Six Seconds Privacy Policy

Version 4.4
Last Revised: July 1, 2022

 

Introduction

Keeping your Personal Data (the same as Personal Information) secure, while ensuring your Privacy, is a big deal to us at Six Seconds.

The goal of a Privacy Policy/Notice is to inform everyone of:

  • what data we collect and why;
  • how your data is handled by us;
  • what entitles us to process it;
  • and your rights under applicable Personal Data Protection laws.

We (at Six Seconds) do not, and never will, sell Personal Data.

We will modify this Privacy Policy from time to time, as needed, always posting a time-stamped updated version.

 

Applicable Laws

This Privacy Policy is provided to you, in line with the following Applicable Personal Data Protection Legislation:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (the GDPR), which became enforceable across the EU and the EEA from May 25th, 2018 having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).

 

  • The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;

 

  • The California Consumer Privacy Act 2018 (the CCPA), assembly Bill of the State of California United States of America No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by Governor June 28, 2018. Filed with Secretary of State June 28, 2018 and enforceable from January 1st, 2020 onwards.

 

  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law that sets national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as “protected health information”) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.

 

The primary goal of Processing Personal Data is to allow Six Seconds to identify those natural persons who have either joined programs that are supported by Six Seconds under the scope of Emotional Intelligence Assessments or act as Certified Practitioners towards such assessments (the “Certs”).

Another goal is to allow our Certs to perform the emotional intelligence assessments or other similar processes over the Six Seconds platform, either by inputting the Personal Data pertaining to those natural persons who participate in those activities or by allowing them to input the Personal Data pertaining to them on their own.

Six Seconds also retails 3rd party products, which implies the need to Process Personal Data pertaining to those Customers who acquire them, both for the sale and for the delivery of those products.

Six Seconds (both as an organization and each of its staff members) is perfectly aware of the fact that Personal Data/Health Information may represent a risk towards you if accessed by unauthorized 3rd parties. That is why a set of Policies, Operational Processes, and mechanisms (technological and human-based) has been developed, ensuring that the Personal Data entrusted by you to Six Seconds will be maintained, handled and shared in a manner that warrants its Security, Accuracy, Confidentiality, and Privacy, hence assuring your Personal Data Protection.

 

Each and every Data Subject maintains full control over the Personal Data that pertains to him/her, as well as over the Personal Data Processing Activities undertaken by Six Seconds.

Anyone who is identified as being under 18 years of age is not allowed to use our service, therefore if any Personal Data has been gathered pertaining to such an individual, it shall be immediately erased from all repositories, and the user privileges will be revoked.

 

What we do with Personal Data

We do not process any data that is not required as an enabler for the delivery of our services to you.

The Personal Data under processing through our Services or otherwise consist of the following categories:

  • If you are undergoing an emotional assessment or receiving coaching support through our platform and methodology:

    –  Business and personal contact data, such as your first and last name, e-mail and mailing addresses, phone number, job title and organization name.

    –  Assessment data, including the responses you provide to any behavioural assessments we make available to you and any Personal Data about you which is contained within reports issued by us, based on those responses.

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

  • create and provide assessment reports based on the replies you provide when completing our assessments;
  • enable security features of the Services, such as sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
  • communicate with you about the Services, including sending you announcements, updates, security alerts, and support and administrative messages;

These data sets (above) are processed under either the Legal Basis of fulfilling a Contractual Obligation (where we have been hired by your employer or another organization, or a “Cert” is using our services to deliver his/her services to you or your organization), as in the case of a registered user; or Legitimate Interest, while the natural person inputting the data has not yet been identified but is doing so of his/her own free will.

In these circumstances and as defined under the GDPR, Six Seconds acts as a Processor, meaning under the instructions of a Controller, which is either a Corporate Client or a Cert.

  • If you are a certified assessor (“Cert”):

    –  Profile data, such as your first and last name, e-mail address, and password when you create an account to log in to our Services (“Account”). You are also required to tell us where you are based.
    –  Demographic data, such as your city, state, country of residence, postal code, and age.
    –  Content you choose to upload to the Services, such as text and images, along with the metadata associated with the files you upload.

 

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

  • provide, operate and improve the Services, including to facilitate the creation of, maintain and secure your Account;
  • enable security features of the Services, such as by sending you security codes via email or SMS, and remembering devices from which you have previously logged in;
  • communicate with you about the Services, including by sending you announcements, updates, security alerts, and support and administrative messages;

 

This data set is processed under the Legal Basis of Explicit Consent provided by the natural person (Data Subject) who enrols as a Cert.

Let it be noted that where Six Seconds may directly offer a service to a Data Subject (meaning with no intervention from a 3rd party, either a Cert or a Corporate Client), the Legal Basis for the Processing of Personal Data is Explicit Consent by that Data Subject.

  • If you are a user taking an assessment on our Services, a certified assessor, a Customer or any other type of website visitor:

    –  Feedback or correspondence, meaning Personal Data you provide when you contact us with questions, feedback, or otherwise correspond with us online.

     

This data set is processed under the Legal Basis of Legitimate Interest since it is mandatory for the delivery and quality assurance of the services that we deliver to you.

  • Transaction data, consisting of data about payments to and from you and other details of products or services you have purchased from us.

This data set is processed under the Legal Basis of Explicit Consent that derives from the fact that you have taken action to purchase a product or service from us.

  • Profiling

    –  Usage data, meaning data on how you use the Services and interact with us, including where you use any interactive features of the Services.
    –  Marketing data, such as your preferences for receiving communications about our activities, events, and publications, and details about how you engage with our communications.

 

The purpose and scope of Processing such categories of Personal Data pertaining to you consist of:

  • improve the quality of experience when you interact with our Services;
  • respond to your requests, questions and feedback;
  • understand your needs and interests, and personalize your experience with the Services and our communications.

 

Our Legal Basis for proceeding with these Profiling activities is Legitimate Interest; however, because it is “Profiling”, you may exercise your Right to Opt-out or object to such Processing activities at any time.

  • Information and Marketing

We may send you Six Seconds-related marketing communications (including newsletters, surveys and other promotional materials related to the Services and other products and services we offer) as permitted by law. You will have the ability to opt-out of our marketing and promotional communications by exercising your Rights under the law.

We do not share Personal Data with any 3rd party that is not involved in the delivery of our services (not a Controller or a Processor) and which bears a relevant role in specific Personal Data Processing Activities, unless under a legal obligation.

 

The Controller

The Controller is Six Seconds Europe, a company established in the European Union, 2a Drinan Street OSullivans Quay, Cork. T12 CY28 Ireland, being the for-profit affiliate of sixseconds.org, a non-profit company out of the U.S.

 

DPO contacts

We have someone in our team who is responsible for ensuring our ongoing compliance with applicable Personal Data Protection laws. Here are his identification and contact details:

Mr. Rui Serrano

Country: Portugal, European Union

email – [email protected]

 

Data Retention

We will maintain your Personal Data for the duration of the service contract with our Corporate Client (where that is the case) or until you ask us to erase it by exercising your Rights under the law.

Note that if you have been enlisted with us by our Corporate Clients (including “Certs” that resort to our tools) and you ask for your Personal Data to be erased, we will inform our Corporate Client of that request, and it shall be that Client's decision whether to erase the data or not, since our contractual obligation is to assure the service towards all of its registered users.

The erasure of your Personal Data takes place over both “live repositories” and backups, as determined under the law, upon 30 days of either your valid request for it to be erased or after termination of the service contract with our Corporate Client.

 

Ensuring the Security and Confidentiality of your Data

We resort to secure and encrypted hosting environments to host and process your Personal Data, observing the highest market standards and operated under market best practices, and all transfer of Data from and to your browser is also encrypted.

Regardless of the potential need to transfer your Personal Data to other countries (so our partners may provide their component of our service), we have in place all technical and legal measures/commitments required by law.

Our partners (in the delivery of our service) consist of:

  • Amazon Web Services – for the hosting of our service on the Cloud in the U.S.;
  • Slack and Zoom – as a communication channel.

 

Your Rights under the Law

You may exercise the following Rights where these apply to you:

[HIPAA] The right to receive a notice of privacy practices. Please refer to this Privacy Policy plus the information provided to you upon requesting your Explicit Consent to become a “Participant”.

[GDPR] Right of access. The right to obtain from us confirmation as to whether your Personal Data is being processed by us, and where that is the case, access to such Personal Data. To prevent violating your Privacy there may be the need to identify you prior to sharing the Personal Data with you.

[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:

  • Know the categories of personal information we collect and the categories of sources from which we got the information;
  • Know the business or commercial purposes for which we collect and share personal information;
  • Know the categories of third parties and other entities with whom we share personal information; and
  • Access the specific pieces of personal information we have collected about you.

[GDPR] Right to rectification – you can ask for the update of inaccurate Personal Data pertaining to you. You may directly amend existing information while logged in, or by submitting a request as defined further below.

[GDPR] Right to erasure – you can ask us to erase your Personal Data, which will be done unless there is a legal obligation or Legitimate Interest from our side to maintain it.

[CCPA] Right to deletion – again, in a similar manner to what the GDPR rules, natural persons who reside in the state of California may ask us to delete their Personal Data.

[GDPR] The right to restrict processing – you may request that we put in place specific processing restrictions. If you exercise this right, make sure to explain what those restrictions are and the reason for the request, and we will provide you a reply, either acknowledging your request or denying it and explaining why.

[GDPR] The right to object to processing – you may object to processing activities that occur under our Legitimate Interest; however, we may refuse to comply if that means no longer being able to deliver our services.

[CCPA] Right to opt-out of sales – As previously informed, we do not “sell” Personal Data.

[GDPR] Right to data portability – you may ask us to provide all the Personal Data that we have pertaining to you or just some that you specifically ask us for.

[GDPR] Right to be informed about a Personal Data Breach – in case of an incident that breaches your Privacy (in the sense that your Personal Data under Processing by us has been, or even potentially has been, exposed to unauthorized 3rd parties) you have the Right to be informed within 72 hours of such incident.

[GDPR] Right to lodge a complaint with a supervisory authority – you have the right to lodge a complaint regarding our Processing activities over your Personal Data with any of the EU Member States' data protection Supervisory Authorities.

[CCPA] Right to be free from discrimination – You may exercise any of the above rights without fear of being discriminated against.

For any of the above-mentioned CCPA-related rights, you may designate an authorized agent to submit a request on your behalf. In the request, you or your authorized agent must provide sufficient information for us to confirm the identity of such authorized agent as well as your own. We are also required to verify that your agent has been properly authorized to request information on your behalf, and this may require additional time to fulfil your request.

 

Exercising your Rights

You may exercise your Rights towards us by sending us an email to [email protected]

 

Final note

Our service includes links to other websites whose privacy practices may differ from our own. If you submit personal data to any of those sites, your information is governed by their privacy policies, hence we strongly encourage you to carefully read the privacy policy of any website you visit.