Date Last Revised: October 4, 2021
This Privacy & Security Policy explains how we protect personal data provided through our website craft.co (the “Site”) and how we use that personal data in connection with our service offered through the Site (the “Service”). The Service consists of, among other things, a database of information concerning companies (the “Database”), which includes certain personal data about those companies’ leadership, management, and personnel. “Personal data” for purposes of this Policy means information that identifies or is identifiable to a living natural person. This Policy covers both our collection and processing of personal data regarding users of the Craft Site and Service. For our policy concerning our collection and processing of personal data in the Craft Database, see the Craft Database Information Policy
1. We care about the privacy of Craft users.
Simply put, we do not and will not sell or rent your personal information to anyone, for any reason, at any time. Craft uses and discloses your personal information only as follows:
- to fulfill your requests for certain products and services;
- to analyze site usage and improve the Service;
- to deliver to you any notices and communications relevant to your use of the Service;
- for research, planning, troubleshooting problems;
- to third-party contractors that provide services (e.g. email notifications) to Craft and are bound by these same privacy restrictions;
- to enforce Craft’s Terms of Service; and
- as otherwise set forth in this Privacy and Security Policy.
Craft may make anonymous or aggregate personal information available, and disclose such data only in a non-personally identifiable manner, to:
- Users of the Service for purposes of comparison to the broader community;
- Organizations approved by Craft that conduct research into career management and development; and
- Advertisers and other third parties for their marketing and promotional purposes.
Such information does not identify you individually. Access to any personal information you provide is strictly restricted and used in accordance with specific internal procedures and safeguard governing access, in order to operate, develop or improve the Service.
We do not knowingly collect or solicit personal information from anyone under the age of 16. If you are under 16, please do not attempt to register for the Service or send any personal information about yourself to us. If we learn that we have collected personal information from a child under age 16, we will delete that information as quickly as possible. If you believe that a child under 16 may have provided us personal information, please contact us at email@example.com.
2. Online session information and use is only used to improve your experience.
When you visit Craft.co, we may collect technical and navigational information, such as computer browser type, Internet protocol address, pages visited, and average time spent on our Site. This information may be used, for example, to alert you to software compatibility issues, or it may be analyzed to improve our Site’s design and functionality.
“Cookies” are alphanumeric identifiers in the form of text files that are inserted and stored by your Web browser on your computer’s hard drive. Craft may set and access cookies on your computer to track and store information about your preferences. Craft may gather information about you through cookie technology. For example, Craft may assign a cookie to you, to limit the amount of times you see a particular notification. Please note that most Internet browsers will allow you to stop cookies from being stored on your computer and to delete cookies stored on your computer. If you choose to eliminate cookies, the full functionality of the Site or Service may be impaired for you.
3. Third Parties.
- Lucky Orange, a usage analysis service we use to help improve usability and the customer experience. To view and manage data that Lucky Orange has collected about you on our behalf, or to opt out of future tracking please visit its data privacy management tool here: https://privacy.luckyorange.com.
Some parts of our Service may include social media features, such as the Facebook “like” button, and widgets, such as the “share this” button. These social media features are either hosted by a third party or hosted directly on our Service. When you use these tools, the party that provides the tool, the third party that operates the social media services, and/or we may receive information about you. By using these tools or by communicating with us through social media services, you acknowledge that some information, including personal information, from your social media services will be transmitted to us, and that information is therefore is covered by this Privacy and Security Policy, and some information, including personal information, may be shared with the third party services, and that information is therefore governed by their privacy policies.
When we interact with you on social media services, the information you share with us which can be seen by anyone other than you, us and the relevant social media service is not covered by this Privacy and Security Policy. Only information you share with us privately (i.e., through direct messages, private chat, etc.) is covered by this Privacy and Security Policy.
Finally, you can also register with our Service and create a Service account via certain third-party services such as LinkedIn (each, an “SNS Account”), if and when such functionality is available. If you choose to create a Service account through one of your SNS Accounts, you may have to provide us with your username (or user ID) so that your identity can be authenticated by the SNS Account. When the authentication is complete, we’ll be able to link your account with the SNS Account. That linking may allow us to access certain personal data, such as your name and email address, your user ID for the SNS Account, data tokens used to implement single sign-on and connect with your SNS Account profile, and other personal data that your privacy settings on the SNS Account permit us to access, in connection with creating your Service account. We don’t receive or store passwords for any of your SNS Accounts.
4. Disclosure of your information.
Craft may disclose your personal information:
- to third-party contractors that provide services (e.g. email notifications or hosting services) to Craft and are bound by these same privacy restrictions;
- to the third-party analytics providers identified in Section 3, although in this case we will disclose only information your browser automatically provides, not personally identifiable information like your name, email address, or similar contact information;
- or to an acquirer as indicated in Section 5.
Craft also reserves the right (and you authorize Craft) to share or disclose your personal information when Craft determines, in its sole discretion, that the disclosure of such information is necessary or appropriate:
- To prevent prohibited or illegal activities; or
- When required by any applicable law, rule regulation, subpoena or other lawful request of public authorities, including to meet national security or law enforcement requirements.
When we disclose personal information for these purposes, we can’t necessarily predict who the recipients may be, but could include law enforcement agencies, national security agencies, our lawyers, and courts.
5. Your data may be transferred upon change of control but only in accordance with this Policy.
Personal information may be transferred to a third party as a result of a sale, acquisition, merger, reorganization or other change of control. If we sell, merge or transfer any part of our business, part of the sale may include your personal information. If so, you will be asked if you’d like to stop receiving promotional information following any change of control.
6. You can delete your data.
When you request us to delete your account for the Service, your data will be permanently expunged from our primary production servers and further access to your account will not be possible. We will also promptly disconnect any connection we had established to your Account Information and delete all account credentials. However, portions of your data, consisting of aggregate data derived from your Account Information, may remain on our production servers indefinitely. Your data may also remain on a backup server or media. Craft keeps these backups to ensure our continued ability to provide the Service to you in the event of malfunction or damage to our primary production servers. We also reserve the right to use any aggregated or anonymous data derived from or incorporating your personal information.
7. We use reasonable efforts to secure your data.
We use a combination of firewall barriers, encryption techniques and authentication procedures, among others, to maintain the security of your online session and to protect Craft.co accounts and systems from unauthorized access.
When you register for the Service, Craft requires a password or SNS Account user ID and data token from you for your privacy and security. Craft transmits information such as your Registration Information for Craft.co or Account Credentials securely.
Our databases are protected from general employee access both physically and logically. We encrypt your Service password so that your password cannot be recovered, even by us. All backup drives and tapes also are encrypted.
8. Our service promotes secure communications with encryption.
From the time you submit your Login ID and Password or your SNS Account user ID and data token, these communications between your computer and Craft.co are encrypted. This enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering and message forgery.
9. You are responsible for maintaining the confidentiality of your Login ID and Password.
If you have a security related concern, please contact us at firstname.lastname@example.org. We will work closely with you to ensure a rapid and personal response to your concerns.
10. Information for Persons Outside the U.S.
If you use our Site or Service outside of the United States, you understand that we may collect, process, and store your personal information in the United States and other countries. The laws in the U.S. regarding personal information may be different from the laws of your state or country. Any such transfers will comply with safeguards as required by relevant law.
11. Certain Rights for Persons Outside the U.S.
If you are a resident of the EEA, UK, or Switzerland, you have the following rights: the right to access your person, rectification or erasure of, and/or restriction of processing or objection to processing of your personal data, and in certain cases, the right to data portability. If you have any questions or want to exercise any of your rights with respect to your personal data, please contact Craft at email@example.com. Before we process any request, we may request personal information to verify your identity where allowed by law. Where permitted by local law, we may reject requests that are unreasonable or impractical. Finally, you also have the right to at no cost to lodge a complaint with your local data protection authorities. This right may also exist in other countries.
12. We post updates on our website whenever there is a change to our Privacy and Security Policy.
We update this Privacy & Security Policy periodically. The date last revised appears at the top of the Policy. Changes take effect immediately upon posting.
13. Contact us if you have any questions or concerns.
If you have questions, comments, concerns or feedback regarding this Privacy and Security Policy or any other privacy or security concern, please send us an e-mail at firstname.lastname@example.org.
14. Organizational Security
- Information Security Program: We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
- Roles and Responsibilities: We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
- Security Awareness Training: Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
- Confidentiality: We perform background checks on all new team members in accordance with local laws.
15. Cloud Security
- Cloud Infrastructure Security: All of our services are hosted with Amazon Web Services (AWS) They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit AWS Security
- Data Hosting Security: All of our data is hosted on Amazon Web Services (AWS) databases. These databases are all located in the United States. Please reference the above vendor specific documentation linked above for more information.
- Encryption at Rest: All databases are encrypted at rest.
- Encryption in Transit: Our applications encrypt in transit with TLS/SSL only.
- Vulnerability Scanning: We perform vulnerability scanning and actively monitor for threats.
- Logging and Monitoring: We actively monitor and log various cloud services.
- Business Continuity and Disaster Recovery: We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
- Incident Response: We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
16. Access Security
- Permissions and Authentication: Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role. Where available we have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.
- Least Privilege Access Control: We follow the principle of least privilege with respect to identity and access management.
- Quarterly Access Reviews: We perform quarterly access reviews of all team members with access to sensitive systems.
- Password Requirements: All team members are required to adhere to a minimum set of password requirements and complexity for access.
- Password Managers: All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
17. Vendor and Risk Management
- Annual Risk Assessments: We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
- Vendor Risk Management: Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.
18. Contact us for security questions or reporting
If you have any questions, comments or concerns or if you wish to report a potential security issue, please contact email@example.com