Please be assured that your privacy is of utmost importance to us. We comply with all applicable data privacy laws including the General Data Protection Regulation regarding personal data collected and processed concerning residents of the European Union and European Economic Area.
The specific practices outlined in this privacy statement apply to privacy practices and procedures maintained by or on behalf of ibex. and its affiliates. Some of our web pages contain links to web sites outside ibex. Please be aware that when you follow a link to another site, you are then subject to the privacy policies of the new site.
The Company collects business contact and financial information from our business customers and vendors. We collect personal contact information, purchase information, and customer experience information from individuals who purchase products and services from our business customers.
The Company processes personal information for the following purposes:
We do not collect personal data of and our websites do not target or provide content to children under the age of 16.
Cookies are small files that web servers place on a user’s hard drive. The Company does not use “persistent cookies” or any other persistent tracking methods to collect personal information about visitors to its websites. Cookies serve several functions:
In addition to personal information, we collect and store non-personal (such as search engine queries and anonymous survey responses) to help us better understand and meet the needs of our visitors. We may share non-personal information with others, including the public, in aggregated form (for instance, in a list of our most popular search engine queries), in partial or edited form (such as in a report summarizing responses to a questionnaire), or verbatim (for example, in a complete listing of survey responses).
EU residents have the following rights regarding their personal data:
To make a subject access request, you should send the request to James Ferrato, Chief Information Officer, email@example.com. In some cases, the Company may need to ask for proof of identification before the request can be processed. The Company will inform you if it needs to verify your identity and the documents it requires. The Company normally will respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of an individual's personal data, it may respond within three months of the date the request is received. The Company will write to you within one month of receiving the original request to tell you if this is the case.
The Company has certified that it complies with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred to the U.S. from the EU and Switzerland, respectively. This certification covers the following Company entities:
To learn more about the EU-U.S. and Swiss-U.S. Privacy Shield programs, please visit http://www.privacyshield.gov To view the Company’s certification under Privacy Shield, please visit http://www.privacyshield.gov/list.
You will be offered a clear, conspicuous, and readily available mechanism to choose (opt out) whether their personal information is (1) to be disclosed to a third party (other than a third party acting as an agent to perform tasks on behalf of and under the instruction of the Company or (2) to be used for a purpose that is materially different than or incompatible with the purpose for which it was originally utilized or subsequently authorized by the individual.
Additionally, you will be offered a similar choice mechanism to give affirmative or explicit (opt in) choice whether their sensitive personal information is to be disclosed to a third party or used for a purpose other than the purposes for which it was originally collected or subsequently authorized by the individual by opt-in choice. However, explicit (opt in) choice is not required when the disclosure of the sensitive personal information is (1) in the vital interests of the individual or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out the organization’s obligations in the field of employment law, or (5) related to personal information that is manifestly made public by the individual.
The Company’s EU and Swiss entities may transfer personal information to a processor in the United States solely for processing purposes. A “processor” is a third party who processes personal information on behalf of and in accordance with the instructions of the Company’s EU and/or Swiss entities. When personal information is transferred from the EU and/or Switzerland to the United States solely for processing purposes, the Company’s EU and/or Swiss entities will comply with the applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), respectively and enter into a contract with the processor to ensure that the processor (1) acts only on instructions of the Company’s EU and/or Swiss entities; (2) provides appropriate technical and organizational measures to protect the personal information against unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; and understands whether onward transfers are allowed; and (3) assists the Company’s EU and/or Swiss entities in responding to individuals exercising their rights under the Privacy Shield principles, taking into account the nature of the processing.
After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information to third parties acting as controllers. A “controller” is a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal information. Examples of third party controllers may include banks and healthcare providers, or management personnel in other Company offices outside of the U.S. When the Company makes such onward transfers to third party controllers, the Company will comply with the Privacy Shield notice and choice principles and enter into a contract with the third party controller that provides that (1) such personal information may be processed only for limited and specified purposes consistent with the consent provided by the individual; (2) the third party controller will provide the same level of protections as the Privacy Shield principles; (3) the third party controller will notify the Company if the third party can no longer meet its obligation to provide the same level of protection for the personal information as required by the Privacy Shield principles; and (4) upon such notice by the third party controller, the third party controller will cease processing the personal information and/or take reasonable and appropriate steps to remediate any unauthorized processing.
After personal information is transferred from the EU and/or Switzerland to Company entities in the United States, the Company may thereafter transfer the personal information of a small number of individuals for occasional employment-related operational needs, if any, such as the booking of a flight, hotel room, or insurance coverage. When the Company makes such onward transfers, it will comply with the Privacy Shield Notice and Choice principles.
The Company has verified and will verify annually through self-assessment that the attestations and assertions made about its Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield principles. This verification has been and will be signed by an officer of the Company or other authorized representative of the Company at least once a year and is available upon request by individuals or in the context of an investigation or a complaint about non-compliance. The verification includes the following:
Inquiries or complaints regarding transfers of personal data from the EU or Switzerland to the U.S. pursuant to Privacy Shield should be directed to our Director of Security and Compliance by e-mail at firstname.lastname@example.org.
If a complaint remains unresolved, EU residents should contact the state or national data protection authority in the jurisdiction where they reside for resolution. A listing of the EU Data Protection Authorities (DPAs) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Individuals in Switzerland should contact the Swiss Federal Data Protection and Information Commissioner (the Commissioner) for resolution. Information regarding the Commissioner is located at: https://www.edoeb.admin.ch/?lang=en.
The Company will cooperate with the DPA’s and/or the Commissioner and comply with the advice of the DPA’s and/or Commissioner. In the event that the DPA’s and/or the Commissioner determines that the Company did not comply with this Policy or Privacy Shield principles, the Company will take appropriate steps to address any adverse effects and to promote future compliance, comply with any advice given by the DPA’s and/or the Commissioner where the DPA’s and/or the Commissioner has determined that the Company needs to take specific remedial or compensatory measures for the benefit of individuals affected by any non-compliance with this Policy or the Privacy Shield principles, and provide the DPA’s and/or the Commissioner with written confirmation that such action has be taken.
Under certain conditions specified by the Privacy Shield Privacy Principles, you may also be able to invoke binding arbitration to resolve your complaints.
The Company is also subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
In the context of an onward transfer of personal information, the Company has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party agent. The Company will remain liable under the Privacy Shield principles if its third party agent processes such personal information in a manner inconsistent with the Privacy Shield principles, unless the Company proves that it is not responsible for the event giving rise to the damage.
All employees who handle personal data transferred from the EU or Switzerland to the U.S. will receive training regarding the data privacy principles and procedures under Privacy Shield Principles and this Policy.
Pursuant to Californian Civil Code Section 1798.83, California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to our Director of Security and Compliance by e-mail at email@example.com.
The Company takes the security of personal data seriously. The Company has internal policies and technical measures in place to protect personal data against loss, accidental destruction, misuse or disclosure. Such internal policies and technical measures include:
For site security purposes and to ensure that this service remains available to all users, this computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage to the information on our websites. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986.
The Company retains personal information only for the period of time necessary to meet the purposes for which it was collected, to fulfil the legitimate business interests of the Company, and to comply with any data retention laws or legal requirements. For example,
When the Company engages third parties to process personal data on its behalf, such third parties are required by contract to process the personal data based on the Company’s written instructions, are under a duty of confidentiality, and are required to implement appropriate technical and organizational measures to ensure the security of the personal data.
When the Company shares personal information of EU residents with affiliated companies, vendors, and business customers located outside of the EU, such as the U.S., the Company uses appropriate safeguards such as standard contract clauses to protect the personal information.
Any questions or concerns regarding how the Company processes personal information should be directed to our Director of Security and Compliance by e-mail at firstname.lastname@example.org. EU residents also have the right to lodge a complaint with the local or national data protection authority in the jurisdiction where they reside. A listing of the EU Data Protection Authorities (“DPAs”) is located at: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. Dispute resolution: If for some reason you believe this site has not adhered to these principles, please notify James Ferrato, Chief Information Officer, at email@example.com. . If our web pages are not fully in compliance with our stated policies, they will be corrected.