Gradle and our subsidiaries (collectively,
“Personnel”). Importantly, what we process about you will vary depending on your specific role and personal
circumstances. Unless otherwise noted, we are considered the controller (or “business” under the California Consumer
Privacy Act (CCPA)) of this personal information.
We do not sell or otherwise disclose or share your personal information for monetary or other
consideration to any third parties, but we may need to share relevant information with service providers and
sub-processors (collectively, “Service Providers”), in order to fulfill our business purposes, act on your behalf,
comply with our legal obligations, or for other purposes described below.
What Categories of Personal Information Do We Collect and How Do We Use This Information as a Business?
We collect the following categories of personal information for the following business purposes identified
below:
Category of Personal Data | Types of Personal Information Collected and Processed | Reason / Business Purpose of Collection and Processing |
---|---|---|
Information Related to your Employment | | We collect and process this information to: |
Salary, Pension and Benefits | | We collect and process this information to: |
Information Related to Your Performance, Promotions and Training | | We collect this information to: |
Sensitive Personal Information and Protected Categories Information | | We collect this information to: |
Internet or Network Activity information When Using our Networks | | We collect this information to: |
If You Contract With Us or Seek Reimbursement for Expenses | | We collect this information to: |
Sensory Data | | We collect this information to: |
Inferred Data | | We collect this information to: |
Personal Data About Minors | | We collect and process this information to: The Company collects information about Employees’ dependents under the age of 16 if Employees voluntarily provide such |
Information Collected for Legal and Contractual Obligations | | We collect and process this information to: The Company collects this information to comply with our legal and contractual requirements, and to establish, exercise, |
Where Do We Obtain Your Personal Information?
We usually collect personal information directly from you. We may also collect personal information from
other sources. For example, we may collect information from:
- Recruiters, recruiting platforms (e.g., Greenhouse, LinkedIn) and employment agencies;
- Professional references you provide to us;
- Pre-employment screening services;
- Prior employers (e.g., for references);
- Educational institutions;
- Government agencies;
- Third parties and service providers as necessary to provide you with benefits, equipment, technology, and ancillary services;
- Credentialing and licensing organizations;
- Pension and benefits providers and providers of other staff benefits;
- Publicly available sources such as your social media profile (e.g., LinkedIn, Twitter, and Facebook);
- CCTV images at our office locations; and/or
- Other sources as directed by you.
Who Do We Share Your Data With?
We may share your personal information as necessary for the purposes described in this Privacy Notice,
including with other businesses. For example, we share your personal information with the following parties:
- Affiliates and Subsidiaries: We may share information with affiliates and subsidiaries of Gradle.
- Service Providers: We use service providers to operate, host, and facilitate our operations and business. These include hosting, technology, and communication providers; security and fraud prevention services and consultants; analytics providers; background and reference check screening services; immigration support; HR and recruiting; payroll administration; and benefits management and administration tools. We share data and information for Personnel located in the United States with the Company’s professional employer organization, Sequoia One. For information on how Personnel data may be processed by Sequoia One, please review Sequoia One’s Privacy Policy, available at https://one.sequoia.com/legal/privacy/.
- Government authorities and law enforcement: In certain situations, we may be required to disclose personal information in response to lawful requests made by public authorities, including to meet national security or international law enforcement requirements, and for immigration support purposes.
- Business transfers: Your personal information may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part).
- Professional Advisors and Contractors: We may share your personal information with our professional advisors and contractors to handle business operations.
- Other: We may also share your personal information
with third parties for purposes of fulfilling our legal obligations under applicable law, regulation, court order,
or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal
or prohibited activities; protecting the rights, property or safety of you, us or another party; enforcing any
agreements with you; responding to claims; and resolving disputes.
We do not share your information with any third party for the purposes of behavioral advertising. We may share sensitive personal information in specific contexts, as described above.
The Company has agreements in place with our affiliates and subsidiaries, as well as service providers, professional
advisors and contractors. These agreements strictly limit and set strong controls around the collection, use, storage,
sharing and retention of your data. A list of our third party Service Providers is attached hereto as Exhibit A.
Your Rights
Depending on where you live, you may have additional rights under the data protection laws. For example,
the California Consumer Privacy Act, other US state laws, and the EU and UK General Data Protection Regulations all
provide individuals (or their authorized agents) with additional rights to their data.
Many of these rights ensure that you are informed and aware of how we process data about you. For example,
you have the right to know what information we collect, the categories and sources we collect data from, our business
purposes for collecting and processing your data, our legal reasons (or ‘lawful basis’) for processing your data, our
retention period and security controls, and who we share your data with. Most of this information is available in this
privacy notice.
But you also have other rights, which we have listed below. Sometimes, we may have valid grounds for
limiting how we respond to some requests, rejecting a request, or charging a reasonable fee. Sometimes, technical or
legal restrictions may also make it impossible for us to comply with your request. For example, we may not be able to
delete information about you if we need it to fulfill our legal obligations, or we may not be able to provide you with
access to information if we have anonymized it.
In addition to the right to know, you have the following rights under the data protection laws:
- Right of access – you have a right to access a copy of the data we hold about you. This right may be restricted depending on the volume and nature of the request, specific exceptions under the law, or the type of data available.
- Right to withdraw consent – if we process data (including transferring data outside of the US, EU, or UK) based on your consent, you have the right to withdraw that consent at any time.
- Right to rectification – if you believe the information we have about you is wrong or incomplete, you have a right to ask us to correct that data.
- Right to erasure (i.e. a right to be forgotten) – you have the right to ask us to delete data about you. While this is not an absolute right, if we no longer need this data, we will delete it.
- Right to data portability – If you would like to transfer data to another service, you have a right to receive your personal data in a machine-readable format.
- Right to restrict processing (or opt out of sale and sharing) – in certain cases, you may ask us to stop processing your data – for example, if we process data for a purpose you do not consent to, if we sell or share your information with third parties, especially sensitive personal information, or if we use that information to infer characteristics about you. In such cases, unless this processing is legally necessary, we will comply with your request.
- Right to refuse automated decision-making including profiling – In some situations, if we make decisions about you based solely on automated means or profiling, you have the right to object and to ask us to stop.
- Right to non-discrimination – Under the CCPA and related laws, you have a right not to be subject to discrimination if you exercise these rights.
- Right to lodge a complaint with the Supervisory Authority – If you are based in the EU/EEA or UK, you can complain to your data protection authority if you feel your rights have been infringed.
- Right to seek a judicial remedy: Depending on your jurisdiction, you may have the right to make a legal claim where you believe we or our processors have not fulfilled our obligations under the data protection laws.
We are committed to helping you exercise your rights. If you have a query, you can email us at privacy@gradle.com.
To comply with your request, we may request specific information from you to help us confirm your
identity. If we cannot comply with your request, or need to limit information we share, we will inform you of the
reasons why, subject to any legal or regulatory restrictions. We generally have at least one month (30 days) to
respond to a request under the law but may request additional time in some cases.
Data Retention
Except as otherwise permitted or required by applicable law, regulation, or other legal obligation, we
will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, in
line with our data retention policy.
Under some circumstances we may aggregate and/or anonymize your personal information so that it can no
longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate
business purpose without further notice to you or your consent.
Data Security
We have implemented appropriate physical, technical, and organizational security measures designed to
secure your personal information against accidental loss, unauthorized access, use, alteration, or disclosure. In
addition, we limit access to personal information to those employees, agents, contractors, and Service Providers that
have a legitimate business need for such access.
In terms of technical controls, we apply encryption in transit and at rest, regularly undertake
vulnerability assessments on our software and tools, monitor our service providers’ compliance with their data
protection and security obligations, and ensure that contracts and agreements are in place with organizations that
touch your data. If you have additional questions about our security practices, please reach out to security@gradle.com.
Personnel Located in the EU/European Economic Area (EEA) and the United Kingdom (UK)
If you are in the EU / EEA or the UK, we need to provide you with additional information regarding our
legal reasons (or ‘lawful basis’) for processing your personal information. These fall into the following categories:
- Article 6(1)(a) – If we obtain your consent
- Article 6(1)(b) – To perform a contract with you, or on your behalf
- Article 6(1)(c) – To comply with our legal obligations
- Article 6(1)(f) – For our legitimate business interests. We will undertake a legitimate interests assessment that balances our interests against yours as a data subject.
Additionally, when we process sensitive personal information (or sensitive categories data), we have
additional legal grounds on which we may rely. These are:
- Article 9(2)(b) – To meet our employment obligations and carry out our rights in the field of employment, social security and social protection
- Article 9(2)(e) – If the information has manifestly been made public by you
- Article 9(2)(f) – For the establishment, exercise, or defense of legal claims
We will only process your personal data for the purposes we collected it for or for compatible purposes.
If we need to process your personal data for an incompatible purpose, we will provide notice to you and, if required
by law, seek your consent. We may process your personal data without your knowledge or consent where required by
applicable law or regulation.
Depending on the processing activity, we rely on the following lawful bases for processing your personal
data under the EU and UK GDPR:
Category of Personal Data | Reason / Business Purpose of Collection and Processing |
---|---|
Information Related to your Employment | |
Salary, Pension and Benefits | |
Information Related to Your Performance, Promotions and Training | |
Sensitive Personal Information and Protected Categories Information | |
Internet or Network Activity information When Using our Networks | |
If You Contract With Us | |
Sensory Data | |
Inferred Data | |
Personal Data About Minors | |
Information Collected for Legal and Contractual Obligations | |
Data Privacy Framework (DPF)
This policy applies to Personal Data processed in the course of the EU-U.S. Data Privacy Framework, to which Gradle has committed. Gradle complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom (including Gibraltar) and Switzerland to the United States.
Gradle has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
Gradle has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.
Under the EU-U.S. DPF, including the UK Extension of the EU-U.S. DPF, and the Swiss-U.S. DPF, Gradle shall be subject to liability in cases of onward transfers of personal information to third parties. However, Gradle is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles including the UK Extension of the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the EU-U.S. DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/.
EU, UK, and Swiss individuals have rights, under certain circumstances, to access Personal Data about them, request that Personal Data be corrected, amended, or deleted and to limit use and disclosure of their Personal Data. With our Data Privacy Framework self-certification, Gradle has committed to respecting those rights. To exercise your rights under the DPF Principles, please contact Gradle at: privacy-internal@gradle.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Gradle commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Gradle’s privacy team at privacy-internal@gradle.com.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2 for more information.
Contact for questions
If you have any questions or concerns regarding this Privacy Notice or the collection of your personal information, please contact our Data Protection Officer:
Michael Baylon
Email: privacy-internal@gradle.com
Website: www.gradle.com
Address: 2261 Market Street #4081, San Francisco, CA 94114, United States / Danckelmannstr. 21, 14059, Berlin, Germany
Personnel with disabilities may access this notice in an alternative format by contacting privacy-internal@gradle.com.
Exhibit A
Third Party Service Providers
Data Processor | Data Protection Officer Contact | Description of Processing Activities |
---|---|---|
Hi Bob, Inc. | Mr. Miki Fainberg, DPO dpo@hibob.io | DPA Human resources administration platform |
Certn Holdings Inc. | privacy@certn.co | DPA Background check provider |
Greenhouse Software, Inc. | Brian Reece and Ron Gutierrez privacy@greenhouse.io | DPA Recruiting and hiring platform |
eShares, Inc. DBA Carta, Inc. | privacy@carta.com | DPA Equity benefits and administration |
ForUsAll Inc. | James Gramata, Data Processing Officer james.gramata@forusall.com | Privacy Policy 401(k) benefits administration |
Sequoia Benefits and Insurance Services, LLC | contactus@sequoia.com | Privacy Policy Payroll and human resources benefits administration |
EasyLlama, Inc. | Michael Devyver, CTO michael@easyllama.com | Privacy Policy Expense reimbursement tool (through Q1 2024) |
Mineral, Inc. | privacy@trustmineral.com | DPA Anti-harassment training platform for employees located outside the US |
Remote Europe Holding B.V. | Reach out via this form | Privacy Policy Anti-harassment training platform for employees located in the US |
Certify, Inc. | support@certify.com | Privacy Policy Employment of Record services for employee hiring in countries where we do not have an entity |
Swiss Life Ltd. | info.com@swisslife.ch | DPA Swiss insurance/benefits platform and administration |
DATEV eG | Walter Deinzer datenschutz@datev.de | Privacy Policy German payroll platform, processes and provides payroll data |
JobRad GmbH | Eva Böttcher, Data Processing Officer datenschutz@jobrad.org | DPO German benefits platform and administration for bikes leased through the employer (1 active user) |
NAVAN, Inc. | Wendy Anna Herby, DPO dpo@navan.com | DPO German benefits platform and administration for bikes leased through the employer (1 active user) |
TravelPerk S.L. | Data Protection Officer dpo@travelperk.com | Privacy Policy Travel booking and expense processing platform |
Not Available | Not Available | Privacy Policy Travel booking platform (through Q1 2024) |