GDPR

The European Union (EU) has enforced a new data protection policy called the General Data Protection Regulation (GDPR). The new regulation has been in effect since May 25, 2018. The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy. PeopleGoal is compliant with the GDPR directive as of May 2018.

The GDPR applies to all organizations within the European Union (EU) and to any organization located outside of the EU that offers goods and services to, or monitors the behaviour of, EU persons. Specifically, it applies to all companies processing and holding personal data of persons ("data subjects") residing in the EU.

How does PeopleGoal comply with the GDPR?

We have evaluated our readiness towards the GDPR and made the necessary enhancements to our processes to ensure full compliance.

Specifically, PeopleGoal has:

  • Documented the use of personal data in our system
  • Introduced a new Privacy Policy that reflects our obligation towards our customers and users under the GDPR
  • Implemented processes to address the sub-processors' requirements under the GDPR
  • Made technical changes in our platform to support the enhanced data subjects' rights under the GDPR

What is classified as personal data under the GDPR?

Any information related to a data subject that can be used to directly or indirectly identify the person is classified as personal data. Some examples include:

  • Name
  • Email address
  • Social network identity
  • Bank details
  • Medical records

What personal data does PeopleGoal collect from its users?

When you complete our sign-up form we collect some personal information such as your name, email address and phone number (optional). To create a trial account we ask only for a name, email and password.

More details about the information we collect and how we use that information are available in our Privacy Policy.

Does PeopleGoal have a Data Processing Addendum (DPA)?

PeopleGoal has a DPA in place because in some cases we are processors and not controllers of the data.

If you require further details please reach out to us via email at contact@peoplegoal.com.

Does PeopleGoal maintain the E.U.-U.S. Privacy Shield Framework certification?

PeopleGoal has acquired the E.U.-U.S. Privacy Shield Framework certification.

For more information and updates on our certification, please email us at contact@peoplegoal.com. You can also find links to the relevant security policies and data request processes below.

What if I have further questions about the GDPR?

For more information about the GDPR please contact us at contact@peoplegoal.com or visit https://www.eugdpr.org/

PeopleGoal's Data Request Policy

Access requests for user data by third parties

Third parties or individuals seeking access to user data should contact the Customer regarding such requests. Our Customer controls the user data and generally gets to decide what to do with all user data (i.e. edit, delete).

Requests for user data by legal authorities

Except as expressly permitted by our order form or contract or in cases of emergency to avoid death or physical harm to individuals, PeopleGoal will only disclose user data in response to valid and binding compulsory legal process. PeopleGoal requires a search warrant issued by a court of competent jurisdiction (a federal court or a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants) to disclose user data.

All requests by courts, government agencies, or parties involved in litigation for Customer Data disclosures should be sent to contact@peoplegoal.com and include the following information:

(a) the requesting party, (b) the relevant criminal or civil matter, and (c) a description of the specific Customer Data being requested, including the relevant Customer’s name and relevant Authorized User’s name (if applicable), and type of data sought.

Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific Customer Data sought. All requests will be construed narrowly by PeopleGoal, so please do not submit unnecessarily broad requests. If legally permitted, Customer will be responsible for any costs arising from PeopleGoal’s response to such requests.

PeopleGoal is committed to the importance of trust and transparency for the benefit of our customers and does not voluntarily provide governments with access to any data about users for surveillance purposes.

Customer Notice

PeopleGoal will notify the Customer before disclosing any of Customer’s Customer Data so that the Customer may seek protection from such disclosure, unless PeopleGoal is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Customer Data. If PeopleGoal is legally prohibited from notifying Customer prior to disclosure, PeopleGoal will take reasonable steps to notify Customer of the demand after the nondisclosure requirement expires.

Domestication and International Requests

PeopleGoal requires that any individual issuing legal process or legal information requests (e.g., discovery requests, warrants, or subpoenas) to PeopleGoal properly domesticate the process or request and serve PeopleGoal in a jurisdiction where it is resident or has a registered agent to accept service on its behalf.

Reporting a security issue or vulnerability

If you believe that you have discovered a security issue or a vulnerability in our platform please let us know right away. You can email the issue to contact@peoplegoal.com and our security team will take immediate action to resolve it.