OrgVitality’s Data Privacy Framework Policy

This data privacy framework policy (the “Privacy Policy”) is designed to assist you in understanding your rights and OrgVitality’s obligations under the Data Privacy Framework Principles between the United States of America and the European Union, the United Kingdom, and Switzerland. OrgVitality's Data Privacy Policy applies to HR data only. Please also read our Terms of Use, which governs your use of the Website. Your use of the Website indicates to us that you have read and accept the Terms of Use and our privacy practices, as outlined in this Privacy Policy.

INTRODUCTION

This data privacy framework policy (the “Privacy Policy”) is designed to assist you in understanding your rights and OrgVitality’s obligations under the EU-U.S. Data Privacy Framework Principles and the UK Extension to the EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework Principles agreement between the United States of America and the European Union, the United Kingdom, and Switzerland. Please also read our Terms of Use, which governs your use of the Website. Your use of the Website indicates to us that you have read and accept the Terms of Use and our privacy practices, as outlined in this Privacy Policy.

OrgVitality, LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. OrgVitality, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) and the UK Extension to the EU-U.S. DPF, with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. OrgVitality, LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), OrgVitality, LLC commits to resolving complaints about our collection or use of your personal information. Individuals in the EU, UK, or Swiss individuals with inquiries or complaints regarding our Privacy Policy should first contact OrgVitality, LLC at: Contactus@orgvitality.com.

OrgVitality, LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship. The services of EU DPAs, the UK's ICO, and the Swiss FDPIC are provided at no cost to you.

We commit to cooperate with EU data protection authorities (DPAs), the UK ICO, and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU, UK, and Switzerland in the context of the employment relationship.

We are aware of the General Data Protection Regulation (GDPR), which regulates the use of personal data of individuals within the EU. As we do not sell products or provide services directly to any data subjects in the EU or engage in any monitoring or profiling of individuals, the GDPR does not directly apply to OrgVitality, LLC. However, where we have corporate clients based in the EU or UK, or with EU or UK-based employees, our clients are obliged to seek certain commitments from us. We fully expect to provide our clients with all such information, data security guarantees, and data assistance as required of ‘data processors’ under GDPR.

We maintain a strict policy prohibiting bribery and corruption and conduct our business in compliance with all applicable anti-corruption laws and regulations, including the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.

NOTICE: ACTIVITIES COVERED AND DESCRIPTIONS OF DATA PRIVACY FRAMEWORK

a. OrgVitality is participating in the Data Privacy Framework. b. The type of data we collect: OrgVitality conducts employee surveys as we consult with our clients, many of which have operations in the European Union or UK, OrgVitality, LLC, collects personal demographic information about survey respondents and their opinions on a variety of topics related to the organization. The demographics may include tenure, location, and other similar demographics, which we use in our organizational analyses. OrgVitality, LLC does not disclose or use this information for any purpose other than analyzing the survey responses from our client’s employees. c. OrgVitality, LLC is committed to these Principles with respect to all personal data received from the EU and UK in reliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, d. OrgVitality, LLC can be contacted at contactus@orgvitality.com for any inquiries or complaints. e. OrgVitality, LLC does not disclose the collected information to any third parties. f. Individuals have the right to access any personal data which we may have. g. Should an individual choose not to participate in their company’s survey (all of which are voluntary) no personal data will be maintained for that individual’s record, and no disclosure of their personal data will be made. h. Disputes can be resolved through the EU Data Protection Authority (DPA) or UK ICO. i. OrgVitality, LLC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). j. Under certain conditions, individuals may be able to invoke binding arbitration. k. OrgVitality, LLC may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. l. OrgVitality, LLC may be held liable in cases of onward transfers of data to third parties. m. Certain features on OrgVitality’s Website, such as the “Contact Us” form, may ask you to provide us with personally identifiable information, which is information such as your name, title, occupation, business, home address, business address, telephone number, fax number, or e-mail address (collectively, the “PII”). You can choose not to provide certain information. n. When you visit, interact with, or download information from the Website, our web servers may automatically collect Website usage information. Website usage information is non-PII that describes how our visitors use and navigate this Website. Website usage information may include, without limitation, the number and frequency of visitors to each web page, the length of stay on each web page, browser type, the preceding and subsequent page viewed, and an Internet Protocol (“IP”) address. o. An IP address is a number that is automatically assigned to your computer or network when you are on the internet. When you request pages from the Website, our servers log your IP address. OrgVitality, LLC may use IP addresses for a number of purposes, including, without limitation, system administration and audits of our Website. We may also use IP addresses in cooperation with internet service providers or law enforcement agencies to identify users if we deem it necessary to comply with law, to enforce compliance with this Privacy Policy or this Website’s Terms of Use, or to protect the Website or its users and visitors. Website usage information may be used by us to determine the applicable technology available in order to serve the visitor the most appropriate version of a web page, e-mail, or other similar services. In addition, Website usage information may be used by us to determine how visitors arrive at the Website, what type of content is most popular, what type of content is more relevant, and what type of visitors are interested in particular kinds of content and advertising. We may also collect your IP address or some other unique identifier for the particular device you use to access the internet, as applicable (collectively, the “Device Identifier”). A Device Identifier is a number that is automatically assigned to your computer, cell phone, or other device used to access the internet. Our computers identify your device by its Device Identifier. We may associate your Device Identifier with other information you provide. p. We may receive information about you from other sources, including, without limitation, geographic or demographic information or information regarding your possible interests from third parties, or we may receive information from a marketing partner in connection with a co-branded Website or promotion. We may use this information for a variety of purposes, including, without limitation, our ability to serve you and to tailor the content we have on the Website. We may combine the information we receive from those other sources with information we collect through the Website. In such cases, we will apply this Data Privacy Framework Policy to any PII received, unless otherwise specifically disclosed by us at the time you provide your PII.

CHOICE:

1. Individuals are given the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals will be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
2. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), OrgVitality, LLC will obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, OrgVitality, LLC will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

ACCOUNTABILITY FOR ON-WARD TRANSFER

1. To transfer personal information to a third party acting as a controller, OrgVitality, LLC will comply with the Notice and Choice Principles. OrgVitality, LLC will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

2. To transfer personal data to a third party acting as an agent, OrgVitality, LLC will: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (vi), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vii) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

SECURITY:

1. OrgVitality, LLC will take reasonable and appropriate measures to protect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

DATA INTEGRITY AND PURPOSE LIMITATION:

1. Consistent with these Principles, personal information will be limited to the information that is relevant for the purposes of processing (See footnote 2 below). a. OrgVitality, LLC will not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, OrgVitality, LLC will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. OrgVitality, LLC will adhere to the Principles for as long as it retains such information. b. Information may be retained in a form identifying or making identifiable (See footnote 3 below) the individual only for as long as it serves a purpose of processing within the meaning of section “a” immediately above. This obligation does not prevent OrgVitality, LLC from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Framework. Organizations should take reasonable and appropriate measures to comply with this provision.
   
   Footnotes: Footnote 2. Depending on the circumstances, examples of compatible processing purposes may include those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection. Footnote 3. In this context, if, given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained, an individual could reasonably be identified by OrgVitality, LLC, or a third party if it would have access to the data, then the individual is “identifiable.”

ACCESS:

1. Individuals will have access to personal information about them that OrgVitality, LLC holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

RECOURSE, ENFORCEMENT AND LIABILITY:

1. OrgVitality, LLC will respond promptly to inquiries and requests by the Department for information relating to the Data Privacy Framework. a. OrgVitality, LLC will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. b. OrgVitality, LLC has chosen to cooperate with DPAs and will respond directly to such authorities with regard to the investigation and resolution of complaints. c. OrgVitality, LLC will arbitrate claims and follow the terms as set forth in the Data Privacy Framework Policy, provided that an individual has invoked binding arbitration by delivering notice to OrgVitality, LLC and following the procedures and subject to conditions set forth in Data Framework Policy. d. In the context of an onward transfer, OrgVitality, LLC has responsibility for the processing of personal information it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. OrgVitality, LLC shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. e. If OrgVitality, LLC becomes subject to an FTC or court order based on non-compliance, OrgVitality, LLC shall make public any relevant Data Privacy Framework-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.

PASSIVE INFORMATION COLLECTED

We and our third-party service providers may use a variety of technologies that automatically collect information when you use this Website. This information may include browser type, operating system, and IP address. The methods that may be used to collect this information include the following:

• A cookie is a data file placed on a computer when it is used to visit this Website. Cookies may be used for many purposes, including, without limitation, tracking user preferences and web pages visited while using this Website. You may disable cookies using your browser’s preferences, but some features of this Website may not function properly or may operate slowly if you disable the cookies.

• Web Beacons. A web beacon is a small graphic image or other web programming code (also known as “1×1 GIFs” or “clear GIFs”) that may be included in our Website pages or e-mail messages. Web beacons may be invisible to you, but any electronic image or other web programming code inserted into a web page or e-mail can act as a web beacon. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count how many e-mails that were sent were actually opened, to serve users with relevant content at the Website, count Website visitors, monitor Website traffic patterns, and/or count how many articles or links were actually viewed.

• Embedded Scripts. An embedded script is a programming code that is designed to collect information about your interactions with this Website, such as which links you click on. The code is temporarily downloaded onto your computer from our web server or third-party provider, is active only while you are connected to the Website, and is deactivated or deleted thereafter.

• Mobile Device Identifiers. Mobile device identifiers are used by certain mobile service providers that uniquely identify mobile devices. We or our third-party providers may receive such device information if you access the Website through mobile devices. Certain features of our Website may require the collection of mobile phone numbers, and we may associate that phone number with mobile device identification information. Additionally, some mobile phone service providers operate systems that pinpoint the physical location of devices that use their services. Depending on the provider, we or our third-party service providers may receive this information.

Information collected through passive means may be non-identifying or may be associated with you. In the latter case, it will be treated as PII.

USE OF INFORMATION COLLECTED

If you are responding to a survey/360, OrgVitality does not share any PII. The use of PII is limited to the information needed to distribute, collect, and analyze respondent results in a confidential manner (at or above the minimum n threshold agreed to by the client). If you made an inquiry through the Website, we will not share PII with third parties except as set forth below or in this Privacy Policy. OrgVitality may use the PPI we collect from you on the Website or from e-mails you send directly to us as follows:

• To respond to your inquiries, comments, questions, or requests;
• To send you newsletters, e-mails, and other communications for which you have registered;
• To monitor and statistically analyze usage of the Website and to improve the Website and/or product and services offerings;
• To administer the Website’s systems, to audit the Website, and for other internal business purposes;
• To add to our database, subscriber lists, and/or contact lists;
• To contact you about the Website, including, without limitation, to notify you in our discretion of changes to this Privacy Policy, the Terms of Use, or other policies that affect your use of the Website;
• To verify and monitor compliance with the Privacy Policy and Terms of Use;
• To comply with a judicial, administrative, or similar proceeding or order, such as a subpoena, search warrant, discovery request, or other valid law enforcement measure or investigation;
• To protect the legal rights, interests, and safety of the Websites, our users, or others in cooperation with copyright owners, internet service providers, wireless service providers, and law enforcement agencies;

USER NAMES, FORUMS, MESSAGE BOARDS, AND SIMILAR PAGES

You may be asked to choose a username and password in order to identify yourself on the Website. Some features of the Website may allow you to post communications that will appear on the Website for other visitors to view, and your user name may appear in connection with those postings. For that reason, you may not want to use your real name or the name of any other actual person as your user name.

The Website may make forums and message boards available to its users. All postings, including any PII you choose to post or include, are publicly available and are not subject to this Privacy Policy. If you post PII online, it will be publicly available, and you may receive unsolicited messages from other parties. We cannot ensure the security of any information you choose to make public in a forum or message board. Also, we cannot ensure that parties who have access to such PII will respect your privacy. Please exercise caution when disclosing PII in these areas. Your use of forums and message boards is subject to our Terms of Use.

OUR COMMITMENT TO SECURITY

Your privacy is important to us. OrgVitality uses reasonable efforts and safeguards to protect the PII we collect on this Website from unauthorized access, use, modification, or disclosure. However, due to the design of the internet and other factors outside of our control, we cannot guarantee that PII will be protected in all situations and circumstances. All information you transmit to OrgVitality via the Website is at your own risk.

CONSENT TO TRANSFER

This Website is operated in the United States. If you are located in Canada, the European Union, the UK, or elsewhere outside the United States, please be aware that any information you provide to us will be transferred to the United States. By using the Website or by providing us with your information, you consent to this transfer.

LINKS

While on this Website, you may be directed to other websites that are operated and controlled by third parties that are beyond our control. These other websites may set their own cookies, collect data, or have their own privacy policies. As noted above, this Privacy Policy only covers information collected by OrgVitality on this Website. This Privacy Policy does not cover any information collected by any other third-party websites linked to this Website, which you may visit by following links from our Website. We encourage you to review the privacy policy of any other website you visit before providing any PII.

UPDATING/CORRECTING YOUR PII AND CONTACTING ORGVITALITY

This Website may contain pages through which you can change your preferences or update the PII you have provided us through the Website. If you register to receive e-mail, you may unsubscribe by following the instructions provided to you in the applicable communication. You can contact OrgVitality, LLC directly in order to: (i) update or correct the PII that we store about you; or (ii) direct us to render inactive on our systems all your PII. We may be reached at contactus@orgvitality.com or at 914-747-7736. Please note that if you request us to render inactive your PII, we may still use aggregate non-PII, and some PII that you provided may continue to reside on backup tapes and other non-active systems for data restoration purposes. We will not manually delete PII from such backup media.

GENERAL AUDIENCE

The Website is a general audience Website. We do not knowingly collect or maintain any PII from children under the age of thirteen (13). We do not expect children to be attracted to or to use this Website. In the event we discover that a child under the age of thirteen (13) has provided this Website with PII, we will delete such child’s PII from our database.

ACCEPTANCE & PRIVACY POLICY CHANGES

By using this Website, you accept our privacy practices as outlined in this Privacy Policy. OrgVitality reserves the right to modify, revise, or otherwise update this Privacy Policy at any time for any reason. We will post any new or revised policies on the Website, but we will only use your PII in accordance with the privacy policy that was in effect at the time it was collected, unless you consent to any new terms regarding its use.

IF YOU DO NOT AGREE TO THE TERMS OF THIS PRIVACY POLICY, PLEASE EXIT THIS WEBSITE IMMEDIATELY.

This OrgVitality Privacy Policy has an effective date of May 10, 2017, and was updated on May 21, 2026.