iCIMS, Inc. and its subsidiaries, iCIMS International, LLC, TextRecruit, Inc., Opening HR Limited, EasyRecrue S.A.S., Candidate ID Ltd, and SkillSurvey, Inc. (collectively, “iCIMS,” “we,” or “us”), respects the privacy of its Subscribers, their Subscriber Data, and their respective Users, Candidates, and Survey Recipients, and we are committed to protecting their respective personal data. All capitalized terms used in the immediately preceding sentence shall be defined in accordance with the iCIMS Subscription Agreement and/or applicable addendum.

This Services Privacy Notice (“Services Notice”) explains who we are and covers our privacy practices with respect to the collection, use, and disclosure of personal data obtained in connection with the use of our Subscription and related services, including professional services and trainings that we provide to Subscribers. This Services Notice also describes our privacy practices with respect to the processing of personal data for iCIMS’ legitimate business operations incident to administration and delivery of our Subscription to Subscribers, and for our other legitimate purposes relating to iCIMS’ business operations, including contact information for employees of Subscribers, prospects, and partners that we process for account, contract, communication, and billing management purposes (e.g., the processing of Subscribers’ employee’s address and billing information) in connection with the use or potential use of our software and services, or technology provided by our partners to our Subscribers. For clarity, iCIMS collects the personal data of Candidates and Survey Recipients under the direction of its Subscribers and has no direct relationship with such Subscribers’ Candidates or Survey Recipients. If you are a Candidate or Survey Recipient of one of our Subscribers, please contact that Subscriber.

For purposes of this Services Notice:

• The term “personal data” means any information which relates to an identified or identifiable, living individual that directly or indirectly references one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity. Personal data excludes anonymous data.

Please take the time to read this Services Notice and the related statements in their entirety to ensure you are fully informed. If you have any questions or concerns about our processing of personal data, please contact us by using the contact details under the “Contact Information” heading below.

As further described below, we collect several types of personal data from and about our Subscribers in the course of providing and supporting the Subscription.

Subscribers process Subscriber Data in the normal course of using the Subscription. Our collection, use, and disclosure of such Subscriber Data is limited to the processing permitted in the agreement(s) executed between Subscriber and iCIMS (“Subscription Agreement”) or processing required or permitted by applicable law, such as providing and supporting the Subscription on behalf of Subscriber. Likewise, we process Subscriber Data at the direction of and pursuant to the instructions of our Subscribers.

As a result, under applicable data protection or privacy law, we are our Subscribers’ data processor or service provider. To that end, we also collect several types of other personal data from our Subscribers as a data processor or service provider, including:

• Personal data and correspondence from Subscribers, Users, Candidates, and Survey Recipients submitted, imported, uploaded, or transferred to us in connection with our services and use of the Subscription, including personal data that is collected automatically when that is the intended purpose of the Subscription.
• Personal data we receive from our partners and service providers in connection with our services and the use of the Subscription.
• Personal data collected via our mobile applications.

Lastly, we collect several types of personal data from our Subscribers or prospects as a data controller or business (as defined under applicable data protection or privacy law), including:

• Personal data collected as part of administration and delivery of our Subscription to Subscribers (including personal data collected as part of providing due diligence materials and other information about our Subscription to prospects and personal data collected automatically in connection with the use of our Subscription and related services) and our accounting, billing, contracting, communication, customer support, and security operations, including, but not limited to, a Subscriber’s company name and address, payment details such as credit card or financial account information, and business representative’s contact information (“Customer Personal Data”).
• Personal data that is made available to the general public by our Subscribers in the normal course of using the Subscription, including, but not limited to, videos posted to public websites and social media platforms (“Public Personal Data”).

We may use Subscriber Data and Customer Personal Data to provide support, secure, and improve the Subscription, including updating and maintaining the Subscription, providing services, responding to customer service requests, recording and monitoring customer service calls, and tracking the browsing and email actions of Users, Candidates, and Survey Recipients (when such tracking is the intended purpose of the Subscription). When we record customer service calls that capture Customer Personal Data and when required by law, we will let you know if a call is being recorded at the start of the call so you can decide whether or not to continue. We may also use Subscriber Data to create aggregated, anonymized Analytics. When we create Analytics, we maintain and use Analytics in deidentified form and do not attempt to reidentify data that has been aggregated and anonymized. We will not use, disclose, sell, review, share, distribute, transfer, or reference any Subscriber Data except as permitted in the Subscription Agreement or as required or permitted by law.

We may use Customer Personal Data for account, billing, contracting, internal reporting, communication (including to provide information about our software and services, such as via telemarketing calls and marketing emails, in accordance with indicated marketing preferences), customer support, and security management purposes, as well as for exercising, establishing, or defending our legal rights or complying with applicable legal obligations. For example, if a customer requests to schedule a meeting with us to discuss or provide feedback about our software and services, iCIMS will use Customer Personal Data to schedule the meeting and communicate with the customer.

We may use Public Personal Data for research and development purposes (for example, to test the accuracy of artificial intelligence (“AI”) algorithms and to determine if AI algorithms produce biased output) and as reasonably necessary to comply with our legal obligations.

Our processing of Personal Data for the purposes described in this Services Notice also includes the use of automated methods of processing, including sentiment analysis, machine learning, artificial intelligence, and generative intelligence capabilities. to analyze your Personal Data, determine trends, or create automated or AI-generated responses or other content. When you interact with the chatbot on our Website, we may also store the transcript for the purposes described in this Services Notice.

If we need to process personal data for an incompatible purpose not discussed in this Services Notice, we will provide notice to Subscribers, Users, Candidates, or Survey Recipients as applicable, and, if required by law, seek their consent. We may process personal data without Subscribers’, Users’, Candidates’, or Survey Recipients’ knowledge or consent only where required or permitted by applicable law or the Subscription Agreement.

iCIMS limits access to personal data to only those who need access to perform their tasks and duties, and to third parties who have a legitimate purpose for processing or accessing it. As such, we may share personal data as described in this Services Notice to the following categories of recipients:

• To our subsidiaries, affiliates, or their or our successors or assigns (including those located outside the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland) as necessary to support provision of the Subscription.
• To Survey Recipients, peer references, and other third parties when necessary to deliver the Subscription to our Subscriber.
• To our private equity investors, Vista Equity Partners and TA Associates, and their affiliates, contractors, service providers, and other third parties, including Vista Consulting Group, which will process the personal data on the basis of its legitimate interests in overseeing the administration, research, and business operations of iCIMS.
• To our contractors, business partners, and service providers who require the data to assist us in providing, supporting, and securing our Subscription and to assist with providing services on behalf of our Subscribers, provided such parties provide at least the same level of privacy protection as is required of iCIMS. These companies are authorized to use personal data only as necessary to provide these services to us.
• To a potential buyer (and its agents and advisors) and our agents and advisors in connection with any proposed merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution or liquidation), in which case Subscriber Data and personal data held by us about our Subscribers and Users will be among the assets transferred to the buyer or acquirer.
• To our subsidiaries, affiliates, agents, advisors, contractors, business partners, and service providers as necessary for iCIMS’ legitimate business operations incident to administration and delivery of our Subscription to Subscribers, and for our other legitimate purposes relating to iCIMS’ business operations, including account, billing, contracting, internal reporting, communication, customer support, and security management purposes.
• To a third party under the following circumstances where we, in good faith,: (i) believe we are compelled by applicable law or regulation, judicial request from a court of competent jurisdiction, or another legal process or government order (in each case, where iCIMS is unable to resist such disclosure); (ii) find it necessary to exercise, establish or defend our legal rights; (iii) seek to enforce or apply the terms of the Subscription Agreement; (iv) seek to protect iCIMS’ rights or property; (v) seek to protect iCIMS, our Subscribers, or the public from harm or illegal activities; (vi) seek to respond to an emergency which requires us to disclose data to prevent harm; or (vii) rely on your consent.
• To the general public when Subscribers use functionality within the Subscription to make certain content containing Subscriber Data publicly available. For example, all materials, comments, and other content shared on or through iCIMS Video Studio are subject to being shared with job applicants, website visitors, and social media followers who are under no obligation of confidentiality, and therefore such content is public.
• In accordance with a Subscriber’s instructions.

Please note that we do not sell (as defined in applicable data protection and privacy laws) personal data (and will not sell it without providing any required notices and/or opt-in/opt-out rights).

If you are a resident of the EEA, the UK, or Switzerland, our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the context in which we collect it. However, we will normally collect and/or process your personal data pursuant to one or more of the following legal bases:

• The processing is in our legitimate interests which do not override your data protection interests or fundamental rights and freedoms.
• The processing is necessary to perform a contract with you.
• The processing is necessary to comply with our legal obligations.
• We may also seek your consent to process or retain your personal data in certain, limited circumstances that we clearly identify to you.
• In some limited cases, we may need the personal data to protect your vital interests or those of another person; for example, we may need to share your personal data with third parties for security reasons (when we believe in good faith that disclosure is necessary to protect our rights, protect your or others’ safety, to investigate fraud, or respond to a related government request).

If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether the provision of your personal data is mandatory or not (as well as the possible consequences if you do not provide it). Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed above, we will make clear to you at the relevant time what those legitimate interests are. If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the “Contact Information” section below.

Subject to the Subscription Agreement, iCIMS or its appointed service providers or contractors may collect, use, process, store and disclose personal data outside of our Subscribers’ home countries, including in the U.S., and in some cases, other countries, to provide our Subscription and related services. These countries may have data protection and privacy laws that are different than the laws of our Subscribers’ home countries. iCIMS only transfers personal data to another country in accordance with applicable data protection and privacy laws, provided there are legally adequate protections in place for the personal data. A list of iCIMS’ global offices is available here.

For Subscriber Data transferred from the EEA, UK, or Switzerland to iCIMS in the U.S., and for onward transfers of Subscriber Data to iCIMS’ appointed service providers or contractors, iCIMS and its appointed service providers and contractors will protect Subscriber Data when it is transferred from the EEA, UK, or Switzerland to the U.S. by:

• Processing Subscriber Data in a territory which the European Commission (or other relevant governmental authority) has determined provides an adequate level of protection for personal data; or
• Implementing appropriate safeguards to protect Subscriber Data, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission (or other relevant governmental authority) .

For other international transfers of personal data from the EEA, the UK, and Switzerland, we will implement such measures as are necessary to ensure we provide appropriate safeguards for the transferred Subscriber Data, as agreed to with our Subscribers.

For Customer Personal Data and Public Personal Data collected, used, and disclosed by iCIMS that is subject to international transfer restrictions of EU, UK, or Swiss data protection law, please see the “Legal Basis for Processing,” “International Transfers,” and “Data Privacy Framework” sections of the iCIMS Privacy Notice.

If you require further information about our international transfers of personal data, please contact us by using the contact details under the “Contact Information” heading below.

iCIMS, Inc. and certain of its subsidiaries listed here comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. iCIMS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. iCIMS has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program and to view our certification, please visit https://www.dataprivacyframework.gov/.

iCIMS is responsible for the processing of personal data it receives under the, DPF and subsequently transfers to a third party acting as an agent on its behalf. iCIMS complies with the DPF for all onward transfers of personal data from the EEA, the UK, and Switzerland, including the onward transfer liability provisions.

Although iCIMS also relies on Standard Contractual Clauses or other lawful transfer mechanisms approved by the European Commission (or other relevant governmental authority) to transfer personal data from the EEA, the UK, and Switzerland, iCIMS is committed to maintaining its DPF certification and will honor its obligation to comply with the DPF Principles.

The Federal Trade Commission has jurisdiction over iCIMS’ compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain circumstances, iCIMS may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, but iCIMS will attempt to resist such disclosures when possible.

EEA, UK, and Swiss individuals with inquiries or complaints regarding our privacy practices should first contact iCIMS as provided in the “Contact Information” section below. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, iCIMS commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of TRUSTe are provided at no cost to you.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

iCIMS maintains appropriate technical and organizational measures, including, but not limited to, reasonably designed administrative, physical, and technical safeguards, designed to protect Subscriber Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The iCIMS privacy and security programs are audited by independent third parties to ensure our privacy and security measures and processes meet internationally recognized standards for the protection of personal data, which includes maintaining our ISO 27001 and 27701 certifications, as well as SOC 2 Type II audits. The Subscription allows Subscribers to implement and configure certain settings related to their use of the platform and to enforce certain security requirements, including user access controls. iCIMS has a dedicated team responsible for monitoring and responding to security events, and it notifies Subscribers of security incidents and data breaches in accordance with its incident response procedures and applicable law.

If you (as a Subscriber, User, or Candidate) download and use any of our mobile applications (each an “App”), iCIMS will automatically collect certain information about your device, such as the type of device you use, the operating system version, the device identifier (e.g., UDID or IMEI number), and metadata related to the content you submit.
iCIMS may send you push notifications from time-to-time to update you about any events or promotions that iCIMS may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, iCIMS will need to collect certain information about your device such as operating system and user identification information.

iCIMS does not ask for, access, or track any location-based information from your mobile device at any time while downloading or using our App.

iCIMS uses mobile analytics software to allow us to better understand the functionality of our App software on your phone. This software may record information such as how often you use the App, the events that occur within the App, aggregated usage, performance data, and where the App was downloaded from. iCIMS does not link the information iCIMS stores within the analytics software to any personal data you submit within the App.

Since each Subscriber is in control of what information, including any personal data, it collects from its Users, Candidates, and Survey Recipients, how that information is used and disclosed, and how that information can be changed, Users, Candidates, and Survey Recipients of the Subscription must contact the applicable Subscriber with any inquiries about how the Subscriber collects, uses, and discloses personal data, including any privacy rights or data subject access requests, including, but not limited to, how to access, rectify, correct, delete, and port personal data contained in Subscriber Data. For Subscription services that provide short code functionality, iCIMS supports its Subscribers’ compliance with applicable laws, regulations, and guidelines by providing each Subscriber with the ability to configure consent, opt-in, opt-out, and unsubscribe functionality as necessary for each Subscriber’s applicable obligations.

Where iCIMS is a data controller or business under applicable data protection or privacy law, certain jurisdictions may provide you with privacy rights regarding your personal data. In particular, you may have the right to:

• be informed about your personal data;
• access your personal data;
• correct any personal data that is inaccurate;
• have your personal data erased;
• restrict or suppress your personal data;
• obtain and reuse your personal data;
• object to the processing of your personal data;
• object to how your personal data is used in automated decision making, if applicable.
• lodge a complaint with a supervisory authority; and
• obtain a copy of Standard Contractual Clauses (if applicable).

These rights may be limited, for example, if fulfilling your request would reveal personal data about another individual, or if you ask us to delete personal data which we are required by law to keep or which we need to defend claims against us.

If you are a California resident, please see our Privacy Notice for California Residents for additional disclosures and information about the personal data we have collected about you over the last 12 months and rights you may have regarding your personal data.

If you do not wish to receive our email marketing communication for promotional purposes, you may opt out by clicking on the “unsubscribe” or “opt out” link in the marketing e mails we send you.

If we process your personal data in reliance upon your consent, you can contact us at any time to withdraw your consent.

To exercise any of these rights, please contact us by using the contact details under the “Contact Information” heading below.

We will respond to such requests in accordance with the requirements of applicable data protection and privacy laws. Please note that in order to fulfil your request, we may need you to provide certain personal data to verify your identity. Depending upon applicable data protection and privacy law, individuals may also designate an authorized agent to exercise these rights on their behalf.

Various browsers (i.e., Internet Explorer, Chrome, Firefox, Edge, etc.) allow a “do not track” (DNT) setting, which sends a signal to websites visited by an individual about their browser DNT setting. At this time, there is no general agreement on how companies, like iCIMS, should interpret DNT signals. Therefore, we do not currently commit to respond to DNT signals. We will continue to monitor developments around DNT browser technology and the implementation of a standard.

We may also connect to applications or integrations hosted by third parties for mutual Subscribers. These applications and integrations will interact with the Subscription and our processing of Subscriber Data will be in accordance with this Services Notice and our Subscription Agreement.

For clarity, this Services Notice does not apply to personal data collected, used, or disclosed by Subscribers as part of those third-party applications, integrations, or websites. The use of any data you make available to a third-party is subject to that third-party’s privacy policy or notice and your agreements, if any, with the third-party.

iCIMS does not offer its Subscription and related services for purchase by children and our Subscription and related services are not directed to or intended to be used by anyone under the age of 18. Our Subscribers determine how their Subscription and related services are used. If a Subscriber elects to have children under the age of 18 use the Subscription or related services, the Subscriber assumes all liability and risks related to such use and is solely responsible for ensuring that such use does not violate any law or regulation.