Privacy Notice
ANDY FRAIN SERVICES, INC.
Effective: May 25, 2018
1. Introduction.
Andy Frain Services, Inc., including its corporate headquarters, divisions, field offices, affiliates and subsidiaries (Andy Frain Services of Canada, Inc., Andy Frain Services UK and Andy Frain Services (France)) (“Frain”, "us", "we", or "our") is a provider of business management software solutions as well as physical security, event, screening and audit services.
Frain respects and values the privacy of its customers, users, business partners and visitors to its Sites and users of its Services. This Privacy Notice (“Privacy Notice”) applies when you use our Sites and Services (defined below) and describes the information that we collect, and how we may use or disclose that information. This Privacy Notice also describes the purpose and legal basis for data collection, safeguards and measures we take to protect the security of information and how you can contact us about our privacy practices or to exercise your data subject rights.
2. Scope.
This Privacy Notice applies to our privacy practices concerning the Sites and the Software (defined below) which is hosted by Frain and/or accessed through the Sites (defined below), the Mobile Applications (below defined) and Frain’s Support Services. Frain owns and operates the websites, www.andyfrain.com, www.prismesolutions.com, www.prismesolutions.net, and www.redi-trak.com (the “Site” or "Sites"). Frain provides Andy Frain Services or Prism eSolutions branded, hosted, on-demand, web-based business management software service subscriptions (“Frain Software”) and mobile applications (“Mobile Applications”) and related communications for the purpose of enhancing awareness, quality auditing, management of risk, communication, documentation, and analysis of incidents that occur in sensitive facilities or environments, including the right to use the Frain Software and support services (“Support Services”) for such Frain Software (where applicable), as well as any other services provided by Frain (Frain Software, Mobile Applications and Support Services shall be collectively referred to herein as the “Services”). Software as a service or mobile application use is provided pursuant to execution of a Master Services Agreement (“Master Services Agreement”) which incorporates this Privacy Notice. This Privacy Notice also applies to Frain’s online job application systems which can be accessed through the Sites. Frain and its subsidiaries have different systems for receiving and reviewing job applications in different countries. This Privacy Notice covers both the electronic systems that Frain has implemented for job applications in the United States and the processes that some locations may use that do not involve an online system.
The Sites may contain links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites and this Privacy Notice does not apply to other sites. We encourage our users to be aware when they leave our Site and to read the privacy statements of any other site that collects personal data.
3. Data We Collect and Use (Processing).
3.1. Data You Provide Us. Personal data that you provide us:
3.1.1. Frain Software and Mobile Applications. Frain’s Software and Mobile Applications collect user information to authenticate access and provide user log information to Frain’s Customers and Users as part of the Services. Frain provides Software and Mobile Applications services and programs to certain authorized customers and users pursuant to written master service agreements between Frain and its customers (“Customer”) and Customer’s authorized end users (“Users”). Such agreements identify the scope of services, the costs for such services and other terms of service. For Customer and their Users to create and register their account, at Customer’s direction, Users need to provide the following personal data:
• Name
• User name,
• Password and
• E-mail address.
Customers and Users are solely responsible for their content. In the normal course of using the Services, Users will input electronic business use case data into the Frain’s Software or Mobile Applications (“Customer Data”). The Software and Mobile Applications consist of business management solutions such as document control, audit and ISO certification, and we are not responsible for the content or nature of the Customer Data you upload into the Software and Mobile Applications. If you upload Customer Data which includes personal data content or other sensitive information, then that personal data would be collected by us as a result of your voluntary action to store such Customer Data in our Software and/or Mobile Application. You do not have to and there is no requirement to upload personal data into the Software or Mobile Application other than the above user credential information which is required to create an account, to log user activities as part of the Services and to communicate with you about activities occurring within the Software or Mobile Application projects.
Frain stores on its servers located in the United States Customer Data under the direction of its Customers pursuant to the Master Services Agreement and Frain has no direct control or ownership of the Customer Data it stores. Customers are responsible for complying with any regulations or laws that require providing notice, disclosure and/or obtaining consent prior to transferring the data to Frain for processing purposes. Frain does not transfer, sell, lease, license or rent Customer Data to third parties.
The use of personal data collected from our Services shall be limited to providing the Services to you. Accordingly, we only use personal data:
• To authenticate access to the Services pursuant to the Master Services Agreement;
• We use your e-mail address contained in your user information to send you system generated email notifications to notify you of certain activity occurring within a project to which user has access;
• Your user information is used to log certain activities in the Software which are integral to the Software such as tracking access or revisions to a document in a document control module;
• Provide administrative notices or communications applicable to your use of the Sites or Services;
• We may send you communications regarding the availability of our Services, security or other service-related issues;
• We may also send you legal notices.
• We may access Customer Data (and if necessary personal data contained therein, if any) for the purposes of providing or discussing with Customer the Services, preventing or addressing service or technical problems, responding to support issues, responding to Customer’s instructions or as may be required by law, in accordance with the Master Services Agreement between Customer and Frain;
• We use Customer Data (and if necessary personal data contained therein, if any) to investigate, respond to and resolve customer support matters, complaints and Services issues;
• We use Customer Data (but not personal data) to:
• Operate, evaluate and improve the Services;
• Analyze trends and statistics regarding visitors’ use of our Sites and Services.
By using the Sites and Services, you consent to the collection and use of information in accordance with this Privacy Notice.
3.1.2 Websites. Frain’s Sites collect Log Data and Cookies. You can obtain more information below at Paragraph 3.2. In addition, if you wish to follow our Sites or comment on our Sites, then you are required to provide Frain with your name and e-mail address. Providing this information enables you to communicate with us through or follow our blogs, social networks and other interactive media; and solicit your feedback and input. These communications will contain links for preference management and, where appropriate, unsubscribe links should you decide you do not want to receive further communications. If you wish to have Frain “erase” your personal data or otherwise refrain from communicating with you, please contact us at ITsupport@andyfrain.com.
3.1.3. Electronic Job Applications. We collect personal data from you if you complete an employment application through the Site. Completing an employment application through the Site is limited to jobs posted for operations in the United States and is also completely voluntary and users may choose whether or not to do so and therefore whether or not to voluntarily disclose information requested by such application. If you choose not to complete an employment application using the Site, depending on the position applied for, Frain may not be able to consider you for a position. Personal data provided by a user as part of a job application may include but shall not be limited to: • Name • Date of birth • Contact information (address, telephone number, email address) • Work history • Education • Resume • Eligibility to work • Citizenship • Job specific questions that relate to the fitness of a candidate for a particular job • References • Information that we may be required by law to ask in certain countries • Where you learned about the job opening • Any other information that you may choose to provide as part of your application • Information provided by third party sites, if you apply for a job opening through a third party site In the United States, Frain will also ask individuals to self-identify their ethnicity, gender, veteran status, and disability information. That information is entirely voluntary and your decision to provide or withhold any of that information will not negatively impact how we consider you for employment. For certain jobs and in certain locations, you may be asked to have a medical examination, hearing or vision checks, drug testing, a background check, or a criminal history check. These will only be performed with your consent, but in certain circumstances, your offer of employment may be contingent on your successful completion of one or more of these checks. Frain does not perform criminal history checks where prohibited from doing so by law. Frain may confirm the information provided in your application, such as your references, driving license and record, education and job history, without seeking your additional consent. Employment applicant information will be used only for lawful evaluation, employment and hiring purposes consistent with our Human Resources policies and procedures. These include the following uses: • allow you to apply for employment with Frain and evaluate your application and candidacy for employment, including without limitation arranging for and conducting phone or in person screening, and interviews consistent with all applicable labor and employment laws and consistent with our Human Resources policies and practices; • invite you to apply for and consider you for other opportunities that may be or become available; • contact you with regard to a job opportunity • validate reference checks, and conduct background checks; • facilitate your hiring and on-board your employment, if you are hired; • comply with legal and regulatory requirements involving job applicants, which may include providing reports to government agencies; • verify your identity to ensure security for one of the other purposes listed here; • conduct internal investigations and comply with legal obligations.
3.1.4. Communication. If you correspond with us by email, in writing, or other form of communication, whether related to our Sites, Software or other Services, we may retain such correspondence and the information contained in it and use it to respond to your inquiry; to provide customer support; to keep a record of your complaint, accommodation your request, and for other similar uses. If you wish to have Frain “erase” your personal data or otherwise refrain from communicating with you, please contact us at legal@andyfrain.com.
3.1.5 Sensitive Information. We do not collection sensitive personal data as part of our Software and Mobile Applications. However, we are required to collect certain types of sensitive information during the employment application process and for certain contractors, partners or vendors. Some countries or jurisdictions consider some personal data particularly sensitive. Frain only collects this data when voluntarily given by the user in connection with an employee application when necessary or voluntarily provided to Frain through Frain’s software programs as Customer Data. If provided in the context of an employee application, this information is used only for lawful purposes in connection with evaluating employee applications and on-boarding applicants to Frain’s HR systems. Frain does not share this information with third parties except as necessary for human resources administration. Such information may include the following: • Date of birth; • Social Security Number (United States); • Ethnicity, nationality, gender, and other demographic information.
3.1.6 Security. We may use data collected under paragraphs 3.1.1 – 3.1.5 if we think it is necessary to protect against and prevent fraud, unauthorized transactions, claims and other liabilities, and manage risk exposure, including by identifying potential hackers and other unauthorized users. We may also use your data to investigate possible fraud or violations of this Privacy Notice or our Service Agreement.
3.2 Cookies. We collect information about the Website Services that you use and how you use them, like when you visit a Site that uses our services or you view and interact with our content.
3.2.1. Log Data. Like many site operators, we collect information that your browser sends whenever you visit our Site ("Log Data"). This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our Site that you visit, and other usage information such as the time and date of your visit, the time spent on those pages and other statistics. In addition, we may use third party services such as Google Analytics provided by Google, Inc. (“Google”) that collect, monitor and analyze this Log Data. Google Analytics uses Log Data, which are log files reflecting your interactions with our Site to help us analyze how users use the Site. The information generated by your use of the Site (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purposes of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may prevent the use of Google Analytics by disabling cookies in the browser's set up screen. You may prevent the storage of cookies by selecting the appropriate settings on your browser software. You may prevent Google from recording the data generated by the cookie and pertaining to your use of the website (including your IP address), or processing these data by downloading and installing the following browser plug-in available through Google at the following link: http://tools.google.com/dlpage/gaoptout?hl=en. Google's Privacy Notice is located at http://www.google.com/analytics/learn/privacy.html. An opt-out cookie will be set on the computer, which prevents the future collection of your data when visiting this website: Disable Google Analytics. By using Frain’s Sites and not adjusting your browser settings, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
3.2.2. Cookies. Like many sites, we use cookies (“Cookies”) to collect information. Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are text files sent to your browser from a web site and stored on your computer's hard drive. You can instruct your browser through its privacy features to refuse all cookies or to indicate when a Cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site. The Site uses Cookies to provide enhanced functionality on the site (e.g., user ID and password prompts) and aggregate traffic data (e.g., what pages are the most popular). We use this information to analyze general traffic patterns and to perform routine system maintenance. You may refuse the use of Cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
By clicking “Agree” or by continuing to browse our Sites without adjusting your browser settings to block cookies (for information about how to do this please see below “How to manage cookies”), you are agreeing to our use of log data and cookies.
3.3 Purposes and Lawful Basis. We will only collect and process personal data about you where we have lawful bases. Lawful bases include consent (where you have given consent), contract (where processing is necessary for the performance of a contract with you and “legitimate interests”. Where we rely on your consent to process personal data, you have the right to withdraw or decline your consent at any time and where we rely on legitimate interests, you have the right to object. If you have any questions about the lawful bases upon which we collect and use your personal data or how to withdraw your consent, please contact us below.
3.31. Software and Mobile Applications: The purpose of this data processing is provide you with secure access to and the ability to use and access documents or information in the Software or Mobile Application which you or Frain’s Customer on your behalf purchased from us. This data collection by Frain’s Customer and processing by Frain is necessary to utilize the Software or Mobile Application. Like any software portal or platform, without user credentials, access to the system could not be controlled by Frain’s Customer and Customer’s Data would not be protected. specific purpose of the Software and Mobile Applications may vary depending on the application and the goals and purposes of Frain’s Customers (i.e. the data controller), including but not limited to, document control, data collection, ISO certification and quality control and risk management auditing; Frain’s Customers are the data controllers of personal data collected by Frain in providing the Software and Mobile Application. Failure to provide this personal data will result in Customer’s and their Users being unable to access the Software or Mobile Application.
3.32. Employment Applications: The purpose of this data processing is to receive, review, screen and evaluate prospective employee applications for employment and to on-board, hire and employ individuals using Frain’s Human Resources systems when hired for employment with Frain. This data collection is necessary to further Frain’s legitimate interest in hiring highly qualified staff for its software and security businesses. In addition, in certain cases collection of this personal data is required by applicable labor and employment laws or you may consent to this data collection . Failure to provide personal data required by Frain’s policies or by law will result in a prospective employee not being considered for employment. 3.33. Log Data and Cookies: The purpose of this data collection and processing is to allow Frain to understand how Frain’s Customers and Users interact with the Sites, and Mobile Applications. This data collection is necessary to further Frain’s legitimate interest in understanding the use of its Sites and Services. Further, Frain has hereby requested your consent to this data collection. You may opt of processing by Google as set forth in this Privacy Notice.
4. How We Transfer Data. 4.1. Third Party Service Providers. We use others to help us provide our Services. This includes hosting, fraud detection, and software development services. Third party service providers will have access to your information only where necessary to perform these tasks on our behalf and are contractually obligated not to disclose or use it for other purposes. Frain also uses service providers that assist with its online job application systems which are accessed through the Site. These providers provide back-up storage and hosting services, assist with job postings, payroll and time and attendances services and on-board applicants to Frain’s human resources systems. 4.2 Legal Disclosures. It is possible that we will need to disclose information about you when required by law. This includes by legal mandate, compliance with applicable law, subpoena, or other legal process or if we have a good faith belief that disclosure is reasonably necessary to (1) investigate or respond to suspected or actual illegal activities; (2) enforce our Master Service Agreements with Frain’s Customers, (3) investigate and defend ourselves against any third-party claims or allegations, or (4) protect the security or integrity of our Sites and Services. We attempt to notify you about legal demands for their personal data when appropriate in our judgment, unless prohibited by law or court order or when the request is an emergency. We may dispute such demands when we believe, in our discretion, that the requests are overbroad, vague or lack proper authority, but we do not promise to challenge every demand. Frain will refer any request for disclosure of personal data by a law enforcement authority to the Customer. 4.3. Change in Control or Sale. We can also share your personal data if necessary during a change in Frain’s business as part of a sale of the business, merger with another company or change in control of the business, or in preparation for any of these events. Any other entity which buys us or part of our business will have the right to continue to use your data, but only in the manner set out in this Privacy Notice unless you agree otherwise. 5. Transferring Personal Data from the EU to the US. Personal data is processed in the United States. Frain has its headquarters in the United States. Except for personal data deriving from Frain’s subsidiaries which shall be processed where possible in the country where such subsidiary is domiciled, personal data we collect from you will be processed in the United States. The United States has not sought nor received a finding of an unconditional “adequacy” from the European Union under Article 45 of the GDPR. Frain relies on the Standard Data Protection Clauses set forth in Article 46(2) and derogations for specific situations as set forth in Article 49 of the GDPR. In particular, Frain collects and transfers to the U.S. personal data only: with your consent; to perform a contract directly with you or with Customers on your behalf; or to fulfill a compelling legitimate interest of Frain in a manner that does not outweigh your rights and freedoms. Frain endeavors to apply suitable technical, administrative and physical safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Frain and the practices described in this Privacy Notice. Frain also minimizes the risk to your rights and freedoms by not collecting or storing sensitive information about users located in the EU. See the below section on “Security” for more information. 6. Data Subject Rights. Depending on your location and applicable laws: you have a right of access, right of rectification, right to erasure, right to restrict data processing, right to object against profiling and your right to data portability. Certain countries privacy laws and regulations provide certain data subject rights which may be applicable to you. This Privacy Notice is intended to provide you with information about what personal data the Frain collects about you and how it is used. If you have any questions, please contact us at legal@andyfrain.com. If you wish to confirm that Frain is processing your personal data, or to have access to the personal data Frain may have about you, please contact us at legal@andyfrain.com. 6.1. Control Over Personal Data. You have the right to and can request us to: 6.1.1. Access your personal data. 6.1.2. Change or correct inaccurate personal data. 6.1.3. Delete your personal data if your personal data is no longer needed by Frain to perform the Services and for the purposes set forth in this Privacy Notice. 6.1.4. Restrict use of your data if we are not using it legally, if it is inaccurate or if you are no longer a user of the Services. 6.1.5. Receive your personal data in a machine readable format and have your personal data transmitted to another service provider. 6.1.6. Object to data processing. 6.1.7. Opt out of and cease receiving communications. 6.1.8. Lodge a complaint with a supervisory data protection authority. To the extent that we are relying on our legitimate interests to use your personal data, you also have the right to object to such processing, unless we can either demonstrate compelling legitimate grounds for the use that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims. To the extent that we engage in direct marketing efforts (which we do not), you also have the right to object to such processing. Without undue delay and not later than within a month, we will respond to your request to invoke your rights consistent with applicable law. Frain does not engage in automated-decision making or profiling. A User of Frain’s Software or Mobile Application who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his or her query to Frain’s Customer (the data controller). For more information on the applicable Controller of your data, please contact Frain at legal@andyfrain.com. If Frain’s Customer requests Frain to remove the personal data to comply with data protection regulations, Frain will respond to their request within 30 business days. 6.2 Data Retention. The length of our data retention depends upon how long you use our Services or how much time has passed since your employment application. Your personal data is stored by Frain on its servers, and on the servers of the cloud-based database management services Frain engages, located in the United States. We retain personal data of Users of Frain Software or Mobile Applications while your account remains active or while we are contracted to provide Services to a Customer. Personal data provided by job applicants is retained in accordance with applicable legal retention requirements set by each state or jurisdiction applicable to the data subject in order to comply with labor and employment laws and regulations. We retain personal data of job applicants even if not selected for a position with us for a maximum of three (3) years, except for such longer periods of time where reasonably necessary to comply with our legal obligations, meet regulatory requirements, and resolve disputes. 6.3. Contact Details. You can obtain more information about our data retention practices or exercise any of the above requests by contacting us at legal@andyfrain.com or by mailing us at 761 Shoreline Drive, Aurora, Illinois 60504, ATTN: Legal Department/Privacy. 7. Security. We implement physical, technical and administrative safeguards consistent with industry standard and applicable law. The security of your personal data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. To help protect the privacy of personal data you transmit through use of this Site, we maintain physical, technical and administrative safeguards. Wherever we collect personal data, that information is encrypted and transmitted to us in a secure way. We update and test our security technology and we monitor our systems on an ongoing basis. The systems in which personal data is stored are maintained in a physically and technically secure environment. We use encryption to protect sensitive information transmitted online, and we also protect your personal data offline through physical and administrative safeguards. We restrict access to your personal data to only those employees who need to know that information to perform a specific job. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities. More information about our safeguards and security policies can be obtain by contacting us at legal@andyfrain.com. 8. Certain Jurisdictions. Certain jurisdictions provide for specific user rights or data subject requirements, including the following and Frain’s policy is to comply with all regulations applicable to Frain’s business operations, including, where applicable, the following: 8.1. California: California residents may request and obtain data that Frain shared with other businesses for their own direct marketing use (as defined by California’s “Shine the Light Law”). Frain does not share personal data of job applicants with third parties for their direct marketing efforts, and therefore this law does not apply to personal data collected from job applicants. 8.2 EU and EEA countries which are covered by the EU’s General Data Protection Regulations and certain other countries provide for the data subject rights set forth in Section 6 of this Privacy Notice. 8.3 United States: Frain collects Social Security Numbers where required by law, such as for tax and payroll purposes for its employees. When Frain collects and/or uses Social Security Numbers, Frain will implement adequate safeguards by protecting confidentiality, limiting access on a need-to-know basis, and implementing appropriate technical safeguards and retention plans. 9. Changes To This Privacy Notice. This Privacy Notice is effective as of May 25, 2018 and will remain in effect until otherwise changed or updated. We reserve the right to amend this Privacy Notice and change or update our privacy policies at any time, for any reason, without notice to you other than posting an amended Privacy Notice to the Sites and you should check this Site periodically. Your continued use of the Site and Services after we post any modifications to the Privacy Notice will constitute your acknowledgment of the updates, changes or modifications and your consent to the amended Privacy Notice. If we make any material changes to this Privacy Notice, we will endeavor to notify you either through the email address you have provided us or by placing a prominent notice on our Site. 10. Contact Us. If you have any questions, concerns or complaints about this Privacy Notice, please contact Frain’s Privacy Officer at: Andy Frain Services, Inc. 761 Shoreline Drive Aurora, Illinois 60504 (630) 820-3820 ATTN: Legal/Privacy legal@andyfrain.com