SPI Online Data Privacy Policy

Summary

• A. Definitions
• B. What is our Privacy Commitment to you?
• C. Legal basis for collection
• D. Types of data
• E. Data we collect
• F. Processing Purposes: How We Use Your Data
• G. Sharing: Who do we share your data with?
• H. Specific note on SPI E-learning platform
• I. Complementary note on SPI Audit data
• J. SPI Online Hosting
• K. Use of cookies
• L. Data transfers to other countries
• M. Security measures to protect your Data
• N. Data retention and destruction policies
• O. Use and storage of Personal data
• P. Information access, questions, complaints
• Q. Your rights
• R. Changes to the privacy notice and your duty to inform us of changes
• S. Privacy contact details

A. Definitions

Please refer to the Terms of Service for all relevant definitions.

B. Privacy Commitment

We respect your privacy and are committed to protecting your Data.

This privacy notice describes how we collect, use, share and secure data you provide on the Website and specifically on SPI Online when you become a User and create Audits or sign-up on our SPI E-learning platform. It also explains your privacy rights and how laws that are applicable to you may protect you and is intended to supplement other notices and privacy policies and not to override them.

The use of and access to the Website and use of the Services are subject to the Agreement.

C. Legal basis for collection

In many countries, we are required by law to explain the legal bases we rely on when we process your Data. These legal bases are listed as follows and we may use more than one lawful basis when processing your Data.

Consent – In certain cases, we collect and process your Data with your consent e.g. when you register to use the Services or complete an Audit.

Legitimate interest – means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Legal compliance – If the law requires us to, we may need to collect and process your Personal Data in response to lawful requests by public authorities or if e.g. we believe in good faith that disclosure is necessary to protect our rights, to protect your safety or the safety of others, to investigate fraud or breaches of our site terms, or to respond to a government request.

D. Types of data

We may collect, use, store and transfer different kinds of data about you, including but not limited to, which we have grouped together as follows:

Personal data

A. Identity data:

• a. First name
• b. Last name
• c. Organization name
• d. Organization Mix ID (which can be associated with your Mix ID (from https://databank.banquemondiale.org/source/mix-market or an ID created for usage of the Service)
• e. Country
• f. Role/position in your organisation
• g. Language(s)

B. Contact data:

• a. email address
• b. phone number

C. Technical data – includes but not limited to:

• a. internet protocol (IP) addresses
• b. login data
• c. browser type and version
• d. time zone setting and location
• e. browser plug-in types and versions
• f. operating system and platform and other technology on the devices you use to access this Website.

User-Generated Content

D. Audit data are data you enter in Audits, i.e., the answers to the indicators and all metadata about the Audit.

E. Provided data refers any other types of data you enter, upload, send or transfer using the Website or during activities directly related to the Services.

F. SPI E-learning data are the data you enter using the SPI E-learning platform.

E. Data we collect

Data is collected from you directly, automatically from your device and from third parties. Below, we detail the information we collect through each of these channels and which data type this refers to:

A. From You

• Account Data: We collect certain information when you open an Account or register for one of the Services (A, B, C)
• User-Generated Content: When you use our Services, we collect Data included as part of the information you provide such as inputs, text, documents, images (D, E, F).
• Demographic information: In some cases, you provide us with gender, or similar demographic details (A).
• Feedback Data: This consists of information you submit through surveys, reviews, or interactive features (A, B, C, E).
• Payment Information: For paid subscriptions, we collect details like name, billing address, and payment specifics (A, B, C, E).
• Profile Information: We collect information to create a user profile, which may include a photo, additional email addresses, job title, or biography (A, B, C, E).
• Sales and Marketing Data: This includes information provided for promotional communications, such as name, email address, and company name (A, B).
• Support Data: When you seek customer support, we collect details like e-mail address, text, or multimedia files. (A, B, E)

B. Automatically

• Buttons, Tools, and Content from Other Companies: Our Website contains links or buttons that lead to third-party services like X or LinkedIn. Use of these features may result in data collection. Engaging with these buttons, tools, or content may automatically send certain browser information to these companies. Please review the privacy statements of these companies for more information.
• Essential Cookies and Similar Tracking Technologies: We use cookies and similar technologies to provide essential functionality like storing settings and recognizing you while using our Service.
• Non-essential Cookies: we use online analytics products that use cookies to help us analyze how users use our Service and to enhance your experience when you use the Service. We only use non-essential cookies after obtaining your consent. (C)
• Email Marketing Interactions: Our emails may have web beacons that offer information on your device type, email client, email reception, opens, and link clicks. (B, C, E)
• Geolocation Information: Depending on the Service's functionality, we collect regional geolocation data (C)
• Service Usage Information: We collect data about your interactions with the Service, such as session details, date and time of requests, information related to your Audits. (A, C)

C. From Third Parties

• Information from other Users of the Service: Other users may share information about you. We may also receive information about you if you are identified as a representative or administrator of your company.
• Publicly Available Sources: We may acquire information about you from publicly available sources.
• Vendors, Partners, and Affiliates: We may receive information about you from third parties, like vendors, resellers, partners, or affiliates for the purposes outlined in this statement.

F. Processing Purposes: How We Use Your Data

The Data we process depends on your interaction with the Service. This section details all the potential ways CERISE may process your Data:

• Providing the Service: we use Data to give you access to, operating and maintaining the Service. This includes copying and duplicating Data for back-ups.
• Business or financial Operations: We use Data for activities like billing or accounting. This includes creating aggregated statistical data for internal reporting or financial reporting.
• Communication: We use Data to inform you about our activities, events, features, offers and other information. This also includes sending confirmations, invoices and administrative messages.
• Personalization: We use Data to customize the Service and Content to your preferences.
• Safety and Security: we process Data for abuse detection and violations of terms of service.
• Troubleshooting: We use Data to identify and resolve technical issues.
• Inference: We generate new information from other data (e.g. Region or Sub-region from Country).
• Complying with and resolving legal obligations.
• Legitimate interest, including:
  • Research: We use Audit data for research related to Social and Environmental Performance Management betterment such as areas of improvement, better outcomes management or improving environmental practices.
  • Fee for services: We use Data to provide third parties partners with reports or Audit data. We only share Data as Anonymized data, with your consent or within the framework of another contract (e.g. reporting data of an investee).
  • Advocacy: We use Data to support key Users such our SEPM Pros or Impact Investors.

G. Sharing: Who do we share your data with?

We do share your data with the following recipients.

• Organization on SPI Online: If you join an Organization on SPI Online, we will share limited Data (Name and email address) with that Organization for you to be able to use the Services.
• Subprocessors and Service Providers: We may use vendors to provide services on our behalf, including hosting, marketing, email list management and email distribution, social media, analytics, support ticketing, credit card processing, or security services. They are bound by contractual obligations to ensure the security, privacy, and confidentiality of your information. Our list of Subprocessors is available here.
• Social Performance Task Force (SPTF): Since 2021 CERISE and SPTF have signed a Memorandum of Understanding (MOU). CERISE and SPTF will share Data to pursue Joint Activities stated within the contract.
• Partners: We cooperate with third parties that offer consulting, support, and technical services for our Services. We may share your data with these partners and resellers where allowed, under confidentiality agreement or with your consent when required.
• Other Users: Depending on your account settings (especially the Audit settings on SPI Online), we may share Data with other users of the Services. Please be aware that any information you share in a collaborative context. Some Data may be shared with other Users as Anonymized data, in aggregate form or with your consent.
• Corporate Transaction Entities: we might disclose Data within the limits of the law and in accordance with this Privacy Statement for strategic business transactions such as a joint-venture or a merger.
• Abuse and Fraud Prevention Entities: We may disclose Personal Data based on a good faith belief it is needed to prevent fraud, abuse, or attacks on our Services, or to protect the safety of CERISE and our Users.
• Competent Authorities: We may disclose Data to authorized law enforcement, regulators, courts, or other public authorities in response to lawful requests or to protect our rights and safety.

H. Specific note on SPI E-learning platform

We collect data from Users who interact with the SPI e-learning platform, which is hosted by a third-party provider, TalentLMS. This data may include information such as your name, email address, IP address, and User-Generated Content you input, upload or provide in any other way. We do not share your personal information with the third-party provider, except as necessary to provide the e-learning platform service to you. The third-party provider is subject to its own data privacy policy, which you can find on their website.

I. Complementary note on SPI Audit data

• Data quality / no representation: Please note we do not take responsibility for the quality of the Audit data you provide or collect via SPI Online. Although we may try upon reviewing the Audit data to correct flagrant errors, we do not take responsibility for the User-Generated Content. Cerise shall not have any responsibility for any action or decision resulting from the use of Audit data hosted on SPI Online.
• Data ownership and sharing: All Data hosted on SPI Online is shared with CERISE. In the case of Audit data, consent to share with CERISE is mandatory for each Audit creation. All duplicated Audits resulting from the use of the duplication tool, retain the initial consent and conditions unless modified directly in the Audit settings. The User who creates an Audit is the owner of the Audit and its data. When the user decides to share an audit with other Users of SPI Online, he can choose several levels of sharing: “Can edit the settings and answers”, “Can change answers”, “Can view”, “No access”. Depending on the sharing level selected he accepts that those Users may access and modify the audit, and/or access and modify its data or simply access the data. Once a user has access to audit data, he may use the data on SPI Online (e.g. in the analysis module for example), download and store the data.
• Private audits: Private Audits are Audits for which you wish to restrict access. We treat these audits as confidential, and we only access those for security purposes, to assist the User with a support matter, to maintain the integrity of the Service, to comply with our legal obligations or with your consent.

J. SPI Online Hosting

SPI Online is hosting service is located in France. As such, the hosting company must respect GDPR (General Data Protection Regulation (EU) 2016/679). Data provided within the use of Cerise’s activities may only be used to maintain their services.

K. Use of cookies

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

Cerise participates in and complies with all IAB Europe Transparency & Consent Framework Specifications and Policies (learn more here). Cerise uses the Consent Management Platform n°92 (Sirdata).

SPI Online uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you use our site. The main purpose of these cookies is to simplify logins while conducting Audits on SPI Online. By continuing to browse the Website, you are agreeing to our use of cookies.

We also use non-essential cookies to gather information about our Users’ interests and online activities. We mostly use this information to monitor the Website’s usage and the relevance of the Content we provide.

Our emails to users may contain a pixel tag, which is a small, clear image that can tell us whether you have opened an email and what your IP address is. We use this pixel tag to make our email communications more effective and to make sure we are not sending you unwanted email.

The length of time a cookie will stay on your browser or device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay until they expire or are deleted. The expiration time or retention period applicable to persistent cookies depends on the purpose of the cookie collection and tool used. You can delete cookie data.

L. Data transfers to other countries

Data collected through the Services will be stored and processed mainly in the European Union but also in the United States or countries where CERISE’s affiliates or service providers maintain facilities or employ staff or contractors. CERISE transfers information that we collect about you, including personal information, to affiliated entities, and to other third parties across borders and from your country or jurisdiction to other countries or jurisdictions around the world. As a result, we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction. However, we always take steps to ensure that your information remains protected wherever it is stored and processed in accordance with applicable laws. Where required under applicable laws, you consent to the transfer of information to the U.S. or any other country in which CERISE, subsidiaries, affiliates or service providers maintain facilities and the use and disclosure of information about you as described in this Privacy Policy.

CERISE will take all reasonable measures guarantee Data security and confidentiality.

M. Security measures to protect your Data

We have put in place appropriate security measures (SSH keys, passwords, IP whitelists for servers, systematic NDA/contracts to work on Data) to prevent your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Data on our instructions, and they are subject to a duty of confidentiality.

Although we do everything we can to keep your Data safe, unfortunately, no systems can guarantee they are 100% secure. If you have questions about the security of your Data, or if you have reason to believe that the Data that we hold about you is no longer secure, please contact us immediately as described in this Data Policy.

We will notify you and any applicable regulator or supervisory authority of a breach where we are legally required to do so.

N. Data retention and destruction policies

Audit Data is kept to conduct historical analysis of trends for the social audits. Data is kept under the same level of protection over time. Audits and contacts can be destroyed under conditions stated in the Terms of Service.

O. Use and storage of Personal data

We will only retain your Personal data for as long as necessary to fulfil the purposes we collected it for, including giving access to the Services, satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for Personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your Personal data, the purposes for which we process your Personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you are a citizen or resident of the EEA, or we are processing your personal data in the European Economic Area (EEA), in some circumstances you can ask us to delete your data: see below for further information.

P. Information access, questions, complaints

Upon request, CERISE will provide you with information about whether we hold any of your personal data. You may access, correct, or request the deletion of your personal data.

You can direct any questions or complaints about the use, disclosure of your Data and specifically Personal data to the contact listed in section S. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your personal data within 90 days of receiving your complaint.

Q. Your rights

You may:

• request access to your Data and we may conduct ID checks before we can respond to your request.
• have your Data erased, corrected or restricted if it is inaccurate or requires updating. You may also have the right under certain circumstances to request the deletion of your Data; however, this is not always possible due to legal requirements and other obligations and factors.
• object to the processing your Data if we are not using your Data for the purposes set out in this Agreement.

If you are in the EEA, you additionally will have the right to:

• have your Data transferred to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• make a complaint at any time to a data protection regulator. A list of National Data Protection Authorities can be found here.

We would, however, appreciate the chance to deal with your concerns before you approach the data protection regulator, please contact us in the first instance.

R. Changes to the privacy notice and your duty to inform us of changes

This version was last updated on the date at the top of this privacy policy.

We reserve the right to modify this privacy statement at any time, so please review it frequently.

It is important that the personal data we hold about you is accurate and current. Please keep your Account details updated if your Personal data changes during your relationship with us.

S. Privacy contact details

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact:

• Data Protection Officer
• CERISE
• 71 Cours Anatole France
• 33000 Bordeaux
• FRANCE
• E-Mail: DPO@cerise-spm.org