Diligent Privacy Policy

Contents

1. Personal information we use

1.2 Special categories of personal data

2. How we use your personal information and the basis on which we use it

3. The information we collect on behalf of our customers

4. Your rights over your personal information

5. Information Disclosures

6. Information Security and Storage

7. International Data Transfer

8. EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework

9. Links to Other Sites

10. Contact Us

11. Changes to the Policy

This Privacy Policy applies to our websites and online board management and corporate governance, risk, and compliance-related services and product offerings (as well as other interactions in relation to the foregoing, such as webinars and events that we may hold in connection with our business activities, as well as web-based resources we make available through our websites, such as our resource center, online training, community, and tools & templates).

Websites where this Privacy Policy applies include diligent.com, boardeffect.com, boarddocs.com, blueprintoneworld.com, cglytics.com, manzama.com, steeleglobal.com, transparint.com, compliancewave.com, wegalvanize.com, info4c.net and ospreycompliancesoftware.com.

Within this Privacy Policy, (i) our corporate governance, risk, and compliance-related services and product offerings are referred to as the “services” and (ii) our websites are referred to as the “websites”. The websites and the services are owned and operated by Diligent Corporation and its group companies listed here (collectively, “We”, “Us”, or “Our”). This Privacy Policy describes how we collect, use, disclose and secure the personal information you provide via the websites or the services. It also describes your choices regarding use, access and correction of your personal information.

Personal information is information, or a combination of different types of information, that could reasonably allow you to be identified. For example, an individual’s name, e-mail address, phone number, or photo is generally understood to be their personal information. Other data points, such as an IP address, may constitute personal information if the data point can be used to identify an individual. Information that has been anonymized, and from which no individual can be identified either directly or in combination with other data, is not personal information.

For the avoidance of doubt, this Privacy Policy does not supersede or replace any additional or supplementary requirements that may be present in our customer contracts.

The Privacy Policy Supplement related to info4c Products can be accessed here.

1. Personal information we use

You can generally visit our websites without actively entering any personal information about yourself. However, in certain areas of this site, we may ask you to contact us with questions or comments or request more information about our services. You may also have the opportunity to use certain services within certain websites that require you to have a user account. In these cases we will collect personal information from you directly as described below.

We may be required to collect certain personal information about you either by law or as a consequence of any contractual relationship we have with you or your organization. Failure to provide this information may prevent or delay the fulfillment of these obligations. We will inform you at the time your information is collected whether certain data is compulsory and the consequences of the failure to provide such data.

1.1 Information we collect

We collect the following categories of information:

| Category | Examples | Sources |
|---|---|---|
| Identifiers | Personal details (e.g., name, title, employer, organization, or similar employment related information). Contact details (e.g., phone number, email address, postal address, phone number, or similar identifiers). Other information that you provide to us at your option, such as survey responses, contest submissions, feedback or optional user profile information (which may include a photo). Usage data about your use of the services (such as applications and features used, number and size of attached files, number and types of devices used to access the services and session lengths). Account information (such as user ID, contact details, answers to security questions, or similar identifiers, language, time zone). | You, your organization, our business partners, or information resellers. |
| Commercial Information | Commercial information about your organization (e.g., annual operating budget, number of board members, number of committee members) | You, your organization, our business partners, or information resellers. |
| Internet or other similar network activity | Information we collect automatically from you, including internet or other electronic network activity data collected using cookies and other device identifying technologies (‘Cookies and Tracking Technologies’). Further information about our use of Cookies and Tracking Technologies is available in our Cookies Policy. Commercial information about your usage of our services or the websites (such as support requests, recordings of or information from phone calls with our sales or support teams, or information provided to us to resolve such support requests). | You |
| Geolocation data | Information about your physical location or movements. | You, business partners or information resellers. |
| Sensory data | Audio, electronic, visual, or similar information. | You, your organization, our business partners, or information resellers. |
| Professional or employment-related information | Your current employment or past job history. | You or your organization. |
| Inferences drawn from other personal information | Profile reflecting a person's preferences, characteristics, behavior, attitudes, abilities, and aptitudes. | You, your organization, our business partners, or information resellers. |
| Sensitive Personal Information | Demographic information (e.g., age, education status, sex, protected classifications, diversity status) | You, your organization, our business partners, or information resellers. |

1.2 Special categories of personal data

We collect sensitive categories of personal data (known under some laws as sensitive personal information or protected classifications of data) with your consent when you directly submit it to us through our services such as Diligent Director Network.

We may also process this kind of information on behalf of our customers where our customers upload to or request this information in connection with our services. We will not process such information for any purpose other than as a provider of the services in accordance with the terms of use for the relevant services.

If you are a California Resident, you have the right to restrict our use and disclosure of your sensitive personal information to only limited purposes that are necessary to perform services that you request. If you are a California Resident and would like to restrict our use and disclosure of your sensitive personal information, click here.

2. How we use your personal information and the basis on which we use it

We use your personal information to:

Identify and authenticate you: We use your identification information to verify your identity when you create an account with us, when you access and use our services, and when needed to ensure the security of your personal information. We do this to comply with our contractual obligations to you or your organization. For our Director Network service, you have the option of designating whether you identify as racially diverse, as well as your gender identity. These fields are optional, and you can delete this information by contacting us using the details at the end of this Privacy Policy.

Provide you with services: We process your personal information to provide the services you or your organization have requested, such as when we compile commercial information collected from you about your organization. We do this to comply with our contractual obligations to you or your organization.

Improve our services: We analyze information about how you use our services to provide an improved experience for our customers of all our services, including service testing and analytics. It is in our legitimate interest to use the information provided to us for this purpose, so we can understand any issues with our services and improve them.

Communicate with you: We may use your personal information to communicate with you, for example to notify you of updates to the services, scheduled maintenance, security alerts, service-related surveys or events, subscription renewals or changes to terms and conditions, or if you contact us with questions. It is in our legitimate interest to provide you with appropriate responses and provide you with notices about our services.

Market our services: We may use your personal information to provide you with relevant information about the services offered by Diligent Corporation and its group companies and related materials about governance related topics or to help determine if our marketing emails to you have been opened. For these purposes, we may build a profile about you and place you into particular marketing segments in order to understand your preferences better and to appropriately personalize the marketing messages we send to you or to contact you by phone with the information relevant to you. It is in our legitimate interest to provide more relevant and interesting advertising messages and other marketing communications. Where necessary, we will obtain your consent before sending such marketing messages or contacting you by phone for marketing purposes.

Exercise our rights: We may use your personal information to exercise our legal rights where it is necessary to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law or our applicable contract terms and conditions.

Comply with our obligations: We may process your personal information to, for example, carry out fraud prevention checks or comply with other legal or regulatory requirements, where this is explicitly required by law.

Customize your experience: When you use the services, we may use your personal information to improve your experience of the services, such as by providing interactive or personalized elements on the services and providing you with content based on your interests.

We may obtain your consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, Cookies and Tracking Technologies or when we process certain sensitive personal information). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy Policy.

Customer Testimonials

We may post customer testimonials on our websites which might contain personal information. We will obtain consent via email prior to posting the testimonial or your name, title, and organization. If you wish to update or delete your testimonial, you can contact us at marketing@diligent.com.

3. The information we collect on behalf of our customers

Where a customer has retained us to provide our services and either provides us with personal information or requires us to collect personal information on their behalf in connection with such services, then our use of such personal information shall be limited to the purpose of providing these services. For example, we may receive your personal information from our customers who, in order to comply with their regulatory compliance obligations, have requested due diligence investigations and/or third party business partner management and monitoring.

In the circumstances described under this Section, we have no direct relationship with the individuals whose personal information we process. If your data is processed on behalf of one of our customers, please contact the customer you interact with directly. We may transfer personal information to companies that help us provide our services. Transfers to subsequent third parties are covered by the service agreements with our customers.

An individual whose data is being processed in the circumstances described in this section should direct any queries with respect to access, correction, amendment, or deletion of inaccurate data to our customer (the data controller). If requested to remove data, we will respond within a reasonable timeframe.

Personal information processed under this section will be retained as long as needed to provide services to our customer. We will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

4. Your rights over your personal information

You have certain rights regarding your personal information, subject to local law. These may include the following rights to:

  • access your personal information;
  • rectify the information we hold about you;
  • erase your personal information;
  • restrict our use of your personal information, including limiting disclosures made for valuable consideration;
  • object to our use of your personal information;
  • receive your personal information in a usable electronic format and transmit it to a third party (right to data portability);
  • receive a disclosure regarding how we have collected and used your personal information; and/or
  • lodge a complaint with your local data protection authority.

If you would like to discuss or exercise these rights, please contact us at the details below. We will request that you provide us with information for us to verify your identity and process your request. Once we verify your request, we will comply with it to the extent required by applicable law. Note that in some cases, we may be prohibited from disclosing certain information, such as Social Security numbers, or may be permitted to retain information, for example to complete the transaction for which it was provided.

We encourage you to contact us to update or correct your information if it changes or if the personal information we hold about you is inaccurate.

We will contact you if we need additional information from you in order to honor your requests.

If you are a California resident, we will not deny you goods or services, charge a different price or rate, or provide a different level or quality of goods or services on account of your decision to exercise any of the above rights which may apply to you.

5. Information Disclosures

We may disclose your personal information to third parties under the following circumstances:

Vendors. We disclose your personal information with our vendors and service providers who provide products and services that we use to operate our business and carry out the purposes listed above. For example, these vendors may provide services related to order delivery, customer service and support, payment processing, customer database management, contract signing, in-app notifications, website hosting, website analysis, marketing campaigns, email services, event registration, document storage, job applications and alerts, surveys and contests, and include contractors or consultants that work on our behalf. Vendors and services providers are authorized to use your personal information only as necessary to provide these services to us.

Business partners and customers. Some of our services involve disclosing personal information with our customers and business partners. For example, for CGLytics and Diligent Director Network, we display your personal information to other users of those services and disclose your personal information to partners advertising employment opportunities on the services and elsewhere (e.g., third party recruiters who may offer opportunities to you through their own platforms). Other business partners who may receive your personal information include our resellers, referral partners, consulting partners, associations of directors and other professional membership organizations.

Diligent group companies. Diligent Corporation works closely with other businesses and companies that fall within the Diligent group of companies. We may disclose certain personal information (such as your personal details and contact information, cookie information, service usage information, or use of our website) with other Diligent group companies for provision of customer support services pursuant to a contract, for marketing purposes (including for direct marketing activities carried out by such Diligent group companies), for internal reporting and customer insights, in the context of the establishment or performance of a contract (including participation in tenders), and for service optimization. A list of companies within the Diligent group with which your personal information may be disclosed can be found here.

Law enforcement agency, court, regulator, government authority or other third party. We may disclose your personal information with these parties where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party. Where permitted by law or regulation and reasonably practicable, we will attempt to notify you of such requirements.

The company or organization that has made you an authorized user of the Services.

Asset purchasers. We may disclose your personal information with any third party that purchases, or to which we transfer, all or substantially all of our assets and business. Should such a sale or transfer occur, we will use reasonable efforts to try to ensure that the entity to which we transfer your personal information uses it in a manner that is consistent with this Privacy Policy. You will be notified via email and/or a prominent notice on our websites of any change in ownership or uses of your personal information.

Because we operate as part of a global business, the recipients referred to above may be located outside the jurisdiction in which you are located (or in which we provide the services). See the section on “International Data Transfer” below for more information.

We have disclosed the following categories of personal information about consumers for valuable consideration in the 12 months before posting this privacy policy:

  • Identifiers, to vendors, business partners and customers
  • Professional or employment-related information, to vendors, business partners and customers
  • Contact details, to vendors, business partners and customers
  • Demographic Information, to vendors, business partners and customers
  • Education information, to vendors, business partners and customers
  • Protected classifications, to vendors, business partners and customers
  • Inferences drawn from any of the information identified above, to vendors, business partners and customers

We do not have actual knowledge of disclosure of the information of minors under age 16 for valuable consideration.

In the 12 months before posting this privacy policy, we have disclosed the following categories of personal information with online advertising services and advertising networks to advertise to you based on your activities across distinctly-branded websites, applications, and services:

  • Identifiers
  • Commercial information
  • Internet or other similar network activity

We have disclosed the following categories of personal information about consumers for a business purpose in the 12 months before posting this privacy policy.

  • Identifiers, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Professional or employment-related information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Contact details, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Demographic Information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Education information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Protected classifications, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Commercial information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Internet or other electronic network activity information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Geolocation data, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Audio, electronic, visual, or similar information, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.
  • Inferences drawn from any of the information identified above, to vendors, business partners and customers, Diligent group companies, and/or the company or organization that has made you an authorized user of the Services.

6. Information Security and Storage

We implement technical and organizational measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the ongoing integrity and confidentiality of personal information. In the limited cases where we process credit card transactions, we use PCI compliant third party payment processors to process these transactions in a secure manner. We evaluate these measures on a regular basis to ensure the security of the processing.

You share responsibility for protection of your personal information by keeping your username and password confidential and by changing passwords regularly.

Where we collect personal information from you, we will keep your personal information for as long as we have a relationship with you. Where we collect personal information from third party sources and do not have a relationship with you, we will keep your personal information for a period of time that is consistent with the reason for which we collected it (see the section on How we use your personal information and the basis on which we use it above). This retention period shall take into account the amount, nature and sensitivity of the relevant personal information. When these retention periods have ended, we will retain your personal information for a period of time that enables us to:

  • Maintain business records for analysis and/or audit purposes
  • Comply with record retention requirements under the law
  • Defend or bring any existing or potential legal claims
  • Deal with any complaints regarding the services
  • Enforce our commercial agreements.

We will delete your personal information when it is no longer required for these reasons. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further processing or use of the data.

7. International Data Transfer

Your personal information may be transferred to, stored and processed in various countries, including those that are not regarded as ensuring an adequate level of protection for personal information under European Union law or by the European Commission. We have put in place appropriate safeguards (such as contractual commitments) in accordance with applicable legal requirements to ensure that your personal information is adequately protected. For more information on the appropriate safeguards in place, please contact us at the details below.

8. EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework

Diligent Corporation (“Diligent”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Diligent has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Diligent has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF Program) and to view our certification, visit the US Department of Commerce’s Data Privacy Framework List: https://www.dataprivacyframework.gov/.

In the context of an onward transfer, Diligent is responsible for the processing of personal data it receives, under each Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. To the extent provided by the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Diligent remains liable under each respective Data Privacy Framework if Diligent’s agent processes personal data in a manner inconsistent with such Data Privacy Framework, unless Diligent proves that it is not responsible for the matter giving rise to the damage.

With respect to personal data received or transferred under the Data Privacy Frameworks, Diligent is subject to the regulatory enforcement powers of the US Federal Trade Commission. In certain situations, Diligent may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Diligent commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), respectively, with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. Under certain conditions, described in more detail on the Data Privacy Framework website here, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

As of the date of this Privacy Policy, Diligent does not rely on the Swiss-U.S. DPF as a data transfer mechanism in accordance with the laws of Switzerland. If and when the Swiss-U.S. DPF comes into effect, however, Diligent may rely on the Swiss-U.S. DPF as a data transfer mechanism for personal data received from Switzerland.

9. Links to Other Sites

Our sites and services may include links to other websites whose privacy practices may differ from our practices. If you submit personally identifiable information to any of those sites, your information is governed by their privacy policies. We are not responsible for the privacy practices or the content of any sites to which our sites provide links. We encourage you to carefully read the privacy statement of any website you visit.

Social Media Widgets

Our websites include Social Media Features, such as the Facebook Like button, and Widgets, such as the Share this button or interactive mini-programs that run on our websites (the “Features”). These Features may collect your Internet protocol address, which page you are visiting on our website, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our website. Your interactions with these Features are governed by the privacy statement of the company providing it.

10. Contact Us

Diligent Corporation and, with respect to individual service specific inquiries or relationships, the relevant group companies available here, are the controllers responsible for the personal information we collect and process as controllers.

Our European Union representative is Diligent Governance Ireland Limited, whose registered office is located at 6th Floor, South Bank House, Barrow Street, Dublin 4, Ireland.

Our United Kingdom representative is Diligent Boardbooks Limited, whose registered office is located at 1 Northumberland Avenue Trafalgar Square, London, WC2N 5BW, United Kingdom.

Our Data Protection Officer can be contacted at: privacy@diligent.com.

If you have questions or concerns regarding the way in which your personal information has been used, please submit details regarding the request here. If you prefer an alternative to submitting such a request, you may reach out through our support phone number (1.866.262.7326 or otherwise at our page here) and our representatives will attempt to assist.

If you are a California resident and would like to opt out of certain disclosures, please click here: YOUR PRIVACY CHOICES.

If you submit a request relating to your personal information, we will take steps to verify your identity before addressing your requests by comparing the information you provide against datasets that we may hold. You may be asked to confirm certain data points or confirm that you have made the request through an account that you have either with us or with a third party (such as an email address or other messaging address).

If you are a California resident, you may also submit your rights requests via an authorized agent registered with the California Secretary of State. Authorized agents may submit requests through the methods listed above. When a request is submitted by an authorized agent, we may require the authorized agent to provide evidence of its authority to act and evidence of the authorized agent’s identity. We may also contact the consumer to verify that they provided permission to submit the request.

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, you have the right to make a complaint to the data protection authority.

11. Changes to the Policy

You may request a copy of this Privacy Policy from us using the contact details set out above. We may modify or update this Privacy Policy from time to time.

If we materially change this Privacy Policy, we will notify you of the changes. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise your rights (e.g., to object to the processing).

Last Updated: April 18, 2024

Your Data Matters

At our core, transparency is key. We prioritize your privacy by providing clear information about your rights and facilitating their exercise. You're in control, with the option to manage your preferences and the extent of information shared with us and our partners.

© 2024 Diligent Corporation. All rights reserved.