California HR Data Privacy Policy

Effective Date: January 1, 2023

This privacy policy describes AllyGPO, LLC’s processing of California residents’ personal information in various human resources (HR) contexts, as required under California’s privacy law, the California Consumer Privacy Act, which is also known as the “CCPA”. We are providing this privacy policy to you to meet our obligations under the CCPA. In this privacy policy, “we”, “us”, “our”, and “AllyGPO, LLC” are used to refer to AllyGPO, LLC, its affiliates, and its business lines, including AllyRetina, AllyOncology, AllyNeurology, AllyRheumatology, AllyAnalytics, and AllyIQ (collectively, “AllyGPO, LLC”).

If you are a California resident and have interacted with us or otherwise provided us with personal information in any of the HR contexts listed below, please read this policy carefully, as it describes how we collect, use, retain, disclose, and otherwise process your personal information, and the rights you have under California law as to your personal information.

  • Current/Former Employees. You are a current or former employee of AllyGPO, LLC.
  • Independent Contractor. You are a current or former contractor of AllyGPO, LLC.
  • Job Applicant. You have applied to a position with AllyGPO, LLC previously, such as on https://allygpo.com/careers/.

This privacy policy also applies to California residents whose family member or friend has provided information about you to AllyGPO, LLC in an HR context, such as if:

  • You are listed as an emergency contact for an AllyGPO, LLC employee or former employee.
  • You are a beneficiary or dependent of an AllyGPO, LLC employee or former employee.

This privacy policy does not apply to our data practices outside of the HR context. For example, if you visit the business customer-facing aspects of our website (e.g., https://AllyGPO.com), the posted privacy policy will apply and will describe our data practices in that context.

In the event of a conflict between any other AllyGPO, LLC policy, statement or notice and this privacy policy, this privacy policy will prevail as to personal information collected in an HR context, unless stated otherwise.

  • Section 1 of this privacy policy provides notice of our data practices, including our collection, use, and disclosure of California residents’ personal information in an HR context.
  • Section 2 of this privacy policy provides information regarding California residents’ rights under the CCPA and how you may exercise them.
  • Sections 3-5 include other information required by the CCPA or information that we believe is helpful to provide to you as part of this privacy policy.

1. NOTICE OF DATA PRACTICES

As required by the CCPA, this privacy policy is designed to provide you with notice of our recent, historical data practices over the prior 12 months (from the Effective Date listed at the top of this privacy policy). This privacy policy will be updated at least annually.

This privacy policy also applies to our current data practices such that it is also meant to provide you with notice of personal information we collect and the purposes for which we process personal information, among other things required by the CCPA. For any new or substantially different processing activities that are not described in this privacy policy, we will notify you as required by the CCPA, including by either notifying you at the time of collecting personal information, or by updating this privacy policy earlier than required.

(a) PI Collection and Retention

The first column in the table below lists the categories of personal information we collect, while the second column provides examples of types of personal information within each category. We disclose or otherwise make available personal information to our vendors, affiliates, and related entities, and other parties for the purposes more fully set forth in the table below. Generally, we disclose personal information for business purposes, and may be considered to “sell” and/or “share” certain categories of personal information to Cookie Operators, as more fully discussed in the Do Not Sell / Share section below, where we describe your rights to opt out of the “sale” and “sharing” of personal information.

 

Category of PI

Examples of types of PI within category

Third Party Recipients

 1. Identifiers and contact information

Name, alias, postal address, phone number, email address, driver’s license, social security number, employee ID, IP address and other online IDs.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: Cookie Operators

 2. Personal Records

Some PI included in this category may overlap with other categories. Examples include name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, education, employment, employment history, bank account number, medical information, or health insurance information.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 3. Personal Characteristics or Traits

In some circumstances, we may collect PI that is considered protected under U.S. or California law, such as age, gender, nationality, race or information related to medical conditions, but only when that information is relevant for our business purposes (which, as discussed below, include legal obligations).

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 4. Commercial Information

Records of products or services purchased or obtained in the HR context, such as benefits you have signed up for.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 5. Biometric Information

Not Collected

 6. Internet Usage Information

When you use our online systems or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our internal systems and third-party applications, or other sites, applications, or content.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: Cookie Operators

 7. Geolocation Data

If you use our systems or interact with us online we may gain access to the approximate location of the device or equipment you are using, or the location from which you are accessing our systems.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 8. Audio, electronic, visual, thermal, olfactory, or similar Information

Examples of this category may include security video and HR help line recordings.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 9. Professional or Employment Information

For example, if you are an applicant, your current and prior jobs and education. If you are an employee, examples include your status of employment, title, performance reviews, store location, tenure.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 10. Non-public Education Records

For example, official grades, transcripts, class lists, or disciplinary records from your educational institution.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Affiliates and related entities
  • Governmental entities (e.g., making requests pursuant to legal or regulatory process)

Sale/Share: N/A

 11. Inferences from PI Collected

We may draw inferences from other information we collect about you.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 Sensitive PI

 12. Social Security, driver’s license, state identification card, or passport number

For example, we collect certain government ID numbers when you apply for jobs with us or when we onboard you as an employee.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

 13. Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

For example, we may collect account logins in combination with passwords for some of our IT systems.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., making requests pursuant to legal or regulatory process)

Sale/Share: N/A

 14. Racial or ethnic origin, religious or philosophical beliefs, or union membership

You may provide this information voluntarily in an HR context.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., making requests pursuant to legal or regulatory process)

Sale/Share: N/A

 15. The contents of mail, email and text messages, unless Company is the intended recipient of the communication

Like all employers, if you utilize our email or other communications systems, we may review and monitor your communications.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Affiliates and related entities
  • Governmental entities (e.g., making requests pursuant to legal or regulatory process)

Sale/Share: N/A

 16. PI collected and analyzed concerning health

For example, we may receive information about your health in relation to health insurance and other benefits.

Disclosures for Business Purposes

  • General IT, software, and other business vendors
  • HR system and software vendors
  • Non-software HR vendors, such as background check vendors
  • Payroll and benefits vendors and providers
  • Insurance providers and brokers
  • Affiliates and related entities
  • Governmental entities (e.g., in relation to our obligations to determine employment eligibility and responding to requests pursuant to legal or regulatory process)

Sale/Share: N/A

Scope of PI: There may be additional information that we collect that meets the definition of PI under the CCPA but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by category of PI.

Retention Details: The CCPA requires us to either disclose the length of time we intend to retain each category of personal information listed above, or if that is not possible, the criteria used to determine the period of time it will be retained. Because there are so many different types of personal information in each category, and so many purposes and use cases for different data, we have determined that it is not possible to disclose in a clear manner how long we intend to retain each category. The criteria for determining the retention period are whether we have a legitimate purpose for the retention consistent with the collection purposes and applicable law, and/or a legal obligation or right to retain the data. For instance, we may maintain business records for so long as relevant to our business, and/or may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation.

(b) Sources of PI

We may collect your PI from a number of sources, including:

  • You, such as when you apply for a position or become employed or engaged by us (e.g., identification/identity data, contact details, educational and employment data), or otherwise during the course of your employment or engagement
  • Your devices and our equipment and systems
  • From other personnel through interactions in the course of employment or engagement (e.g., performance reviews by your supervisor, information provided by a co-worker, etc.)
  • From third parties (e.g., background check vendors, references, job agencies), including third-party online services, and from public sources of data
  • Our affiliates and related entities
  • If you are an emergency contact, beneficiary, or dependent, from your family member or friend who is employed by us.

(c) Use of PI

Generally, we collect, retain, use, and disclose your personal information for HR business purposes and as otherwise related to the operation of our business. Our HR business purposes include the following:

  • Recruitment
  • Employee Intake/Onboarding/Offboarding
  • Payroll, Reimbursements, and Timekeeping
  • Benefits
  • Employee activation initiatives and communications
  • Training programs and education
  • HR IT Systems and Security
  • Employee and Performance Management
  • Health & Safety/Occupational Health
  • Security (including electronic security and security of premises)
  • Other purposes disclosed at the time you provide your information or done at your direction

Additional business purposes that apply to our business more broadly, and that may apply in the HR context, include:

  • To assignees or potential assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business
  • Compliance with legal obligations or legal process
  • Where we believe we need to in order to investigate, prevent or take action if we think someone might be using information for illegal activities, fraud, or in ways that may threaten someone’s safety or violate our policies or legal obligations
  • Otherwise to the extent not prohibited by applicable law

The italicized business purposes in the list are those that are specifically defined in the CCPA. Our vendors may also use your PI for business purposes and may engage their own service providers or subcontractors to enable them to perform services for us.

 

2. YOUR HR DATA RIGHTS AND HOW TO EXERCISE THEM

AllyGPO, LLC provides California residents the privacy rights described in this section, pursuant to our obligations under the CCPA. To exercise your privacy rights, or if you are an authorized agent exercising privacy rights on behalf of someone else, you can submit a request by the following methods:

Call: 1-866-255-9476

Write to: AllyGPO, LLC

Attn: Privacy Officer

5 Cowboys Way, Suite 300

Frisco, TX  75034

Email: privacyofficer@AllyGPO.com

Please respond to any follow-up inquiries we make, including in relation to the request verification process that we describe further below. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media, etc.).

(a) Right to Know/Access

You can make “right to know” (also known as “access”) requests, as described below, up to twice in a 12-month period.

(1) Categories of Personal Information

You have the right to request that we share with you certain information about our collection, use and disclosure of your PI over the 12-month period prior to the request date. You can request that we disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI (i.e., if we have, in fact, sold PI); (4) the categories of third parties with whom we shared that PI; (5) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each, the categories of recipients, or that no disclosure occurred; and (6) a list of the categories of PI sold about you in the prior 12 months and, for each, the categories of recipients, or that no sale occurred.

(2) Specific Pieces

You have the right to request a transportable copy of the specific pieces of personal information we collected about you in the 12-month period preceding your request. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we do not retain for even 12 months (and thus, it would not be able to be included in our response to you).

(b) Right to Limit Sensitive PI Processing

Certain personal information qualifies as “sensitive” under CCPA, which we refer to in this privacy policy as “Sensitive PI”. You have the right to direct businesses to limit their use and disclosure of Sensitive PI if we use or disclose it beyond certain internal business purposes. We do not believe we use or disclose Sensitive PI beyond such internal business purposes, and therefore, this does not apply to our processing of Sensitive PI.

(c) Do Not Sell / Share

You have the right to opt-out of the “sale” and “sharing” of your personal information, which are defined in the CCPA in ways that are different from their normal meanings as you may understand them. “Sale” of personal information includes “making available” of personal information to a third party, and “sharing” of personal information includes the “making available” of personal information to a third party for targeted advertising that is served based on an individual’s activity across different websites, applications, or services (defined in the CCPA as “cross-context behavioral advertising” and sometimes referred to as “interest-based advertising”). Neither concept requires money to be exchanged.

“Sales” and “sharing” of personal information may occur when third party operators of cookies and other tracking technologies (“Cookie Operators”) collect information on our websites that meet the definition of personal information. We understand that giving access to personal information on our websites to certain Cookie Operators could be deemed a “sale” and/or “sharing” under the CCPA. Therefore, we will treat such personal information (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Cookie Operators as such, except in circumstances where they are able to act as “service providers”, which are vendors that agree to process personal information pursuant to limited purposes.

As explained above, the categories of information that we may be considered to “sell” or “share” are “identifiers” (e.g., cookie ID, IP address, and other online IDs) and “internet usage information” categories when you visit our websites to apply for a job. As a reminder, for any activity on our websites and other digital services that are not in the HR context, please visit our general privacy policy. 

Below, we provide you instructions on how to opt-out of the activities we have just described that may constitute “sale” and “sharing”.

Opt-out for cookie PI: If you want to opt-out of the Sale/Sharing of such PI, you can exercise an opt-out request on our cookie management tool by selecting Do Not Sell My Personal Information. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Please be aware that if you use ad blocking software, our cookie management tool and/or our cookie banner may not appear when you visit our website, and you may have to use the link above to access the tool.

The CCPA also requires us to state that we do not knowingly “sell” or “share” the PI of Consumers under 16.

We may disclose your PI for the following purposes, which are not a “sale” or “sharing”: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

(d) Opt-Out Preference Signals (also known as Global Privacy Control or GPC)

The CCPA requires businesses to process opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicates the individual’s choice to opt-out of the “sale” and “sharing” of personal information. The opt-out preference signal is also known as GPC. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC.

We receive and process OOPS/GPC in a “frictionless manner”, which means that we do not (1) charge a fee for use of our website if you have enabled OOPS/GPC, (2) change your experience with any product or service if you use OOPS/GPC, or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.

We process OOPS/GPC with respect to “sales” and “sharing” that may occur in the context of collection of personal information online by Cookie Operators, discussed above. We do not process OOPS/GPC for opt-outs of “sales” and “sharing” in any other context (e.g., offline data) because our “sale” and “sharing” activities are limited to personal information collected online by Cookie Operators, as discussed above.

(e) Right to Delete

You have the right to request that we delete personal information that we collected directly from you. However, we may have retention rights or obligations that apply, such as for legal, security, or internal business purposes such as maintaining business records, which we will take into consideration when processing your request.

(f) Correct Your Personal Information

You have the right to request that we correct inaccuracies that you find in your personal information maintained by AllyGPO, LLC. Your request to correct is subject to our verification (discussed below) and the CCPA’s response standards.

(g) Automated Decision Making/Profiling

We may engage in processing that constitutes automated decision-making or profiling under the CCPA. However, as of the Effective Date, the definitions of these concepts, and any associated opt-out and access rights have not been added to the updated CCPA and finalized.

(h) Non-Discrimination / No Retaliation

We will not discriminate or retaliate against you in a manner prohibited by the CCPA for your exercise of your privacy rights.

 

3. VERIFYING YOUR REQUESTS, AGENT REQUESTS, AND OUR RESPONSES

 (a) Request Verification Process

As required by the CCPA, when you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf. In addition, we will compare the information you have provided to ensure that we maintain personal information about you in our systems. We may ask initially that you provide certain verifying information, such as your name, home address, email address, phone number, etc. We will review the information provided as part of your request and may ask you to provide additional information via email or other means as part of this verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. The same verification process does not apply to opt-outs of “sale” or “sharing”, or Limitation of Sensitive PI requests, but we may apply some verification measures if we suspect fraud.

The verification standards we are required to apply for each type of request vary:

We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request.

If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by the CCPA. For example:

  • If we cannot verify your deletion request, we will refer you to this privacy policy for a general description of our data practices.
  • If we cannot verify your Specific Pieces request, we will treat it as a Categories request.

(b) Agent Requests

You may use an authorized agent to make a request for you via the above methods, subject to our verification of (i) the agent, (ii) the agent’s authority to submit requests on your behalf, and (iii) you. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.

(c) Our Responses

Some personal information that we maintain is insufficiently specific for us to be able to associate it with an individual (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that personal information in response to those requests. If we cannot comply with a request, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify personal information that we maintain to respond to your requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

 

4. OUR RIGHTS AND THE RIGHTS OF OTHERS

We may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights and our obligations under the CCPA and as otherwise set forth in this privacy policy. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

 

5. CONTACT US

If you have any questions, comments, concerns, or complaints about our privacy practices, please contact us as indicated below.

AllyGPO, LLC

Attn: Privacy Officer

5 Cowboys Way, Suite 300

Frisco, TX  75034

1-866-255-9476

privacyofficer@AllyGPO.com