DRAFT - Requires Legal Review
Last Updated: [DATE]
Effective Date: [DATE]
This is a TEMPLATE for legal review. It must be customized and reviewed by legal counsel before publication.
Required Customizations:
- Replace [COMPANY NAME], [ADDRESS], [EMAIL], [WEBSITE]
- Confirm data practices match actual implementation
- Review lawful bases with legal counsel
- Confirm international transfer mechanisms
- Add jurisdiction-specific disclosures
- Translate to required languages
- Legal review and approval
[COMPANY NAME] ("we," "us," or "our") operates the Interact employee engagement platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy.
Account Information:
- Name
- Email address
- Password (encrypted)
- Company/Organization name
- Department
- Job title or role
- Profile photo (optional)
- Bio and preferences (optional)
Activity Data:
- Activity registrations and participation
- Comments and feedback
- Ratings and reviews
- Check-ins and attendance
Communications:
- Messages sent through the platform
- Support requests
- Survey responses
Usage Information:
- Pages viewed
- Features used
- Session duration
- Click patterns
- Search queries
Device Information:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Screen resolution
Location Information:
- General location based on IP address
- Precise location (only if you grant permission for location-based features)
Integration Partners:
- Calendar events (Google Calendar)
- Profile information from SSO providers
- Team information from workplace collaboration tools (Slack, Microsoft Teams)
Note: We only access third-party data with your explicit permission through OAuth authorization.
We use your information for the following purposes:
- Create and manage your account
- Display your profile to other users in your organization
- Facilitate activity scheduling and participation
- Calculate gamification rewards (points, badges, leaderboards)
- Send activity reminders and notifications
Lawful Basis: Performance of contract
- Analyze usage patterns and trends
- Develop new features
- Identify and fix technical issues
- Conduct research and development
Lawful Basis: Legitimate interest
- Send activity invitations and reminders
- Share platform updates and announcements
- Respond to your support requests
- Send administrative messages
Lawful Basis: Performance of contract (service messages), Consent (marketing)
- Recommend activities based on your interests
- Customize the interface based on your preferences
- Show relevant content
Lawful Basis: Legitimate interest, Consent (for AI recommendations)
- Detect and prevent security incidents
- Verify user identity
- Enforce our Terms of Service
- Comply with legal obligations
Lawful Basis: Legitimate interest, Legal obligation
We do not sell your personal information. We share information only in the following circumstances:
- Your profile is visible to other users in your organization
- Your activity participation is visible to activity organizers
- Leaderboard data is visible to users (if you opt-in)
We share information with third-party service providers who help us operate the Service:
- Base44: Backend platform and database hosting
- Cloudinary: Image hosting and delivery
- OpenAI, Anthropic, Google: AI-powered recommendations (pseudonymized data only)
- Email Service: Transactional email delivery
- Analytics: Usage analytics (anonymized data)
All service providers are contractually required to protect your information and use it only for providing services to us.
With your permission, we connect with:
- Google Calendar
- Slack
- Microsoft Teams
- [Other integrations]
You can disconnect these integrations at any time in your settings.
We may disclose information if required by law or in good faith belief that such action is necessary to:
- Comply with legal obligations
- Protect our rights or property
- Investigate potential violations
- Protect the safety of users or the public
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
Our Service is hosted on servers located in [LOCATION]. If you are accessing the Service from outside [LOCATION], your information may be transferred to, stored, and processed in [LOCATION].
For EU/EEA Users: We ensure adequate protection through:
- Standard Contractual Clauses (SCCs)
- Data processing agreements with all processors
- Appropriate technical and organizational measures
You have the right to obtain information about the safeguards we use for international transfers.
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this policy.
Retention Periods:
- Account data: Retained while your account is active, plus 1 year after deletion
- Activity participation: Retained for 1 year after account deletion (anonymized for analytics)
- Analytics data: Anonymized after 90 days, retained for 2 years
- Session data: 30 days or until logout
- Support requests: Retained for 3 years
- Legal hold data: Retained as required by law
You can request deletion of your information at any time (see Your Rights below).
Depending on your location, you may have the following rights:
You have the right to access your personal information and receive a copy.
How to exercise: [Link to data export feature or email privacy@example.com]
You have the right to correct inaccurate or incomplete information.
How to exercise: Update your profile in settings or contact us
You have the right to request deletion of your personal information.
How to exercise: [Link to account deletion feature or email privacy@example.com]
Note: Some information may be retained for legal compliance or legitimate business purposes.
You have the right to request restriction of processing in certain circumstances.
How to exercise: Contact us at privacy@example.com
You have the right to receive your data in a machine-readable format.
How to exercise: [Link to data export feature]
You have the right to object to processing based on legitimate interests or for direct marketing.
How to exercise: Opt-out in notification settings or contact us
Where we rely on consent, you have the right to withdraw it at any time.
How to exercise: Adjust settings or contact us
You have the right to lodge a complaint with your local data protection authority.
For EU/EEA residents: [Link to list of supervisory authorities]
We implement appropriate technical and organizational measures to protect your information:
Technical Measures:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest
- Regular security assessments
- Access controls and authentication
- Security monitoring and logging
Organizational Measures:
- Employee security training
- Incident response procedures
- Regular security audits
- Third-party security assessments
However, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
Our Service is not directed to children under 16. We do not knowingly collect information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately.
We use cookies and similar tracking technologies to provide and improve the Service.
Types of Cookies:
- Essential: Required for the Service to function (authentication, security)
- Functional: Remember your preferences
- Analytics: Understand how you use the Service
- Third-party: Integrations and embedded content
Your Choices: You can control cookies through your browser settings. However, disabling essential cookies may affect the functionality of the Service.
Do Not Track: We do not currently respond to Do Not Track signals.
The Service may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to review their privacy policies.
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new policy on this page
- Updating the "Last Updated" date
- Sending you an email notification (for significant changes)
Your continued use of the Service after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our privacy practices:
Email: privacy@[COMPANY].com
Mail: [COMPANY NAME]
[ADDRESS]
[CITY, STATE, ZIP]
[COUNTRY]
Data Protection Officer (if applicable): dpo@[COMPANY].com
Response Time: We will respond to your inquiry within 30 days.
Categories of Information Collected: See Section 1
Categories of Sources: Directly from you, automatically, third parties
Business Purposes: See Section 2
Categories of Third Parties: Service providers, integration partners
California Rights:
- Right to know what information is collected
- Right to delete
- Right to opt-out of sale (we do not sell information)
- Right to non-discrimination
How to Exercise Rights: Contact privacy@[COMPANY].com
Do Not Sell My Personal Information: We do not sell personal information.
Data Controller: [COMPANY NAME], [ADDRESS]
Data Protection Officer: [NAME], dpo@[COMPANY].com (if applicable)
Lawful Bases: See Section 2
International Transfers: See Section 4
Rights: See Section 6
Supervisory Authority: [Relevant authority based on location]
Data Controller: [COMPANY NAME], [UK ADDRESS]
ICO Registration Number: [NUMBER] (if applicable)
Rights: Similar to GDPR (see Section 6)
Supervisory Authority: Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
If you are located in a jurisdiction with specific data protection laws, please contact us to learn more about your rights.
Personal Information: Information that identifies, relates to, or could reasonably be linked to you.
Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
Controller: The entity that determines the purposes and means of processing personal data.
Processor: An entity that processes personal data on behalf of the controller.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
[COMPANY NAME]
Last Updated: [DATE]
Before publishing this privacy policy:
- Replace all placeholders [COMPANY NAME], [ADDRESS], etc.
- Confirm all data practices are accurately described
- Add specific service provider names and links
- Confirm retention periods match actual policies
- Review with legal counsel
- Add jurisdiction-specific disclosures as needed
- Translate to required languages
- Implement data export and deletion features mentioned
- Setup privacy@[COMPANY].com email
- Obtain legal approval
- Add to website footer and signup flow
- Version control and change tracking