Effective Date: January 1, 2023
If you are a California resident and have interacted with us or otherwise provided us with personal information in the following HR contexts in the bulleted lists below, please read this policy carefully as it describes how we collect, use, retain, disclose, and otherwise process your personal information, and the rights you have under California law as to your personal information.
- Current/Former Employees. You are a current or former employee of BioCare, Inc.
- Independent Contractor. You are a current or former contractor of BioCare, Inc.
- Job Applicant. You have applied to a position with BioCare, Inc. previously, such as on https://biocare-us.com/Careers/.
- You are listed as an emergency contact for a BioCare, Inc. employee or former employee.
- You are a beneficiary or dependent of a BioCare, Inc. employee or former employee.
- NOTICE OF DATA PRACTICES
(a) PI Collection and Retention
The first column in the table below lists the categories of personal information we collect, while the second column provides examples of types of personal information within such category. We collect the following categories of personal information listed in the below table. We disclose or otherwise make available personal information to our vendors, affiliates, and related entities, and other parties for the purposes as more fully set forth in the table below. Generally, we disclose personal information for business purposes, and may be considered to “sell” and/or “share” certain categories of personal information to Cookie Operators, as more fully discussed in the Do Not Sell/Share section below where we describe your rights to opt out of the “sale” and “sharing” of personal information
|Category of PI||Examples of types of PI within category||Third Party Recipients|
|1. Identifiers and contact information||Name, alias, postal address, phone number, email address, driver’s license, social security number, employee ID, IP address and other online IDs.||Disclosures for Business Purposes:
Sale/Share: Cookie Operators
|2. Personal Records||Some PI included in this category may overlap with other categories. Examples include name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, education, employment, employment history, bank account number, medical information, or health insurance information.||Disclosures for Business Purposes:
|3. Personal Characteristics or Traits||In some circumstances, we may collect PI that is considered protected under U.S. or California law, such as age, gender, nationality, race or information related to medical conditions, but only when that information is relevant for our business purposes (which, as discussed below, include legal obligations).||Disclosures for Business Purposes:
|4. Commercial Information||Records of products or services purchased or obtained in the HR context, such as benefits you have signed up for.||Disclosures for Business Purposes:
|5. Biometric Information||Not Collected
|6. Internet Usage Information||When you use our online systems or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our internal systems and third-party applications, or other sites, applications, or content.||Disclosures for Business Purposes:
Sale/Share: Cookie Operators
|7. Geolocation Data||If you use our systems or interact with us online we may gain access to the approximate location of the device or equipment you are using, or the location from which you are accessing our systems.||Disclosures for Business Purposes:
|8. Audio, electronic, visual, thermal, olfactory, or similar Information||Examples of this category may include security video and HR help line recordings.||Disclosures for Business Purposes:
|9. Professional or Employment Information||For example, if you are an applicant, your current and prior jobs and education. If you are an employee, examples include your status of employment, title, performance reviews, store location, tenure.||Disclosures for Business Purposes:
|10. Non-public Education Records||For example, official grades, transcripts, class lists, or disciplinary records from your educational institution.||Disclosures for Business Purposes:
|11. Inferences from PI Collected||We may draw inferences from other information we collect about you.||Disclosures for Business Purposes:
|12. Social Security, driver’s license, state identification card, or passport number
|For example, we collect certain government ID numbers when you apply for jobs with us or when we onboard you as an employee.
|Disclosures for Business Purposes:
|13. Account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account||For example, we may collect account logins in combination with passwords for some of our IT systems.||Disclosures for Business Purposes:
|14. Racial or ethnic origin, religious or philosophical beliefs, or union membership||You may provide this information voluntarily in an HR context.||Disclosures for Business Purposes:
|15. The contents of mail, email and text messages, unless Company is the intended recipient of the communication||Like all employers, if you utilize our email or other communications systems, we may review and monitor your communications.||Disclosures for Business Purposes:
|16. PI collected and analyzed concerning health||For example, we may receive information about your health in relation to health insurance and other benefits.||Disclosures for Business Purposes:
Scope of PI: There may be additional information that we collect that meets the definition of PI under the CCPA but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by category of PI.
Retention Details: The CCPA requires us to either disclose length of time we intend to retain each category of personal information listed above, or if that is not possible, the criteria used to determine the period of time it will be retained. Because there are so many different types of personal information in each category, and so many purposes and use cases for different data, we have determined that it is not possible to disclose in a clear manner how long we intend to retain each category. The criteria for determining the retention period is whether we have a legitimate purpose for the retention consistent with the collection purposes and applicable law, and/or a legal obligation or right to retain the data. For instance, we may maintain business records for so long as relevant to our business, and/or may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation.
(b) Sources of PI
We may collect your PI from a number of sources, including:
- You, such as when you apply for a position or become employed or engaged by us (e.g., identification/identity data, contact details, educational and employment data), or otherwise during the course of your employment or engagement
- Your devices and our equipment and systems
- From other personnel through interactions in the course of employment or engagement (e.g., performance reviews by your supervisor, information provided by a co-worker, etc.)
- From third parties (e.g., background check and vendors, references, job agencies), including third-party online services, and from public sources of data
- Our affiliates and related entities
- If you are an emergency contact, beneficiary, or dependent, from your family member or friend who is employed by us.
(c) Use of PI
Generally, we collect, retain, use, and disclose your personal information for HR business purposes and as otherwise related to the operation of our business. Our HR business purposes include the following:
- Employee Intake/ Onboarding/ Offboarding
- Payroll, Reimbursements, and Timekeeping
- Employee activation initiatives and communications
- Training programs and education
- HR IT Systems and Security
- Employee and Performance Management
- Health & Safety/Occupational Health
- Security (including electronic and of premises)
- Other purposes disclosed at the time you provide your information or done at your direction
Additional business purposes that apply to our business more broadly, and that may apply in the HR context, include:
- To assignees or potential assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business
- Compliance with legal obligations or legal process;
- Where we believe we need to in order to investigate, prevent or take action if we think someone might be using information for illegal activities, fraud, or in ways that may threaten someone’s safety or violate our policies or legal obligations;
- Otherwise to the extent not prohibited by applicable law.
The italicized business purposes in the list are those that are specifically defined in the CCPA. Our vendors may also use your PI for business purposes and may engage their own service providers or subcontractors to enable them to perform services for us.
- YOUR HR DATA RIGHTS AND HOW TO EXERCISE THEM
BioCare, Inc. provides California residents the privacy rights described in this section, pursuant to our obligations under the CCPA. To exercise your privacy rights, or, if you are an authorized agent of another exercising privacy rights on behalf of someone else, you can submit a request by the following methods:
Writing to BioCare, Inc.
Attn: Privacy Officer
2826 South Potter Drive
Tempe, AZ 85282
Please respond to any follow-up inquiries we make, including in relation to the request verification process that we describe further below. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media, etc.).
(a) Right to Know/Access
You can make “right to know” (also known as “access”) requests, as described below, up to twice in a 12-month period.
(1) Categories of Personal Information
You have the right to request that we share with you certain information to you about our collection, use and disclosure of your PI over the 12-month period prior to the request date. You can request that we disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI (i.e., if we have, in fact, sold PI); (4) the categories of third parties with whom we shared that PI; (5) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each, the categories of recipients, or that no disclosure occurred; and (6) a list of the categories of PI sold about you in the prior 12 months and, for each, the categories of recipients, or that no sale occurred.
(2) Specific Pieces
You have the right to request a transportable copy of the specific pieces of personal information we collected about you in the 12-month period preceding your request. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we do not even retain for 12 months (and thus, it would not be able to be included in our response to you).
(b) Right to Limit Sensitive PI Processing
(c) Do Not Sell / Share
You have the right to opt-out of the “sale” and “sharing” of your personal information, which are defined in the CCPA in ways that are different from their normal meanings as you may understand them. “Sale” of personal information includes “making available” of personal information to a third party, and “sharing” of personal information includes the “making available” of personal information to a third party for targeted advertising that is served based on an individual’s activity across different websites, applications, or services (defined in the CCPA as “cross-context behavioral advertising” and sometimes referred to as “interest-based advertising”). Neither concept requires money to be exchanged.
“Sales” and “sharing” of personal information may occur when third party operators of cookies and other tracking technologies (“Cookie Operators”) collect information on our websites that meet the definition of personal information. We understand that giving access to personal information on our websites to certain Cookie Operators could be deemed a “sale” and/or “sharing” under the CCPA. Therefore, we will treat such personal information (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Cookie Operators as such, except in circumstances where they are able to act as “service providers”, which are vendors that agree to process personal information pursuant to limited purposes.
Below, we provide you instructions on how to opt-out of the activities we have just described that may constitute “sale” and “sharing”.
Opt-out for cookie PI: If you want to opt-out of the Sale/Sharing of such PI, you can exercise an opt-out request on our cookie management tool . Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Please be aware that if you use ad blocking software, our cookie management tool and/or our cookie banner may not appear when you visit our website, and you may have to use the link above to access the tool.
The CCPA also requires us to state that we do not knowingly “sell” or “share” the PI of Consumers under 16.
We may disclose your PI for the following purposes, which are not a “sale” or “sharing”: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
(d) Opt-Out Preference Signals (also known as Global Privacy Control or GPC)
The CCPA requires businesses to process opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicates the individual’s choice to opt-out of the “sale” and “sharing” of personal information. The opt-out preference signal is also known as GPC. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC.
We receive and process OOPS/GPC in a “frictionless manner”, which means that we do not (1) charge a fee for use of our website if you have enabled OOPS/GPC, (2) change your experience with any product or service if you use OOPS/GPC, or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.
We process OOPS/GPC with respect to “sales” and “sharing” that may occur in the context of collection of personal information online by Cookie Operators, discussed above. We do not process OOPS/GPC for opt-outs of “sales” and “sharing” in any other context (e.g., offline data) because our “sale” and “sharing” activities, are limited to personal information collected online by Cookie Operators, as discussed above.
(e) Right to Delete
You have the right to request that we delete personal information that we collected directly from you. However, we may have retention rights or obligations that apply, such as for legal, security, or internal business purposes such as maintaining business records, which we will take into consideration when processing your request.
(f) Correct Your Personal Information
You have the right to request that we correct inaccuracies that you find in your personal information maintained by BioCare, Inc. Your request to correct is subject to our verification (discussed below) and the CCPA’s response standards.
(g) Automated Decision Making/Profiling
We may engage in processing that constitutes automated decision-making or profiling under the CCPA. However, as of the Effective Date, the definitions of these concepts, and any associated opt-out and access rights have not been added to the updated CCPA and finalized.
(h) Non-Discrimination / No Retaliation
We will not discriminate or retaliate against you in a manner prohibited by the CCPA for your exercise of your privacy rights.
- VERIFYING YOUR REQUESTS, AGENT REQUESTS, AND OUR RESPONSES
(a) Request Verification Process
As required by the CCPA, when you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf. In addition, we will compare the information you have provided to ensure that we maintain personal information about you in our systems. We may ask initially that you provide certain verifying information, such as your name, home address, email address, phone number, etc. We will review the information provided as part of your request and may ask you to provide additional information via e-mail or other means as part of this verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. The same verification process does not apply to opt-outs of ”sale” or “sharing”, or Limitation of Sensitive PI requests, but we may apply some verification measures if we suspect fraud.
The verification standards we are required to apply for each type of request vary:
We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request.
If we cannot verify you in respect of a certain requests, such as if you do not provide the requested information, we will still take certain action as required by the CCPA. For example:
- If we cannot verify your specific pieces request, we will treat it as a categories request.
(b) Agent Requests
You may use an authorized agent to make a request for you via the above methods, subject to our verification of (i) the agent, (ii) the agent’s authority to submit requests on your behalf, and (iii) of you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.
(c) Our Responses
Some personal information that we maintain is insufficiently specific for us to be able to associate it with an individual (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that personal information in response to those requests. If we cannot comply with a request, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify personal information that we maintain to respond to your requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
- OUR RIGHTS AND THE RIGHTS OF OTHERS
- CONTACT US
If you have any questions, comments, concerns, or complaints about our privacy practices, please contact us as indicated below.