Privacy Policy

We at Firstwork Solutions, Inc. doing business as Firstwork (“we”, “us”, “our” or “Firstwork”) value your privacy and are committed to taking care of your Personal Data, which is a responsibility that we take very seriously. 

This Privacy Policy explains why we collect your Personal Data and how we use it when you interact with our website https://www.firstwork.com/ (“Website”), our Platform, mobile applications, application programming interfaces (“APIs”), and any other services offered by Firstwork, its Affiliates, or its and their respective subsidiaries (“Services”). It also describes how we collect and use your information if you are a potential customer, or business partner inquiring about our products, are a customer purchasing a product, subscribe to our marketing communications, an applicant for a position with us, or when you communicate with us in other ways. 

Firstwork provides a suite of cloud-based tools for recruiting, onboarding, worker management, and human resources (the “Platform”) to its customers, enabling them to create opportunities for the global workforce. As part of these services, Firstwork’s customers may collect and process Personal Data from job applicants, candidates, employees, or other individuals. In these cases, Firstwork acts solely on behalf of and under the instructions of its customers, who serve as the data controllers. Customers are responsible for ensuring that their collection and processing of Personal Data complies with applicable legal data protection frameworks, including providing any required notices and information to individuals. If you are an applicant, candidate, or employee submitting your Personal Data through the Firstwork Platform or its Services and have questions or concerns about how the customer collects and uses your Personal Data, or about your rights and choices regarding such use, please refer to the customer’s Privacy Policy for further details.

Table of Contents

  1. Definitions

Unless otherwise indicated, capitalized terms used in this Privacy Policy are defined in Annex 1. Most of the definitions are derived from the EU and UK General Data Protection (“GDPR”), Connecticut Data Privacy Act (“CTDPA”), Colorado Privacy Act (“CPA”) Utah Consumer Privacy Act (“UCPA”), Virginia Consumer Data Protection Act (“VCDPA”) and the California Consumer Privacy Act (“CCPA/CPRA”).

For purposes of this Privacy Policy, the term “Personal Data” refers to any information that relates to an identified or identifiable individual, as defined under applicable laws, including but not limited to the GDPR or the CPA and the CCPA, where it is referred to as “Personal Information”.

  1. What type of Personal Data do we collect from you?

Personal Data means any information relating to you which allows us to identify you, either directly from that data or because we combine that information with other data about you.

When you use our Website, mobile applications, including to create an account with us and purchase, or use our products, subscribe to our marketing communications or we interact with you in relation to our products, you may provide us with your Personal Data, or we may obtain Personal Data about you. 

We may process the following Personal Data:

  • Contact details and personal identifiers: such as your name, email address, telephone number, address, billing address, date of birth, usernames, social networking services usernames;
  • Account information: login credentials; 
  • Purchase data: data on the products you have asked us to provide to you, such as date and time of purchase, customer number, order number, invoice number;
  • Payment data: information relating to your bank account, credit/debit card details, payment and receipt details, tax identification number, refund or credit details and details of payment transactions with you;
  • Application information: information obtained from your CV, photograph, content of your application; 
  • Professional information: such as your job title, job function, company name, professional background, business email address; 
  • Records of your interactions with us: such as any feedback, enquiries you make, questions you have, or content of any other interactions with us; 
  • Internet information: including your use of and movements through our Website and Services, the date and time of your visit or use of our Website, your interaction with links on our Service, domain names, landing pages, pages viewed, personal identification numbers, geolocation, IP addresses, information about your mobile device, including unique device identifier, geolocation, device information such as type of browser, operating system, referring/exit URLs, logs, and search engine used, cookies, and other IT system identifying information;
  • Your marketing preferences: so that we know whether and how we should contact you. 

You can stop receiving our marketing communications at any time, free of charge, through the methods displayed as part of any communication such as the unsubscribe link in our emails.  Or further information on this please see the section below on Direct Marketing.

  1. Where do we collect your Personal Data from? 

We will collect Personal Data from several sources. These include the following:

  • Directly from you: when you use our Website, use our Service, purchase our products, provide your feedback or make a complaint, contact us by email or communicate with us directly in some other way.
  • Our website: provides us with information about how you use it and the devices that you use to connect to our Website. Like many other websites we use so-called “cookies”. Cookies are small text files that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our Website. If you have given your consent to our use of cookies, we do so to improve the use of our Website, analyze our Website or to display advertising on our Website. You can revoke your consent to our use of cookies any time.  Further details of our Cookie Policy can be found here
  • Publicly available sources: in individual cases, we may also obtain Personal Data from publicly available sources, such as from third party websites, social media platforms or public records databases.
  • From third parties: from time to time, we may obtain information from third-party information providers, such as for example database providers.

If you are providing information regarding other individuals to us, it is your responsibility to ensure

that you have the right to provide the information to us.

  1. How we use the Personal Data we collect

We use the Personal Data we collect for the various purposes, including:

  • Providing our Website, Services and its features to you
  • Improving website security, offering IT support, and performing troubleshooting
  • Managing your purchases and ensuring the provision of our Platform and Services
  • Enhancing and developing our Platform and Services
  • Creating and maintaining your account with us
  • Facilitating hiring and recruiting activities
  • Issuing invoices and processing payments
  • Marketing products that may interest you and offering promotions
  • Sending you our newsletter
  • Handling inquiries and responding to communications from you
  • Analyzing user behavior on our Platform and Services
  • Delivering targeted advertisements
  • Complying with legal and regulatory obligations
  • Storing records related to you and our business operations

We may use information we collect to create aggregated data sets that are not identifiable to an individual. We may use this aggregated data for ordinary business purposes such as for example development.

  1. Who we share your Personal Data with?

In order to operate our Website and provide you with the products and Services we may need to share your Personal Data with third parties. This includes sharing your Personal Data with companies engaged by us to manage our relationship with you and provide you the services described above. 

We may share your Personal Data with the following recipients:

  • Sub-contractors: such as our marketing and service technology providers, cloud hosting service providers, newsletter and email service provider, customer service provider, payment service providers and other sub-contractors.
  • Consultants and accountants: such as legal or tax consultants and accountants.
  • Government and law enforcement agencies: where we are required to do so by law or to assist with their investigations or initiatives.

We do not disclose Personal Data to anyone else except as set out above unless we have your consent, or we are legally obliged to do so. These recipients will only process your Personal Data to perform tasks and duties on our behalf and in compliance with this Privacy Policy and governing data protection laws. 

  1. Direct Marketing preferences

From time to time, we may contact you by email with information about products and events you believe you may be interested in.

Marketing emails and newsletters will only be sent to you based on the preferences you set when you create your account, tell us that you wish to receive marketing related messages or when you have purchased similar products from us previously.

You can opt out any time if you do not wish to receive any marketing messages by clicking on the “unsubscribe link” or “do not sell my personal information” in any marketing email you receive to unsubscribe from future marketing communications. 

You can further text a reply of “STOP”, by adjusting your account settings to reflect your communications preferences, or by contacting us as described below. We make every effort to promptly process all unsubscribe requests. You can text "HELP" at any time for more information about our messaging program. 

Note that you will continue to receive Service-related communications (e.g., account verification, transactional communications, changes/updates to features of the Services, technical and security notices). Removing your name from the email list may take a reasonable amount of time.

  1. How long do we keep Personal Data for?

Generally, we will retain your Personal Data for as long as we need it for the purposes for which it was collected. The duration for which we retain your Personal Data will differ depending on the type of information and the reason why we collected it from you. However, in some cases Personal Data may be retained on a long-term basis: for example, Personal Data that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements.

In addition, we may be allowed to retain Personal Data whenever you have given consent to such processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn.

  1. Data security

We take the security of your information very seriously and only handle Personal Data as permitted by data protection regulations. We use a variety of technical and organizational measures to help protect your Personal Data from unauthorized access, disclosure, modification, loss or destruction in accordance with applicable data protection laws. When handling Personal Data, our employees are obliged to comply with the applicable legal data protection and privacy frameworks.

  1. Processing data in relation to children

Our services are not intended for and shall not be used by individuals under the age of 16. Firstwork does not knowingly collect Personal Data from persons under 16 or allow them to register. Any individuals under the age of 16 must have consent from their parent or legal guardian to provide Personal Data to Firstwork or otherwise use the Services from their parent or guardian. If it comes to our attention that we have collected or processed Personal Data from such a person, we may delete this information without notice. If you have reason to believe that this has occurred, please contact us using the following link: https://app.prighter.com/portal/13266541395. 

  1. Third-party links

The Services may contain links to, or other integrations with, third-party SaaS platforms, websites, APIs, and other third-party services, which third parties have privacy policies and other data practices that govern the collection, sharing, processing and use of your Personal Data on their platforms, websites, APIs, and services. Please review the privacy policies and other materials relevant to the use of such platforms, websites, APIs, and other third-party services to understand how your Personal Data may be collected, shared, processed, and used by these third parties and to exercise your applicable rights with respect to such Personal Data. Firstwork providing links to, or other integrations with, third-party SaaS platforms, websites, APIs, and other third-party services does not signify our endorsement of these third-party properties nor their contents, functionality, or any practices of such third parties.

  1. Global Privacy Control and Do Not Track

Global Privacy Control (“GPC”), also known as Do Not Track, is a browser and/or device setting that notifies websites or other digital services of a user’s privacy preferences, such as not to share or sell personal data without their consent, by sending a signal to each website a user visits. GPC and Do Not Track signals, protocols and processes are not yet uniform, do not have widely recognized and agreed standards domestically or internationally, and their regulation is nascent. We continue to monitor developments with respect to GPC and Do Not Track requirements and are taking commercially reasonable steps to honor such requests.

  1. Collection Across Multiple Devices

Sometimes, Firstwork  and its service providers may use the information we collect—for instance, log-in credentials, IP addresses, hashed email addresses, and unique mobile device identifiers—to locate or try to locate the same unique users across multiple browsers or devices to offer the Services, better tailor content, features, and advertising, and provide you with a seamless experience across the devices you use to access the Services.

  1. Changes to our data protection provisions 

We may need to make changes to this Privacy Policy to ensure that it complies with current legal requirements or to implement changes to the services detailed in the Privacy Policy, e.g., when introducing new services and products. In this case, your future visits to our Website and usage of our Services will be subject to the updated Privacy Policy. 

  1. Additional information for EU, EEA and UK residents 

This section is dedicated to individuals residing in the European Union (EU) and the United Kingdom (UK) and the European Economic Area (EEA). It outlines specific information regarding the purposes for which we process Personal Data, the legal bases for processing, and your rights are under the EU General Data Protection (“GDPR”), the UK Data Protection Act 2018 (“Data Protection Act”).

Firstwork is the data controller of the services offered through this website. Our registered office is at 900 High Street, Palo Alto, California 94301, United States. 

Why do we collect your Personal Data and on what legal basis?

The table below describes the main purposes for which we process your personal data, the categories of your information involved and our lawful basis for being able to do this.

Purpose

So that we can provide our website to you

Personal Data used

IP address, browser type, device ID, geolocation

Lawful basis 

We have a legitimate interest in our website working properly

Purpose

To improve our website security, offer IT support and troubleshooting

Personal Data used

IP address, date and time of your visit or use of our website, device information

Lawful basis

We have a legitimate interest in ensuring our systems are secure

Purpose

To manage your purchases and provide our Platform and Services to you

Personal Data used

Name, email address, telephone number, billing address, company name, business email address, customer number

Lawful basis

This is necessary to fulfil our contract with you

Purpose

To improve our Platform and Services 

Personal Data used

Your feedback, including your use of and movements through our Website and Services, the date and time of your visit or use of our Website, your interaction with links on our Service, domain names, landing pages, pages viewed, personal identification numbers, geolocation, IP addresses, information about your mobile device, including unique device identifier, geolocation, device information such as type of browser, operating system, referring/exit URLs, logs, and search engine used, cookies, and other IT system identifying information

Lawful basis

We have a legitimate interest in improving our Platform and Services

Purpose

To create an account with us 

Personal Data used

Name, such as your job title, job function, company name, professional background, business email address, login credentials

Lawful basis

This is necessary to fulfil our contract with you

Purpose

Hiring and Recruiting

Personal Data used

Name, email address, telephone number further information obtained from your CV, such as photograph and content of your application which you provided to us 

Lawful basis

This is necessary to fulfil our contract with you

Purpose

To invoice you and receive payments from you 

Personal Data used

Name, email address, billing address, telephone number, customer number, invoice number, tax identification number, and other payment data 

Lawful basis

This is necessary to fulfil our contract with you

Purpose

Marketing products which may be of potential interest to you and offering promotions

Personal Data used

Name, email address, business email address, company name, telephone number and marketing preferences 

Lawful basis

We have a legitimate interest to provide you with information about or products including those that are the same or similar to the ones you have inquired about. If we cannot rely on legitimate interest as our lawful basis for processing, then we will obtain consent from you

Purpose

Provide you with our newsletter 

Personal Data used

Name, email address, business email address, marketing preferences

Lawful basis

We only send you newsletters if you gave us your consent

Purpose

To deal with inquiries, and other communications from you

Personal Data used

Name, billing address, business email address email address, telephone number and customer number, content of inquiries

Lawful basis

This is necessary to fulfil our contract with you

Purpose

Analysis user behaviour on our Platform and Services

Personal Data used

Use of and movements through our Website and Services, the date and time of your visit or use of our Website, your interaction with links on our Service, domain names, landing pages, pages viewed, personal identification numbers, geolocation, IP addresses, information about your mobile device, including unique device identifier, geolocation, device information such as type of browser, operating system, referring/exit URLs, logs, and search engine used, cookies, and other IT system identifying information

Lawful basis

We only process your personal data for analysing purposes if you gave us your consent

Purpose

To deliver targeted ads to you

Personal Data used

Cookies, IP address, browser type, device type and ID, geolocation, pages visited, browsing history, time spent on the website, website activity

Lawful basis

We only process your personal data for advertisement purposes if you gave us your consent

Purpose

For the purpose of complying with any legal and regulatory requirements

Personal Data used

Contact details, invoice number and tax identification number

Lawful basis

We have a legal obligation to comply with any legal or regulatory requirements 

Purpose

Storage of records relating to you and also records relating to our business

Personal Data used

All the personal information we collect about you

Lawful basis

To be able to manage and fulfil our contract with you, we may have a legal and/or regulatory obligation to do so and we also have a legitimate interest to keep proper records

Some of your Personal Data may be required due to legal, contractual, or other obligations. Failure to provide this data may impact our ability to fulfil our contract with you or comply with relevant legal obligations. For other Personal Data, whilst you may not be under an obligation to provide it to us, if you do not provide it, we may not be able to properly perform our services for you. Without your Personal Data, you may be unable to complete purchases or register an account with us. 

Providing Personal Data for marketing and newsletters is optional. Refusal to provide this data has no negative consequences but means that we cannot offer personalised marketing messages or promotional offers. If you gave us your consent for marketing purposes, you can revoke your consent or object the processing at any time by utilizing the following website: https://app.prighter.com/portal/13266541395 or by following the information in section “Contact Information”. 

International data transfers

In the course of our operations, it may be necessary to transfer your Personal Data to recipients located outside the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK). These transfers may be to our Clients, partners or service providers who are located in regions with differing data protection laws than those in your country. When transferring your Personal Data internationally we implement appropriate safeguards to ensure the security and confidentiality of your data. These safeguards may include for example Standard Contractual Clauses (SCCs) approved by the European Commission or applicable supervisory authority.

Your rights in relation to your Personal Data 

You have the following rights in relation to your Personal Data:

Right of Access - you have the right to be informed about how we are using your Personal Data and the right to access that data that we hold about you.

Right to Erasure or "Right to be Forgotten" – you have the right to ask us to delete your Personal Data provided that there are no valid grounds for us to keep it, for example we may have to keep some or all of the Personal Data to comply with legal obligation or in respect of any legal claims.

Right to Data Portability – you have the right to receive the Personal Data you have provided to us in a digital format or in certain circumstances and where technically feasible the right to ask us to transmit the data to another organization.

Right of Rectification – you have the right to ask us to amend the Personal Data that we hold about you where believe it is inaccurate or incomplete. 

Right to Object - in certain circumstances, you have the right to object to the processing of your Personal Data and to ask us to block, erase and restrict our use of your personal data. 

Automated Decision Making – we may process your Personal Data by solely automated means (without human intervention), including for profiling.  Where such processing may have a legal or similarly significant effect on you, you have the right not to remain subject to any decisions based on such automatic processing, except as otherwise provided by law.  You have the right to understand when and how automated decisions are made about you, and the factors involved and you have the right to challenge these decisions, request human intervention, express your point of view, and seek a review of the decision. 

Right to Withdraw Consent or Right of Opposition – if you have provided your consent to the collection, processing and transfer of your personal data, you have the right to fully or partly withdraw your consent. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another legal ground for the processing.

Right of Limitation - you have the right to request the limitation of the Processing of your Personal Data, in the form of: (i) suspension of Processing or (ii) limitation of the scope of Processing to certain categories of Personal Data or purposes of Processing.

Right to complain – you have the right to complain to the supervisory authority, in addition to us.

The period for handling a request is 30 days unless it is a particularly complex request.

Once our specified retention period has expires, we shall delete the relevant Personal Data. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of such retention period.

Data Subject Requests from EU Data Subjects according to the GDPR

We value your Data Subject Rights under EU GDPR and have therefore appointed Prighter as representative according to Art 27 EU GDPR.  We provide you with an easy way to submit a privacy related request like a request to access or erase your personal data by visiting: https://app.prighter.com/portal/13266541395

Data Subject Requests from UK Data Subjects according to the Data Protection Act

We value your Data Subject Rights under the UK GDPR and have therefore appointed Prighter as representative according to Art 27 UK GDPR.  We provide you with an easy way to submit a privacy related request like a request to access or erase your personal data by visiting: https://app.prighter.com/portal/13266541395

  1. Additional information for California, Virginia, Colorado, Connecticut and Utah residents

California law requires us to provide California residents with certain specific information regarding how we collect, use, and share “personal information” as such term is defined in the California Privacy Rights Act and its implementing regulations (“CPRA”, which amended the California Consumer Privacy Act (known as the “CCPA”)). Following California’s passage of the CCPA, other states have passed similar data privacy laws, including the Virginia Consumer Data Protection Act (“VCDPA”), effective January 1, 2023; the Colorado Privacy Act (“CPA”), effective July 1,2023; the Connecticut Data Privacy Act (“CDPA”), effective July 1, 2023; and the Utah Consumer Privacy Act (“UCPA”), effective December 31, 2023.

For clarity and ease of reference, we may refer to CPRA, VCDPA, CPA, CDPA, and UCPA collectively as “State Data Privacy Laws”. In the event that one or more State Data Privacy Laws offers more or enhanced rights, privacy, or protections than the State Data Privacy Law applicable to you, we will endeavor to provide you with those additional and/or enhanced rights, privacy, or protection, though we may not be legally obligated to do so.

Sale of Information

CPRA and other State Data Privacy Laws sets forth certain obligations for businesses that “sell” personal information, as “sell” and “sale” are defined in CPRA and the regulations issued thereunder (together with analogous State Data Privacy Laws and their implementing regulations). While Firstwork does share Personal Information with certain of its service providers and sub-processors to perform the Services and maintain the Platform as described in this Privacy Policy, Firstwork does not “sell” personal information as defined under CPRA and these other State Data Privacy Laws (in other words, we do not accept money or other things of value in exchange for your Personal Information).

California “Shine the Light” Disclosure

The California “Shine the Light” law (Cal. Civ. Code §1798.83) gives residents of California the right under certain circumstances to opt out of the sharing of certain categories of personal information (as defined in the “Shine the Light” law) with third parties for their direct marketing purposes. Firstwork does not share your personal information (as defined in the “Shine the Light” law) with third parties for their own direct marketing purposes.

“Sensitive” Personal Information

Firstwork may collect, on its own account and/or on behalf of Customers, Personal Information that may be classified as “sensitive” under certain State Date Privacy laws and other privacy laws. Personal Information that is classified as “sensitive” may be supplied as part of a job application or to facilitate consented to background checks, credential verification and/or other reporting, provided by a third-party to supplement information provided by you, or provided by various service providers, such as benefits providers or insurers and may include one or more of your:

  • social security, driver’s license, state identification card, or passport number.
  • account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
  • precise geolocation.
  • racial or ethnic origin, religious or philosophical beliefs, or union membership.
  • contents of mail, email, and text messages (sent through our Platform between you and the business with whom you are applying, for example).
  • Information concerning health, sexual orientation, or sex life (in connection with applying for and receiving health, fertility or other benefits available from an employer, for example).

How We Source, Use, Disclose and Retain Personal Information for Business Purposes

The chart below details the categories of Personal Information we collect, the sources of such Personal Information, and how we use, share and retain such information for Firstwork ’s business purposes.

Categories Personal Information

Identifiers, including Account Registration Information and Contact Information, such as name, date of birth, physical and mailing address, passwords and usernames, email addresses, phone numbers, wireless device information, social networking and messaging handles and usernames, and security questions and answers

Sources

▪ You

▪ Linked Social Media

▪ Linked Wallets and other Accounts

▪ Third-Party Service Providers

▪ Customers

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

▪ Customers

Categories Personal Information

Application Information., including Demographic and Statistical information, such as responses to and documents uploaded to application questions, results of background checks, work authorization and identity verification, gender, gender expression, sexual preferences, race, age, date of birth, military and veteran status, nationality, disability information, criminal history information, educational history, employment history, professional licenses and memberships, schedule and availability, access to transportation, and responses to tests and surveys

Sources

▪ You

▪ Governmental Authorities

▪ Third-Party Providers

▪ Customers

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Sensitive Personal Information Identifiers and Employment Eligibility Information, such as photographs, driver’s license number, passport number, alien registration number, operator’s license number, Social Security Number, other state or federal-issued identification numbers, and information you provide on tax and other government forms

Sources

▪ You

▪ Governmental Authorities

▪ Third-Party Providers

▪ Customers

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Customer Service and Other Communications Information, such as questions, responses and other messages sent through our Platform or Services or otherwise through online forms, by email, over the phone, or by post; and summaries or recordings of your interactions with our customer support team

Sources

▪ You

▪ Third-Party Providers

▪ Customers

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Device Information and Identifiers, Connection and Usage Data and other internet or other electronic network activity, such as IP address; browser type and language; operating system; platform type; device type; software and hardware attributes; download and browsing activity, dates and times of access, pages viewed, forms you complete or partially complete, search terms, interaction with web and messaging content, and other similar information

Sources

▪ You

▪ Customers

▪ Third-Party Providers

▪ Cookies, pixels, beacons, tags and other tracking technologies

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Service providers

▪ Customers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Geolocation Information, such as city, state, country, and ZIP code associated with your IP address or derived through Wi-Fi triangulation, and, with your permission in accordance with your device settings, precise geolocation information from GPS-based functionality on your devices

Sources

▪ You

▪ Customers

▪ Third-Party Providers

▪ Linked Social Media

▪ Cookies, pixels, beacons, tags and other tracking technologies

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Other Information, e.g., any other information you choose to directly provide in connection with your use of the Platform and Services

Sources

▪ You

▪ Customers

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Categories Personal Information

Inferences, such as preferences based on your activity on the Platform and with the Services, machine learning associated with analyzing the categories of information enumerated in this table of disclosures, and automated decision-making based on the foregoing.

Sources

▪ You

▪ Customers

▪ Third-Party Providers

▪ Linked Social Media

▪ Cookies, pixels, beacons, tags and other tracking technologies

Purposes and uses

▪ Provide, secure, maintain, and improve the Platform and Services

▪ Recruiting, hiring, onboarding, retention, and HR-functions

▪ Communicate with you

▪ Fraud prevention, compliance and legal purposes

▪ Analytics and Reporting

Disclosure and Sharing

▪ Customers

▪ Service providers

▪ Third parties for legal purposes

▪ With entities in the event of a business transaction (or contemplation thereof)

▪ With your consent

Privacy Rights for Residents of California, Virginia, Connecticut, Colorado, Utah, and Residents subject to other State Data Privacy Laws: 

If you are a resident of California, Virginia, Connecticut, Colorado, or Utah, applicable State Data Privacy Laws require us to provide you with some additional information about your rights with respect to your “personal information” (as defined in CPRA and similar State Data Privacy Laws). Specifically, CPRA, provides you with the right to:

  • know what personal information we collected about you during certain periods, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we collected about you;
  • delete personal information that we collected from you, subject to certain exceptions;
  • correct inaccurate personal information that we maintain about you;
  • opt-out of the sale or sharing of your personal information, to the extent we sell or share your personal information;
  • limit the use or disclosure of sensitive personal information, to the extent we use such personal information beyond certain express uses, such as in furtherance of providing you our Platform and Services and ensuring their security and integrity;
  • receive non-discriminatory treatment for the exercise of privacy rights conferred by CPRA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their rights described above or otherwise provided in CPRA.

One or more of the above rights may be available, in the same or substantially the same form, under one or more of the other State Data Privacy Laws in effect from time to time. Firstwork  respects the privacy of its candidates, its current and former employees, its Customers and their Applicants, and other users of the Platform and Services and will endeavor to honor the above requests regardless of state of residency.

If you would like further information regarding your legal rights under CPRA or any other State Data Privacy Law or would like to exercise any of the rights available under such laws, please contact us at privacy@firstwork .com or visit our self-service privacy request form [here].

We will honor the requests described above and otherwise available to you under applicable Data Privacy Laws, but these rights do not always apply, and exemptions exist that may be relied upon in denying or only partially fulfilling your request. We will usually, in response to a request, ask you to verify your identity and/or provide information that helps us to better understand your request. If we do not comply with your request, we will explain why. With regard to Customer Records, Applicants should direct requests to exercise applicable rights to the Customer on whose behalf we handle the subject Personal Information. If we receive a request from an Applicant directly in relation to Customer Records, we may refer that request to the appropriate Customer(s) and await each such entity’s instructions on how to process the request.

Requests Submitted by Authorized Representatives:

You may submit a request through someone holding a valid Power of Attorney or an authorized agent acting on your behalf. Authorized agents must have, and provide us with, written permission to make a request on your behalf and must provide necessary information to verify your own identity directly with us. We will require any purported authorized agent to submit proof of authorization to make requests on your behalf.

Annual Disclosures under CPRA:

Firstwork makes the following disclosure under Section 7102(a)(1)(A) of the CPRA regulations for the prior calendar year, which disclosures reflect the respective requests received by Firstwork from all individuals and which were substantively responded to within five (5) business days on average (mean):

Request Type

Request to Delete 

Request to Correct

Request to Know

Request to Opt-Out

Requests to Limit

Received

Denied

Processed Wholly

Processed, In Part

  1. Additional information for Nevada residents 

Under Nevada law, certain Nevada residents may opt out of the “sale” of “covered information” (as such term is defined under Nevada law) for monetary consideration to a person for that person to license or sell such information to additional persons. “Covered information” includes first and last name, address, email address, phone number, Social Security Number, or an identifier that allows a specific person to be contacted either physically or online.

We do not engage in such activity; however, if you are a Nevada resident who has purchased or leased goods or services from us, you may submit a request to opt out of the sale of your covered information under Nevada law by emailing us at contact@firstwork.com. Please note we will take reasonable steps to verify your identity and the authenticity of the request.

  1. Contact Information

If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data, or your choices and rights regarding such use please do not hesitate to contact us by:

Email at: contact@firstwork.com

Post to: 2261 Market St, San Francisco, California

This Policy was last updated: 31.01.2025

ADM

means Automated decision-making;

CPA

Means the Colorado Privacy Act (CPA) and is a part of the State of Colorado’s Consumer Protection Act and went into effect July 1, 2023. https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf 

CCPA

means the California Consumer Privacy Act (CCPA) signed into law on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375 

CDPA

Means Connecticut Data Privacy Act (CTDPA) which came into effect on July 1, 2023  https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF 

CPRA

means the California Privacy Right Act of 2020

Consent of the Data Subject 

means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;

Contract Performance

means concluding, maintaining, and completing of a contract concluded between the Controller and a Data Subject, including Processing activities which take place at the request of the Data Subject before entering into a contractual relation;

Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data Subject

is any natural person whose Personal Data is being collected, held or processed. Examples of a Data Subject can be an individual, a customer, a prospect, an employee, a contact person, etc;

Direct Marketing

means personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organisations;

General Data Protection Regulation (GDPR)

is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj ;

Legitimate Interest

means the Controller’s interest to process Personal Data in order to carry out tasks related to the Controller‘s business activities. The processing of Personal Data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with a Data Subject;

Personal Data 

means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

Personal Information

means information of the types set out in Section 1798.140. (v) (1-3) of the CPRA where it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Processing

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor

means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

Recipient

means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those Personal Data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing;

Sell, Selling, Sale or Sold

means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration, according to Section 1798.140. (ad) (1-2) of the CPRA.

Share, Shared or Sharing

means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

Sensitive Personal Information

means personal information that reveals: the social security, driver’s license, state identification card, or passport number. An account log-in, financial account, debit card, or credit card number, or credentials allowing access to an account, the precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership, content of a consumer’s mail, email and text messages unless the business is the intended recipient of the communication, and genetic data, the processing of biometric data for the purpose of uniquely identifying a consumer, personal information collected and analyzed about a consumer’s health, sex life or sexual orientation according to Section 1798.140. (ae) (1-3) of the CPRA.

UCPA

Means Utah Consumer Privacy Act, which came into effect on December 31, 2023 https://le.utah.gov/xcode/Title13/Chapter61/C13-61_2022050420231231.pdf 

VCDPA

Means Virginia Consumer Data Protection Act, which came into effect on January 1, 2023 https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/