Privacy Policy

Effective August 1, 2019

Content

  1. General Information 
  2. Contact Information 
  3. Personal Data We Collect and Purposes for which it is Used 
  4. How We Share Personal Data
  5. Transfers of Personal Data
  6. Criteria and Time Period for Retaining Personal Data 
  7. Rights Available to You 
  8. How We Store Personal Data 
  9. Anonymized Data 
  10. Children 
  11. Changes to this Privacy Policy 

A) General Information

Herrmann International, Inc., is referred to in this Privacy Policy as Herrmann or by first person pronouns such as we, us, our, etc.

This Privacy Policy applies to i) all users of Internet websites published by Herrmann, ii) all users of Herrmann products and services, and iii) other individuals whose personal data (as described below) is collected or processed by Herrmann. All such individuals are referred to in this Privacy Policy by second person pronouns such as you, your, etc.

This Privacy Policy describes the types of personal data we may collect from you, how we collect it, how we use it, how we share or disclose it, how we store it, and your choices regarding the use and processing of your personal data.

As used in this policy, “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

B) Contact Information


Headquarters

Herrmann will control the use of your personal data. You may contact Herrmann at: 

Herrmann International, Inc.
P.O. Box 389
Forest City, NC 28043
privacy@thinkherrmann.com

EU Representative

Our representative in the European Union is Herrmann International UK. You may contact our representative at: 

Herrmann International UK
10 John Street
London, WC1N 2EB
+44 (0) 208 123 7155
ukservice@thinkherrmann.com

C) Personal Data We Collect and Purposes for which it is Used

Information necessary to access products and services

Account Information

We collect and process information needed to create an account from which you can access our products and services.  Your account will store and provide you with information regarding assessments you have taken, your assessment results, activities in which you have participated, and similar information associated with services you obtain from us.  The information we collect to create your account includes your first and last names and an email address, all of which will be used by us to communicate with you regarding your account and services. You will also be required to provide a password of your choice (which must meet certain specifications to promote security) that you will use when accessing your account. 

Our legal bases under the GDPR for processing this data include:

  • the processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • the processing is necessary for legitimate interests we pursue in operating our business and providing products and services to you (GDPR Article 6, Section 1(f)).

Responses to assessment questions

If you participate in an assessment, we will first obtain your consent to process your personal data, including contact information, assessment responses, and resulting profiles and reports as reasonably necessary to conduct the assessment. Optional demographic and research information may also be requested. We use assessment data to create and deliver reports, such as the HBDI® individual profile reports, team reports and other reports. Your consent will establish a legal basis for such processing in accordance with GDPR Article 6, Section 1(a). The consent document for each assessment will provide you with specific information regarding how your data will be processed prior to your taking the assessment.

Processing payments

To enable purchases of products and services, we collect data necessary to process payments. Such information may include a credit card number and the associated security code if that is your chosen method of payment.  

Our legal bases under the GDPR for processing this data include:

  • the processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • the processing is necessary for legitimate interests we pursue in operating our business and providing products and services to you (GDPR Article 6, Section 1(f)).

Information we use to provide you with information about our products and services

To provide you with information regarding our products and services, we may collect your first and last names, telephone number, address, and email address. Your consent will establish a legal basis for such processing in accordance with GDPR Article 6, Section 1(a). Your consent will normally be established by your clicking a box requesting such consent. You may withdraw your consent at any time by sending a request to privacy@thinkherrmann.com.

Information processed via cookies

Our websites and services use “cookies.” Cookies are small text files that a website transfers to your computer’s local storage. We may use cookies to measure traffic patterns, personalize content, control security and help us make our websites more useful. The cookies we use may identify your OS version, browser and Internet specifications. You have the choice to accept, reject or be notified when a site sets a cookie by configuring your browser preferences. You may view our Cookie Policy by clicking here.

Our legal bases under the GDPR for processing cookie data include:

  • if the processing is necessary to carry out electronic communications with you or to provide certain functions desired by you, or if processing is pursuant to our legitimate interest in providing the technically error-free and optimized delivery of our services, we may process the data in accordance with GDPR Article 6, Section 1(f); or
  • for processing data related to cookies used for other purposes we may process the data in accordance with your consent (GDPR Article 6, Section 1(a)).

Information automatically collected and stored in log files

Our websites may automatically gather and store certain information in log files, including IP Address, browser type, Internet service provider, referring/exiting pages, operating system, date/time stamp and clickstream data. 

Our legal basis under the GDPR for processing log file data is our legitimate interest in providing the technically error-free and optimized delivery of our services in accordance with GDPR Article 6, Section 1(f).

Other Information and Purposes

We also use personal data, to the extent necessary to:

  • protect against and prevent fraud, legal claims, and liabilities; and to manage associated risk exposure; 
  • respond to your inquiries and requests;
  • process and manage opt-out or unsubscribe requests; 
  • comply with applicable laws, regulations, codes, and industry standards and practices; 
  • create and send communications to you; 
  • respond to subpoenas or to orders of a court or government agency; and 
  • establish, exercise, or defend legal claims, including, without limitation, to protect our rights and/or property.

Our legal bases under the GDPR for processing this data include:

  • the processing is necessary for the performance of a contract to provide you with our goods or services (GDPR Article 6, Section 1(b)); or
  • the processing is necessary for legitimate interests we pursue in operating our business and providing products and services to you (GDPR Article 6, Section 1(f)).

In some cases, our apps may permit you to enter, sync, store and process third party personal data, which will not be accessible to us. If you choose to use such app functionality, you are responsible for processing the personal data you enter, sync, store and process in conformance with all applicable data processing and privacy laws and regulations.

D) How We Share Personal Data

Your personal data will be accessible by our employees who require access in order to fulfill your requests and orders and to further our business interests as described above. We may share your personal data with our affiliate, Herrmann Global LLC, and with our licensees, distributors and contracted service providers to enable these organizations and individuals to provide our products and services to you, for customer support, marketing, technical operations and account management purposes, and to perform other activities described in this Privacy Policy. We do not share, sell, rent, or trade any personal data with third parties for any purposes unrelated to our own business. Contractors and service providers that process personal data on our behalf must sign contracts with us that conform to the requirements of GDPR Article 28, Section 3.

Examples of data processing services that may be performed by contractors on our behalf include: 

  • hosting our websites and services; 
  • hosting our email server; 
  • processing your orders and payments; 
  • maintaining, enhancing, or adding to the functionality of our websites; 
  • collecting web analytics data; and
  • performing other administrative services.

Other parties we may share personal data with include: 

  • governmental authorities pursuant to applicable laws or court process, or as we reasonably deem necessary to prevent harm, financial loss, fraud or illegal activity; 
  • the successor in interest to all or a portion of our business or assets; provided that should such a transfer occur, we will require such successor to agree in writing to use, protect, and maintain the security, integrity, and confidentiality of the transferred personal data in accordance with our Privacy Policy; and 
  • others pursuant to consent obtained from you.

If you participate in taking the HBDI® thinking preference assessment or other assessments offered by us, we may share your contact information, assessment responses, and assessment results with certified practitioners who have been accredited by Herrmann to administer assessments and interpret assessment results and reports. We may also share such data with persons assisting certified practitioners. Before receiving your data, all persons described in this paragraph must have: (i) agreed to protect the data and to use it only for the purposes described in this paragraph; and (ii) been determined by us to have a legitimate need to access assessment data in order to facilitate, administer or coordinate assessments.

E) Transfers of Personal Data 

We use the transfer mechanisms described below for transfers of personal data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of their respective data protection laws and regulations: 

  • Our EU-U.S. and Swiss-U.S. Privacy Shield Framework self-certifications apply to transfers made to facilities or systems owned or controlled by us or by our affiliate, Herrmann Global LLC, located in the United States. We comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. Under the Privacy Shield Framework, we are subject to the investigatory and enforcement powers of the FTC. It is possible, under certain conditions, for you to invoke binding arbitration before a Privacy Shield panel regarding a dispute. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may be liable under the Privacy Shield Framework for onward transfers of personal data to third parties. We commit to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and to comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship. In compliance with the EU-US and Swiss-US Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information.
European Union or Swiss individuals with inquiries or complaints regarding this privacy policy should first contact us at: Herrmann International, Inc. P.O. BOX 389 Forest City NC 28043 privacy@thinkherrmann.com

We have further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please contact the independent recourse mechanism listed below.

NON-HR RECOURSE MECHANISM http://www.bbb.org/EU-privacy-shield/for-eu-consumers (BBB EU Privacy Shield Program) If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at: https://www.privacyshield.gov/article?id=ANNEX-I-introduction 

  • In other cases, we will seek your prior consent before transferring your personal data to countries not determined to ensure an adequate level of data protection within the meaning of the applicable data protection laws and regulations.

F) Criteria and Time Period for Retaining Personal Data

We will retain your personal data for a period of time consistent with the original purpose of its collection. We also may retain your personal data during the period of time needed for us to pursue our legitimate business interests, conduct audits, comply with our legal obligations, resolve disputes and enforce our agreements.

G) Rights Available to You

Persons whose personal data is governed by the GDPR have several rights related to the processing of their data which are explained below. We extend these rights to everyone whose personal data we process.  In cases where you have given us your consent to collect and use your personal data, you have the right to withdraw that consent at any time (without affecting the lawfulness of processing based on your consent before its withdrawal). You may direct such requests to: Herrmann International, Inc P.O. BOX 389 Forest City NC 28043 privacy@thinkherrmann.com.

The following rights are available to you:

  • The right to request access to personal data (GDPR Article 15)—You have the right to obtain confirmation from us regarding whether we process personal data about you, and, where that is the case, access to the personal data and certain information about how and why we process your personal data.
  • The right to rectification of personal data (GDPR Article 16)—You have the right to rectification and/or completion if the personal data concerning you is incorrect or incomplete.
  • The right to be forgotten/Right to erasure (GDPR Article 17)—You have the right to obtain the erasure of your personal data where one of the following grounds applies: 

○ your personal data are no longer necessary in relation to the purpose for which they were collected or otherwise processed;

○ you withdraw consent and we have no other legal ground for the processing;

○ your personal data have been unlawfully processed;

○ your personal data must be erased for compliance with a legal obligation; or

○ your personal data is collected in the context of information society services pursuant to GDPR Article 8, Section 1.

  • The right to restrict processing of your personal data (GDPR Article 18)—You have the right to restrict processing of your data under the following conditions: 

○ the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data; 

○ your personal data have been unlawfully processed and you request the restriction of processing instead of deletion;

○ we no longer need the personal data for the purpose of the processing, but the personal data is required by you for the establishment, exercise or defense of legal claims; or

○ you have objected to processing pursuant to GDPR Article 21, Section 1 and it has not been determined whether our legitimate grounds override yours.

  • The right to object to processing of your personal data (GDPR Article 21)—You have the right to object to our processing of your personal data based on legitimate interests (GDPR Article 6, Section 1(f)), for the performance of a task carried out in the public interest (GDPR Article 6, Section 1(e)) or for direct marketing purposes.
  • The right to data portability (GDPR Article 20)—You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, as far as:

○ the processing is based on consent or on a contract pursuant to GDPR Article 6, Section 1(b); or 

○ the processing is carried out by automated means.

  • The right to lodge a complaint with a supervisory authority—You have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. 

You are not required to provide us with any personal data we may request. However, if the requested information is necessary for us to provide any product, service or information requested by you, we will be unable to fulfill your request.

H) How We Store Personal Data

Personal data is stored on servers and systems that are owned by us or by contractors engaged by us under written agreements which comply with GDPR Article 28, Section 3 and this Privacy Policy. We maintain appropriate technical, administrative and physical safeguards to protect personal data received or collected by us. We review, monitor and evaluate our privacy practices and protection systems on a regular basis. Transmission of personal data is protected by SSL encryption when it is exchanged between your web browser and Herrmann. We also provide secure https access to the htms.hbdi.com website and to axon.herrmannsolutions.net. Axon is hosted on virtualized servers in an industry-leading cloud computing environment. All infrastructure is protected by a virtual private cloud, and access to that infrastructure by administrators is controlled via a zero trust security web portal which requires two-factor authentication. Key information security certifications including ISO/IEC 27001 and ISAE 3402 are enabled. Notwithstanding the foregoing measures, transmissions over the Internet or a mobile network are not 100% secure and we do not guarantee the security of transmissions. We are not responsible for any errors by individuals in submitting personal data to Herrmann.

I) Anonymized Data

We may use, transfer, sell, and share aggregated, anonymous data, which does not include any personal data, about our website’s users as a group for any legal business purpose, such as analyzing usage trends, generating reports and insights on the relationships within the data as well as with other data sets, providing services on the basis of the data, or seeking compatible advertisers, sponsors, clients, and customers.

J) Children

We do not knowingly market our products or services to, and do not solicit or collect information from, children under the age of 16. We may ask users for their age to ensure that we are not collecting information from children under age 16 or to identify when additional steps may be necessary in connection with information collected from persons as required by the jurisdiction in which they reside. If we learn that we have collected personal data from a child under age 16 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any personal data from or about a child under 16, please contact us at: privacy@thinkherrmann.com.

K) Changes to this Privacy Policy

This policy may be amended from time to time, consistent with the requirements of any applicable laws. We will post the revised version on our website and update the "Effective" date above to reflect the date of the changes.