Privacy Notice
Draft, Updated May 12, 2023
This privacy notice (the “Privacy Notice”) constitutes an agreement between you and Hansen Gress Corporation and its affiliates and subsidiaries (collectively, “Hansen Gress,” “HG,” “us,” “our,” or “we”) while using our IT services pursuant to an IT Services Agreement or other agreement with us (the “IT Services”), or while accessing and using hansengress.com or other websites that we own or operate (collectively, the “Site”),and is governed by and a part of our Terms of Service (https://www.hansengress.com/terms-of-service) and Terms of Use (https://www.hansengress.com/website-terms-of-use). Any terms defined in the Terms of Service or Terms of Use have the same meaning when used in this Privacy Notice. Your privacy is important, and we encourage you to read this Privacy Notice carefully to understand the information we collect and what we do with it.
SCOPE
Please be advised that this Privacy Notice applies to information that we collect when you submit information to us either directly through Hansen Gress or a third party platform or service provider, or communicate with us through telephone, email or other means, or visit the Site,. You might interact with us as a client or potential client receiving IT Services (a “Client”) or as a customer, patient, or visitor to a Client’s website or business (a “Client’s Customer”). This Privacy Notice DOES NOT apply to information collected by our Clients or through websites, apps or other platforms not owned or operated by Hansen Gress (“Third Party Platforms”), including those accessible from or on the Site. If you are a Client’s Customer, your use of a Client’s website or services is governed by the Client’s privacy notice. Likewise, your use of any Third Party Platform is governed by such third party’s privacy notice. Hansen Gress has no control over Client’s or a third party’s privacy practices.
This Privacy Notice also contains information about privacy rights specific to California residents.
CONSENT
By using our IT Services, accessing the Site, or submitting information to Hansen Gress in any way, you consent to this Privacy Notice and the collection and use of information as described below. At different stages of collecting information, we will take steps to notify you and to confirm that you agree. If you do not agree with our policies and practices, you may not be able to access or benefit from certain IT Services or Site features.
PERSONAL INFORMATION
As used in this Privacy Notice, “Personal Information” means information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual consumer or device, such as:
• Identifiers (e.g., name, address, phone, email address, username, IP address)
• Sensitive personal information (e.g., health records, insurance information, state identification number, social security numbers, financial information)
• Protected classification information (e.g., age, sex, veteran or military status)
• Biometric information (e.g., keystrokes, behavioral or biological characteristics)
• Internet or other similar activity (e.g., browsing history)
• Geolocation data
• Employment-related information (e.g., employer, title, work contact information)
• Nonpublic educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)
• Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
Personal Information does not include (a) publicly available information; (b) aggregate information, meaning data about a group or category of services or users from which individual identities and other Personal Information has been removed; or (c) deidentified information that cannot be easily linked back to the individual.
LAWFUL BASIS
We will only collect your Personal Information (a) when applicable, with your consent; (b) if we have a legitimate interest in doing so, such as fulfilling our contract obligations to a Client; or (c) as authorized or required by law. We will limit the collection of Personal Information to that which is reasonable and necessary. If we collect or use your Personal Information based on your consent, we will also notify you of any changes and will request your further consent as needed.
COLLECTION AND USE OF PERSONAL INFORMATION
The types of Personal Information we collect about you and the manner of collection depends on how you interact with Hansen Gress, whether as a Client or Client’s Customer.
Categories. During the preceding 12 months, we have collected these categories of Personal Information:
• Identifiers (e.g., name, address, phone, email address, username, password, IP address)
• Internet or other similar activity (e.g., browsing history)
• Geolocation data
• Employment-related information (e.g., current or past employment)
• Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
Sources. We collect Personal Information from these sources:
• Directly from you when you communicate with Hansen Gress by phone, in person, by email, or via the Site or other means as a Client or Site visitor. We may ask you to provide identifiers like your name, address, email, and phone number. We will also collect your responses to any questionnaires you complete. If you are a Client, we collect information about your company, IT systems, and website. We provide the option for you to provide your payment information via a PCI DSS-compliant payment processor. We collect this information with your consent, and we use it for the purposes stated at the time of collection, to communicate with you about our company, and for our direct marketing.
• From Clients about such Client’s Customers, in our capacity as a service provider of IT Services. When providing managed services to a Client, we may view, transfer or process data containing Personal Information about the Client’s Customers that is stored on the Client’s information system (“Client Data”). Depending on the nature of the Client’s business, Client Data could include any category of Personal Information, such as identifiers, sensitive Personal Information like financial information, protected classification information, internet activity, commercial information, or geolocation data. We may also have access to Client’s Customers’ health information, including information found in medical charts such as date of admittance, diagnosis and prescriptions, and other health information and items related to your insurance or insurance claims. Note that Hansen Gress will only access or view Client Data in order to provide IT Services to a Client. We do not collect, process or store Client Data for our own purposes, and Hansen Gress will never disclose Client data to a third party except as agreed by the Client.
• Directly from you as a Client’s employee, in our capacity as a service provider of IT Services. If your employer is a Client or prospective client of Hansen Gress, we may collect certain Personal Information about you in your capacity as an employee to the Client, such as your professional contact information, job title, and our communications with you. We collect this information in a business-to-business context when you are performing due diligence regarding procurement or use of our IT Services on behalf of your employer or other job duties.
• Indirectly from you as a Client’s Customer, in our capacity as a service provider of IT Services. We may manage security systems that track Client’s Customers’ geolocation data or internet activity to enable Clients to extrapolate certain user behaviors. Clients may also provide us with technical information collected about visitors to the Client’s website or other users of Client’s information systems. We may combine this information with other data, such as analytics from Third Party Platform providers, to analyze, maintain and improve the Client’s information system or to run reports on behalf of our Clients. As mentioned in this Privacy Notice, we are not responsible for the privacy practices of any Client or any third party. We will only use the information that we collect in our capacity as a service provider as permitted by an IT Services Agreement or other agreements with our Clients, or for other purposes as permitted by law.
• Indirectly from you, when you visit our Site. We may automatically collect details about your interactions through the Site, such as (i) your search queries; (ii) device information (e.g., IP address, operating system, browser type, hardware ID, mobile network information and the device's telephone number); (iii) usage details (e.g., traffic data, communication data and the resources you access and use through the Site); (iv) stored information (e.g., metadata associated with the files stored on your device, personal contacts and address book information); and (v) geolocation information. Like most commercial websites, we use cookies and other technologies to track use of our Site. Please read our Cookie Notice (https://www.hansengress.com/cookie-notice) for more information about how we use cookies. We collect this information to achieve our legitimate interest of providing and improving the Site and our IT Services.
• From third parties, such as advertisers, market research, analytics companies, and Third Party Platform providers. This may include Personal Information related to your internet or similar activities across different websites, apps, and other online services. We may combine this information with Personal Information we previously collected about you. We collect and use this information to improve our IT Services, for our own marketing purposes, and as permitted by applicable law.
In addition to the specific uses above, we may use also your Personal Information to:
• Provide you with IT Services or Client support, or to maintain and improve the Sites.
• Protect your privacy and enforce this Privacy Notice.
• Identify, contact or bring legal action against persons or entities who may be causing injury to you, to us, or to others, if we believe it is necessary.
• Comply with a law, regulation, legal process or court order.
• Fulfill any other purpose to which you consent.
THIRD PARTY PLATFORMS
As part of our IT Services, Hansen Gress may help Clients implement, use, or maintain one or more Third Party Platforms. A current list can be found at https://www.hansengress.com/third-party-services. However, Hansen Gress does not exercise any control over any Third Party Platform, and we cannot guarantee that the privacy practices or data security measures of any Third Party Platform are legally compliant or sufficient for your purposes as a Client, Client’s Customer, website visitor or other type of user. If you use a Third Party Platform, whether or not in connection with IT Services, you do so subject to the Third Party Platform’s privacy notice and terms of use, not ours. Please direct any questions about the privacy or data security of a Third Party Platform to its owner or distributor.
DISCLOSURE OF PERSONAL INFORMATION
Disclosure Categories. In the preceding 12 months, Hansen Gress has disclosed the following categories of Personal Information for a business purpose:
• Identifiers
• Internet or other similar activity
• Geolocation information
• Employment-related information
• Commercial information
Disclosure Recipients. Hansen Gress may disclose Personal Information for a business purpose to the following:
• Service Providers. Vendors, including Third Party Platform providers, that provide us with various services (collectively, “Service Providers”) may have access to your Personal Information while they are performing their contractual obligations. We prohibit our Service Providers from selling or disclosing the Personal Information we provide, and we require all Service Providers to maintain confidentiality standards that are commercially reasonable to ensure the security of your Personal Information. The type of information that we provide to a Service Provider will depend on the purpose of the service that they provide to us.
• Affiliates and Subsidiaries. If we disclose your Personal Information to our affiliates or subsidiaries, their use and disclosure of your Personal Information will be subject to this Privacy Notice.
• Law enforcement and regulatory and other governmental agencies, as permitted or required by law.
• Cookie information recipients, subject to their respective privacy notices.
• Other Third Parties, as permitted by applicable law. Examples include: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate in order to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.
Aggregated and Deidentified Information. We reserve the right to share aggregate, anonymized, or deidentified information about any individuals with nonaffiliated entities for marketing, advertising, research or other purposes, without restriction.
No Sale of Personal Information. Hansen Gress does not, and will not, sell your Personal Information.
CALIFORNIA PRIVACY RIGHTS
Hansen Gress adopted this section to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and it applies solely to residents of the State of California (“California Consumers”).
Employee Data Exception. In many cases, the Personal Information Hansen Gress collects about you is in a business-to-business context when you are acting as an employee to a potential Hansen Gress Customer in the context of performing due diligence regarding potential procurement of IT Services on behalf of your employer, or as an employee to a Hansen Gress customer in the performance of your job duties. Personal Information collected and used in this context is not protected Personal Information under the California Consumer Privacy Act.
Service Provider. Under the CCPA, Hansen Gress is classified as a “service provider” rather than a business, meaning we collect and use personal information as instructed by our Clients. This means that we may be unable to respond to some of your questions or requests. In this case, we will inform you that you need to direct the question or request to the Client for which we collect or retain your personal information.
Without limiting the foregoing, this section provides California Consumers with the disclosures and notices required under the CCPA. Exceptions related to employee data or our role as a service provider to our Clients, as well as other exceptions and limitations, may apply to a California Consumer’s rights and Hansen Gress’s obligations under the CCPA.
• Right to Disclosure. You have the right to request that we disclose information to you about our collection and use of your Personal Information over the past 12 months, such as (i) the categories of Personal Information we have collected about you; (ii) the categories of sources for the Personal Information we have collected about you; (iii) our business purpose for collecting or selling that Personal Information; (iv) the categories of third parties with whom we share that Personal Information; and (v) if we sold or disclosed your Personal Information for a business purpose, two separate lists stating (a) sales, identifying the Personal Information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained. Hansen Gress is required to respond to only two disclosure requests within a 12-month period.
• Right to Access. You have the right to request that we provide you with access to specific pieces of Personal Information we have collected about you over the past 12 months (also called a data portability request). If you submit a right to access request, we will provide you with copies of the requested pieces of Personal Information in a portable and readily usable format. Please note that Hansen Gress is prohibited by law from disclosing copies of certain pieces of Personal Information (e.g., government identification numbers, financial account information, and passwords or security questions and answers), because the disclosure would create a substantial, articulable, and unreasonable risk to the security of the information, our business systems, or your account. Hansen Gress is required by law to respond to only two access requests within a 12-month period.
• Right to Deletion. You have the right to request that we delete any of your Personal Information that we collected from you and retained, with certain exceptions. Hansen Gress may permanently delete, deidentify, or aggregate the Personal Information in response to a request for deletion. If you submit a right to deletion request, we will confirm the Personal Information to be deleted prior to its deletion, and we will notify you when your request is complete.
• Right to Nondiscrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not (i) deny you goods or services, (ii) charge you different prices or rates for goods or services, (iii) provide you a different level or quality of goods or services, or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services because you exercised a right under the CCPA.
• Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Information sharing with affiliates and/or third parties for marketing purposes.
California Consumers may exercise their CCPA rights as by submitting a Consumer Privacy Request as described under Controlling Your Personal Information. We endeavor to respond to a verifiable Consumer Privacy Request from a California Consumer within 45 days of receipt. If we require more time, we will notify you in writing of the reason and extension period. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding receipt of the verifiable consumer request. If we cannot comply with part or all of your request, we will explain the reasons in our response.
CONTROLLING YOUR PERSONAL INFORMATION
Hansen Gress provides you the ability to exercise certain controls and choices regarding our collection, use, and sharing of your information. Depending on where you reside, your options to control your Personal Information may include some or all of the following:
• Changing your IT Services Agreement or other agreement with Hansen Gress.
• Changing your preferences for how and about what we communicate with you.
• Correcting, updating, and deleting the Personal Information in your account. Please note that certain legal obligations may limit or prevent our ability to fulfill these requests, and that copies of information that you have updated, modified or deleted may remain viewable in cached and archived pages of the Site for a period of time.
• Requesting access to the Personal Information we hold about you and that we amend or delete it.
• Choosing whether to receive marketing communications from us, including promotions, surveys, and information about products and services that may be of interest to you.
• Controlling how the cookies we use interact with your browser.
Emails from Hansen Gress. Hansen Gress may use your email and other contact information to send you advertising and marketing communications. If you do not want us to use your email address or other contact information for advertising purposes, you can opt out by adjusting your Hansen Gress account profile, selecting “unsubscribe” or emailing us directly at privacy@hansengress.com. Please note that it may take up to 10 business days for us to process opt-out requests. If you opt out of receiving promotional emails, we may still send you emails about your account or any services you have requested or received from us.
Text Messages. By providing us with your wireless phone number, you consent to Hansen Gress sending you informational text messages related to our IT Services. You can unsubscribe from our text messages by replying STOP or UNSUBSCRIBE to any of these text messages. Messaging and data charges may apply to any text message you receive or send. Please contact your wireless carrier if you have questions about messaging or data charges.
Do Not Track. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed below.
Consumer Privacy Requests. To exercise any of your rights under the privacy laws applicable to you, express concerns, lodge a complaint, or obtain additional information about the use of your Personal Information, please submit a request to Hansen Gress by email at privacy@hansengress.com. Hansen Gress may only legally fulfill requests when we have sufficient information to confirm that you are the person about whom we have collected Personal Information or are an authorized representative thereof, and to properly understand, evaluate, and respond to it. We do not charge a fee to process or respond to your verifiable consumer privacy request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
CHILDREN’S PRIVACY
The Site and IT Services are not intended for children under 16 years of age. Hansen Gress does not knowingly collect Personal Information from children under 16 without verification of parental consent. If you are under 16, do not use the Site or submit any Personal Information to Hansen Gress. If we discover that a child under 16 has provided us with Personal Information, we will delete such information from our systems. If you believe we might have any information from or about a child under 16, or if you become aware of any unauthorized submission of information to Hansen Gress, including children’s information, please contact us at privacy@hansengress.com.
DATA SECURITY
We implement measures designed to protect your Personal Information from accidental loss or unauthorized access, use, alteration or disclosure. However, the safety and security of your information also depends on you. We urge you to protect your user information and password and to be careful about giving out information in public areas of the Site, which may be viewed by other users of the Site. Unfortunately, transmitting information via the internet and mobile platforms is not completely secure. We cannot guarantee the security of your Personal Information when transmitted through our Site or the security of any Personal Information transmitted via Third Party Platform. Please note that Hansen Gress has no control over the security safeguards of any Third Party Platforms you use. Hansen Gress advises its Clients to follow all Third Party Platform data security recommendations, but we will not be liable for any losses or damages related to your use of any Third Party Platform under any circumstances. Any transmission of Personal Information is at your own risk, and we are not responsible for circumvention of any privacy settings or security measures.
Account Security. If you create a Hansen Gress account, you will have a login and password. Hansen Gress encourages you to take steps to protect against unauthorized access to your account and password by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, using multi-factor authentication where possible, and keeping your login and password private. We are not responsible for any lost, stolen, or compromised passwords or call forwarding numbers, or for any activity on your account via unauthorized activity.
Social Networking. If you access our Site from a social networking website (e.g., Facebook or Twitter), we may receive Personal Information about you from such social networking website. Our receipt of your Personal Information via a social networking website is governed by the terms of service and privacy policy of that website. We may retain this information with the information we collect from you directly. Our Site may include buttons that link to social network websites. Your use of these social networks is entirely optional and subject to the privacy policy and terms of service of the social networking website you choose to use.
NO AUTOMATED DECISION-MAKING
Hansen Gress does not use Automated Decision-Making (“ADM”) for any purpose. We are not aware of whether a particular Client uses ADM in connection with its transactions with such Client’s Customers. Please check with the Client of whom you are a Client’s Customer to confirm their use of ADM.
CHANGES TO OUR PRIVACY NOTICE
We may update our Privacy Notice from time to time. If we make material changes to how we treat your Personal Information, we will post the new Privacy Notice on this page. Your continued use of the Site or IT Services after we make changes is deemed to be your acceptance of those changes, so please check this policy periodically for updates. The date that this Privacy Notice was last revised is identified at the top of the page. You are responsible for periodically visiting this Privacy Notice to check for any changes.
CONTACT US
Please email us with any questions or comments about this Privacy Notice and our privacy practices at privacy@hansengress.com.