StarCompliance, Inc. offers products and services in the business-to-business market sector. As such, when StarCompliance collects information about an individual (that is, personal information), it is generally only related to that person's role at his or her company and is not related to him/her as a private person or as an individual consumer. This document describes StarCompliance's policy for treating personal information submitted to the StarCompliance Solution (defined below) as well as personal information of StarCompliance employees.
StarCompliance customers may be referred to as "Client Company" throughout this document. Individual users of the Solution (employees of the Client Company) collectively and individually may be referred to as "you" and "your" throughout this document.
StarCompliance supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. StarCompliance supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals but is subject to providing a software solution which is configured based on the individual Client Company’s policies.
The StarCompliance Solution includes the family of regulatory compliance software solutions such as:
Any information relating to an individual, such as name, address, telephone number, and personal security transaction details for Client Company employees; for employees, it further includes any banking information.
Processing of personal data or “processing”
Any operation or set of operations performed on personal data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure or destruction.
Any person, partnership, corporation, public authority, government agency, or any other entity other than the individual, including a StarCompliance Client Company.
The person, public authority, government agency, or any other entity to which personal data is disclosed, even if the recipient is a third party.
"Personal Information" is a person's name and information associated with his or her personal identity as opposed to information associated with a business. Personal Information, such as name, email, telephone number and individually used brokerage account names and numbers (required for Personal Trading and Insider Trading Solutions only), is normally required for use in these features of the Solution. If you do not want to provide Personal Information to the StarCompliance Solution or wish to remove your Personal Information from the Solutions, please contact your employer's StarCompliance account administrator. StarCompliance is a software provider to your company and follows the directions of your company officials and policies and procedures.
"Sensitive Personal Information" means government identification numbers or financial account numbers associated with individual persons (e.g. U.S. Social Security numbers, driver's license numbers, or personal credit card or banking account numbers), and medical records or health care claim information associated with individuals, including claims for payment or reimbursement for any type of medical care for an individual. While StarCompliance maintains this information for employees, StarCompliance only retains brokerage information and associated home addresses at the direction of Client Companies.
Use of Personal Information by StarCompliance
StarCompliance will treat Personal Information as confidential and maintains it in the system so that the Client Companies can facilitate operation of the Solution and its related services and enhance use of the Solution. StarCompliance may view personal information for purposes such as, but not limited to: performing internal tracking and Solution improvement; enabling the Client Company to process requested transactions through the Solution (at the request of a Client Company, such as the Solution's pre-clearance and attestation functionality); and analyzing the volume and history of a Client Company's Solution usage.
Some of our Solution areas utilize cookie technology for the above purposes. If you configure your browser to reject cookies from the StarCompliance Solutions, you will not be able to access the Solutions. StarCompliance does not link the information we store in cookies to Personal Information you submit while using the Solutions except as necessary to perform website security, service functionality and usage analytics. StarCompliance does not place any third-party advertising tracking cookies on your computer during your use of the StarCompliance Solutions. The web pages you access when using the StarCompliance Solutions do not respond to “do not track” signals sent by your browser.
Visibility of Personal Information within a Solution
The StarCompliance Solution is a single-tenant model; thus there is no sharing of personal information within various databases. Each Client Company receives a dedicated Solution; each Solution contains only that Client Company’s employee personal information. The Client Company’s administrative teams (e.g. compliance office) manage their StarCompliance Solution. The Solutions provide role-based and data visibility functionality to prevent unauthorized Client Company employees from viewing employee transactional data.
By submitting Personal Information to the Solutions, Client Company employees are consenting to the Client Company direction to have StarCompliance's software collect, process, store, and use that information in accordance with this policy. Before providing Personal Information to the Solutions, the Client Company should inform individuals of the collection, transfer, processing, and use of that information. As a user of the Solutions, and subject to the roles you hold and your notification settings, you may be required to receive certain administrative notices from the StarCompliance Solutions.
StarCompliance, Inc. maintains operations offices and hosting facilities in both the United States and the United Kingdom. Client Companies located in the European Union will utilize our United Kingdom data centers, while Client Companies from the rest of the world will typically utilize our United States data centers. Upon written request, the Client Company may be hosted in their preferred data center location. By submitting data to the Solutions, you consent to having such data transferred to the Solutions operation location selected by the Client Company.
EU - US Privacy Shield
StarCompliance is a participating company in the EU-US Privacy Shield program and as such is registered with the US Department of Commerce and acknowledges adherence to the respective Principles outlined in the adopting release.
StarCompliance will annually self-certify compliance with this policy in order to avail itself of the protections and the benefits of the Privacy Shield.
StarCompliance, as the provider of the software, hosts Client Company databases, and thus individuals’ personal data is maintained only at the direction of clients; individuals have the right to access that data directly from their employer. StarCompliance does not use or disclose this information, except as required by law. The owner of the data is our Client Company, i.e., the individual’s employer, which as a result maintains those decision-making rights. An individual who seeks to access, correct, amend, or delete inaccurate data, or who wishes to limit the use and disclosure of their personal data, should direct their query to firstname.lastname@example.org, who will then forward the request to our corporate client.
StarCompliance is committed to the principles as outlined in the release and will only capture such personal data as directed by our clients. StarCompliance does not use any personal data that is collected on behalf of our clients but merely operates as a software package to collect the information for our Client Companies.
StarCompliance has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
StarCompliance always retains the right to disclose personal information of individuals in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
StarCompliance maintains all personal information in a reasonable and appropriate manner to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
The information collected at the direction of the client is limited to the information that is required under the company policies and procedures, and StarCompliance does not use the data in any manner inconsistent with the client’s intent. StarCompliance clients provide individuals with access to personal information about them consistent with the client’s policies and procedures.
StarCompliance will annually follow up and verify that these policies and privacy practices are true and accurate and that there have been no breaches of this policy. In the event that there is a breach of this policy, StarCompliance will investigate and remediate as appropriate and will hold employees appropriately accountable for any breach of this policy.
For absolute clarity, StarCompliance is a software provider and as such is a mere conduit for data transmitted by third-party clients and does not determine the purposes and means of processing those personal data.
Correcting Account Information (Exercising Your Right to Access Personal Information)
You have a right to access and modify your Personal Information subject to your Client Company’s policies and procedures. To exercise these rights, you should contact your Company to allow you to update Personal Information in a timely manner. In the Solutions, the administrative contact for your company can directly change most contact information by logging on to the Solutions and managing your account profile directly.
Employees of StarCompliance corporate clients always have the right to access their information via the software provided to those individuals. Such information resides within our software solution databases and clients can access it through their login or their company compliance department.
Disclosure by StarCompliance to Third Parties
StarCompliance may provide third parties with personal data processed on its systems for generally accepted business purposes such as court orders, subpoenas, employment verification (for StarCompliance employees), governmental inspections, and other related reasons. All recipients of such information must definitively identify themselves, verify in writing the legal and customary purposes for which the information is sought and certify that the personal data will be used for no other purposes.
All disclosures to government agencies and other third parties may be preceded by written or other notice sent to the individual. A blanket, one-time approval of such disclosures is sufficient. Any objection must be directed to the Client Company as they are the actual owner of the personal data. StarCompliance will notify employees of any legal order requesting employee personal data on a timely basis so an employee has the opportunity to object.
StarCompliance will not directly disclose personal information to the US Securities and Exchange Commission or any other regulator without first informing the corporate client of such fact. StarCompliance will work with the corporate client to determine if disclosure is proper and warranted. StarCompliance does not disclose personal information for any other reason.
StarCompliance will work with our corporate clients in the event of a lawful request by public officials for disclosure of personal information. It is anticipated that the information provided via the StarCompliance software will be disclosed to US regulators if the corporate client is registered to do business in the United States. The corporate client will determine which personal information will be provided to the regulators in most situations. StarCompliance normally will not be involved in this determination unless contacted by the regulators directly, which would be an unusual event.
StarCompliance corporate clients determine any limitations regarding the use and disclosure of their personal data, but normally this information is not disclosed to third parties except to either process the transaction or as the result of a regulatory inquiry. StarCompliance would only disclose any personal data as the result of a regulatory inquiry or similar situation.
While StarCompliance does not engage in onward transfer of personal data to third parties, StarCompliance remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless StarCompliance proves that it is not responsible for the event giving rise to the damage.
Processing Confidentiality and Security
Transfers of private information to another country, no matter what technology is employed, must not take place unless prior approval of the Client Company has been obtained. An exception is made in those cases where the individual is, was, or will be located in the destination country, or when the individual has specifically requested such a transfer.
StarCompliance does not use externally meaningful identifiers as its own internal individual account numbers. For example, to prevent identity theft, StarCompliance customer user account numbers must never be equivalent to social security numbers, driver’s license numbers, or other identifiers that might be used in an unauthorized fashion by a third party.
StarCompliance uses industry standard security technology and organizational measures to protect Personal Information from unauthorized disclosure. StarCompliance takes steps to safeguard personal information appropriately using recommended industry encryption methods for both data in transit and data at rest. StarCompliance’s services are designed so that these categories of information can only be viewed from within the Solutions. Using role-based and data visibility features, the Client Company can further limit access to only those users who need to see such information.
During the building, testing, enhancing, and maintaining of the Solutions, developers do not have access to actual user personal data. Instead, they must use fictional or sanitized personal data that preserves the essential characteristics of the data, but that does not relate to identifiable individuals. In emergency situations where processing with actual personal data is required, use of such information is permitted under strict security procedures defined by information security policy.
StarCompliance will retain Personal Information in active databases for varying lengths of time depending upon the type of data, and applicable law at the Client Company’s direction. Consistent with StarCompliance's backup and storage procedures and due to the close integration of data with the Solutions, Personal Information might be stored by StarCompliance in backup logs and files for the duration necessary for legal requirements.
Monitoring of Internal Activities
In general terms, StarCompliance does not engage in blanket monitoring of internal StarCompliance communications. It does, however, reserve the right at any time to monitor, access, retrieve, read, or disclose internal communications when a legitimate business need exists that cannot be satisfied by other means, the involved individual is unavailable, and timing is critical to a business activity, there is reasonable cause to suspect criminal activity or policy violation, or monitoring is required by law, regulation, or third-party agreement.
At any time and without prior notice, StarCompliance management reserves the right to examine archived electronic mail, personal computer file directories, hard disk drive files, and other information stored on StarCompliance information processing systems. This information may include Personal Information. Such examinations are typically performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of StarCompliance information processing systems.
Changes to this Policy
From time to time, StarCompliance will need to make changes to this policy. Some of the changes will be in response to changes in applicable laws and regulations. In addition, as StarCompliance adds new features and new services to the Solutions, StarCompliance will continue to handle Personal Information consistently with this policy, but some changes or clarifications may be required.
If StarCompliance seeks to make a material change to StarCompliance's policy to allow use of Personal Information for a new, legitimate business purpose, StarCompliance will document the change to this policy, note the date of the last update at the end of the policy, and publish the policy on our secure customer portal. You are encouraged to check this policy occasionally to stay informed of any changes in our policies and procedures regarding Personal Information. For substantial and material changes to this policy, StarCompliance will use reasonable efforts to provide notification to all affected users and suggest that such users review the updated policy.
StarCompliance recognizes that it is subject to the investigatory and enforcement power of the Federal Trade Commission.
If you have any questions, please contact StarCompliance with the details below:
451 Hungerford Drive, Suite 515, Rockville, MD 20850, USA
This policy is posted at www.starcompliance.com and is effective November 2016.