Behaviorally Privacy Governance Policy

Last modified April 2025

Behaviorally (“Behaviorally”) is committed to protecting the information that you share with us, and explaining how we collect, process, and share that information.

1. Introduction

Behaviorally, Inc. (“Behaviorally”) is committed to the proper handling of personal data. This Privacy Governance Policy (“Policy”) serves as an internal framework and reference for Behaviorally’s privacy program to ensure compliance with potentially applicable data protection laws and regulations, including the European Union General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”) (collectively, “GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), and other U.S. state privacy laws. As necessary, this Policy and applicable procedures may be supplemented or modified based on any amendments made to the GDPR, CCPA, and other data protection laws to which Behaviorally may be subject.

2. Key Concepts

  • Data controller: an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. The term has the same meaning as “business” under the CCPA.
  • Data processor: an individual or legal entity that processes personal data on behalf of a controller. The term has the same meaning as “service provider” under the CCPA.
  • Personal data: any information that identifies or could reasonably be linked, directly or indirectly, to an identifiable individual (also referred to as a “data subject”). Personal data includes, but is not limited to, a person’s name, street address, email address, phone number, government ID, date of birth, financial data, account information, education information and history, professional or employment-related information, status and history; geolocation data; technical information such as an Internet Protocol address and device ID.
  • Process or processing: any manual or automated operation performed on personal data, including but not limited to, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

3. Scope

This Policy applies to all employees, contractors, vendors, and third parties who process personal data on behalf of and for Behaviorally. It covers all personal data collected, processed, and stored by Behaviorally, regardless of format or location.

  • Behaviorally as a data controller. In some cases, Behaviorally collects, directly or via a third party, certain personal data (defined above) in its capacity as a data controller. This may include personal data about Behaviorally employees, customers, and certain technical information about the use of Behaviorally’s services. In such cases, Behaviorally is primarily responsible for legal compliance with respect to that personal data, including as set forth in this Policy.
  • Behaviorally as a data processor. In other cases, Behaviorally processes personal data solely in its capacity as a data processor, on behalf of customers who control and determine the purposes and means of the processing of such personal data, and not for any other purpose. This may include personal data collected about a customer’s end users. In these cases, Behaviorally’s customer is primarily responsible for legal compliance with respect to that personal data. This Policy nevertheless outlines statutory and contractual obligations that Behaviorally may be subject to in its role as a processor or service provider.

4. Privacy Principles

Behaviorally adheres to the following foundational privacy principles, which serve as guidelines for the development of processes, procedures, and policies.

  • Privacy by Design. It is our policy to take a proactive, not reactive, approach. Our goal is to have privacy incorporated into our services and products beginning with the design phase. The intended result is that privacy becomes an essential component of any product or service.
  • Lawfulness and Fairness. Processing of data should be lawful and fair.
  • Visibility and Transparency. We strive to make our data practices transparent, clear, and accessible to our customers.
  • Purpose Limitation. Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Processing of personal data should be adequate, relevant, and limited to what is necessary relative to those purposes.
  • Accuracy. Personal data should be accurate and, where necessary, kept up to date. Inaccurate data should be promptly deleted or corrected, as applicable.
  • Storage Limitation. Data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (although data may be kept for longer for archiving, legal and compliance purposes, the public interest, or scientific research, subject to applicable law).
  • Data Minimization. We endeavor to have services and products limit the collection, disclosure, and other processing of personal data except in cases where those actions would be reasonably anticipated by an end-user; have been the subject of consent by the end-user, if applicable; or are otherwise allowed or required by applicable law.
  • Integrity and Confidentiality. We work to ensure that user data is protected in transit and at rest and protected by reasonable physical, logical, and administrative safeguards, protections, and countermeasures.
  • Respect for User Privacy. We endeavor to maintain user-centric privacy practices, including measures like strong privacy defaults, appropriate notice of privacy changes, and privacy-centric user choices for products and services.

5. Governance and Accountability

Clear lines of data governance control and accountability are established by leadership. Behaviorally’s approach to privacy is “top down” and is cross-disciplinary in nature, although ultimately overseen and directed by the Compliance Team. Personal data that is collected, stored, and processed by Behaviorally is the responsibility of various departments and business lines, including legal (privacy), operations (information security and information technology), and business lines (direct, day-to-day responsibility for carrying out policies related to privacy and information security).

A. Compliance Team

The Compliance Team is ultimately responsible for setting policies to ensure and advise on legal compliance for privacy and data processing. The Compliance Team sets enterprise policies and baselines for privacy compliance. This function includes responsibility for compliance with the laws of various jurisdictions, including, but not limited to, the GDPR and CCPA.

B. Data Protection Officer

Behaviorally’s Data Protection Officer (“DPO”), among other functions, is responsible for: informing and advising Behaviorally on privacy obligations; monitoring compliance with applicable law, including, but not limited to, GDPR; providing advice where requested, including on Data Protection Impact Assessments (“DPIA”) (as further described in Section 6); cooperating with data protection authorities; and acting as a contact point on issues relating to data processing.

C. Information Security / Information Technology

The VP of IT is ultimately responsible for setting policies and establishing procedures to ensure the confidentiality, integrity, security, and availability of data that is either in the possession or under the control of Behaviorally. The security function is responsible for ensuring we implement and maintain appropriate security measures to protect personal data, including protection against unauthorized or unlawful processing, unauthorized access, use, or acquisition, and against accidental loss, destruction, or damage, using appropriate technical and organizational measures. This responsibility includes various information security and cybersecurity functions and incident response.

D. Business Lines

The development of applications and the day-to-day operation and maintenance of business-line systems are the responsibility of various business verticals within the organization. These business lines are required to implement the privacy and security policies and standards of conduct that are adopted by Behaviorally. Business Line Managers are responsible for ensuring the implementation of, and requisite training on, such policies and standards for employees within their business line.

E. Executive Management

Behaviorally’s executive management is accountable to the Board of Directors to ensure that appropriate privacy and security practices are put into place and improved and updated over time. Executive management is responsible for periodically reporting to the Board of Directors regarding privacy and security risks. The Board of Directors has oversight responsibilities for Behaviorally’s privacy program and associated risks.

F. Annual Review

It is Behaviorally’s policy to review privacy, security, and data governance functions annually to identify needed improvements and related issues. The review team shall include designees of the Compliance Team, DPO, Information Security/Information Technology, Human Resources, Delivery Team, and Marketing.

6. Data Collection and Processing

Behaviorally may process certain personal data as a controller, including data about its employees, customers, and limited technical data about customers’ end users. Behaviorally may also process certain personal data as a processor on behalf of its customers.

Behaviorally may collect such information via:

  • Direct interactions with customers (e.g., filling out forms, inquiries)
  • Automated technologies (e.g., cookies, analytics)
  • Third-party sources (e.g., business partners, service providers)

A. Legal Bases for Processing

We process personal data based on the following legal grounds:

  • Consent – When explicit consent is provided.
  • Contractual Obligation – When processing is necessary to fulfill a contract.
  • Legal Obligation – When required by law.
  • Legitimate Interest – When processing is necessary for business operations.

B. Data Protection Impact Assessments

Behaviorally may be required by applicable law, including the GDPR, to conduct DPIAs in its capacity as a controller. Additionally, Behaviorally may be contractually obligated or otherwise expected to assist its customers in conducting data protection impact assessments in its capacity as a processor.

DPIAs may be required for processing that is likely to result in a high risk to individuals as well as for processing that will involve transfers of personal data from the EU or UK to jurisdictions that have not received an adequacy decision by the European Commission (as further detailed in Section 7). DPIAs may also be conducted for major projects involving the use of personal data, or processing involving sensitive or special category personal data.

When conducted, DPIAs shall be documented and approved by the DPO. The DPO should be engaged on new business initiatives, product launches, and changes to products or service offerings, and all relevant information must be provided to the DPO in a timely manner in order to allow him/her to provide adequate advice.

C. Third-Party Transfers of Personal Data

Behaviorally may disclose or otherwise make personal data available to:

  • Customers, as set forth in applicable agreements
  • Vendors, as further detailed in Section 14
  • International partners, subject to compliant transfer mechanisms
  • Government authorities and law enforcement, when legally required

7. Cross-Border Transfers of Personal Data

As set forth above, it is Behaviorally’s policy to conduct transfer impact assessments (“TIAs”) for processing that will involve transfers of personal data from the EU or UK to jurisdictions that have not received an adequacy decision by the European Commission, including the United States.

In such cases, it is Behaviorally’s policy to transfer personal data to such jurisdictions only where such transfers are subject to appropriate safeguards, including, but not limited to, Binding Corporate Rules or Standard Contractual Clauses, as applicable.

8. Notice, Transparency, and Consent

Notice, transparency, and consent requirements vary across jurisdictions. Behaviorally strives to make our data practices transparent, clear, and accessible. Behaviorally maintains an external Privacy Policy, available at: https://www.behaviorally.com/privacy-policy.

To the extent consent may be the basis of processing personal data, subject to applicable law, it is Behaviorally’s policy that data subjects may at any time withdraw the consent they provided for the processing of their personal data.

9. Data Classification

Data classification is necessary with respect to data collected from certain jurisdictions in which Behaviorally operates, including the European Economic Area / European Union.

As may be necessary, Behaviorally classifies data as personal data and special categories of personal data as defined by GDPR Article 4 and Article 9.

Such classification enables Behaviorally to appropriately classify personal data so that appropriate privacy and security safeguards and controls may be applied to such data and so that Behaviorally may timely respond to data subject requests, where applicable. Classification also supports Privacy by Design because it is available as a resource to business lines and developers during the design phase of products and services.

10. Record Keeping

As part of managing privacy and data governance within Behaviorally, and where required to comply with certain laws such as the GDPR, Behaviorally will maintain certain records regarding personal data processing. These records shall be set forth in Behaviorally’s Record of Processing Activities (“ROPA”).

The ROPA should describe the following information relating to personal data subject to GDPR:

  • The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  • The purposes of the processing;
  • A description of the categories of data subjects and of the categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  • Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards;
  • Where possible, the envisaged time limits for erasure of the different categories of data;
  • Where possible, a general description of applicable technical and organizational security measures.

11. Data Subject Rights and Requests

Depending on applicable law, Behaviorally may be required to respond to and comply with certain requests from data subjects, with respect to personal data for which Behaviorally is a controller. Behaviorally may also be contractually required or otherwise expected to cooperate with customers to respond to and comply with requests concerning personal data that Behaviorally handles as a processor.

Individuals have the following rights under GDPR:

  • Right to Access. The right to request confirmation of whether personal data is processed, and if so, to request a copy of that personal data.
  • Right to Erasure. The right to request deletion of personal data.
  • Right to Rectification. The right to request the correction of inaccurate personal data.
  • Right to Object to Processing. The right to object to processing of personal data.
  • Right to Restrict Processing. The right to restrict the processing of personal data.
  • Right to Data Portability. The right to request a copy of personal data in a structured, commonly used, and machine-readable format.
  • Right to Withdraw Consent. The right to withdraw consent at any time where consent was relied on to process personal data.

Individuals have the following rights under the CCPA and other U.S. state privacy laws:

  • Right to know and access. The right to know what personal data is collected, used, disclosed, and sold/shared.
  • Right to delete and erase. The right to request deletion of personal data.
  • Right to correct. The right to request the correction of inaccurate personal data.
  • Right to opt out of sale and/or sharing. The right to opt-out of the sale and/or sharing of personal data.
  • Right to limit use and disclosure. The right to limit the use or disclosure of sensitive personal data.
  • Right to non-discrimination. The right not to receive discriminatory treatment for the exercise of these privacy rights.

12. Information Security and Incident Response

Behaviorally maintains an enterprise-wide information security program, designed to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Behaviorally uses the following non-exhaustive list of protections, safeguards, and countermeasures, depending on the context and use case:

  • Encryption in transit
  • Encryption at rest
  • Access controls, including role-based access controls
  • De-identification and anonymization when necessary
  • Backups
  • Firewalls, including web application firewalls
  • Training
  • Regular security assessments and audits
  • Full disk encryption for portable devices and laptops
  • Intrusion detection and prevention systems
  • Anti-virus software
  • Multifactor authentication
  • Physical security measures
  • Secure coding practices
  • Password complexity and defensive account recovery
  • Patch management and provisions for end-of-life systems

Behaviorally also maintains an Incident Response Plan. All employees, contractors, vendors, and third parties must report any reasonably suspected or confirmed accidental, unauthorized, or unlawful access, acquisition, destruction, loss, alteration, or disclosure of personal data (“security incident”) pursuant to the Incident Response Plan. Prompt detection and reporting of security incidents can help contain and limit damage and may be necessary to comply with legal and contractual obligations. Any employee who becomes aware of an actual or suspected security incident must immediately notify the VP of IT via the Contact Us form at: https://www.behaviorally.com/contact-us.

As detailed in the Incident Response Plan, in the event of a security incident:

  • We will assess and contain the security incident.
  • We will document the security incident and take corrective actions.
  • To the extent legally required, we will notify:
    • Customers, as soon as possible, but no later than the time set forth in agreements.
    • Relevant European Data Protection Authority (DPA) within 72 hours.
    • Relevant U.S. regulators within the time period required by law.
    • Affected individuals within the time period required by law.

13. Data Retention

It is Behaviorally’s policy to retain personal data only for the period necessary to provide services to our customers. Subject to applicable law and consistent with Behaviorally’s retention policies, we may retain personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and policies.

We use the following criteria to set our retention periods: (i) the duration of our relationship with the individual; (ii) the purposes for processing the personal data and associated legal bases; (iii) the existence of a legal obligation as to the retention period; (iv) our contractual obligations; and (v) the advisability of retaining the information in light of our legal position (for example, applicable statutes of limitations, litigation, or regulatory investigations).

14. Vendor Management

It is Behaviorally’s policy to exercise appropriate oversight and risk management of activities conducted through relationships with third parties, including processors and sub-processors, taking into consideration the nature, magnitude, complexity, and risk potential of the arrangement. The policy and the applicable controls apply to technology vendors, including entities that provide technology or security services, software or hardware to Behaviorally and its information resources, as well as business partners and customers, including entities that have entered into a business relationship with Behaviorally in connection with the provision of our services.

There are numerous risks that may arise from Behaviorally’s use or engagement of third parties. Some of the risks are associated with the underlying activity itself, similar to the risk faced by an organization directly conducting the activity. Other potential risks arise from or are heightened by the involvement of technology vendors or partners. Behaviorally management is responsible for understanding the nature of these risks in the context of Behaviorally’s current or planned use of or relationship with the third parties.

Prior to entering into any third-party relationship, including, but not limited to, a relationship with a processor or subprocessor that may have access to, control of, possession of, or responsibility for, Behaviorally’s information resources or that of its customers, Behaviorally shall:

  • Ensure that the proposed relationship is consistent with Behaviorally’s strategic planning and overall business strategy.
  • Analyze the benefits, costs, legal aspects, and potential risks associated with the third party under consideration.
  • Identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of certain identified risks.
  • Review Behaviorally’s ability to provide adequate oversight and management of the proposed relationship on an ongoing basis.
  • Estimate the long-term financial effect of the proposed relationship.

Any processor or subprocessor engagement must be governed by a written contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the parties, and such other requirements as may be necessary or recommended to comply with applicable law.

15. Training and Enforcement

It is Behaviorally’s policy to maintain training and awareness procedures designed to educate and train personnel about the security practices and data protection measures of the organization, as appropriate. We provide privacy and security awareness training and initiatives to new hires and periodic refresher training, as needed, for existing personnel having access to personal data, which may be tailored to the personnel’s job responsibilities and supplemented by additional training and educational initiatives, as appropriate. We also make available applicable privacy and security policies via: https://www.behaviorally.com/privacy-policy.

Non-compliance may result in disciplinary action or termination of business contracts.

16. Policy History and Contact Information

This Policy and all related policies, standards, and guidelines are subject to change. Any proposed updates to this policy must be reviewed and approved by the Compliance Team, DPO, and Information Security/Information Technology.

This Section provides a historical listing of policy or procedure revisions. The Compliance Team and Information Security/Information Technology will be responsible for providing revision history.

Version | Date           | Description            | Approved By
1.0     | April 10, 2025 | Initial policy release | Stephen Omogbehin, VP of IT

If you have any questions regarding this Policy, contact us at https://www.behaviorally.com/contact-us.