How Are Changes to this Privacy Policy Communicated?

Any information we collect is subject to the Privacy Policy in effect at the time the information is collected. We may, however, change, modify, and revise our Privacy Policy, from time to time. Although most changes are likely to be minor, if we make a change in the way we collect, use, or share your personal information, we will update this policy and the “last updated on” date above. Additionally, we may notify you via email or prominent notice on our Site or within your account. If you object to any change, you should stop using the Site and Services. Your continued use of this Site or Services, after we post any changes on this page, is subject to the updated Privacy Policy.

What Information Do We Gather About You?

We only collect information about you if we have a reason to do so (e.g., provide or improve our Services, or communicate with you). When you access our Site or use the Services, we process certain information about you, including “Personal information.” Personal information is information that, alone or in combination with other information in our possession, could be used to personally identify you and personal information may include certain health related or background information which is considered sensitive in some jurisdictions. We collect the following categories of personal information and other information as described below.

2.1. Information You Provide. We may collect or receive the following categories of personal information when you, your employer, or your employer’s designated agent or administrator access the Site, request to receive information about Zenefits or its Services, create an account, verify your identity, use any of the Services, or otherwise communicate with us, including through customer support channels.

• Identification Information, such as:
  • Name, mailing address, phone number, birthdate, email address;
  • Social Security Number or Social Security Card;
  • Government-issued documentation, such as a driver’s license, passport, or birth certificate.
• Taxpayer Information, such as:
  • Federal Employer Identification Number (FEIN), Taxpayer Identification Number (TIN);
  • Tax withholding selections, including how many dependents you have, jobs you’ve worked, and your tax filing status.
• Financial Information, such as:
  • Bank account and routing number;
  • Bank account balance and transaction number.
• Health and Welfare Benefits Information, such as:
  • Identification information for you and your dependents;
  • Insurance policy information, including plan numbers, benefits and coverage information, and premium amounts;
  • Insurance claim information, including monetary amounts, CPT codes, and other information required to process or verify claims;
  • Life events and conditions that impact benefits eligibility, including marital status, employment information, and illness or disability information.
• Additionally, we may collect personal and other information, when you voluntarily:
  • Register for, attend, or participate in conferences, webinars or events;
  • Provide us feedback or comment on our blogs or social media pages;
  • Participate in surveys, contests, sweepstakes, or promotions;
  • Submit information to allow us to assess potential business opportunities;
  • Apply for a job position with us.

2.2. Information Collected Automatically. Certain information is collected automatically when you access the Site or use the Services.

• Electronic & Online Identifiers (IDs), such as:
  
  • If on a mobile device: mobile carrier, device IDs, and mobile advertising IDs;
  • If using a browser: operating system, browser type, and Internet Protocol (IP) address.
• Geolocation Information, such as:
  • Approximate location derived from IP address (if using a browser).
  • Precise location (based on your device’s GPS coordinates) if you have opted into a product feature that includes it (such as a geo-fenced or geo-location time tracking service).
• Internet Activity Information, such as:
  • Your “log-in” and “log-out” information;
  • Pages you visit before, while, and after, using our Services;
  • Pages you visit, content you view, and links you click, while on our Site.
• Single Sign-On Information (SSO) which allows us to verify your authorized access to the Services from another service you use and with which we partner, such as your email provider.
• We collect information using “Tracking Technologies”, such as:
  • Cookies – which are small text files that websites send to your computer or mobile device. This includes session cookies (which are deleted once you close your browser) and persistent cookies (which remain on your computer or device until you delete them or they expire).
  • Clear GIFs, Pixel tags/scripts (sometimes called web bugs or web beacons) – are pieces of code embedded in our Services that collect information about engagement on our Site or through emails. To make it easier, we call cookies, clear GIF’s, pixel tags/scripts and web beacons “Tracking Technologies.”
• We use Tracking Technologies for the following purposes:
  • when it is operationally necessary for us to provide you access to our Site or Services. This also includes tracking behavior in order to protect against irregular, fraudulent, or possibly illegal behavior on our Site or Services;
  • to assess the performance of how you and others use our Site and Services (for more information, read the Analytics section below);
  • to enhance the functionality of our Site or Services. This includes identifying you when you sign into our Services and keeping track of your preferences, interests, or past items viewed;
  • to target our advertising to you using Tracking Technologies that we or our third-party partners place on our Site or other websites, including to monitor user behavior, deliver cookies, collect information, count visits, understand usage and campaign effectiveness, and to tell if a recipient has opened and acted upon an email.

2.3. Information Collected From Third-Parties.

We may collect and receive information about you, including personal information, from third-parties, such as your employer, your employer’s agents or service providers, financial institutions, credit bureaus, insurance carriers and third-party administrators, as well as our service providers, for the purposes described in this Privacy Policy.

• Ads and Analytics Services Provided by Others. Ads appearing on any of our Services may be delivered by advertising networks. Other third parties may provide analytics services via our Services. These ad networks and analytics providers may set Tracking Technologies (like cookies) to collect information about your use of our Services and across other online services and websites. Information regarding your Privacy Choices and how to opt out of third-party ads and analytics is provided in Section 5.1 below. Please note this Privacy Policy only covers collection of information by Zenefits and does not cover the collection of information by third party advertisers or analytics providers.
• Social Media Platforms. Our Site or Services may contain social media buttons such as Facebook, Instagram, LinkedIn, and Twitter (including widgets such as the “share this” button or other interactive functionality). By using these features, you are consenting to allow the social media platform or other third-party service to collect and share your IP address, which page you are visiting on our Services, and set a cookie or Tracking Technologies to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the social media platform or third-party service providing it.
• Other Third-Party Services. We may use, IdentityMind, Plaid Technologies, Inc. (“Plaid”) or other Third-Party Services to collect information from financial institutions. By connecting your bank account using IdentityMind, Plaid, or other Third-Party Services you acknowledge and agree that such information will be treated in accordance with their privacy policies, IdentityMind’s Privacy Policy and Plaid’s Privacy Policy are linked for convenience.

What Do We Do With the Information We Collect About You?

3.1. Operate our business, including but not limited to:

• Manage and enforce contracts with you or third-parties;
• Process payment transactions;
• Manage our corporate governance, compliance and auditing practices;
• Recruit new hires if you submit an application for employment with us;
• Generate anonymized or aggregated data.

3.2. Communicate with you as part of your use of Services, including, but not limited to:

• Respond to requests or questions you submit;
• Send you surveys and get your feedback about the Services;
• Otherwise contact you with Services-related notices.

3.3. Improve and provide you with the Site and Services, including, but not limited to:

• Operate the Site, manage accounts, and provide Services;
• Determine your eligibility for our Services and programs;
• Investigate, repair, and help prevent Site and Services issues;
• Improve, personalize, and enable your use of the Site and Services;
• Develop new products and features.

3.4. Protect Zenefits, our Customers, Users, and the public, and to comply with applicable laws, regulations, or legal process, including to:

• Validate user information for fraud and risk detection purposes;
• Resolve disputes and protect the rights of users and third-parties;
• Respond to claims and legal process (such as subpoenas and court orders);
• Monitor and enforce compliance with the applicable Terms of Service;
• Prevent or stop any activity that may be illegal, unethical, or legally actionable.

3.5. Advertise and market to you, including to:

• Determine your eligibility for certain programs, events, and offers;
• Inform you of our or our partners’ products, services, features or promotions;
• Provide you with newsletters, articles, reports, and announcements;
• Develop “interest-based” or “personalized advertising,” including through cross-device tracking.

3.6. Recruit and hire, including to:

• Evaluate applicants and communicate with them.

3.7. For any other purpose for which you, your employer, or your employer’s agent expressly authorize us to use your information.

With Whom and When Do We Share Your Information?

We share your information in limited circumstances, and with appropriate safeguards on your privacy, with the categories of third-parties listed below:

4.1. Advertising Partners that utilize Tracking Technologies in order to deliver advertisements about us that are personalized to you and your interests when you visit their websites (“interest-based advertising” or “personalized advertising”).

4.2. Business Partners with whom we jointly offer products or services. Examples include:

• Subsidiaries and independent contractors. We require our subsidiaries and independent contractors to follow this Privacy Policy for any Personal Information we share with them.
• Insurance providers and carriers or third-party administrators, for users of our Benefits Service. We will share your protected health information (“PHI” as defined in 45 C.F.R. Part 160) only as is (i) authorized by you; (ii) necessary for us to provide you with the Benefits Service; and (iii) compliant with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), as amended from time to time.
• Third-party partners that provide services through our Site or Services, such as background checks (ex: Checkr), accounting software (ex: QuickBooks, Xero, Expensify), and 401(k) management (ex: Guideline). Some partners offer you their services through our Application Program Interface (“API”) or Software Development Kits (“SDKs”). For more information about Zenefits’ use of API’s and SDK’s, please contact us.

4.3. Governmental Agencies, including state and federal taxing authorities and their authorized collectors.

4.4. Other parties under the circumstances described below:

• For legal reasons including:
  • With companies that verify your identity and detect illegal activity and fraud;
  • With financial and legal advisors, auditors, examiners, and certain (including, potential) investors;
  • With companies if we are involved in a merger, acquisition, or sale of assets.
• To comply with applicable law, regulations, or legal process, including to:
  • Comply with law enforcement and national or international security requests;
  • Comply with legal process, such as a court order or subpoena (including in a country other than your home country);
  • Protect your, our, or others’ rights, property, or safety;
  • Enforce our policies or contracts and collect amounts owed to us;
  • Assist with an investigation or prosecution of suspected or actual illegal activity.
• To manage our referral program, including emailing potential customers you referred to us, which reference you as the referral source;
• To further public policy goals, including:
  • Publishing reports that incorporate aggregated, anonymized/non-personally identifiable information about customer and user characteristics, use of Services, including transactions and behavior;
  • Sharing data containing aggregated and/or non-personally identifiable customer and user information with non-profit or non-partisan organizations, academic institutions, trade associations, consultancies, or similar organizations, that have signed a data processing agreement with us that restricts how they can access, use, share, store, and safeguard the information.
• For any other purpose and to any other person with whom you, your employer, or your employer’s agent expressly authorize and consent to us sharing your personal information.

What Are Your Privacy Choices and Rights?

5.1. Privacy Choices. You may have choices about your personal information which are determined by applicable law and described below.

• • “Do Not Track.” Do Not Track (“DNT”) is a privacy setting available on some web browsers; at this time, we do not respond to DNT signals.
  • Email, Text Messages, and Mobile Notifications. We respect your privacy choices and provide you the choice to opt-in and opt-out of direct marketing. We will send direct marketing materials if you have provided opt-in consent, have been referred to us or if applicable law permits us to send marketing communications without explicit consent based on an existing business relationship.
    • You can opt-out of our marketing emails, at any time, by using the unsubscribe link located at the bottom of such emails, or by contacting us as described in Section 12 below;
    • You can opt-out of text messages from us by replying “STOP” or by contacting us as described in Section 12 below. If you decide to opt-out, we may still send you non-marketing communications such as your payday notifications and account, benefits, and compliance communications;
    • You can opt-out from receiving push notifications, and limit access to information by changing the settings on your mobile device.
  • Cookies and Interest-Based Advertising. You may accept, reject, or configure which Tracking Technologies you will allow by changing the settings on your browser. If you block all Tracking Technologies (including strictly necessary cookies), our Services may not work properly through your browser or on your device. Please note: you must separately opt-out in each browser and on each device. We have provided links to popular browsers, for your convenience. You can learn more about the browser’s specific Tracking Technologies settings and your privacy choices, by clicking on the links below:
    • Android Browser
    • Google Chrome
    • Internet Explorer
    • Mozilla Firefox
    • Safari (Desktop)
    • Safari (Mobile)

    Some mobile platforms and applications may allow you to limit Tracking Technologies employed by our mobile application, that enables us to offer you personalized advertisements and content. Additional information and instructions regarding your privacy choices and settings are available through the following third-party links, provided for your convenience: Android, iOS, and others. You may also opt-out of receiving targeted ads from advertising partners that participate in self-regulatory programs, such as the Digital Advertising Alliance, Digital Advertising Alliance of Canada, European Digital Advertising Alliance, and the Network Advertising Initiative.

5.2. Privacy Rights. Depending on where you are located or what state you are a resident of, applicable law may provide you with the following rights:

• Access to the personal information collected about you, including confirming whether we are processing your personal information and obtaining access to your personal information (At any point in time, you can request to access your data. If you wish to access/confirm your data is being processed, please contact us by visiting this page if you have a Zenefits account or this page if you do not have a Zenefits account);
• Request correction or rectification of your personal information, where it is inaccurate or incomplete;
• Request restriction of or object to our processing of your personal information (If you wish to restrict or object to processing of your personal information, please contact us by visiting this page if you have a Zenefits account or this page if you do not have a Zenefits account);
• Consent and withdraw your consent to our processing of your personal information (Before collecting and using your personal data, Zenefits will obtain consent. At any point in time, you can revoke consent and Zenefits will stop using and processing your personal data); and
• Request deletion or erasure of your personal information (If Zenefits receives a request, we will inform all third-parties who have your information of your request. For additional information on when you can request data erasure, please contact us by visiting this page if you have a Zenefits account or this page if you do not have a Zenefits account);
• Portability of personal information (natural persons located in the EEA have the right to transfer personal data from one electronic processing system to another. Unless extended by Zenefits’ request, within ninety (90) days, Zenefits will respond to your portability request and provide you with the desired information in a structured and commonly used electronic format).
• If you are an account holder, you can access, review, update, or correct your Personal Information through your account.
• Because we act as a service provider to our Customers, in some instances we may need to coordinate your privacy requests with the Customer whose account your account is provided through (maybe a current or former employer) and obtain permission from the Customer controlling your information before taking action. As discussed, in Sections 5 and 6, there may be applicable laws or regulations requiring us, or the Customer whose account your account is provided through to, collect and maintain certain information for legal and compliance purposes which preempts individual’s privacy requests.

5.2.1. Exercising GDPR Data Protection Rights

E.E.A. or European Economic Area means all Member States of the European Union, plus Norway, Iceland, and Liechtenstein and for GDPR purposes includes Switzerland and the United Kingdom (UK), after its exit from the European Union. You may exercise your rights of access, rectification, cancellation and opposition by contacting us by visiting this page if you have a Zenefits account or this page if you do not have a Zenefits account. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible. You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data.

5.2.2. California Consumer Privacy Notice

Effective Date: February 1, 2023

This supplemental privacy notice is provided pursuant to the California Consumer Privacy Act of 2018, as amended by the California Consumer Privacy Rights Act of 2020 (“CCPA”) and other laws of California. Zenefits, and our subsidiaries (“Zenefits” “we” or “our”) are providing the following Privacy Statement to explain how we use and disclose personal information that we collect from natural persons who are residents of California, including but not limited to users who visit our California office, Site, or consumers who receive Services directly from Zenefits. The CCPA defines Personal Information, (also known as “Personal Data”), as categories of information that identify, relate to, describe or are reasonably capable of being associated with, or could reasonably be linked, directly or indirectly to a particular natural person or household.

Do Not Sell My Personal Information

We do not sell personal information. However, the Service Providers we partner with (for example, our advertising partners) may use technology on the Services could be considered a “sale” of personal information as defined by the CCPA. If you wish to opt out of the use of your personal information for interest-based advertising purposes and these potential sales as defined under CCPA, you may do so by contacting us as described in Section 12 below.

Right to Equal Service

We will not discriminate against you if you exercise your privacy rights, including by: (1) denying goods or services to you; (2) charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties; (3) providing a different level or quality of goods or services to you; or (4) suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Right to Know and Access

Where Zenefits acts as the controller of your personal information, you may submit a verifiable request for information we may have about you. To make such a request, please contact us as described in Section 12. In order to verify any request, you may need to log into your account or respond to an email verification request.

Right to Delete

Where Zenefits acts as the controller of your personal information, you also have the right to request the deletion of your personal data that have been collected in the past 12 months. To make such a request, please contact us as described in Section 12. Note that certain exceptions to deletion may apply. In order to verify any request, you may need to log into your account or respond to an email verification request.

Right to Correct Inaccurate Information

Where Zenefits acts as the controller of your personal information, you have the right to correct inaccurate personal information we have about you. Please login to the Zenefits Platform and correct the information that is inaccurate.

Exercising Your CCPA Protection Rights

Where Zenefits acts as the controller of your Personal Information, you may exercise any of your California Privacy Rights by contacting us as described in Section 12. In order to verify any request, you may need to log into your account or respond to an email verification request. We will disclose and deliver the required information free of charge within 45 days of receiving your verifiable request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary and with prior notice.

A list of categories of personal information we may collect and how we use that information is set forth below:

Identifiers (such as: contact information, online identifiers, social security numbers and other government-issued ID numbers);

Personal information categories listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)), (such as name, contact information, education, employment, employment history, financial information, insurance policy number, medical information and health information);

Characteristics of protected classification under California or federal law, such as: sex (including pregnancy, childbirth, breastfeeding, and related medical conditions), age (40 and over), race, color, religion or creed, ancestry, national origin, disability, medical conditions, genetic information, marital status, sexual orientation, gender identity and expression, citizenship, primary language, immigration status, military/veteran status, political affiliation/activities, domestic violence victim status, and request for leave;

Commercial information, such as transaction information, purchase history and financial details;

Biometric information, such as facial recognition and fingerprints; Internet or network activity information, such as browsing history and interactions with our website, applications or systems;

Geolocation data, such as device location;

Audio, electronic, visual, and similar information, such as images and audio, video, or call recordings created in connection with our business activities;

Employment-related or professional information, such as work history, previous employers, references, human resources data and data necessary for benefits and related administrative services;

Education information subject to the federal Family Educational Rights and Privacy Act (FERPA), such as student records; and

Inferences drawn from any of the Personal Information listed above to create a profile or summary, for example, an individual’s preferences, abilities, aptitudes, and characteristics.

5.2.3. Verifiable Consumer Request

Only you, or someone legally authorized to act on your or your minor child’s behalf, may make a verifiable consumer request related to your personal information. In order to verify your request, you will need to provide your name, email address, and certain other pieces of identifying information. To designate an authorized agent, please contact us as set forth below.

How Long Does Zenefits Retain Data and Information?

It depends. Typically, Zenefits will retain Customer Data for no longer than 27 months after a legitimate business purpose for the data no longer exists or upon Customer request, whichever occurs first. However, applicable laws might require us to retain your personal information even after you close your account with us.

When deciding how long to keep your information, we consider:

• How long we have had a relationship with you and what Services we have provided to you or your company.
• Whether we are subject to any legal obligations (e.g., any laws that require us to keep transaction records for a certain period of time before we can delete them, such as IRS regulations, HIPAA, state and federal employment laws).
• Whether there are any ongoing disputes, or required legal reporting or disclosures. In such instances, rather than delete your data, we might de-identify it by removing identifying details.

How Does Zenefits Protect Personal and Sensitive Information?

While no online service is 100% secure, we work very hard to protect information and we employ technical, administrative, and physical measures designed to protect your information from unauthorized access and to comply with applicable privacy laws. We monitor our Services for potential vulnerabilities and attacks, and have also implemented controls which require our third-party service providers and partners to have appropriate safeguards to protect your personal information.

Despite these efforts, no security measures are perfect or impenetrable and no method of data transmission can be guaranteed to prevent any interception or other type of misuse. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure. You are also responsible for protecting your information. To enhance the security of your account, we encourage you to enable our advanced security settings, like Two Factor Authentication. If you become aware of any breach of security or privacy, please notify us immediately.

Privacy Policy Regarding Children.

The Services are not directed to children under 13 or intended for a general audience and we do not knowingly gather personal information (as defined by the U.S. Children’s Privacy Protection Act, or COPPA) in a manner not permitted by COPPA. However, if a child under the age of 13 is a dependent on a benefits plan covered by the Benefits Service, we may collect information about the child (solely as needed to provide the Benefits Service) from the child’s parent or legal guardian, or from insurance carriers and third-party administrators. If you are a parent or guardian and believe we have collected information from your child in a manner not permitted by law, please contact us. We will remove the data to the extent allowable by applicable laws.

How is Information Transferred Internationally?

Zenefits is headquartered in the United States of America. If you are located outside the United States, your information is collected in your country and then transferred to the United States — or to another country in which we (or our affiliates or service providers) operate, pursuant to terms of this Privacy Policy. If we transfer your data out of the European Economic Area (E.E.A.) or the United Kingdom (U.K.), we implement at least one of the following safeguards:

• We transfer your information to countries that have been recognized by the European Commission as providing an adequate level of data protection according to E.E.A. standards (see the full list of these countries); or
• We take steps to ensure that the recipient is bound by E.U. Standard Contractual Clauses to protect personal information. You can see a copy of these clauses.

In certain situations, regulatory agencies, security authorities, the courts, or law enforcement agencies, in those countries may be entitled to access your personal information.

What is our Legal Basis?

If you are located in some jurisdictions, like the European Union, European Economic Area, and United Kingdom, we only collect, use, or share information about you when we have a valid reason called a “lawful basis,” which is one of the following:

• The consent you provide to us at the point of collection of your information;
• Performance of the contract we have with you or your employer;
• Compliance of our legal obligations; or
• The legitimate interests of Zenefits or a third-party. “Legitimate interest” is a legal term under international laws, including the European Union General Data Protection Regulation (GDPR). It means that there are valid reasons for the processing of your personal information, and we take measures to reduce the impact on your privacy rights and interests. “Legitimate interest” also refers to our use of your data in ways you would reasonably expect and which have minimal privacy impact.

We have a legitimate interest in collecting and processing personal information, for the purposes of, for example: (1) ensuring that our networks and information are secure; (2) administering and generally conducting business; (3) conducting our marketing activities; and (4) preventing fraud.

What about links to Third-Party websites and services?

This Privacy Policy applies only to our Sites and Services. Some of the Services may contain links to other websites, services, browsers, or applications, not operated or controlled by us (the “Third-Party Sites”). The information that you share with Third-Party Sites will be governed by the stated privacy policies and terms of service of those Third-Party Sites and not by this Privacy Policy. By providing third-party links we do not imply that we endorse or have reviewed these Third-Party Sites. Please contact the Third-Party Sites directly for information regarding their privacy practices and policies.

Contact Us.

If you have any questions about our privacy practices or this Privacy Policy, or to exercise your privacy rights as detailed in this Privacy Policy, please contact us, visit this page if you have a Zenefits account or this page if you do not have a Zenefits account. We work to respond to privacy inquiries, and investigate verified consumer requests and complaints within a reasonable timeframe.