1       INTRODUCTION

1.1      Purpose

This Internal Privacy Policy (“Privacy Policy”) sets forth SupplyHive’s policies and procedures for protecting the privacy of Personal Data, as defined below. The Privacy Policy is applicable to all SupplyHive employees, contractors, and visitors.

1.2      Mission Statement

At SupplyHive, safeguarding individual privacy is paramount. We are focused on elevating the collective mind data point by data point. Our mission is to collect input using crowdsourcing, data, feedback, and client opinions to build a true understanding of suppliers. We prioritize privacy protection by collecting only the minimal amount of personal information necessary to distinguish between members of our colony. We safeguard our customers’ privacy by never sharing our customers’ information with third parties without consent. Our strong culture of privacy helps to ensure that we have the strongest possible hive.

1.3      Definitions

“Data Controllers” are those people that determine how and whether Personal Information is processed. SupplyHive is a Data Controller for purposes of these procedures.

“Data Processors” are those people that process Personal Information on behalf of a Data Controller.

“Data Subjects” are the people to whom the Personal Data relates.

“Personal Data” is any information about an identifiable individual. Properly anonymized and de-identified or aggregate data is not Personal Data. Examples of Personal Data include (but are not limited to):

  • name, date of birth, and social security or other identity card number;
  • contact information such as mailing address, email address, and phone numbers;
  • credit card and financial account numbers;
  • health or medical information;
  • information contained in employee files, including employment history, evaluations, and information collected during the application and hiring process; and
  • information related to employee benefits, such as the names of dependents, beneficiaries, and insurance policy information.


“Process” is used very broadly to indicate performing any action on Personal Data, such as collecting, recording, organizing, storing, transferring, modifying, using, retaining, or deleting.

“Sensitive Personal Data” is Personal Data that relates to an identifiable person’s health, finances, sexual orientation, religious beliefs, or criminal record.

1.4      Scope

This policy is applicable to all employees, visitors, and contractors.

2       PROCEDURES

2.1      Notice and Transparency

Privacy protection is integral to SupplyHive’s processing of Personal Data because it helps to protect our members and to let them feel comfortable sharing information with us. This information helps us to grow and improve our community.

We collect and process Personal Data in a number of ways, including:

  • Members when they sign up to join SupplyHive, including first name, last name, City, State, and email address.
  • Employees and applicants, as part of their employment or application. This information may include job applications, records of training, documentation of performance appraisals, salary, and other employment records.

Such processes should be designed to minimize the unnecessary collection or use of Personal Data. Likewise, the use of anonymized and de-identified or aggregate data is generally preferable to the use of Personal Data.

2.2      Data Collection and Consent

Prior to the collection and processing of Personal Data, SupplyHive must obtain consent from the Data Subject in a manner appropriate to the context. Consent can be implied from the circumstances. When Personal Data is used in ways that are not reasonably implied from the apparent circumstances, consent may be provided orally, in writing, or electronically on an opt-in or opt-out basis. Usage of Sensitive Personal Data should have clearer opt-in consent. Personal Data should not be collected from children without clear parental or legal guardian written consent, and Sensitive Personal Data collection requires particularly clear consent to collect.

To provide notice and receive informed consent, SupplyHive should disclose the following before collecting Personal Data when it is not otherwise clear from the circumstances:

  • the identity of the person or entity that is collecting the Personal Data (i.e., the Data Controller);
  • the purpose(s) for which the Personal Data is to be processed or used;
  • the methods by which the Personal Data is to be collected;
  • the scope of Personal Data that may be collected (e.g., types, over what time period, etc.); and
  • the identity of anyone to whom the Personal Data may be disclosed or transferred.

SupplyHive need not obtain consent from the Data Subject in the following limited circumstances:

  • in an emergency that threatens an individual’s life, health, or personal security;
  • when the Personal Data is available and collected from a public source;
  • when the processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • when the processing is necessary for compliance with SupplyHive’s legal obligations, such as to investigate and protect its legal interests;
  • when the processing is necessary in order to protect the vital interests of the Data Subject;
  • in certain circumstances, when processing is necessary for the performance of a task carried out in the public interest;
  • when processing is necessary for SupplyHive’s legitimate business interests, as disclosed to the Data Subject, consistent with the fundamental rights and freedoms of the Data Subject; or
  • where the intended collection, use, processing, and/or disclosure is otherwise permitted or not precluded by applicable law.

2.3      Use and Retention

When Personal Data is used, SupplyHive must use the Personal Data in a way that is compatible with the purposes for which it was collected, or for a reasonably related purpose. If Personal Data needs to be used for another purpose or handled in a way that the Data Subject has not provided consent for, SupplyHive should obtain the consent of the Data Subject for the new or different use. Only SupplyHive personnel or third parties working on behalf of SupplyHive with a legitimate business purpose may access or use Personal Data, and even those individuals may only access such Personal Data for legitimate purposes required by their positions. The more sensitive the Personal Data is, the greater the security should be to protect it.

SupplyHive should not keep Personal Data longer than necessary for the purpose for which it was collected. SupplyHive must securely destroy or erase Personal Data from its systems when it is no longer required to accomplish the purpose for which it was collected. SupplyHive also shall endeavor to ensure the secure deletion and destruction of Personal Data stored or maintained by third parties. We may, however, retain some Personal Data in order to comply with applicable laws, regulations, rules, and court orders.

2.4      Disclosure and Onward Transfer

SupplyHive may share Personal Data with third parties that provide services to the extent such third parties are contractually required to follow the procedures set forth herein, or substantially equivalent standards, and to protect Personal Data in accordance with all relevant laws, regulations and rules, and subject to any appropriate security measures. These requirements should also apply to any subcontractors engaged by third parties.

Personal Data may not be sold, transferred, or disclosed to other third parties except as authorized in this document.

Prior to disclosing Personal Data to a third party, SupplyHive may provide the Data Subject the opportunity to choose whether his or her information may be disclosed to that third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the Data Subject.

In all instances, Sensitive Personal Data should not be disclosed to unaffiliated third parties or used for new purposes without explicit consent or the presence of other circumstances requiring or justifying such use.

2.5      Quality and Integrity

SupplyHive shall use its best efforts to process accurate Personal Data. To this end, Data Subjects may make reasonable requests for the correction of any incorrect or misleading Personal Data about them. To the extent reasonably feasible, we must, as appropriate, correct or destroy Personal Data that is inaccurate, misleading, or out-of-date. If SupplyHive does not make a requested correction, the request should be noted in the Data Subject’s file to the extent feasible and explained to the Data Subject.

3       COMPLIANCE

3.1      Risk and Responsibility

CEO Michael Anguiano is responsible for the collection and proper management of any personal information you submit. SMW Data Privacy is responsible for all applicable privacy and data protection laws and the terms of this Privacy Policy.

3.2      Security

SupplyHive takes reasonable administrative, technical, and physical measures to safeguard against unauthorized processing or use of Personal Data, and against the accidental loss of, or damage to, Personal Data. These measures include:

  • making available written plans to identify, prevent, detect, respond to, and recover from cybersecurity threats and incidents;
  • developing security authentication procedures for accessing all systems that store Personal Data;
  • maintaining patched, up-to-date anti-virus software, firewalls, and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up-to-date;
  • requiring third-party data processors, vendors and other service providers who will be processing Personal Data on behalf of SupplyHive to maintain appropriate security measures;
  • maintaining appropriate records of access to and processing of Personal Data;
  • auditing Personal Data security at regular intervals (but no less than annually) and recording the results of such audits;
  • using appropriate protections, such as encryption, to protect Sensitive Personal Data in transit and when stored on portable computer media as necessary or appropriate;
  • utilizing appropriate and secure destruction methods of Personal Data as legally required; and
  • taking all other reasonable measures as required from time to time by local laws and regulations.

3.3      Accountability

All major information assets shall be accounted for and have a nominated owner.

Accountability for assets helps to ensure that appropriate protection is maintained. Owners are to be identified for each major asset and the responsibility for the maintenance of appropriate controls is to be assigned. Inventories of assets help ensure that effective asset protection takes place, and will also be useful for other business purposes, such as health and safety, insurance, or financial management reasons. The process of compiling an inventory of assets is an important aspect of risk management.

3.4      Penalties

SupplyHive takes the issue of security seriously. Those people who use SupplyHive’s technology and information resources must be aware that they can be disciplined if they violate this policy. Upon violation of this policy, an employee may be subject to discipline up to and including discharge. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation, prior violations of the policy committed by the individual, state and federal laws, and all other relevant information. Disciplinary action taken against an employee shall be administrated in accordance with any established SupplyHive rules, policies, or procedures.

In a case where the accused person is not an employee of the company, the matter shall be submitted to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

3.5      Training

Employees with access to Personal Data shall receive annual training on this Privacy Policy.

3.6      Privacy Inquiries and Disputes

SupplyHive must designate an individual to handle complaints and disputes regarding the use of Personal Data. SupplyHive must inform the individuals from whom it collects Personal Data of a phone number or email address that they may contact for complaints or disputes about how their Personal Data is handled. These complaints and disputes shall be addressed by SupplyHive management, who may decide when consultation with legal counsel is appropriate in anticipation of potential litigation with the Data Subject. Internal processing of requests for legal counsel would be subject to attorney-client privilege and attorney work-product doctrine protections to the extent applicable under state or federal law. The person(s) authorized to handle complaints and disputes are CEO Michael Anguiano and Data Privacy Program Manager Scott Wener.

3.7      Access

SupplyHive shall post a privacy notice so that Data Subjects can contact the appropriate person with inquiries or complaints regarding the use of their Personal Data. SupplyHive must make reasonable efforts to grant Data Subjects’ requests to access their Personal Data. In accordance with these procedures, Data Subjects may ask SupplyHive whether it maintains Personal Data about them, and the contents, if any, of that data. If SupplyHive denies access, it should provide the Data Subject the reasons for such denial and allow the Data Subject to challenge the denial.

3.8      Controls

A fundamental component of our Privacy Policy is controlling access to the critical information resources that require protection from unauthorized disclosure or modification. The fundamental meaning of access control is that permissions are assigned to individuals or systems that are authorized to access specific resources. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods can be implemented to further restrict access. The application and database systems can limit the number of applications and databases available to users based on their job requirements.

3.9      Policy review

This policy shall be reviewed at least annually.

4       REFERENCES

For questions related to the implementation of this Policy, contact CEO Michael Anguiano at [email protected] or Data Privacy Program Manager Scott Wener at [email protected].