Effective Date: July 23, 2021
Please note, this Services Privacy Notice is available at www.icims.com/legal/privacy-notice-services. iCIMS maintains other privacy notices to address specific use cases applicable to iCIMS, which are available at the following locations:
iCIMS, Inc. and its subsidiaries, iCIMS International, LLC, Jibe, Inc., TextRecruit, Inc., Opening HR Limited, EasyRecrue S.A.S., and Altru Labs, Inc. (collectively, “iCIMS,” “we,” or “us”), respects the privacy of its Subscribers, their Subscriber Data, and their respective Users and Candidates, and we are committed to protecting their respective personal data. All capitalized terms used in the immediately preceding sentence shall be defined in accordance with the iCIMS Subscription Agreement.
This Services Privacy Notice (“Services Notice”) explains who we are and covers our privacy practices with respect to the collection, use, and disclosure of personal data obtained in connection with the use of our Subscription and related services, including professional services and trainings that we provide to Subscribers. This Services Notice also describes our privacy practices with respect to Subscriber and partner contact information we process for account, contract, and billing management purposes (e.g., the processing of Subscriber address and billing information) in connection with the use of our products and services, or technology provided by our partners to our Subscribers. For clarity, iCIMS collects personal data under the direction of its Subscribers and has no direct relationship with the Subscribers’ candidates. If you are a candidate of one of our Subscribers, please contact that Subscriber. This Services Notice does not cover a Subscriber’s collection, use, or disclosure of any information it stores as part of the Subscription.
For purposes of this Services Notice:
Please take the time to read this Services Notice and the related statements in their entirety to ensure you are fully informed. If you have any questions or concerns about our processing of personal data, please contact us by using the contact details under the “Contact Information” heading below.
As further described below, we collect several types of personal data from and about our Subscribers in the course of providing and supporting the Subscription.
Subscribers process Subscriber Data in the normal course of using the Subscription. Our collection, use, and disclosure of such Subscriber Data is limited to the processing permitted in the agreement executed between Subscriber and iCIMS (“Subscription Agreement”), such as providing and supporting the Subscription on behalf of Subscriber. Likewise, we process Subscriber Data at the direction of and pursuant to the instructions of our Subscribers.
As a result, under applicable data protection or privacy law, we are our Subscribers’ data processor or service provider. To that end, we also collect several types of other personal data from our Subscribers as a data processor or service provider, including:
Lastly, we collect several types of personal data from our Subscribers as a data controller or business (as defined under applicable data protection or privacy law), including:
We may use Subscriber Data to provide support, secure, and improve the Subscription, including updating and maintaining the Subscription, providing services, responding to customer service requests, and recording and monitoring customer service calls. We may also use Subscriber Data to create aggregated, anonymized Analytics. When we record customer service calls that capture Customer Personal Data and when required by law, we will let you know if a call is being recorded at the start of the call so you can decide whether or not to continue. When we create Analytics, we do not attempt to reidentify data that has been aggregated and anonymized. We will not use, disclose, sell, review, share, distribute, transfer, or reference any Subscriber Data except as permitted in the Subscription Agreement or as required by law.
We may use Customer Personal Data for account, contracting, and billing management purposes.
We may use Public Personal Data for research and development purposes (for example, to test the accuracy of artificial intelligence (“AI”) algorithms and to determine if AI algorithms produce biased output) and as reasonably necessary to comply with our legal obligations.
If we need to process personal data for an incompatible purpose not discussed in this Services Notice, we will provide notice to Subscribers or Users, as applicable, and, if required by law, seek their consent. We may process personal data without Subscribers’ or Users’ knowledge or consent only where required or permitted by applicable law. Lastly, iCIMS does not subject personal data to automated decision-making.
If you are a resident of the EEA, the UK, or Switzerland, our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the context in which we collect it. However, we will normally collect and/or process your personal data pursuant to one or more of the following legal bases:
If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether the provision of your personal data is mandatory or not (as well as the possible consequences if you do not provide it). Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed above, we will make clear to you at the relevant time what those legitimate interests are. If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the “Contact Information” section below.
Subject to the Subscription Agreement, iCIMS or its appointed service providers may collect, use, process, store and disclose personal data outside of our Subscribers’ home countries, including in the U.S., and in some cases, other countries, to provide our Subscription and related services. These countries may have data protection and privacy laws that are different than the laws of our Subscribers’ home countries. iCIMS only transfers personal data to another country in accordance with applicable data protection and privacy laws, provided there are legally adequate protections in place for the personal data. A list of iCIMS’ global offices is available here.
For Subscriber Data transferred from the EEA, UK, or Switzerland to iCIMS in the U.S., and for onward transfers of Subscriber Data to iCIMS’ appointed services providers, iCIMS and its appointed service providers will protect Subscriber Data when it is transferred from the EEA, UK, or Switzerland to the U.S. by:
For other international transfers of personal data from the EEA, the UK, and Switzerland, we will implement such measures as are necessary to ensure we provide appropriate safeguards for the transferred Subscriber Data, as agreed to with our Subscribers. For Customer Personal Data collected, used, and disclosed by iCIMS that is subject to international transfer restrictions of EU data protection law, please see the “Legal Basis for Processing,” “International Transfers,” and “EU-U.S. and Swiss-U.S. Privacy Shield Framework” sections of the iCIMS Privacy Notice.
Although iCIMS does not rely on the Privacy Shield Frameworks to protect Subscriber Data when it is transferred from the EEA, UK, or Switzerland to the U.S., iCIMS, Inc. and certain of its subsidiaries continue to participate in and certify their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework and subject all Subscriber Data received from the EEA, the UK, and Switzerland to the Privacy Shield Principles. To learn more about the Privacy Shield Frameworks and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
For Customer Personal Data and Public Personal Data collected, used, and disclosed by iCIMS that is subject to international transfer restrictions of EU data protection law, please see the “Legal Basis for Processing,” “International Transfers,” and “EU-U.S. and Swiss-U.S. Privacy Shield Framework” sections of the iCIMS Privacy Notice.
If you require further information about our international transfers of personal data, please contact us by using the contact details under the “Contact Information” heading below.
iCIMS, Inc. and certain of its subsidiaries participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. iCIMS is committed to subjecting all personal data received from the EEA, the UK, and Switzerland in reliance on each Privacy Shield Framework to the Privacy Shield Principles. To learn more about the Privacy Shield Frameworks and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
iCIMS is responsible for the processing of personal data it receives, under the European Union’s General Data Protection Regulation (“GDPR”) and each Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on its behalf. iCIMS complies with GDPR and the Privacy Shield Principles for all onward transfers of personal data from the EEA, the UK, and Switzerland, including the onward transfer liability provisions.
iCIMS recognizes that the Court of Justice of the European Union ruled in July 2020 that a certification under the EU-U.S. Privacy Shield Framework no longer can serve as the basis by which entities subject to the GDPR transfer personal data to jurisdictions outside the EEA. iCIMS also recognizes Switzerland’s announcement that the Swiss-US Privacy Shield Framework does not provide an adequate level of protection to transfer personal data from Switzerland to the U.S. Although iCIMS now relies on Standard Contractual Clauses or other lawful transfer mechanisms approved by the European Commission (or other relevant governmental authority) to transfer personal data from the EEA, the UK, and Switzerland, iCIMS will continue to maintain its Privacy Shield certification and will continue to honor its obligation to comply with the Privacy Shield Principles with respect to data that was previously transferred pursuant to the EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework.
With respect to personal data received or transferred pursuant to GDPR, iCIMS is subject to the regulatory enforcement powers of the EU in conjunction with the U.S. Federal Trade Commission. For each Privacy Shield Framework, iCIMS is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain circumstances, iCIMS may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, but iCIMS will attempt to resist such disclosures when possible.
In compliance with GDPR and the Privacy Shield Principles, iCIMS commits to resolve complaints about our collection and use of your personal data. EEA, UK, and Swiss individuals with inquiries or complaints regarding our privacy practices should first contact iCIMS as provided in the “Contact Information” section below. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
iCIMS maintains appropriate technical and organizational measures, including, but not limited to, reasonably designed administrative, physical, and technical safeguards, designed to protect Subscriber Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The iCIMS privacy and security programs are audited by independent third parties to ensure our privacy and security measures and processes meet internationally recognized standards for the protection of personal data, which includes maintaining our ISO 27001 and 27701 certifications, as well as SOC 2 Type II audits. The Subscription allows Subscribers to implement and configure their use of the platform and enforce certain security requirements, including user access controls. iCIMS has a dedicated team responsible for monitoring and responding to security events, and it notifies Subscribers of security incidents and data breaches in accordance with its Incident Response Procedures and applicable law.
We retain Subscriber Data according to the timeframes set forth in the Subscription Agreement. We retain Customer Personal Data and Public Personal Data where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements).
If you (as a Subscriber or User) download and use any of our mobile applications (each an “App”), iCIMS will automatically collect certain information about your device, such as the type of device you use, the operating system version, the device identifier (e.g., UDID or IMEI number), and metadata related to the content you submit.
iCIMS may send you push notifications from time-to-time to update you about any events or promotions that iCIMS may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, iCIMS will need to collect certain information about your device such as operating system and user identification information.
iCIMS does not ask for, access, or track any location-based information from your mobile device at any time while downloading or using our App.
iCIMS uses mobile analytics software to allow us to better understand the functionality of our App software on your phone. This software may record information such as how often you use the App, the events that occur within the App, aggregated usage, performance data, and where the App was downloaded from. iCIMS does not link the information iCIMS stores within the analytics software to any personal data you submit within the App.
Since each Subscriber is in control of what information, including any personal data, it collects from its Users and Candidates, how that information is used and disclosed, and how that information can be changed, Users and Candidates of the Subscription must contact the applicable Subscriber with any inquiries about how the Subscriber collects, uses, and discloses personal data, including any privacy rights or data subject access requests, including, but not limited to, how to access, rectify, correct, delete, and port personal data contained in Subscriber Data. For Subscription services that provide short code functionality, iCIMS supports its Subscribers’ compliance with applicable laws, regulations, and guidelines by providing each Subscriber with the ability to configure consent, opt-in, opt-out, and unsubscribe functionality as necessary for each Subscriber’s applicable obligations.
Where iCIMS is a data controller or business under applicable data protection or privacy law, certain jurisdictions may provide you with privacy rights regarding your personal data. In particular, you may have the right to:
These rights may be limited, for example, if fulfilling your request would reveal personal data about another individual, or if you ask us to delete personal data which we are required by law to keep or which we need to defend claims against us.
If you are a California resident, please see our Privacy Notice for California Residents for additional disclosures and information about the personal data we have collected about you over the last 12 months and rights you may have regarding your personal data.
If you do not wish to receive our email marketing communication for promotional purposes, you may opt out by clicking on the “unsubscribe” or “opt out” link in the marketing e mails we send you.
If we process your personal data in reliance upon your consent, you can contact us at any time to withdraw your consent.
To exercise any of these rights, please contact us by using the contact details under the “Contact Information” heading below.
We will respond to such requests in accordance with the requirements of applicable data protection and privacy laws. Please note that in order to fulfil your request, we may need you to provide certain personal data to verify your identity. Depending upon applicable data protection and privacy law, individuals may also designate an authorized agent to exercise these rights on their behalf.
Various browsers (i.e., Internet Explorer, Chrome, Firefox, Edge, etc.) may allow a “do not track” (DNT) setting, which sends a signal to websites visited by an individual about their browser DNT setting. At this time, there is no general agreement on how companies, like iCIMS, should interpret DNT signals. Therefore, we do not currently commit to respond to DNT signals. We will continue to monitor developments around DNT browser technology and the implementation of a standard.
We may also connect to applications or integrations hosted by third parties for mutual Subscribers. These applications and integrations will interact with the Subscription and our processing of Subscriber Data will be in accordance with this Services Notice and our Subscription Agreement.
iCIMS reserves the right to update or change this Services Notice from time to time. If we make material changes to this Services Notice, we will post it to the applicable sections of our Website prior to or at the time of the change becoming effective. We ask that you review the Services Notice periodically to stay informed about any updates or changes that we may have made.
You can see when this Services Notice was last updated by checking the “Effective Date” displayed at the top of this Services Notice.
To ask questions or comment about this Services Notice and our privacy practices or if you need to update, change, or remove your personal data or exercise any other rights, please contact us as follows: