CHANGEUP PRIVACY NOTICE

Last Updated: 02/22/2024

This Privacy Notice applies to the processing of personal information by Change Up, Inc. (“ChangeUp,” “us,” “we,” or “our”), including on our website available at https://www.changeup.com/ and our other online or offline offerings which link to, or are otherwise subject to, this Privacy Notice (collectively, the “Services”).

Disclosure Regarding Customer Data. This Privacy Notice does not apply to the personal information that we process on behalf of our customers pursuant to a written agreement we have entered into with such customers (“Customer Data”). Our customers’ respective privacy notices or policies govern their collection and use of Customer Data. Our processing of Customer Data is governed by the contracts that we have in place with our customers, not this Privacy Notice. Any questions or requests relating to Customer Data should be directed to our customer.

  1. UPDATES TO THIS PRIVACY NOTICE
  2. PERSONAL INFORMATION WE COLLECT
    A. Personal Information You Provide to Us Directly
    B. Personal Information Collected Automatically
    C. Personal Information Collected from Third Parties
  3. HOW WE USE PERSONAL INFORMATION
  4. HOW WE DISCLOSE PERSONAL INFORMATION
  5. YOUR PRIVACY CHOICES AND RIGHTS
  6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
  7. RETENTION OF PERSONAL INFORMATION
  8. CHILDREN’S PERSONAL INFORMATION
  9. THIRD-PARTY WEBSITES/APPLICATIONS
  10. CONTACT US

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on our website, and/or we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.

    A. Personal Information You Provide to Us Directly

We may collect personal information that you provide to us.

  • Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, email address, first name and last name.
  • Your Communications with Us. We, and our service providers, may collect the information you communicate to us, such as through email.
  • Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the survey.
  • Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages).  Any information you provide using the public sharing features of the Services will be considered “public.”
  • Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.
  • Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and CV.

    B. Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.
  • Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, approximate location derived from IP address and precise geo-location information).
  • Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.
  • Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies (“Technologies”) to automatically collect personal information through your use of the Services.
    • Cookies. Cookies are small text files that a website stores in your browser and that the browser sends back on later requests to that site.
    • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

See “Your Privacy Choices and Rights” below to understand your choices regarding these Technologies.

    C. Personal Information Collected from Third Parties

We may collect personal information about you from third parties.  For example, if you access the Services using a Third-Party Service (defined below), we may collect personal information about you from that Third-Party Service that you have made available via your privacy settings. In addition, users of the Services may upload or otherwise provide personal information about others.

3. HOW WE USE PERSONAL INFORMATION

We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, and to provide you with marketing materials, as described below.

    A. Provide the Services

We use personal information to fulfill our contract with you and provide the Services, such as:

  • Managing your information;
  • Providing access to certain areas, functionalities, and features of the Services;
  • Answering requests for support;
  • Communicating with you;
  • Sharing personal information with third parties as needed to provide the Services;
  • Processing your financial information and other payment methods for products and Services purchased;
  • Processing applications if you apply for a job we post on our Services; and
  • Allowing you to register for events.

    B. Administrative Purposes

We use personal information for various administrative purposes, such as:

  • Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
  • Carrying out analytics;
  • Measuring interest and engagement in the Services;
  • Improving, upgrading, or enhancing the Services;
  • Developing new products and services;
  • Creating de-identified and/or aggregated information. If we create or receive de-identified information, we will not attempt to reidentify such information, unless permitted by, or required to comply with, applicable laws;
  • Ensuring internal quality control and safety;
  • Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Notice;
  • Debugging to identify and repair errors with the Services;
  • Auditing relating to interactions, transactions, and other compliance activities;
  • Enforcing our agreements and policies; and
  • Carrying out activities that are required to comply with our legal obligations.


    C. Marketing

We may use personal information to tailor and provide you with marketing and other content. We may provide you with these materials as permitted by applicable law.

If you have any questions about our marketing practices, you may contact us at any time as set forth in “Contact Us” below.

    D. With Your Consent or Direction

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information, with your consent, or as otherwise directed by you.

4. HOW WE DISCLOSE PERSONAL INFORMATION

We disclose personal information to third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.

    A. Disclosures to Provide the Services

We may disclose any of the personal information we collect to the categories of third parties described below.

  • Service Providers. We may disclose personal information to third-party service providers that assist us with the provision of the Services. This may include, but is not limited to, service providers that provide us with hosting, customer service, analytics, marketing services, IT support, and related services. In addition, personal information and chat communications may be disclosed to service providers that help provide our chat features.
    • Google Analytics. For more information about how Google uses your personal information, please visit Google Analytics’ Privacy Policy. To learn more about how to opt-out of Google Analytics’ use of your personal information, please click here.
    • LinkedIn Analytics. For more information about how LinkedIn uses your personal information, please visit LinkedIn Analytics’ Privacy Policy. To learn more about how to opt-out of LinkedIn’s use of your information, please click here.
  • Third-Party Services You Share or Interact With. The Services may link to or allow you to interface, interact, share information with, direct us to share information with, access and/or use third-party websites, applications, services, products, and technology (each a “Third-Party Service”). Any personal information shared with a Third-Party Service will be subject to the Third-Party Service’s privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
  • Business Partners. We may share your personal information with business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services. Once your personal information is shared with our business partner, it will also be subject to our business partner’s privacy policy. We are not responsible for the processing of personal information by our business partners.
  • ChangeUp Customers (Authorized Users Only). In cases where you use our Services as an employee, contractor, or other authorized user of a ChangeUp customer, that customer may access information associated with your use of the Services including usage data and the contents of the communications and files associated with your account. Your personal information may also be subject to the ChangeUp customer’s privacy policy. We are not responsible for the ChangeUp customer’s processing of your personal information.
  • Affiliates. We may share your personal information with our corporate affiliates.
  • Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising”, “personalized advertising”, or “targeted advertising.”
      • Facebook Connect. For more information about Facebook’s use of your personal information, please visit Facebook’s Data Policy. To learn more about how to opt-out of Facebook’s use of your information, please click here while logged in to your Facebook account.

    B. Disclosures to Protect Us or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

    C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be disclosed, sold, or transferred as part of such a transaction.

5. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices. The privacy choices you may have about your personal information are described below.

  • Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails. We may also send you certain non-promotional communications regarding us and the Services, and you will not be able to opt out of those communications (e.g., communications regarding the Services or updates to this Privacy Notice).
  • Text Messages. If you receive an unwanted text message from us, you may opt out of receiving future text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us as set forth in “Contact Us” below.
  • Do Not Track. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
  • Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly.

Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of certain tracking on some mobile applications by following the instructions for Android, iOS, and others.

The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative, the Digital Advertising Alliance, and the European Digital Advertising Alliance.

Please note you must separately opt out in each browser and on each device.

Your Privacy Rights. In accordance with applicable law, you may have the right to:

  • Confirm Whether We Are Processing Your Personal Information;
  • Request Access to or Portability of Your Personal Information;
  • Request Correction of Your Personal Information;
  • Request Deletion of Your Personal Information;
  • Request Restriction of or Object to Our Processing of Your Personal Information; and
  • Withdraw Your Consent to Our Processing of Your Personal Information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.

Though we do not meet the thresholds that would subject us to the California Consumer Privacy Act (“CCPA”) as a “business,” California residents can choose to opt-out of our “sales” or “sharing” of their personal information (as those terms are defined in the CCPA) by accessing this link.

6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. These countries may or may not have adequate data protection laws as defined by the data protection authority in your country.

If we transfer personal information from the European Economic Area, Switzerland, and/or the United Kingdom to a country that does not provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.

For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.

7. RETENTION OF PERSONAL INFORMATION

We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as necessary to fulfill the purpose(s) for which it was collected, provide the Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.

To determine the appropriate retention period for personal information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, certain risk factors, the purposes for which we process your personal information, and whether we can achieve those purposes through other means.

8. CHILDREN’S PERSONAL INFORMATION

The Services are not directed to children under 13 (or other age as required by local law outside the United States), and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in “Contact Us” below.

9. THIRD-PARTY WEBSITES/APPLICATIONS

The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

10. CONTACT US

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at hello@changeup.com.

Roles and Responsibilities

Policy Adoption

ChangeUp, Inc. shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate data privacy policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures. All relevant ChangeUp, Inc. stakeholders shall cooperate with ChangeUp, Inc. in the development and implementation of the policies.

The ChangeUp, Inc. Information Security and Data Privacy Policies are a component of the policies and implement controls which support compliance with all relevant data privacy regulations.

Data Protection Officer (DPO)

A Data Protection Officer (DPO) has been appointed for ChangeUp, Inc.’s Data Privacy Compliance Program, also known as the Privacy Information Management System (PIMS).

In accordance with Article 39 of the GDPR, the DPO shall perform the following tasks:

  • Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • Monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • Provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • Cooperate with the supervisory authority;
  • Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.


The DPO can be contacted at hello@changeup.com.

Implementation

Data Protection and Regulatory Compliance

All personal data requires a legal basis for processing, and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.

  • Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by ChangeUp, Inc. systems.
  • Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse.
  • Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to relevant regulations and the handling of personal data as well as the Consumer (Data Subject) Access Request (DSAR) procedure. Relevant persons shall be trained to properly direct consumers in the exercise of their privacy rights.
  • ChangeUp, Inc. will not transmit personally identifiable information (PII) to any third-party or vendor until an appropriate Data Protection Addendum (DPA), or sufficient contract language, has been fully executed by ChangeUp, Inc. and the third-party.
  • ChangeUp, Inc. shall not sell the personal information of minors or of persons who have previously opted out of sales without explicit permission, and shall not ask for permission for at least twelve (12) months after a consumer has opted out.
  • ChangeUp, Inc. shall ensure that no service providers continue to sell PII after a consumer has opted out
  • ChangeUp, Inc. shall not use PII provided for the purposes of opting-out of a sale for any other purpose
  • ChangeUp, Inc. shall not deny goods or services or otherwise discriminate against (i.e. charge different prices, or offer different levels of service) persons for exercising their privacy rights
  • ChangeUp, Inc. shall provide at least two methods for consumers to submit data access requests including an email address or webform
  • Responses to access requests shall cover at least the preceding twelve (12) months
  • ChangeUp, Inc. shall locate data in all relevant systems in response to access requests
  • A public-facing Privacy Policy shall include a description of consumers’ rights and shall be updated at least every twelve (12) months
  • PII collected for the purposes of responding to a SAR shall not be used for any other purpose
  • ChangeUp, Inc. shall not sell any PII without posting a “Do Not Sell My Personal Information” link on the company homepage and Privacy Policy for consumers to opt-out of any sale.
  • ChangeUp, Inc. shall provide at least two methods for opting out of sales of PII which are consistent with the manner in which the company typically interacts with customers
  • ChangeUp, Inc. will allow consumers to opt-out of sales via web browser plugin or other privacy setting
  • When ChangeUp, Inc. offers an opt-out of a specific use, it shall also offer a global opt-out
  • ChangeUp, Inc. shall ensure that opt-out requests are honored as soon as feasible and within fifteen (15) days in all cases.
  • ChangeUp, Inc. shall establish a process for consumers to submit requests via an authorized agent
  • ChangeUp, Inc. shall ensure that a written contract is established with all service providers that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific purpose specified in the contract
  • Service providers shall only use, retain or disclose PII for the following purposes:
    1. to provide service on behalf of the controller;
    2. to employ another service provider;
    3. to improve service quality;
    4. to detect security incidents and/or fraud;
    5. to comply with the law or law enforcement.
  • ChangeUp, Inc. shall inform consumers of the company’s privacy practices at or before any PII collection. The Privacy Notice shall be made available via a link titled “privacy” on the company’s homepage.
  • ChangeUp, Inc. shall deny access requests where the requestor’s identity cannot be reasonably verified.
  • In any case where ChangeUp, Inc. has a legal basis for denying a consumer request, it shall provide an explanation of its decision to the consumer, including a reference to the relevant laws or regulations.
  • ChangeUp, Inc. shall provide an individual response to each requestor and shall not refer them to a policy or provide a generic response.
  • ChangeUp, Inc. may de-identify personal information in response to a request for deletion
  • ChangeUp, Inc. shall not be required to delete personal information from backups unless the backups are restored, accessed or disclosed
  • ChangeUp, Inc. may retain records of completed deletion requests for compliance purposes
  • ChangeUp, Inc. shall deny fraudulent requests with an explanation as to why it believes the request is fraudulent.
  • Opt-out processes shall require minimal steps, and an opt-out process shall not have more steps than the corresponding opt-in process.
  • Opt-in processes shall have two steps: an opt-in request followed by a verification of the request.
  • When a consumer who has opted out attempts to use a service that requires opt-in, the company shall inform the consumer how to opt in.
  • When the company collects personal information that a consumer would not reasonably expect from a mobile device then it shall provide a just-in-time notice containing a summary of categories collected and a link to the full notice.
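The items above that require honoring a “Do Not Sell My Personal Information” link and an opt-out sent “via web browser plugin or other privacy setting” can be implemented as a single opt-out registry consulted before any advertising-partner tag is loaded. The following is an added example, not ChangeUp, Inc.’s code. It assumes the browser-level signal is the Global Privacy Control (GPC), which browsers and plugins send as the `Sec-GPC: 1` request header and which a site advertises through the `/.well-known/gpc.json` resource; it also assumes an in-memory store keyed by an opaque per-browser subject id (an account id or first-party cookie value), which is why, as the notice says, the opt-out has to be made separately in each browser and on each device. Consistent with the notice, a `DNT` header is deliberately not treated as an opt-out.

```python
"""Honoring sale/share opt-outs from a browser signal (GPC) or a manual link.

Added example; not ChangeUp, Inc.'s code. Assumptions:
  * The browser signal is Global Privacy Control, carried as `Sec-GPC: 1`.
    Any other value (including "0" or absence) is not a signal.
  * Opt-outs are kept in an in-memory dict keyed by an opaque subject id
    (account id or first-party cookie value). A real deployment persists this
    and replicates it to every system that loads third-party tags.
  * `DNT: 1` is NOT treated as an opt-out, matching the privacy notice.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Mapping

GPC_HEADER = "sec-gpc"  # header names are case-insensitive in HTTP


@dataclass
class OptOutRecord:
    subject_id: str
    source: str            # "gpc" (browser signal) or "manual" (Do Not Sell link)
    recorded_at: datetime


@dataclass
class OptOutRegistry:
    """Authoritative record of who has opted out of sale/sharing."""
    _records: Dict[str, OptOutRecord] = field(default_factory=dict)

    def is_opted_out(self, subject_id: str) -> bool:
        return subject_id in self._records

    def record(self, subject_id: str, source: str) -> OptOutRecord:
        # First opt-out wins: a later GPC signal must not overwrite the timestamp
        # or source of an earlier manual request (the 12-month re-ask clock
        # runs from the original opt-out).
        if subject_id not in self._records:
            self._records[subject_id] = OptOutRecord(
                subject_id, source, datetime.now(timezone.utc))
        return self._records[subject_id]


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries Sec-GPC with the value "1"."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get(GPC_HEADER) == "1"


def process_request(headers: Mapping[str, str], subject_id: str,
                    registry: OptOutRegistry) -> dict:
    """Return a decision record for this request.

    A GPC signal is treated as a valid opt-out request and recorded so that it
    stays in force even on later requests where the header is absent. The
    returned dict is what the page-rendering layer uses to decide whether
    advertising-partner Technologies (pixels, tags) may be loaded.
    """
    gpc = gpc_signal_present(headers)
    if gpc:
        registry.record(subject_id, source="gpc")
    opted_out = registry.is_opted_out(subject_id)
    return {
        "subject_id": subject_id,
        "gpc_signal": gpc,
        "sell_or_share_allowed": not opted_out,
    }


def manual_opt_out(subject_id: str, registry: OptOutRegistry) -> OptOutRecord:
    """Handler behind the 'Do Not Sell My Personal Information' link."""
    return registry.record(subject_id, source="manual")


def should_load_advertising_tags(decision: dict) -> bool:
    """Gate for advertising-partner tags; service-provider tags are unaffected.
    (Which tags count as a 'sale' or 'sharing' is a legal classification that
    is assumed here, not decided by this code.)"""
    return bool(decision["sell_or_share_allowed"])


def gpc_well_known(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, telling user agents the site honors GPC.
    `last_update` is an ISO date string (assumed: the notice's last-updated date)."""
    return {"gpc": True, "lastUpdate": last_update}
```

Keying the registry by a first-party cookie rather than by IP address matters: an IP is shared by many users and changes for one user, so it neither reliably identifies the opted-out browser nor avoids opting out bystanders. The sticky record is a design choice: GPC is sent per request, but once a valid opt-out has been received the policy above requires it to be honored until the consumer opts back in, so the decision must not depend on the header being present on every subsequent request.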

Breach Notification

Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties, Data Controllers, and relevant regulators in accordance with all applicable notification requirements and the Incident Response Policy.

Identity Verification

ChangeUp, Inc. shall establish and document a reasonable method for verifying the identity of a requestor which shall not require a fee from the consumer.

The company shall implement reasonable security measures to detect and prevent fraudulent identity-verification activity.

Where a consumer maintains a password protected account with a company, the company may verify their identity using existing authentication practices.

Before providing categories of personal information, the company shall verify the identity of requesters to a “reasonable degree of certainty.” Before providing specific pieces of personal information or honoring a deletion request, a company shall verify the identity of requesters to a “high degree of certainty,” depending on the sensitivity of the personal information or the risk of harm from an unauthorized deletion request.

A company shall consider the following criteria when determining a verification method:

  • whenever feasible, identifying information provided by a requestor should be matched with identifying information already maintained by the company, or verified through a third-party identification service;
  • avoid collecting unnecessary personal information;
  • consider the sensitivity of the information requested, the risk of harm to the consumer, the likelihood of fraud, the manner in which the business interacts with the consumer, and the availability of verification technology.

A company shall avoid collecting personal information unless it is needed to verify the identity of the requestor. A company shall delete personal information collected for the purpose of verification as soon as possible after processing the request.

If there is no reasonable method by which a company can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and explain why it has no reasonable method by which it can verify the identity of the requestor. If the company has no reasonable method by which it can verify any consumer, the company shall explain why it has no reasonable verification method in its privacy policy. The company shall evaluate and document whether a reasonable method can be established at least once every 12 months.

Agent Verification

When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:

  • Verify their own identity directly with the company.
  • Directly confirm with the company that they provided the authorized agent permission to submit the request

Request Verification for Minors

Process for Opting-In to Sale of Personal Information

When the company has actual knowledge that it sells the personal information of a consumer under the age of 13, it shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child. This affirmative authorization is in addition to any verifiable parental consent required under COPPA, if applicable. Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include, but are not limited to:

  • Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the company by postal mail, facsimile, or electronic scan
  • Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
  • Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
  • Having a parent or guardian connect to trained personnel via video-conference;
  • Having a parent or guardian communicate in person with trained personnel; and
  • Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.

The process for validating requests on behalf of minors and verifying the identity of parents or guardians shall be described in the public-facing Privacy Policy.

Consumer (Data Subject) Access Requests (DSAR/SAR)

Subject to the exceptions noted below in this policy, ChangeUp, Inc. will comply with any SAR concerning the following rights of the consumer:

  • Access (a copy of the personal data undergoing processing)
  • Rectification of personal data (correction of data stored or processed)
  • Erasure (‘right to be forgotten’)
  • Notification regarding rectification or erasure
  • Objection to processing (withdrawal of consent to processing)
  • Right to opt-out of any sale of PII (i.e. Do Not Sell requests)

SAR/DSAR Response Requirements:

Responses to access requests shall include the following data points as appropriate.

  • Categories of PII collected
  • Categories of PII sold and disclosed to third parties

SAR when ChangeUp, Inc. is the data controller:

  • A SAR must be made using the link on ChangeUp, Inc.’s privacy page, changeup.com/privacy. If the consumer has a password-protected account on ChangeUp, Inc. systems, the company may provide an “interface” or self-service mechanism that the consumer is instructed to use to initiate the SAR process.
  • A SAR can also be made using the email address help@changeup.com.
  • Where required, the consumer must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.
  • When submitting the SAR via the interface, the consumer must identify the SAR type that is being requested, e.g., erasure.
  • If a SAR is submitted by an agent, the submission must include the identification of the consumer as well as a signed authorization from the consumer. ChangeUp, Inc. must make reasonable efforts to verify the identity of the consumer and legitimacy of all requests submitted by authorized agents.
  • If a SAR is received which does not meet ChangeUp, Inc.’s criteria, ChangeUp, Inc. shall inform the consumer or agent how to correct the SAR in order to receive a response from ChangeUp, Inc.

SAR when ChangeUp, Inc. is the data processor:

  • The SAR must be submitted via the user interface in the ChangeUp, Inc. Services.
  • ChangeUp, Inc. shall direct the consumer to the relevant Controller in accordance with all contractual commitments.

SAR requirements:

  • The date on which the SAR is submitted, the date identification is verified, and the specified SAR request type must be recorded; ChangeUp, Inc. will acknowledge any manual requests within 10 business days. The acknowledgement will describe the verification process and when the consumer should expect a response.
  • ChangeUp, Inc. has thirty (30) days from the initial request date to complete the request. If the company cannot respond within thirty days, it shall provide notice to the consumer. In California, the company may extend the response timeline up to an additional forty-five (45) days.
  • The SAR application will be documented and can be audited using ChangeUp, Inc.’s internal processes.
  • ChangeUp, Inc. shall ensure that deletion and correction requests are sent to subprocessors as needed.

Subject Access Request (SAR) Process

At ChangeUp, we are committed to ensuring the protection of your personal data and your rights to access the information we hold about you. In accordance with data protection laws, you have the right to request access to the personal data that ChangeUp processes about you.
To make this process as easy and accessible as possible, we have provided a dedicated SAR webform that you can use to submit your request securely. By using our webform, you can specify the information you wish to access and provide us with the necessary details to accurately identify your data and process your request efficiently.
Access the SAR Webform

ChangeUp, Inc. as the data controller

  • Collect the data specified by the consumer
  • Verify the identity of the consumer using consumer data that was collected, e.g., name, email, address (if applicable). The preferred method is having the consumer send an email from the email address that is on file with ChangeUp, Inc.
  • Search all databases and all relevant filing systems (manual files) in ChangeUp, Inc., including all backup and archived files, whether computerized or manual, and including all email folders and archives. ChangeUp, Inc. maintains a record that identifies where personal data in ChangeUp, Inc. is stored.
  • ChangeUp, Inc. will maintain a record of requests for data and of their receipt, accessible via ChangeUp, Inc.’s help@changeup.com mailbox and/or any other designated ChangeUp, Inc. representatives. ChangeUp, Inc. will also keep a record of processing, including dates.
  • Provide consumers an online mechanism for making requests and all such requests will be logged.
  • ChangeUp, Inc. will acknowledge the SAR within ten (10) days of the initial request and respond to any SAR within 30 days of the initial request.
  • SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.

SAR Exemptions

  • ChangeUp, Inc. may withhold information requested under SAR in accordance with any exemption under applicable law. Any such exemption must be reviewed and approved by the Data Privacy Officer.

Compelled Disclosure

This section governs the compelled disclosure by ChangeUp, Inc. of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into ChangeUp, Inc.’s Privacy Policy.

In no cases shall personal information be voluntarily provided to law enforcement or any regulatory agency without the express written consent of the Data Controller or Data Subject.

Upon receipt of legal demands for information, ChangeUp, Inc. will immediately notify the legal counsel, CEO, and Data Privacy Officer (DPO).

ChangeUp, Inc. shall immediately notify any relevant Data Controllers unless prohibited by law.

The Chief Legal Officer in connection with the CEO and Data Privacy Officer will determine the company’s response to law enforcement and affected third parties, including data subjects.

If determined to be appropriate by legal and executive management, ChangeUp, Inc. will investigate the demands, and if it is determined at ChangeUp, Inc.’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. ChangeUp, Inc. shall not process overly broad or vague demands, and will not disclose information that is not specifically demanded, except in response to follow-up demands.

ChangeUp, Inc. may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.

All external communications with customers, regulators and law enforcement shall be approved by ChangeUp, Inc.’s legal counsel and Data Privacy Officer, as appropriate.

Enforcement

The legal counsel, CEO, and Data Privacy Officer (DPO) are responsible for the enforcement of this policy.

Employees who may have questions should contact the Data Privacy Officer (DPO) as appropriate. They can be reached at hello@changeup.com.

Disciplinary Action

Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.

Records Retention and Metrics

A record of all consumer requests shall be maintained for at least twenty-four (24) months and shall include the following elements:

  • request date
  • nature of request
  • request method
  • date of company response
  • nature of company response
  • basis for any denial

Records of consumer requests shall not be shared with any third party except as necessary to comply with a legal obligation.

A company that buys, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall maintain and publish the following metrics:

  1. the number of requests “to know” received and processed
  2. the number of requests “to delete” received and processed
  3. the number of requests “to opt-out” received and processed
  4. the median number of days to respond
The company shall include a link to these metrics in its privacy policy and shall update this information by July 1st annually, and shall implement a documented privacy training policy.

Disclosures Log

A record of all non-standard disclosures of PII to third parties, including compelled disclosures to law enforcement and/or regulators, shall be logged in Appendix A.

Special Cases

Household Requests

Where a household does not have a password-protected account with a company, the company shall not disclose or delete household personal information unless the following conditions are satisfied:

  • all consumers of the household submit a joint request
  • the company individually verifies all members of the household
  • the company verifies that each requestor is a member of the household

If a member of a household is under 13, a company must obtain a verifiable parental consent before complying with a request.

Reporting

All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported to the designated recipient(s) of policy violation reports, e.g., Legal Counsel or ChangeUp, Inc.’s Data Privacy Officer, or via the incident reporting process at help@changeup.com.

As long as a report is made honestly and in good faith, ChangeUp, Inc. will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.

Applicable Laws, Regulations and Standards

  • ISO 27701 Privacy Information Management System (PIMS)
  • SOC 2 Privacy Criterion
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Colorado Privacy Act
  • Connecticut Data Privacy Act
  • Virginia Consumer Data Protection Act
  • Utah Consumer Privacy Act