Labster Privacy Policy

Last modified: September 8, 2023

This Labster Privacy Policy describes how Labster Group ApS and its subsidiaries (individually, and collectively, “Labster”, “us”, “our”, and “we”) collect and process your Personal Information and Personal Data, as defined by applicable privacy laws and regulations (hereinafter “Personal Data”) for the activities described below, including, but not limited to, when you visit our websites, when you use Labster’s products and services, when you apply for a job at a Labster entity, and when you attend any of our events (online and offline). This Privacy Policy describes your choices and rights related to your Personal Data.

1. Controller, Representatives, and Data Protection Officer

The Controller (as defined in the applicable data protection laws and regulations) for the Personal Data discussed in this Privacy Policy is Labster ApS, unless otherwise stated.

Labster’s EU Representative (according to Art. 27 GDPR) is Labster ApS, CVR number 34457808, with a primary business address at Vesterbrogade 149, St., lokale 102, 1620 Copenhagen V, Denmark.

Labster’s UK Representative (according to Art. 27 GDPR, and DPA 2018) is Labster ApS, with a primary business address at Lowin House, Tregolls Road, Truro, TR1 2NA, United Kingdom.

Labster’s DACH Representative (according to Art. 27 GDPR) is Labster GmbH, with a primary business address at Talacker 41, 8001 Zurich, Switzerland.

Labster’s U.S. Representative (for the purpose of the CCPA and DPF) is Labster Inc., with a primary business address at 561 Windsor Street, B302, Somerville, Massachusetts 02143.

If you have any questions or concerns regarding the processing of your Personal Data or this Privacy Policy, please contact Labster’s Data Protection Officer, John Pothier, at john.pothier@labster.com with a copy to privacy@labster.com or by using the contact details above.

2. The Personal Data We Collect and Process

The information we collect, or may have collected about customers, prospects, website users, and through the use of our products and services, generally falls into the following categories:

2.1 Identifiers and Information that Identifies, Relates to, Describes, or is Capable of Being Associated with, a Particular Individual

Full real name, including first, last, and middle name; signature; age and date of birth; postal address, including business and/or academic/educational institution and/or purchasing contact address, such as mailing street, suite/unit/building, or other address number, mailing city, mailing state or province, ZIP or postal code, and country; telephone or cellular phone number, including office number(s), telephone extension number(s), mobile phone number(s), and facsimile number(s); IP address(es); email address(es) including personal and academic/educational institution email address; employment or enrollment information such as business and/or academic/educational institution of employment or study, workplace role or title, department, job function, management role, management hierarchy, past or previous employment role(s) or title(s), courses of study, and grades.

2.2 Commercial Information

Labster products and services purchases, including service agreements, hardware purchases/leases, software services licenses and subscriptions, purchase orders, and other agreements pursuant to or related to the purchase or licensing of Labster products and services; invoices or statements; bank, credit card, or other payment information; other purchasing or consuming histories and tendencies, such as visits to our website and use of our products and services.

2.3 Internet or Other Electronic Network Activity Information

Your interactions, and history of interactions with our website and Labster online advertisements; interactions with Labster marketing materials and Labster product documentation via Labster support pages and our Labster account; and Labster customer interactions, such as online chat and messaging functions.

Additional data we collect when you visit our website may include the URL of the website that you came from before visiting our website, which pages you visit on our website, which URL you go to next, which browser you used to come to our website, your IP address, and any search terms entered on our website.

2.4 Personal Data Collected Through Automated and Passive Electronic Methods (Online Behavior Tracking and Advertising)

When you visit the Labster website, or interact with our advertisements hosted on third-party websites, or use our products or services, we may collect information about your interactions and history of interactions with the Labster website, product, or service and Labster from cookies on our website, product, or service, and from online ad-tracking, fingerprinting, and behavioral tracking services; IP address(es) and device identity; interactions with Labster marketing materials and product documentation via Labster support pages and your Labster account.

We may also collect, through automated means, a history of your interactions with our online chat and messaging functions, telephone, email, online chat logs, and other records to provide the services and support to you.

For further information regarding the usage of cookies and other tracking technologies please refer to Section 3 below.

2.5 Personal Data Collected and Shared With Us From Third Parties

Third parties include, but are not limited to, third party resellers, marketing data research services, publicly accessible sources, and referrals.

We may collect Personal Data from publicly accessible sources, sales and marketing data services, referrals, and third-party resellers of Labster products and services.

The information collected may include your: name, email address(es), telephone or cellular phone number, company or academic/educational institution phone number with extension(s), facsimile number(s); employment or enrollment information, such as business and/or academic/educational institution of employment or study, workplace role or title, and department.

2.6 Account Information

Access to certain parts of our website, products, and services may require a username and password. A username and password permit us to track certain information, such as software license and service operations. You are responsible for any action connected with the use of your password, and you should not share your password with anyone. To request a new password, please contact Labster’s Technical Support at customer.support@labster.com.

Labster customers may request customer support via our website and from within certain products and services. For customer support, a customer will generally be required to submit his/her name, academic/educational institution ID, and contact information, such as email address.

2.7 Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information

Audio, such as phone calls, online meetings, webinars, webcasts; visual information from web meetings, webinars, and webcasts.

2.8 Educational, Professional, or Employment-Related Information

Business and/or academic/educational institution of employment, workplace role or title, department within your organization, job function, management role, management hierarchy, past or previous employment role(s) or title(s); academic/educational institution, courses taken; product or service scores or grades.

3. Cookies and Other Tracking Technologies

Our website, products, and services use cookies to distinguish you from other users of our website, products, and services. This helps us to provide you with a good experience when you browse our website, products, and services and also allows us to improve our website, products, and services.

Cookies are pieces of information that are transmitted from our web server or third-party web servers to your browser where they are stored for later retrieval. Cookies can be small files or other types of information storage. Cookies are used to store information that arises in connection with the specific end device used. Cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website, product, or service is opened again. A cookie also contains information about its origin and the storage period. This does not mean that we will immediately become aware of your identity.

We use the following types of cookies:

Strictly Necessary

Strictly necessary cookies help make a website, product, or service usable by enabling basic functions like page navigation and access to secure areas of the website, product, or service. The website, product, or service cannot function properly without these cookies. These cookies are required to enable you to navigate through the web, product, or service pages and use key functions. They support basic functions, such as order processing in the online shop and access to secured areas of the web, product, or service page. They also serve the purpose of performing an anonymous analysis of user patterns, which we use to continuously develop and improve our web, product, and service pages for you. We automatically store strictly necessary cookies on your device if they are strictly necessary for the operation of our website, product, and service.

Functionality

Functionality cookies enable a website, product, or service to remember information that changes the way the website, product, or service behaves or looks, like your preferred language or the region that you are in.

Performance

Performance cookies help website, product, or service owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Targeting and Advertising

Targeting and advertising cookies are used to track visitors across websites, products, and services. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers. For more information regarding this practice, and to opt-out of such collection and use of this information by our third-party service providers, please see Networkadvertising.org.

The legal basis for all cookies that are not strictly necessary for the operation of the website, product, and service is our legitimate interest in optimizing our marketing measures, and improving our product and service quality, and the user experience on our website and in our products and services. You can find a list of the cookies and tracking technologies we use, including why, and how to accept and reject them, here.

Google Analytics

On some of our websites, we may also utilize Google Analytics, a web analysis service provided by Google, to better understand your use of the website, products, and services. Google Analytics collects information such as how often users visit the websites, what pages they visit, and what other sites they used prior to visiting. Google uses the data collected to track and examine the use of the websites, to prepare reports on its activities, and share them with other Google services. Google may use the data collected on the websites, products, or services to contextualize and personalize the ads of its own advertising network. Google’s ability to use and share information collected by Google Analytics about your visits to the websites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. Google offers an opt-out mechanism for the web available here.

Without a common industry or legal standard for interpreting Do Not Track (“DNT”) signals, we do not respond to browser DNT signals.

4. Labster Products and Services

4.1 Commercial and Sales Agreements, and Payment Processing

When you or your academic/educational institution purchases Labster products or services and accepts the terms, conditions, and obligations of Labster’s purchasing, services, and licensing agreements we may require you to disclose your identifiers.

4.2 Setting up Your Labster Account

Labster offers its users access to their Labster account. Your Labster account may contain various kinds of commercial information related to your Labster account, such as contracts, invoices, and contact information. Registration with email address and password is required to use your Labster account. In the context of your usage of your Labster account, we may process your identifiers. Such data is processed in order to provide access to your Labster account and to identify the authorized user of the Labster account.

Your Personal Data will be processed as long as you use your Labster account. If you close/delete your account or if your account is deleted either after twelve (12) months of non-use or otherwise, except for any aggregated and anonymized data used in accordance with the terms of this Privacy Policy, or for a legitimate business interest, the Personal Data processed via your Labster account is deleted (subject to our data retention obligations).

4.3 Usage Analytics

To better understand how you use our website, products, and services, and our users’ needs, to optimise your user experience, and to continuously improve our products and services, we may use analytic tools, for example, heat mapping, which allow us to monitor the usage and behavior of the users of our products and services. Such data is used to generate aggregated and anonymized usage reports (no individual user information is contained in these reports). We will not use this information to identify individual users or to match it with further data on an individual user.

4.4 Technical Support, Troubleshooting, Integration, and Other Support and Technical Services

When receiving live technical support and troubleshooting, or integration assistance from our technical support or customer success teams, over the phone and/or through remote access support, as well as through email or support ticketing systems, we may ask for certain identifiers. We may capture audio-visual information recordings during live support calls or remote access sessions, we will retain email records of support emails, and records of support tickets and online support chats. We may also collect IP address(es) and/or internet and other electronic network activity information, as needed to provide your requested support. We may also reach out to you via email or other support system to provide integration and other support in advance of your account activation.

5. Sales Contact, Product Demonstrations, and Negotiations

When you fill out a webform on our website, or a third party’s website, to request a Labster product demonstration, marketing materials, product information, or contact from our sales team or marketing team, we may require you to provide certain identifiers.

When you have in-person, telephone, or web-conference conversations with our sales team, marketing team, customer success team, and/or support team, our team members may ask you for certain identifiers. Our teams may also ask about your past products or services purchased, obtained, or considered.

Finally, we may, subject to your prior consent, if legally required, capture audio-visual information recordings during phone calls or web-conferences, and we will retain records of emails, online chats, and phone logs.

6. Email Newsletter

On our website, you can subscribe to receive our email newsletter. In the context of the subscription process, we collect the Personal Data from the subscription form, the IP address of your device and the date and time of subscription. We obtain your consent to send you our email newsletter.

Subscription to the email newsletter can be terminated at any time by using the unsubscribe link contained in each newsletter or by contacting us at customer.support@labster.com.

If you register as a user of our products and services and enter your email address, we may subsequently use your email address to send you an email newsletter, provided that you have not objected to such use. In such a case, only direct advertising for our own similar goods or services will be sent via the email newsletter. You can object to the use of your email address at any time without incurring any costs other than the transmission costs according to the basic rates by using the unsubscribe link contained in each newsletter or by contacting us at the contact details provided above.

With our newsletters, a statistical evaluation of usage data can be carried out. For this purpose, we may record both the openings of the email and the internal clicks. This information serves the purpose of measuring and optimizing the success of our newsletter campaigns by making the contents of the newsletter more relevant to our target group.

7. Social Media

We maintain publicly accessible profiles on several social media networks like Facebook, Twitter, YouTube, Instagram, Pinterest, and LinkedIn (“Social Media Pages”).

If you visit one of our Social Media Pages and are logged in to the respective social media network, the provider of the social media network can analyze your usage behavior and assign the information collected to your account at the social media network and enrich it there. Even if you are not logged in or if you do not have an account at the respective social media network, Personal Data may be collected by the provider of the respective social media network, for example your IP address or data collected via a cookie.

The operators of the social media networks can use this data to create user profiles. Your user profile can then be used to display interest-based ads both on social media network websites and on other websites.

If you visit one of our Social Media Pages, we are jointly responsible with the social media network provider for the collection and processing of your Personal Data there. With regard to information about the collection and processing of your Personal Data that takes place there, we refer you to the data protection information of the respective social media network. We do not have any further information in this respect.

You can assert your rights of data subjects in accordance with Chapter III of the GDPR (right to information, correction, deletion, restriction of processing, data transferability, etc.) both against us and against the provider of the respective social media network. In this context, we would like to point out that we can only influence the processing of Personal Data and the implementation of the rights affected within the framework of our social media pages within the scope of the possibilities made available to us by the respective provider.

8. Job Applications

We collect and process Personal Data of applicants for the purpose of processing the application process. If an applicant submits his or her application documents to us electronically, they are processed electronically.

If we conclude an employment contract with an applicant, the data transmitted will be processed in order to carry out the employment relationship in compliance with applicable statutory provisions. If no employment contract is concluded with the applicant, the application documents will be retained for a limited period of time, based on our legitimate interest, such as the defense of claims or a preservation of evidence under applicable anti-discrimination laws. Upon determination that there is no longer a legitimate interest for retention, or your request as provided for herein, we will delete your application documents.

8.1 Personal Data Provided by You

Labster processes the Personal Data you provide in connection with your application in order to check your suitability for the position (or any other open positions in one of Labster’s entities) and to carry out the application procedure.

The Personal Data collected by us includes:

  • Name, address, telephone number, email address, and other contact information;
  • Username and password;
  • Work authorization status;
  • CV, cover letter, previous work experience and education information;
  • Knowledge, skills, and abilities;
  • Professional and other work-related licenses, permits, and certifications held;
  • Information relating to employment references;
  • Any other information you elect to provide us (e.g., employment preferences, willingness to relocate, current salary, desired salary, awards, professional memberships, hobbies, social preferences, etc.).

8.2 Information Collected from Other Sources

Where relevant for your application and to the extent permitted by applicable law and/or with your prior explicit consent, Labster may, for the purpose of pre-employment screenings and background checks in connection with your application, obtain information about you from other sources. These other sources may include your references, prior employers, academic/educational institutions you attended, credit checks, and social media profiles (e.g., LinkedIn).

8.3 Sensitive Personal Data

Labster usually does not request sensitive data (“special categories of data”, according to Art. 9 GDPR, if applicable), such as ethnic origin, religion, sexual orientation, or political affiliation in connection with your application. Please avoid submitting such sensitive data unless specifically requested. In strict compliance with applicable law, Labster may ask questions about gender, ethnic origin, health and disabilities of applicants for the monitoring of equal employment opportunity compliance. If you provide us with such special categories of data, you consent to the processing of such data in connection with your application and in accordance with this Privacy Policy and applicable laws and regulations.

Where relevant for your application and to the extent permitted by applicable law and/or with your prior explicit consent, Labster may also ask you to provide criminal records.

8.4 Reference Data

Should you provide us with Personal Data of a reference or any other individual as part of your application, you are responsible for obtaining the individual’s consent prior to providing such Personal Data to Labster.

8.5 Purposes of Data Processing

Labster will process your Personal Data for recruitment, management, and planning, and in particular, for the following purposes:

  • Processing of your application;
  • Assessment of your capabilities and qualifications;
  • Conduct of reference checks, where relevant and to the extent compliant with applicable law;
  • Communication with you about your application;
  • Compliance with any applicable law or regulation (e.g., diversity requirements);
  • Protection of Labster’s rights; and
  • General administration and human resources management (in case you become a Labster employee).

8.6 Access and Disclosure

Labster will share your Personal Data on a strict “need to know” basis only with those employees who really need it to process your application, including, but not limited to, the human resources department, hiring manager(s), and interview partners.

In this context, Labster may also disclose your Personal Data to employees of other Labster entities globally, if the employment will be with an international Labster entity outside of your home country and/or if such a disclosure is necessary for the fulfillment of the purposes described above, for example, if the hiring manager is not employed with the hiring entity but with another Labster entity.

8.7 Third-Party Service Provider

Labster may share your data with third-party service providers used for the provision of services in the context of your application, such as the provider of the Labster career website, the provider of our human resources information system, recruitment agencies, external consultants, pre-employment screening providers, tax advisors, and attorneys.

Where Labster uses a third-party service provider to process Personal Data, Labster will enter into data processing agreements with such provider as required by applicable law. Labster will also ensure that the service provider will be able to meet industry standard security measures to ensure the confidentiality and integrity of the Personal Data. Labster's service provider list is here.

9. Events, Webinars, Conferences, and Visiting Labster Offices

9.1 Events

When you register for events, such as webinars, webcasts (pre-recorded or live), as well as industry trade show events and/or when you visit our trade show booth, we may request your identifiers.

9.2 Visiting Labster Offices

If you visit one of our offices, you may be asked to log your identifiers with a front desk receptionist or attendant through physical premises access and entry tracking or management systems, reception logs, and/or on-site visitor tracking and security systems.

9.3 Online Meetings

When we participate in an online meeting, video conference, telephone conference and/or webinar organized, held and/or provided by Labster (“Online Meeting”), we process your Personal Data to enable your participation in the Online Meeting. We may process your identifiers, video and audio content, chat content, and time and duration of the Online Meeting. We will inform you about our intention to record Online Meetings and will, if legally required, obtain your prior consent.

We use third-party service providers to organize and hold such Online Meetings on the basis of a data processing agreement, as required by applicable law. Labster will also ensure that the service provider will be able to meet industry standard security measures to ensure the confidentiality and integrity of the Personal Data.

10. Why We Collect and Process Personal Data About You

We do not and will not sell your Personal Data; however, Labster collects and processes Personal Data, as well as shares your Personal Data, for the purposes described in this Privacy Policy and for the following purposes:

  • To communicate with you about our Privacy Policy, our terms and conditions related to your purchase, licensing, use of our products and services, product security, and legally required disclosures;
  • To provide you with products and services you request, keep you updated on new products and services, upcoming events, offers, and promotions; and other information that we think will be of interest to you.
  • To set up and maintain your account, and to do all other things required for providing our products and services, maintaining, servicing, and updating your account(s) associated with our products and services; providing customer service; processing or fulfilling orders and transactions, and processing payments, verifying customer information, and auditing interactions with our customers and users.
  • Web advertising and marketing, including counting ad impressions to unique visitors; verifying positioning and quality of ad impressions; and auditing such efforts for compliance with our legal obligations.
  • Product and service debugging, troubleshooting, and other efforts to identify and repair issues in, and/or upgrade Labster products and services, detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such activity.
  • Undertaking internal research and activities to verify or maintain the quality and safety of Labster’s products and services, as well as to improve, upgrade, or enhance our products and services, to ask you to participate in surveys, or to solicit feedback on our products and services.

11. Security of Your Personal Data

We employ a variety of physical, administrative, and technological safeguards designed to protect personal data against loss, misuse, unauthorized access or disclosure, alteration and destruction.

We have dedicated information security programs and continuously enhance our technical and operational security measures.

We follow generally accepted industry standards to protect the information submitted to us throughout three stages of data. Our security measures include data encryption, firewalls, data use, and access limitations for our personnel and vendors and physical access controls to our facilities.

No technology is a perfect solution to protect your data. We strongly encourage you to enable security measures if our platforms/applications also make them available to you.

12. Access to Personal Data and Disclosure to Third Parties

Your Personal Data is only accessible to those internal departments or organisational units that need your Personal Data to fulfill their tasks, to fulfill contracts with you, for data processing with your consent, or to safeguard our legitimate interests.

Data will only be transferred to third parties in strict compliance with all legal requirements. We will only transfer your data to third parties if, for example, it is necessary for contractual purposes or to safeguard our legitimate interest in the effective conduct of our business operations.

We may use third parties, such as, but not limited to, service providers, affiliates, agents, and/or business partners, to perform certain services, including, without limitation, facilitating some aspects of our website, our products and services, processing credit card transactions, and/or sending emails. These third parties may be supplied with, or have access to, your Personal Data solely for the purpose of providing these services to you on our behalf.

Labster will enter into data processing agreements with such third parties, as required under applicable law and regulation, and requires these third parties to:

  • Only process your Personal Data for limited and specified purposes;
  • Provide the same level of protection for your Personal Data as is required by applicable privacy law and regulation, and as defined under this Privacy Policy; and
  • Notify us, and cease processing Personal Data (or take other reasonable and appropriate remedial steps), if the third party determines that it cannot meet its obligations to provide the same level of protection for Personal Data as is required by applicable privacy law and regulation.

We also may disclose your information, including Personal Data, in the following circumstances:

  • In response to a subpoena or similar investigative demand, a court order, or other request from a law enforcement or government agency (you cannot opt out of such disclosure if required by lawful order), to: (a) establish or exercise our legal rights, (b) defend against legal claims, or (c) as otherwise required by law;
  • When we believe disclosure is appropriate in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud, or other wrongdoing;
  • To protect and defend the rights, property or safety of our company, our users, our employees, or others;
  • To comply with applicable law or cooperate with law enforcement;
  • To enforce our website’s, products’, and services’ terms and conditions or other agreements or policies; or
  • In connection with a corporate transaction, such as the sale of all or a portion of our business, a divestiture, merger, consolidation, or asset sale, or in the event of bankruptcy.

It is possible that we acquire or sell the company or parts of the company or individual assets. Personal Data may be transferred in connection with such a sale, merger, reorganization or similar event. In this case, your Personal Data will continue to be processed in accordance with this Privacy Policy.

In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities may be entitled to access your Personal Data. If we receive any such requests for access to your Personal Data, it is our standard to carefully scrutinize each request and respond with the minimum amount of information in response to legitimate, legally mandated requests.

Labster does not, and will not, sell or disclose your Personal Data to third parties, unless for business purposes as set forth above. Further, Labster does not collect Personal Data based on characteristics of protected classifications under applicable law. If we anticipate disclosure of your Personal Data to any third party other than those set forth above, you will be given an opportunity to opt out of such disclosure of your Personal Data. However, you cannot opt out of disclosure of your Personal Data if required by lawful order.

You may choose whether your Personal Data may be used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by you. You may contact us in accordance with the processes available to you in this Privacy Policy, regarding our use or disclosure of your Personal Data. Unless we offer you an appropriate choice, we use Personal Data only for purposes that are materially the same as those indicated in this Privacy Policy.

Insofar as we use service providers or third-party providers within the context of our collection and processing of Personal Data, the provision of the website and/or the provision of our products and services, we take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of such Personal Data.

13. Retention and Deletion

We adhere to the principles of data avoidance and data minimization. We therefore only store your Personal Data for as long as is necessary to achieve the purposes stated here, under our contractual obligations to you, or as required by the retention periods provided for by law.

In general, we retain your Personal Data as long as we are providing products and services to you. We retain Personal Data after we cease providing products and services directly or indirectly to you, even if you delete/close your account, to the extent necessary to comply with our legal, regulatory, and contractual obligations, as well as for the purpose of fraud monitoring, detection, and prevention.

We also retain Personal Data to comply with our tax, accounting, and financial reporting obligations. Where we retain data, we do so in accordance with any limitation periods and records retention obligations that are imposed by applicable law, regulation, or contractual obligation.

If the storage purpose no longer applies, or if the retention period expires, the Personal Data will be deleted or anonymized in accordance with applicable law and regulation.

However, we may continue to store anonymous or anonymized information, such as, but not limited to, website visits and usage of our products and services, in order to improve our website visitors’, customers’, product and services users’, and other third parties’ experience and our products and services.

With regard to job applications, we may, subject to your explicit consent where required, retain your information in our talent pool for the purpose of considering whether your skills are suitable for other future opportunities.

14. International Transfers

14.1 Global Business

We are a global business and your Personal Data may be stored and processed in any country where we have operations, employees, or consultants, or where we engage service providers. We may transfer Personal Data to recipients in countries other than the country in which the Personal Data was originally collected. Those countries may have data protection rules that are different from those of your country. However, we will take measures to ensure that any such transfers comply with applicable data protection law and regulation, and that your Personal Data remains protected to the standards described in this Privacy Policy. Unless otherwise required in a contract with you, those countries where your Personal Data may be stored or transferred internationally include, but are not limited to: Australia, Canada, those of the European Economic Area, the United Kingdom, and the United States of America.

14.2 Local Requirements and Regulatory or Judicial Decisions

A commission, your local legislature, or regulator, may determine that one of these jurisdictions does not provide for the same level of data protection as your jurisdiction, such as the European Economic Area. Nonetheless, we ensure that the recipient of your Personal Data offers an adequate level of protection and security, for example by entering into the European Union Standard Contractual Clauses (as may be amended from time-to-time) or by an alternative mechanism for the transfer of such data. We will be happy to provide you with information on the appropriate safeguards for data transfer to third countries in accordance with Art. 46 GDPR at any time upon request.

14.3 Data Privacy Frameworks

Labster complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Labster has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Labster has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Labster is accountable for the processing of personal data it receives under the Data Privacy Framework and subsequently transfers to a third party. Labster complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over Labster Inc.’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Labster is, therefore, subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

For additional information and guidance on how to enforce your rights in accordance with the Data Privacy Frameworks, please see Section 19.

15. Your Choices and Rights

With respect to the collection of your information, if you do not want your Personal Data collected, please do not submit it to us. If you have already submitted Personal Data and would like to review, correct, or remove it from our records, please contact us at privacy-requests@labster.com.

15.1 Cookies

If you wish to disable cookies, you can set your browser not to accept cookies. You can find out how to do so at www.aboutcookies.org.

Please note though that if you turn off cookies, there may be some features and functions of our website, products, and services that will not be available to you and some pages may not display properly.

15.2 Information Shared with Third Parties

You may also choose whether your Personal Data may be used for a purpose that is materially different from the purposes for which the Personal Data was originally collected or subsequently authorized by you. You may contact us as indicated herein regarding our use or disclosure of your Personal Data. Unless we offer you an appropriate choice, we use Personally Identifiable Information only for purposes that are materially the same as those indicated in this Privacy Policy.

If you have consented to our use of your Personal Data for a specific purpose, you have the right to change your mind at any time and revoke your consent by contacting us at the contact details stated above, but this will not affect any processing that has already taken place.

16. California Residents

To the extent applicable to our collection, use, and disclosure of Personal Data relating to California residents, Labster also complies with the principles of the California Consumer Privacy Act (“CCPA”). You have the right under the CCPA and certain other privacy and data protection law, as applicable, to exercise the rights described below, free of charge.

16.1 Disclosure of Personal Data We Collect About You

You have the right to know the:

  • Categories of Personal Data we have collected about you;
  • Categories of sources from which the Personal Data is collected;
  • Business or commercial purpose for collecting or selling Personal Data;
  • Categories of third parties with whom we share your Personal Data, if any; and
  • Specific pieces of Personal Data we have collected about you.

Please note that we are not required to:

  • Retain any Personal Data about you that was collected for a single, one-time, transaction if, in the ordinary course of business, that information about you is not retained;
  • Re-identify, or otherwise link, any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; or
  • Provide the Personal Data to you more than twice (2x) in a twelve (12) month period.

16.2 Disclosure of Personal Data Sold or Used for a Business Purpose

In connection with any Personal Data we may disclose to a third party for a business purpose, you have the right to know:

  • The categories of Personal Data about you that we sold and the categories of third parties to whom the Personal Data was sold (if applicable); and
  • The categories of Personal Data that we disclosed about you for a business purpose.

16.3 Right to Deletion

Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

  • Delete your Personal Data from our records; and
  • Direct any of our Service Providers (as defined by the CCPA) to delete your Personal Data from their records.

Please note that we may not delete your Personal Data if it is necessary to:

  • Complete the transaction for which the Personal Data was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activity;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • Comply with an existing legal obligation; or
  • Otherwise use your Personal Data, internally, in a lawful manner that is compatible with the context in which you provided us with the information.

16.4 Protection Against Discrimination

You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means we cannot, during or after your exercise of such rights, among other things:

  • Deny products or services to you;
  • Charge different prices or rates for our products or services, including through the use of discounts or other benefits or imposing penalties, which fall outside the scope of normal business practices for other customers and users;
  • Provide a different level or quality of products or services to you; or
  • Suggest that you will receive a different price or rate for products or services or a different level or quality of products or services.

Please note that we may charge a different price or rate, or provide a different level or quality of our products or services to you, if that difference is reasonably related to the value provided to us by your Personal Data.

16.5 How to Exercise Your Rights as a California Consumer

Please submit a request to privacy-requests@labster.com, complete a Personal Data disclosure or deletion request form here via our online form, or call 1-855-749-0697. Please note that you may only make a data access or data portability disclosure request twice (2x) within a twelve (12) month period. Please allow up to forty-five (45) days for a response to your request.

If you request disclosure or deletion, you will need to provide us with:

  • Enough information to identify you (e.g., your full name, email address, country, state, and business and/or academic/educational institution name, if applicable);
  • Proof of your identity and address (if necessary); and
  • A description of what right under the applicable law you want to exercise, and the information to which your request relates.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected the information or is someone authorized to act on such person’s behalf (i.e., parent or guardian).

Any Personal Data we collect from you to verify your identity in connection with your request will be used solely for the purposes of such verification.

17. Canadian Residents

To the extent applicable to our collection, use, and disclosure of Personal Data relating to Canadian individuals, Labster complies with the principles of:

The Personal Information Protection and Electronic Documents Act (“PIPEDA”), including accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance. For more information regarding PIPEDA, please visit.

The Canadian Anti-Spam Law (“CASL”), including commercial electronic messages sent to exempt and non-exempt recipients who have provided their express or implied consent. For more information regarding CASL, please visit.

18. India Residents

We will continue to monitor changes in the Personal Data Protection Bill 2019 as presently under consideration by the Indian Parliament; however, to the extent applicable to our collection, use, and disclosure of Personal Data relating to Indian individuals, Labster complies with the principles of the Information Technology Act 2000 (“ITA”), based on the United Nations Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law on 30 January 1997 via resolution A/RES/51/162, including:

Section 43A, governing the use of reasonable security practices and procedures (“RSPP”), as set forth herein, in protecting sensitive personal data and information (“SPDI”), and retaining the SPDI for no longer than is required for the purpose for which the SPDI can lawfully be used or is otherwise required under any other law for the time it is in force.

Section 72A, governing the improper disclosure of personal information without consent in the course of performing a contract.

18.1 Lawfulness of Processing

If you are an individual in India, we collect and process SPDI about you only where we have a legal basis for doing so under applicable Indian laws. The legal basis depends on the products and services you use and how you use them. This means we collect and use your SPDI only where the:

  • SPDI is collected for a lawful purpose connected with a function or activity of us collecting or using the information;
  • Collection of the SPDI is considered necessary for that purpose; and
  • SPDI collected is used for the purpose for which it has been collected, and if for any other purpose consent will be obtained in advance of such use.

18.2 Your Rights

If you fall under the scope of the ITA, you have the right to know the:

  • SPDI being collected;
  • Purposes for which the SPDI is collected;
  • Intended recipients of the SPDI; and
  • Name and address of the agency collecting or retaining the information.

19. EU/EEA/UK Residents

19.1 Lawfulness of Processing

If you are an individual in the European Union (“EU”), the European Economic Area (“EEA”), or the United Kingdom (“UK”), we collect and process information about you only where we have a legal basis for doing so under applicable EU and UK laws. The legal basis depends on the products and services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide you the services, including to operate the services, provide customer support and personalized features and to protect the safety and security of the services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote our products and services, and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your Personal Data to comply with a legal obligation.

19.2 Your Rights and Dispute Resolution

If you fall under the scope of the General Data Protection Regulation (“GDPR”) or the Data Protection Act 2018 (“DPA 2018”) which is the implementing legislation of the GDPR in the UK, you have the right to free information about your Personal Data processed and stored by us, its origin, recipient, and the purpose of data processing, as well as a right to correction, blocking, or deletion of such Personal Data. You also have the right to limit the processing and to object to the processing.

You also have the right to have your data, which we process automatically, handed over to you or to a third party in a common, machine-readable format.

To assert your rights, please contact us using the contact details given above or you can perform your right to data access and deletion directly by reaching out to privacy@labster.com or via our online form here.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Labster commits to cooperate and comply, respectively, with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Helpful contact information can be found below:

  • Danish Data Protection Agency (https://www.datatilsynet.dk), via e-mail to dt@datatilsynet.dk, call +45 33 19 32 00, or write a letter to: Datatilsynet, Carl Jacobsens Vej 35, DK-2500 Valby, Denmark.
  • Swiss Data Protection Agency (https://www.edoeb.admin.ch/edoeb/en/home.html), via e-mail to info@edoeb.admin.ch, call +41 (0)58 462 43 95, or write a letter to: Office of the Federal Data Protection and Information Commissioner FDPIC, Feldeggweg 1, CH – 3003 Berne, Switzerland.
  • United Kingdom Data Protection Agency (https://ico.org.uk/), via e-mail to info@ico.org.uk, call +44 0303 123 1113, or write a letter to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF United Kingdom.

You may have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Labster’s Data Privacy Framework compliance not resolved by any of the other Data Privacy Framework mechanisms as provided for here.

19.3 Withdrawal of Consent

Some data processing operations are only possible with your express consent. You can withdraw your consent at any time. For this purpose, an informal email notification to us is sufficient. The legality of the data processing carried out until the withdrawal remains unaffected by the revocation.

19.4 RIGHT OF OBJECTION

AS FAR AS YOUR DATA IS PROCESSED, AS EXPLAINED IN THIS PRIVACY POLICY, TO PROTECT OUR LEGITIMATE INTERESTS, YOU CAN OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE. PLEASE CONTACT US USING THE CONTACT DETAILS GIVEN ABOVE.

AS A MATTER OF PRINCIPLE, YOU ARE ONLY ENTITLED TO THIS RIGHT OF OBJECTION IF THERE ARE REASONS ARISING FROM YOUR PARTICULAR SITUATION (ART. 21, PARA. 1 GDPR). AFTER EXERCISING YOUR RIGHT OF OBJECTION, YOUR PERSONAL DATA WILL NOT BE FURTHER PROCESSED FOR THESE PURPOSES UNLESS WE CAN PROVE COMPELLING REASONS FOR PROCESSING WORTHY OF PROTECTION WHICH OUTWEIGH YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES THE ASSERTION, EXERCISE, OR DEFENCE OF LEGAL CLAIMS.

IF THE PROCESSING IS CARRIED OUT FOR THE PURPOSE OF DIRECT ADVERTISING, YOU CAN EXERCISE YOUR RIGHT OF OBJECTION IN THIS REGARD AT ANY TIME (ART. 21 PARA. 2 GDPR) AND YOUR PERSONAL DATA WILL THEN NO LONGER BE PROCESSED FOR THE PURPOSE OF DIRECT ADVERTISING, IRRESPECTIVE OF THE REASONS FOR THE OBJECTION.

19.5 Obligation to Provide Data

The provision of Personal Data is neither required by law nor by contract, nor are you obliged to provide Personal Data. However, the provision of Personal Data is required for the conclusion and performance of a contract to the extent that certain details are absolutely necessary in order to conclude and perform a contract.

19.6 Automated Decision Making

We do not perform automated decision making, including profiling.

19.7 International Transfers to Third Countries Outside of the EU/EEA/UK

Labster may transfer your Personal Data to countries located outside of the EU/EEA/UK. With regard to transfers of Personal Data to third countries not considered adequate by the European Commission, we have put in place adequate safeguards, such as our compliance with the EU-U.S. Data Privacy Framework and, to the extent applicable and available, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework, and/or the EU Standard Contractual Clauses (as may be updated from time-to-time), to protect your Personal Data.

You may obtain a copy of these measures by contacting Labster’s Data Protection Officer, John Pothier, at john.pothier@labster.com with a copy to privacy@labster.com.

20. Links to Third Party Websites and/or Integration with Third Party Platforms

Our website, products, and services may interface with third party sites and services (for example, Social Media Pages, or other third party applications, sites, or services). Our website, products, or services may also contain links to websites operated and maintained by third parties, over which we have no control.

Privacy policies for these third party websites and services may be different from our Privacy Policy. You access these third party sites and services at your own risk. You should always read the privacy policy of a linked site or integrated service before disclosing any Personal Data on such site and/or through such service. Labster is not responsible for information, Personal Data or otherwise, you submit to third parties.

We may also use third party tools to support advertising efforts and/or to track visitors to our website, products, or services, or provide other analytical data. In general, this means that third party vendors may show our ads on sites across the Internet (including non-Labster sites) based upon your visits to our website and we may use general analytic data to track visits to and from our website and other sites. At this time, most web services, including our website, and some of our third party providers, do not currently recognize or alter behavior in response to automated browser signals regarding tracking mechanisms.

21. School Users and Student Records

We strive to implement best practices to protect the privacy of all of our student and non-student users alike. To help our school partners address their obligations to protect their students’ data privacy, we have implemented additional controls and procedures for schools, school districts, colleges and universities, and teachers and professors (collectively referred to as “Schools”) when they enter into a contract with us to use the website, products, and services as part of the School’s educational curriculum. When the website, products, and services are used as part of the School’s educational curriculum, the personal information related to the School’s student users (“Student Users”), that is: (a) provided to us by a student or by a School; or (b) collected by us during the provision of the services to a School, may include information defined as “educational records” by the Family Educational Rights and Privacy Act (“FERPA”) or other information protected by similar student data privacy laws. We call this information “Student Records”.

Please note, only personal information relating to user accounts which are:

(i) created by a School (for example, when a teacher creates the user name, login, and password to establish School User accounts, or when the teacher rosters a class using third party single sign-on service); or

(ii) created by a Student User at the direction of a School, using a School email address (i.e., ‘name@school.edu’, or other email which can be verified with the School), and associated with a School’s class on the website, products, and services; and

(iii) created pursuant to a contract between us and the School, are designated as Student Records.

Student Records shall not include information a student or other individual may provide to us independent of the student’s use of the website, products, or services at the direction of the School.

21.1 Lawfulness of Processing

Our collection and use of Student Records is governed by our contracts with the Schools, by our Privacy Policy, and by applicable privacy laws. For example, we work with Schools to help protect personal information from the Student’s educational record, as required by FERPA, to protect the personal information of students under thirteen (13) consistent with the Children’s Online Privacy Protection Act (“COPPA”), and as may be required by other international privacy laws. If you have any questions about reviewing, modifying, or deleting the personal information of a School User accessing the website, products, or services through a School agreement, please contact your School directly.

We collect, maintain, use, and share Student Records only for an authorized educational purpose and as described in our Privacy Policy, or as directed by the School, Student User, or Student User’s parent or legal guardian (“Parent”).

We do not disclose Student Records for targeted advertising purposes.

We do not build a personal profile of a Student User other than in furtherance of an educational purpose or as authorized by a Parent.

We maintain a comprehensive data security program designed to protect the types of Student Records maintained by the website, products, and services.

We will never sell Student Records unless the sale is part of a corporate transaction, such as a merger, acquisition, bankruptcy, or other sale of assets, in which case we will require the new owner to continue to honor the terms provided in this Privacy Policy, or we will provide the School with notice and an opportunity to opt-out of the transfer of Student Records by deleting the Student Records before the transfer occurs.

We will not make any detrimental material changes to our Privacy Policy or contractual agreements that relate to the collection or use of Student Records without first giving notice to the School and providing a choice before the Student Records are used in a materially different manner than was disclosed when the information was collected.

21.2 How We Share and Disclose Student Records

Depending on the features and account controls applicable to the Student User accounts, we may share usernames and profile information with other users on the website, products, or services, such as teachers, coaches, or School administrators, and this information may be visible if a Student User posts content in available discussion forums.

Depending on the manner in which our website, products, and services are used by a School and the terms of the agreement between the School and us, we may provide access to certain Student Records, Student User account usage data (“School Analytics”) to the School for the purpose of monitoring student usage and activity, and evaluating the effectiveness of the School’s use of the website, products, and services.

21.3 How We Retain and Delete Student Records

We will not knowingly retain Student Records beyond the time period required to support an educational purpose, unless authorized by a School, Student User, or Student User’s Parent.

All users, including Student Users (or their Parents) can delete their accounts and all personal information associated with the account at any time via email request to customer.support@labster.com.

The School is responsible for managing Student Records which the School no longer needs for an educational purpose by submitting a deletion request when such data is no longer needed. Schools should contact us at privacy-requests@labster.com to request deletion of Student Records associated with the School’s use of our website, products, and services. Please note that we cannot comply with a School’s request to delete personal information in a user account except for accounts created by a School (i.e., using a School email address and/or an account login provided by a School) pursuant to a contractual agreement between the School and us, or unless the Student User (or the Student User’s Parent) requests deletion directly.

21.4 Questions About Student Records

If you have questions about specific practices relating to Student Records provided to us by a School, please direct your questions to your School.

22. Children and Minors

Labster’s website, products, and services are not intended for use by minors, particularly those under age thirteen (13), and we do not knowingly collect information, Personal Data or otherwise, from children unless the user’s academic/educational institution has entered into an agreement with us and allows such minors to use the website, products, and services, and remains responsible for any such actions of the minor when using the website, products, and services, or at the direction and with the permission of a parent. Any use by a minor under the age of thirteen (13) which is permitted by the user’s academic/educational institution is done so in accordance with the academic/educational institution’s receipt of consent from such minor’s parent or guardian in accordance with the Children’s Online Privacy Protection Act, or other applicable law. In the event that we learn that we have collected Personal Data from a child under age thirteen (13) without parental consent, we will delete that information as promptly as possible. If you believe that we might have any information, Personal Data or otherwise, from a child under thirteen (13) years of age, please contact us immediately under the contact details provided above.

23. Bug Bounties

Labster does not offer a ‘Rewards for Bug Bounty’, or similar, program.

24. Security Research

Security researchers are prohibited from publicly disclosing vulnerabilities without the prior written consent of Labster’s Privacy and Security team. You are encouraged to contact Labster’s Privacy and Security team for clarification before engaging in conduct that may be inconsistent with, or unaddressed by, Labster’s Privacy Policy. Labster encourages customers, users, and vendors who might find vulnerabilities in or on Labster’s information assets, and would like to report in good faith, to contact Labster’s Privacy and Security team at privacy@labster.com.

25. Policy Changes

To improve the products and services we can offer you, we may opt to expand our capabilities for obtaining information about users in the future, or may change the ways in which we collect, use, process, or share information, Personal Data or otherwise.

Labster will update this Privacy Policy continually to ensure that you are aware of developments in this area. We will post any such changes here so that you will always know what information we collect, whether online or otherwise, how we use it, and what choices you have. Please be sure to check, from time to time, and before proceeding to use our website, products, and services. Any material changes will be communicated via a notice on our website.