Privacy Policy for Astride (EXIN competency assessment)

Applicability of this Privacy Policy

Our Privacy Policy governs the use of the Astride competency assessment tools and platform, a product of EXIN B.V. (hereafter referred to as “EXIN”), inclusive of Astride's mobile and desktop applications (hereafter referred to as the “Services”), the astride.com website, and any interactions you may have with Astride such as customer service communications. This encompasses the handling of responses to the competency assessment and any texts, files, videos, audio recordings, or other materials provided through our Services (hereinafter referred to as “Customer Content”). However, this Privacy Policy is not applicable to third-party applications or software that may be used in conjunction with our Services (“Third-Party Services”), nor to any other third-party products, services, or entities.

The Privacy Policy recognizes that the entity (be it your employer or another organization or individual) that enters into a contractual agreement with us through our Terms of Use retains control over their particular instance of the Services (referred to as their “Organization”) and the Customer Content that is generated within it. Individuals granted access by the Customer to use the Organization’s services (“Authorized Users”) will regularly produce Customer Content within Astride by utilizing the Services.

For questions about the privacy settings and practices of a particular Organization, please address your queries to the Customer in charge of the Organization to which you belong. If you have received an invite to an Organization but have not created an account, please contact the Customer who issued the invite for further guidance.

Identifying the Data Controller and Processor

Under data protection regulations applicable in some jurisdictions, there is a distinction made between the "controller" who determines the purposes and means of processing personal data, and the "processor" who processes personal data on behalf of the controller. Typically, the Customer acts as the controller of Customer Content, while EXIN serves as the processor.

The Customer, as the controller, utilizes the Services to manage access to an Organization, assign user roles, configure settings, and control the Customer Content through various actions such as accessing, modifying, exporting, sharing, and deleting data in accordance with their own policies.

EXIN, in its role as the processor, handles Customer Content solely based on the Customer’s directions and in line with the stipulations of the Customer Agreement, the Customer's interaction with the Services, and as mandated by law. For detailed information on the processing of Customer Content, including the processing of personal data, its purpose, the legal basis for such processing, and the rights of data subjects, reference should be made to the privacy notice provided by the relevant Customer.

For other types of data, as outlined in the third paragraph of the next section, EXIN is the data controller. Any questions, concerns, or requests pertaining to your personal data can be directed to EXIN by contacting privacy@exin.com.

The types of personal data we collect

Your personal data is sourced from your own disclosures, acquired from third-party entities, or generated internally by us through your interaction with the Services.

EXIN gathers and receives data that constitutes Customer Content as well as other personal information (“Other Data”) through several methods:

  • Customer Content. This refers to the information and data that Customers or Authorized Users frequently provide to EXIN during their engagement with the Services.
  • Other Data. EXIN also collects, generates and/or receives Other Data:
  • Organization and account information. To set up or modify an Organization account, either you or the appropriate Customer (for example, your employer) will provide EXIN with details such as an email address, phone number, password, domain, and other similar account information. Furthermore, our platform may receive your email address and name from external organizations that have integrations with our services, which can be used for signing up. Additionally, Customers who opt for a paid version of the Services submit billing information, which includes credit card details, banking information, and billing address, directly to EXIN or to the designated payment processors.
  • Usage data.
  • Service metadata. When an Authorized User interacts with the Services, metadata is generated to provide additional context about their use of the Services. For example, Astride logs the Organizations, Teams, features, content and links that you view or interact with.
  • Log data. Like most websites and services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services, recording this information in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, your browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences.
  • Device data. EXIN collects information about devices accessing the Services, including the type of device, operating system used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Data often depends on the type of device used and its settings.
  • Location data. We receive information from you, the relevant Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer or an IP address received from your browser or device to determine approximate location. EXIN may also collect location information from devices in accordance with the consent provided by your device.
  • Cookie data. Astride uses a variety of cookies and similar technologies in our Websites and Services to help us collect Other Data. For more details about how we use these technologies, as well as your opt-out opportunities and other options, please see our Cookie Notice.
  • Email performance data. EXIN uses a “tracking pixel” in email communications in order to track engagement and performance metrics. Much of this data is aggregated and does not contain personal data. If you wish to turn off this tracking, you can do so by turning off images in the email itself.
  • Third-Party Services data. A Customer may choose to use Third-Party Services. If Customer enables Third-Party Services, EXIN may access and exchange Customer Content and Other Data with the Third-Party on Customer’s behalf, in accordance with our agreement with the Third-Party Services and any permissions granted by the Customer (including its Authorized User(s)).
  • Contact data. In accordance with the consent provided by your device or other third-party API, we process any contact information that an Authorized User chooses to import when using the Services.
  • Call data. Our Customer Success team may record video or telephone calls with Customers for the purposes of training and quality assurance. You will be notified of this when a recording is made, and can request that EXIN does not record these calls.
  • Additional data provided to Astride. We also receive Other Data when submitted to our Websites or in other ways, such as when you request support, interact with our social media accounts or otherwise communicate with Astride.
  • Business data. EXIN may receive information about individuals from organisations, industries, Customers, (potential) partners, parent corporations, affiliates and subsidiaries, and our partners for cooperation and communication purposes.

Generally, no one is under a statutory or contractual obligation to provide any Customer Content or Other Data (collectively, “Personal Data”). However, certain Personal Data is collected automatically and, if some Personal Data, such as Organization setup details, is not provided, we may be unable to provide the Services.

How we use personal data

Customer Content will be used by EXIN in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law.

EXIN uses Other Data for the purposes of our legitimate interests in operating our Services, Websites and business. More specifically, EXIN uses Other Data:

  • To provide, update, maintain and protect our Services, Websites and business. This includes the use of Other Data to support delivery of the Services under a Customer Agreement, including to create or update an Organization, to prevent or address service errors, security or technical issues, and to analyze and monitor usage of the product and its features, trends and other activities.
  • As required by applicable law, legal process or regulation.
  • To support and communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Data to respond.
  • To develop, test and provide search, learning and productivity tools and additional features. EXIN tries to make the Services as useful as possible. For example, we make Services suggestions based on historical use and predictive models, identify organizational trends and insights, customize your experience of the Services, or to create and develop new features and products.
  • To conduct market and user research. To improve our Services and troubleshoot new products and features, we may carry out research. For example, we may survey Customers (including Admins and Regular Users) or third parties about customer satisfaction, user experience, the effectiveness of our marketing campaigns, and their broader interests.
  • To send emails and other communications.
  • Transactional: As part of our services, we provide users with certain communications and updates. We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications as part of our Services to you.
  • Soft opt-in / Legitimate Interests: In addition, where you are a non-enterprise user or if you have opted in as an enterprise user, we sometimes send emails about new product features, recommendations and promotional communications, or other news about Astride. You can opt out of these messages at any time by using the unsubscribe link included in all of these communications.
  • For billing, account management and other administrative matters. EXIN may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.
  • To investigate and help prevent security issues and abuse.

If information is aggregated or de-identified so that it can no longer reasonably be associated with an identified or identifiable natural person, EXIN may use it for any business purpose. To the extent information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as “Personal Data.”

Data Retention

EXIN holds onto Customer Content based on the Customer's directives, which are governed by the terms set out in the Customer Agreement, the Customer's application of the Services, and in line with legal requirements. Erasing a Customer's Personal Data might lead to either the removal or anonymization of their account and specific related Other Data. EXIN will keep Other Data for a duration deemed necessary for the objectives stated in this Privacy Policy.

Additionally, it should be noted that EXIN may retain specific kinds of Other Data following an account's deactivation for a timeframe necessary to support EXIN's legitimate business pursuits, conduct audits, adhere to legal responsibilities and demonstrate such adherence, settle disputes, and enforce contractual agreements.

How we share and disclose personal data

This section outlines the ways in which EXIN may share and distribute personal data, as detailed in paragraph 3. The policies and methods regarding the sharing and disclosure of personal data are determined by the Customers themselves, and EXIN does not have control over these decisions by Customers or any other third parties.

EXIN adheres to the instructions provided by Customers for sharing and disclosing personal data, in line with the terms of the Customer Agreement and how the Services are used, always ensuring compliance with applicable laws. However, for assessment results, EXIN only shares aggregated results with Customers, not individual ones. Additionally, EXIN may share personal data with third parties, but only if explicit consent for such sharing has been obtained.

We may share personal data as follows:

Customer access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to personal data. This may include, for example, your employer using Service features to export logs of your activity or accessing or modifying your profile details.

Subcontractors. We may engage third-party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Customers.

Third-Party Services. Customers may enable Third-Party Services. When enabled, EXIN may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. Third-Party Services are not owned or controlled by EXIN and third parties that have been granted access to personal data may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.

Partners. We may share personal data with developers, partners and others we engage to create Astride applications and/or integrate Astride features.

Corporate Affiliates. EXIN may share personal data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.

To comply with laws. If we receive a request for personal data, we may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.

To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of EXIN, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.

Our responsibility for third party links

Our Services may contain links to websites and services operated by third parties. If you follow a link to any of these websites, please note that these websites have their own privacy notices and terms and conditions. Further, we have no responsibility for, or control over, the information collected by any third-party website and we cannot be responsible for the protection and privacy of any information which you may provide to these websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.

Changes to this Privacy Policy

EXIN may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our services or business. We will post the changes to this page and we encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, EXIN will provide additional notice, such as via email or through the Services. If you disagree with the changes to this Privacy Notice, you should deactivate your account. Contact the relevant Customer if you wish to request the removal of your personal data under their control.

Local Provisions

European Union

For individuals in the European Union, the following additional terms apply:

GDPR refers to the General Data Protection Regulation (Regulation 2016/679), a law enacted by the European Parliament and Council on April 27, 2016. It focuses on the protection of natural persons concerning personal data processing and the unrestricted movement of such data, superseding Directive 95/46/EC.

Member State denotes a country that is a member of the European Union.

In instances where your personal data is transferred to our group companies or third-party entities outside of the European Economic Area, we implement measures to ensure your data remains protected. This includes using Standard Contractual Clauses approved by the European Commission (as per Article 46(2)(c) of the GDPR) to maintain data security.

When we act as the controller of your personal data, you are entitled to specific data protection rights under the GDPR. While these rights are comprehensive, they are not without legal limitations and exemptions. We commit to addressing any request to exercise your rights within a month. However, this period may be extended under certain conditions, in which case you will be informed within one month of your request. If we find your request to be unfounded or excessive, we reserve the option to charge a reasonable fee or decline the request. To exercise your GDPR rights, you can contact us by emailing privacy@exin.com.

Access your personal data. You are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you.

Request erasure (deletion) of your personal data. You are entitled to ask us to delete or remove personal data in certain circumstances. There are certain exemptions where we may refuse a request for erasure. For example, where the personal data is required for compliance with law or in connection with legal claims. Where we rely on an exemption, we will inform you about this.

Request the correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.

Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.

Object to our processing of your personal data where we are relying on legitimate interests. You also have a right to object where we are processing your personal data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.

Withdraw your consent. Where you have provided your consent to our processing of your personal data, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal data before you withdrew consent.

Lodge a complaint at a supervisory authority. We will do our best to resolve any complaints you may have. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work, or where an alleged infringement of the applicable data protection law took place.

If you exercise the rights above and there is any question about who you are, we may require you to provide information in order to satisfy ourselves as to your identity.

United Kingdom

If you are based in the United Kingdom, the following provisions apply:

UK GDPR means the Retained Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

If we share your personal data with our group company(ies) or third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018.

In relation to your data subject rights, paragraph 11(d) above applies, except that references to the "GDPR" will be read as references to the "UK GDPR", and in case you wish to lodge a complaint with a supervisory authority, you may direct your complaint to the UK supervisory authority, the Information Commissioner’s Office.
