California Privacy Policy Addendum and Notice at Collection for Job Applicants and Employees

(Updated as of March 1, 2023)

Introduction

This California Privacy Policy Addendum and Notice at Collection for Job Applicants and Employees (“Addendum”) is an addendum to the Catalist Privacy Policy and describes how Catalist collects, uses, and discloses information about our individual current and former employees, applicants, contractors, interns, and other workforce members (and their beneficiaries and other contacts) in the context of our working relationship with the relevant individuals.

We may update this Addendum at any time. We may also provide you additional privacy notices regarding our collection, use, or disclosure of information. Any changes will become effective when posted to our website. Please read this Addendum and any other privacy notices carefully and check our Privacy Policy and any related addenda regularly to ensure that you have read the latest version to stay informed of our privacy practices. Your continued employment or access to or use of our websites or Products and Services constitutes your acceptance of the Privacy Policy, this Addendum, and any updates.

This Addendum does not apply to our handling of data gathered about you in your role as a user of any of our consumer-facing services. When you interact with us in that role, the Catalist Privacy Policy applies. Terms used but not defined in the Addendum will have the meanings assigned to such terms in the Privacy Policy.

Our Collection of Personal Information

The following sets forth the categories of personal information we collect, the sources of such information, and the purposes for which we may use personal information in connection with your application or employment at Catalist. For purposes of the Addendum, personal information is broadly defined as information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. We collect such information either directly from you or (where applicable) from another person or entity, such as an employment agency or consultancy, recruitment company, background check provider, or others who provide references. We will collect additional information throughout the course of your employment or other provision of services to us.

Catalist does not expect that you will be subject to decisions that will have a legal or similarly significant effect on you based on the automated processing by Catalist of your personal information.

The type of information we have or will have about you depends on your role with us and may include, where applicable:

| Category of Information | Source(s) of Information and Collection | Purposes of Collection (see below for more information) |
| --- | --- | --- |
| Identifiers: real name, alias, postal address, unique personal identifiers, email address, or other similar identifiers. | Employee, recruiters, and other sources as directed or authorized by an employee, former employee, or job applicant and credentialing and licensing organizations | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights |
| Internet or other electronic network activity information: such as information about your use of the Catalist network, information, and communication systems, including user IDs, passwords, IP addresses, device IDs, web logs, metadata, and audit trails of system access, as may be further detailed in our acceptable use policies and related policies regarding the security of our network. | Catalist systems and websites | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |
| Geolocation data | Not applicable | Not applicable |
| Business travel and expense information: such as travel itinerary information, corporate expenses, and company credit card usage. | Employee or Catalist system | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |
| Professional or employment-related information: such as your employment history, job application or resume, job interview notes, responses to screening questions, assessment results and any other information you provide in connection with the recruitment process, employment contract, contractor agreement, references, information about skills and abilities, accomplishments and awards, training and development information, licenses and professional memberships, performance evaluation information, disciplinary records, photos, information from employee expenses, payroll- and benefits-related data, internal and external contact information, and employment termination information. | Employee, recruiters, and other sources as directed or authorized by an employee, former employee, or job applicant and credentialing and licensing organizations | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |
| Medical information (about you, and, if applicable, your beneficiaries and dependents): such as physical or mental medical conditions and other information provided in health forms; disability status; health and safety incidents or accidents; sickness records; emergency medical information; and health issues requiring adaptations to your working environment or working practices. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Government identification information: such as passport number, Social Security number, and driver’s license number. | Employee, recruiters, and other sources as directed or authorized by an employee, former employee, or job applicant and credentialing and licensing organizations | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |
| Categories of personal information described in Cal. Civ. Code § 1798.80(e): e.g., physical characteristics or description; telephone number. Information included in this category may be duplicative of information identified in other categories in this table. | Employee, recruiters, and other sources as directed or authorized by an employee, former employee, or job applicant and credentialing and licensing organizations | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |
| Characteristics of protected classifications under California or US law: e.g., race; color; religion; sex/gender, gender identity; marital status; military or veteran status; national origin; ancestry; age. | Employee, recruiters, and other sources as directed or authorized by an employee, former employee, or job applicant and credentialing and licensing organizations | HR management and administration, business operations, recruiting and workforce planning, security operations, legal compliance, and exercising our legal rights. |

Our Disclosure and Sale of Personal Information

We will share the information collected about you as discussed above for people management and related internal business purposes, with service providers, and with third parties.

The chart below describes how and with whom we share or disclose personal information, and whether we believe we have “sold” or “shared” a particular category of information in the prior 12 months. Under the CPRA (as defined below), “sharing” generally includes the use of information for targeted advertising.

| Category of Information | How We Share Personal Information (see below for more information) | Whether We “Sold” or “Shared” This Category of Personal Information in the Last 12 Months |
| --- | --- | --- |
| Identifiers: real name, alias, postal address, unique personal identifiers, email address, or other similar identifiers. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Internet or electronic network activity information: such as information about your use of the Catalist network, information, and communication systems, including user IDs, passwords, IP addresses, device IDs, web logs, metadata, and audit trails of system access, as may be further detailed in our acceptable use policies and related policies regarding the security of our network. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Geolocation data | Not applicable | No |
| Business travel and expense information: such as travel itinerary information, corporate expenses, and company credit card usage. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Professional or employment-related information: such as your employment history, job application or resume, job interview notes, responses to screening questions, assessment results and any other information you provide in connection with the recruitment process, employment contract, contractor agreement, references, information about skills and abilities, accomplishments and awards, training and development information, licenses and professional memberships, performance evaluation information, disciplinary records, photos, information from employee expenses, browsing and search history, payroll- and benefits-related data, internal and external contact information, and employment termination information. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Medical information (about you, and, if applicable, your beneficiaries and dependents): such as physical or mental medical conditions and other information provided in health forms; disability status; health and safety incidents or accidents; sickness records; emergency medical information; and health issues requiring adaptations to your working environment or working practices. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Government identification information: such as passport number, Social Security number, and driver’s license number. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Categories of personal information described in Cal. Civ. Code § 1798.80(e): e.g., physical characteristics or description; telephone number. Information included in this category may be duplicative of information identified in other categories in this table. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |
| Characteristics of protected classifications under California or US law: e.g., race; color; religion; sex/gender, gender identity; marital status; military or veteran status; national origin; ancestry; and age. | Internally, service providers, business operations, legal compliance, exercising legal rights, business transaction purposes, and consent | No |

Use of Company Devices and Systems

You understand and agree that you have no expectation of privacy with respect to Catalist’s communications, networking, or information processing systems (including, without limitation, files, e-mail messages, chat messages, video conferencing sessions, and voice messages) and that any activity and any files or messages on or using any of those systems owned by Catalist may be monitored at any time without notice. You also agree that any property situated on Catalist’s premises, including disks and other storage media, filing cabinets, or other work areas, is subject to reasonable inspection by Catalist personnel at any time with or without notice; and you agree to immediately return or destroy, at the company’s request, any Catalist confidential information that may be on personal devices.

How We Use Personal Information

We have or will collect, use, share, and store personal information for Catalist’s and our service providers’ and contractors’ business purposes, which include, where applicable:

  • HR management and administration, for example: training, compensation and benefits, invoices, leave, scheduling, career development, performance appraisals and recognition, investigating and resolving inquiries and complaints, providing references, succession planning, organizational changes, fraud prevention and investigation, preparing analyses and reports, and communicating with our workforce about updates or relevant information about perks, benefits and discounts, and changes to Catalist Products and Services.
  • Business operations, for example: providing and monitoring IT systems for any lawful purpose, maintaining accounts and internal directories, crisis management, protecting occupational health and safety, participating in due diligence activities related to the business, business succession planning, data administration, workplace management, and conducting internal analyses and audits, including through machine learning and algorithmic decision-making, in accordance with applicable legal requirements.
  • Recruiting and workforce planning, for example: assignment planning and budgeting, job advertising, interviewing, and selecting and hiring new staff.
  • Security operations, for example: detecting security incidents, debugging and repairing errors, preventing unauthorized access to our computer and electronic communications systems, preventing malicious software distribution, and monitoring and controlling access to company premises and locations (including through use of CCTV).
  • Legal compliance, for example: complying with anti-bribery, tax, social security, immigration obligations, and responding to and cooperating with legal or regulatory requests and investigations.
  • Exercising our legal rights, for example: seeking legal advice from our external lawyers or in connection with litigation with a third party.

We may also use personal information for any other legally permitted purpose (subject to your consent, where legally required).

Certain information we collect may be “sensitive personal information” under California law. We use such information as necessary to conduct our relationship with you, in the following ways:

  • Social Security number or passport information for legal compliance, payroll, benefits, tax, and immigration purposes;
  • Union membership information for legal compliance and compliance with collective bargaining agreements or to exercise rights thereunder;
  • Driver’s license and state ID card for legal compliance, payroll, benefits, tax, and immigration purposes and eligibility for certain positions within the company;
  • Health information, which may include disability status, to provide reasonable workplace accommodations and manage absences, for workplace health and safety purposes, and for compliance with applicable law and contracts or to exercise rights thereunder; and
  • Racial/ethnic origin, sexual orientation, and/or disability status for equal opportunity and diversity and inclusion purposes and compliance with applicable law or to exercise rights thereunder.

How We Share Personal Information

As noted above, we may disclose certain personal information to the following types of entities or in the following circumstances (where applicable):

  • Internally, for example: to employees within Catalist to carry out the purposes described in this Policy, including to your manager, human resources, as well as payroll, IT, legal, and finance.
  • Service providers, for example: to compensation and benefits providers, tax and other professional advisors, technology service providers, corporate card issuers, travel management providers, travel providers, human resources suppliers, and background check companies. These entities process your personal information on Catalist’s behalf in performing services for Catalist and are subject to contractual restrictions on use of your personal information.
  • Business operations, for example: to provide another entity (such as a potential or existing business counterparty or customer) with a means of contacting you in the normal course of business, for example, by providing your contact details, such as your Catalist phone number and email address.
  • Legal compliance and exercising legal rights, for example: when required to do so by law, regulation, or court order, in response to a request for assistance by the police or other law enforcement agency, to seek legal advice from our external lawyers, or in connection with litigation.
  • Business transaction, for example: in connection with the sale, purchase, or merger of all or a portion of our business.
  • Consent: with your consent and as permitted by law, we may share personal information with any other third parties in any other circumstances.

Data Retention and Security

Catalist maintains security measures that are aimed at protecting against the loss or theft, unauthorized access or use, misuse, disclosure, copying, or modification of personal information in its possession and control. These security measures will vary depending on the sensitivity of the information, the amount, distribution, and format of the information, and the method of storage. The methods of protection include physical measures (including restricted access to files), organizational measures (including limiting information on a “need-to-know” basis), and technological measures (including the use of passwords and encryption).

The personal information we do or will collect, including sensitive personal information, will be retained until we determine it is no longer necessary to satisfy the purposes for which it was collected and our legal obligations. As described above, these purposes include our business operations and complying with reporting, legal, and accounting obligations. Catalist retains some data for extended periods for limited purposes, including:

  • Security, fraud, and abuse prevention
  • Financial record-keeping
  • Complying with legal or regulatory requirements
  • Ensuring the continuity of our services
  • Your direct communications with Catalist

In determining how long to retain information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of the personal information, the purposes for which we process the personal information and whether we can achieve those purposes in other ways, the applicable legal requirements, and our legitimate interests.

For example, we will keep certain information about former employees (e.g., name, job title, organizational hierarchy, and records of employment) for as long as necessary for our legitimate interests in keeping this information as part of our organizational history and to confirm the facts of their employment with us and to comply with law. The purposes for which we process information (as well as the other factors listed above) may dictate different retention periods for the same types of information. For example, tax records that have employee names are normally retained for seven years after the deadline to make the applicable filing, while employee names in email headers may be kept indefinitely depending on the nature of the email.

Your Privacy Choices

Right to Know your Personal Information

California residents have the right to request that we disclose the categories of your personal information that we collect, use, or sell. You may also request specific pieces of personal information that we have collected about you. Such requests may be made by contacting us as described in Privacy Options.

For security and safety purposes, and as required under California law, you will have to provide proof of your California residency and verify your identity. For instance, you may need to confirm your possession of an identifier, identifying information, or to provide a piece of identification that confirms you are the person you claim to be. We will respond to verifiable consumer requests for access not more than twice within a 12-month period or as required by law.

Once we have verified your identity, we will respond to your request as follows:

  • Where you have requested the categories of personal information that we have collected about you, we will provide a list of such categories.
  • Where you have requested specific pieces of personal information, we will provide the information you have requested to the extent required by law (unless we believe that there is an overriding privacy or security concern).

If we are unable to verify your identity, we will inform you that we cannot verify your identity and will not disclose any specific pieces of personal information to you; however, we may return category information upon your request.

We may withhold some personal information where the risk to you or our business is too great to disclose the information or as permitted by applicable law.

Right to Request Deletion of your Personal Information

As a California resident, you have the right to request that we delete personal information we have collected directly from you. Such requests may be made by contacting us as described in Privacy Options.

For security and safety purposes, and as required under California law, you will have to provide proof of your California residency and verify your identity. For instance, you may need to confirm your possession of an identifier, identifying information, or to provide a piece of identification that confirms you are the person you claim to be.

We may retain personal information for certain important purposes, such as (a) to ensure your deleted information is not reintroduced to our systems, (b) to protect our business, systems, and users from fraudulent activity, (c) to address technical issues that impair existing functionality (such as de-bugging purposes), (d) as necessary for us, or others, to exercise their free speech or other rights, (e) to comply with law enforcement requests pursuant to lawful process, (f) for scientific or historical research, (g) for our own internal purposes reasonably related to your relationship with us, or (h) to comply with legal obligations.

Right to Request Correction of your Personal Information

California residents have the right to request that we correct your inaccurate personal information. Such requests may be made by contacting us as described in Privacy Options.

Right to Opt-Out of the Sale of Personal Information

California residents have the right to opt-out of the sale of your personal information. We have not sold any categories of information about you in the last 12 months as described in Our Disclosure and Sale of Personal Information.

Right to Limit Use or Disclosure of Sensitive Personal Information

To the extent that your sensitive personal information is directly collected by Catalist, California residents have the right to request that we limit the use and disclosure of your sensitive personal information. Such requests may be made by contacting us as described in Privacy Options.

Right to Non-Discrimination

You have the right not to receive discriminatory treatment by Catalist for the exercise of your privacy rights under CPRA. We do not discriminate in this manner.

Authorized agents

An authorized agent may make requests to exercise your CPRA rights. For security and safety purposes, and as required under California law, the consumer and the agent will have to verify their respective identities and provide proof of the consumer’s California residency.

We will also verify that the agent has permission to submit requests on behalf of the consumer. Such proof includes written authorization identifying the consumer’s first name, last name, email address, and telephone number, along with which rights the consumer has authorized the agent to exercise on their behalf. The written authorization must be signed and dated by each consumer authorizing the agent to act on their behalf. This document should also include, if applicable, the business name of the authorized agent. Valid email addresses for each consumer are required so that we may directly contact the consumer for identity verification purposes.

We cannot provide you or your agent with personal information if we cannot verify your identity as the consumer, your agent’s identity, or your agent’s authority to make the request.

Privacy Options

Please contact Catalist by completing this form or by mail, telephone, or email as follows:

Mail

Catalist LLC

1310 L Street NW #500

Washington, DC 20005

Attn: Data Privacy

Telephone

(800) 938-9516

Email

Email: [email protected]

Current employees may also access personal information directly through our Applicant Tracking System or Human Resources Information System.

If you have questions about this Addendum, the practices of this website, or your dealings with this website, you may contact us as described in this section.