Rokt Privacy Statement and Notice at Collection for Personnel

Last Updated: October 26, 2023

Rokt Inc. and its subsidiaries (“Rokt”, “we”, “us”, or “our”) are committed to safeguarding and maintaining the privacy of our employees, contractors, consultants, and other personnel (“you”, “your”, or “Personnel”). This Privacy Statement and Notice at Collection for Personnel (“Privacy Statement”) describes how Rokt collects, uses, stores, and disposes personal data collected about you in the context of your employment at, or engagement with, Rokt. This Privacy Statement does not apply to interactions you may have with Rokt outside of your employment, contracting, or consulting capacity.

The controller of your personal data is the Rokt legal entity that hired or engaged you.

1. What Personal Data We Collect

We may collect, receive, and develop several categories of personal data about you over the course of your employment or engagement with us, including:

  • Contact information: We collect your full name, postal address, email address, home telephone number, mobile phone number, and date of birth. We may also request basic contact information for an emergency contact.
  • Family members and dependents: In certain countries, we collect information about your family members and dependents, such as in the context of your beneficiary enrollment forms.
  • Government identification: We collect your government identification numbers and documents, such as a social security number or national insurance number, driver's license number, government identification card, and/or passport number.
  • Demographics and information about legally protected classifications: We may collect basic demographic information about you, such as where you were born, your zip code, age (and date of birth), gender, nationality, primary language, visa status, citizenship, and socioeconomic status. In order to comply with legal requirements or our own diversity and workforce initiatives, or to make workplace accommodations, we may also collect information about protected classifications, such as race/ethnicity, , marital status, pregnancy status, disability status, and military/veteran status. Not all of these categories are mandatory for you to provide.
  • Job-related information: We collect or create records with information about your role with Rokt, such as job title, work history, business contact information, assignments, educational details and background, professional certifications, performance goals, career planning, evaluations, training records, policy compliance records, disciplinary records, and absences.
  • Compensation and benefits information: We collect information about your salary, bonuses, commissions, hours and overtime, leaves of absence, benefits enrollments, and dependent information (such as their names and relationship to you).
  • Bank and financial information: We collect your bank details (for payroll and reimbursement purposes only).
  • Commercial information: If applicable, we will collect information about your business travel and expense records for reimbursement and planning purposes.
  • Internet, network, and IT information: We collect information about your usage of Rokt’s websites, intranet, hardware, and devices. For instance, we log when and where you sign in and out from our network, and we collect information about what websites you visit while using our network, your browsing and search history on our network, the content of your work emails, and your publicly available social media activity. We also collect the username and password you create to access your Rokt account. In short, we may review records of anything you do on the Rokt network or using Rokt devices and hardware.
  • Audio, visual, CCTV, and surveillance information: We may collect or access voicemails stored on our systems, recordings of meetings or video conferences, and footage from CCTV video surveillance cameras. We may take photos of you, including headshots for purposes of security badges. We keep a record of which security access points you scan in and out of using your security badge.
  • Preferences: From time to time, we may ask you to provide information about your hobbies, leisure activities, membership in voluntary or civic organizations, and preferences regarding travel, hours, food for company events, and the like.
  • Location information: We may collect location information regarding Rokt devices.
  • Health and medical information: We may collect limited information about health and medical issues, such as on-the-job injuries and medical conditions or disabilities that require workplace accommodations. We also collect information related to requests for leave for medical reasons. We may collect your health insurance information, such as a policy number.
  • Inferences: We may draw inferences about you, based on information collected above.
  • Sensitive personal data: Certain of the above personal data elements are considered sensitive personal data under privacy laws and may be subject to heightened rights and protections. Of the information elements described above, some or all of the following may be treated as sensitive personal data under local privacy laws: government identification numbers, Rokt account login credentials, financial account numbers, and health information.

2. How We Use Personal Data

We use the personal data we collect from and about you for various business purposes, including:

  • Human resource administration: We may use personal data to manage Personnel matters; to communicate with Personnel; to plan and arrange work supplies and workspaces; to fulfill record keeping and reporting responsibilities; to resolve internal grievances and disciplinary issues; to administer workers’ compensation claims; to make business travel arrangements; to manage Personnel-related emergencies, including health emergencies; to administer compensation, bonuses, other forms of compensation, reimbursements, insurance, and other benefits (as permitted by law); to manage vacation, sick leave, and other leaves of absence; to track hours and attendance; to conduct workplace investigations; and to monitor compliance with Rokt policies and training requirements. For contractors and consultants, we also use personal data to execute our contracts with you and perform our obligations under any such contracts or agreements.
  • Employee development and quality of life: We may use personal data to evaluate your continued suitability in your position; to conduct surveys and solicit feedback; to maintain a Personnel directory; to facilitate communication, interaction, and collaboration among Personnel; to arrange meetings and manage Rokt-sponsored events and public service activities; to promote Rokt as a place to work; for reporting and data analytics/trend analysis; to provide, evaluate, and manage training; to evaluate job performance and consider employees for other internal positions or promotions; to conduct performance appraisals and reviews; to assist with professional licensing; to develop a talent pool and plan for succession; for career development activities; for diversity and inclusion programs; to arrange team-building and other morale-related activities; to create Personnel recognition and awards programs; to recognize and celebrate special occasions; and to design Personnel retention programs.
  • Monitoring and security: We use personal data to protect and secure Rokt’s physical locations and facilities, electronic networks, Personnel, and guests. We may monitor usage of Rokt networks and systems, company assets, and other electronic resources or IT assets, including, from time to time, recording video conferences for record-keeping and training purposes. We may also use personal data to conduct internal audits and investigations; to report suspected criminal conduct to law enforcement and cooperate in investigations; to control access to secure facilities; to monitor compliance with Rokt policies; to exercise our rights under applicable law; and to support any claim or defense in a case or before any court of law or regulatory body.
  • Marketing initiatives: For certain roles, we may use your name, photograph, work history, brief bio, and/or other personal data in our marketing or promotional materials.
  • Managing health issues: We use your health information to the extent necessary to comply with our legal obligations, such as to accommodate disabilities. In addition, we may use your health information to the extent necessary for workers’ compensation purposes; for occupational health and safety surveillance; compliance and record-keeping; to conduct fitness-for-duty examinations; to administer leaves of absence and sick time; to provide a wellness program; and to respond to a Personnel’s medical emergency.
  • Legal compliance and reporting: In certain jurisdictions, we may be required to track and report on workforce statistics, such as statistics about hiring and retention of members of protected classifications.
  • Location data: We may collect location information about your devices as part of our compliance tracking and data security protocols.
  • Corporate transactions, mergers, and acquisitions: We may use personal data in connection with the planning for, analysis of, or execution of a corporate transaction, sale, assignment of assets, merger, divestiture, or other changes of control or financial status of Rokt Inc. or any of its subsidiaries or affiliates.
  • Other lawful purposes: We may use personal data to manage and operate information technology and communications systems, risk management and insurance functions, budgeting, financial management and reporting, and strategic planning; to manage litigation involving Rokt, and other legal disputes and inquiries and to meet legal and regulatory requirements; to monitor the activities of our employees; to manage licenses, permits, and authorizations applicable to our business operations; to verify your identity in the event you make a request pursuant to this Privacy Statement; to protect the rights, property, or safety of Rokt; and as otherwise expressly consented by you from time to time.

Note about our lawful basis for processing personal data about Personnel: We normally collect personal data from and about Personnel only: (i) where we need the personal data to perform a contract with you (such as to fulfill our employment or contracting agreement with you), (ii) where the processing is in our legitimate interests and not overridden by your rights (such as to maintain our working relationship with Personnel and conduct routine business functions, such as administering payroll and benefits, keeping a record of performance evaluations and attendance, or maintaining a central database of contact information), or (iii) where we have your consent to do so. In less common cases, we may also have a legal obligation to collect personal data from or about you to protect your vital interests or those of another person.

3. When and How We Collect Personal Data

We collect personal data from and about you in various ways, including:

  • Directly from you: We receive certain personal data directly from you, such as when you complete assessments or surveys, complete employment onboarding paperwork, enroll in benefits programs, or communicate with us.
  • Automated technologies and tracking tools: We use a variety of tracking tools and technologies that can automatically collect information about how you access or use Rokt’s electronic resources (e.g., computers, mobile devices, telephones, and printers), electronic key cards, and your browsing behavior and search terms on the intranet and internet.
  • Internally generated records: We generate certain records of personal data internally, such as when we conduct performance assessments and evaluations.
  • Affiliated companies: We may get certain personal data about you if you work on a cross-enterprise team or if you are under consideration for a transfer from one Rokt entity to another.
  • Service providers and other businesses: We may get personal data about you from job references, business partners, professional employer organizations or staffing agencies, background check providers, our vendors and service providers, and/or insurance companies.
  • Publicly available sources: We may get personal data about you from social media sites, job boards, public profiles, and other public online sources.
  • CCTV, surveillance, and recording technologies: We use CCTV and video surveillance in certain common areas of Rokt facilities, which will incidentally capture and record your appearance.
  • Acquired company: If you were an employee of a company that Rokt acquired and you transfer to Rokt in connection with such transaction, we may receive personal data about you from the acquired business.

4. We Disclose Some Personal Data to Others

We disclose certain personal data of Personnel under the following circumstances:

  • Internally within Rokt: On a need-to-know basis, other Personnel within Rokt will have access to relevant personal data about you in order for such other Personnel to perform their own job functions.
  • With Rokt affiliates and subsidiaries: We may share your personal data with our affiliates and subsidiaries under common control.
  • With service providers, tech providers or other business partners: We may share your personal data with vendors who perform functions on our behalf, such as Software as a Service providers, hosting companies, payroll service providers, insurance firms, pension funds/trustees, auditors, accounting companies, banks and financial institutions, travel management service providers, and security services providers. Our internal database and intranet providers will have access to your personal data. We can share your contact details with our business partner for maintenance of business relationship purposes as part of your job duties.
  • Mergers, acquisitions, transfers, and other business dealings: As part of our business operations, we may disclose your Rokt business contact information to customers and clients for business transactions and discussions. If Rokt becomes involved in a merger, consolidation, acquisition, sale of assets, joint venture, securities offering, bankruptcy, reorganization, liquidation, dissolution, or other transaction or if the ownership of all or substantially all of our business otherwise changes, we may share or transfer your personal data to other parties in connection with due diligence processes and the transfer of assets. Also, if any bankruptcy or reorganization proceeding is brought by or against us, all such information may be considered an asset of ours, and as such may be sold or transferred to other parties.
  • Marketing materials and public announcements: With prior notice to you, we may disclose basic, non-sensitive personal data to the public as part of a press release or marketing materials. For example, we may include basic biographical information about you in a public announcement about promotions or awards. We also post photos to our social media accounts, some of which contain images of our employees; when we do this, visitors to our social media pages may see pictures that depict our employees.
  • For legal compliance: We may disclose your personal data to outside parties to comply with a legal obligation, law enforcement request, or court order; when we believe in good faith that the law requires it; at the request of governmental authorities conducting an investigation; to verify or enforce our employment or other applicable policies; to respond to an emergency; or otherwise to protect the rights, property, safety, or security of other Personnel, customers, visitors, or members of the public.
  • Other disclosures: We may disclose your personal data for other reasons that we describe to you from time to time as permitted by law.
  • Non-personal data: We may disclose information that has been de-identified or aggregated (such that it does not identify or relate to you) with other parties for any purpose. This may include aggregated demographic statistics about our workforce, for instance.

5. Your Privacy Rights

If provided for by local privacy law, and depending on where you are located, you may make some or all of the following requests with regard to your personal data that Rokt collects about Personnel in the employment, contracting, and consulting context:

  • Access / Portability / Right to Know: You may have the right to request the following specific disclosures regarding the personal data we have collected about you:
    • A portable copy of the specific pieces of personal data we have collected about you;
    • A list of categories of personal data we have collected about you;
    • A list of categories of sources from which such personal data was collected;
    • A list of categories of personal data that we sold or disclosed for a business purpose about you;
    • A list of categories of third parties to whom the personal data was sold or disclosed for a business purpose;
    • The business or commercial purpose for collecting your personal data; and/or
    • Information about the logic involved in any automated decision-making processes used by Rokt (if applicable), as well as a description of the likely outcome of the process with respect to you.
  • Deletion / Erasure: Upon your verified request, and subject to important exceptions, we will delete the personal data we have collected about you. This deletion right will not apply in situations where applicable law authorizes or requires us to retain specific elements of personal data. Please note that there are many state and federal legal requirements for Rokt related to Personnel personal data recordkeeping, and any deletion request will be subject to those requirements.
  • Correct or update your personal data: You may have the right to request that we correct, update, or modify the personal data we maintain about you, so that your internal records are accurate and current. We have the right to confirm the validity and accuracy of your requested changes, and we have our own legal obligations to maintain records that are accurate to the best of our knowledge.
  • Sales and Sharing of Personal Data for Behavioral Advertising: We do not “sell” or “share” your personal data (as those terms are defined under applicable privacy laws) that we collect or receive in the employment, contracting, and consulting context.
  • Object to processing: You may be able to object to the processing of your personal data, where we carry out such processing on the grounds of our legitimate interests.
  • Restrict processing: You may be able to ask us to restrict processing of your personal data or block the further use of your personal data. When processing is restricted, we can still store and retain your personal data.
  • Refuse or withdraw consent: If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
  • Sensitive personal data: In reference to the sensitive personal data identified in Section 1 above, where allowed by applicable laws, you may be able to request that we limit our use and disclosure of such information only for those purposes specified under applicable privacy laws.
  • Opt-out of automated decision-making: You may have the right to request to opt-out of any profiling or automated decision-making undertaken by Rokt in relation to your employment or engagement (if applicable).

To submit a privacy request relating to your Personnel-related personal data, please send an email to privacy@rokt.com or submit a service desk request ticket via People Team Service Desk. You will not be discriminated against for exercising the above rights.

We may deny certain requests, or fulfill a request only in part, based on our legal rights and obligations. For example, we may retain Personal Data as permitted or required by law, such as for tax or other record keeping purposes.

You have the right to complain to a data protection authority about our collection and use of your personal data, including if you are not satisfied with our response to your privacy requests. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area and the United Kingdom are available here.

We will take reasonable steps to verify your identity prior to responding to your requests. The verification steps will vary depending on the sensitivity of the personal data, the type of request, and whether you are a current employee or a former employee.

You may designate an authorized agent to make a request on your behalf by following the same steps described above. When submitting the request, please ensure the authorized agent identifies himself/herself/itself as your authorized agent.

6. Additional Privacy Disclosures for California Residents

For purposes of California privacy law, California residents should note the following additional information when it comes to our processing of Personnel personal data:

  • Categories of personal data collected. We may collect the following categories of personal data, as more fully described in Section 1 above:
    • Identifiers (including your name, address, internet protocol (IP) address, government identification numbers, email address, phone number, and/or other similar identifiers);
    • Personal data as defined in Cal. Civ. Code § 1798.80(e), such as your name, contact information, education, employment, employment history, and bank account information;
    • Characteristics of protected classifications, such as age (and date of birth), gender, military or veteran status, marital status, disability status, and pregnancy status;
    • Commercial information, such as your business travel and expense records;
    • Internet or other electronic network activity information, such as browsing history, search history, online behavior, interactions with our applications and systems, and your use of Rokt IT assets;
    • Professional or employment-related information, such as job title and business contact information, work history and professional experience, performance evaluations, and records of trainings taken;
    • Education information, such as your educational institutions attended, degrees and certifications received, and academic transcripts.
    • Audio, electronic, and visual information, such as photographs of you, recordings of online meetings, recordings of phone calls, and CCTV recordings;
    • Sensitive personal data, as already disclosed above, such as government identification numbers, race/ethnicity, health information, and bank account information for direct deposit;
    • Audio, electronic, visual, thermal, olfactory, or similar information, such as CCTV recordings, audio recordings, and photos taken for security purposes; and
    • Inferences about you drawn from the above categories of personal data.
  • Purpose for processing your personal data. We use the above categories of personal data (including sensitive personal data) for the purposes described in Section 2 above.
  • Categories of sources of personal data. We collect the above categories of personal data (including sensitive personal data) from the following categories of sources, as more fully described in Section 3 above:
    • Directly from you;
    • Automatically from your devices and Rokt-issued hardware or IT assets;
    • From our service providers;
    • From social media;
    • From our business partners, such as staffing agencies, insurance companies, and professional employer organizations;
    • From internally generated sources, such as records, notes, and evaluations created by your co-workers and superiors about you;
    • From surveillance technologies in and around Rokt facilities (e.g., CCTV and audio recording technologies);
    • From publicly available sources, such as professional networking sites, job boards, public profiles, credentialing and licensing organizations; and
    • From our corporate affiliates, subsidiaries, and/or parents.
  • Categories of recipients to whom we disclose personal data. We may disclose your personal data (including sensitive personal data) to the following categories of third parties, as more fully described in Section 4 above:
    • Rokt affiliates and subsidiaries;
    • Service providers (such as companies that host or operate our networks and intranet, process payroll, analyze data, and/or provide legal, accounting, auditing, or other professional services), other business partners (such as vendors, customers etc.);
    • Law enforcement or as required by legal obligations or court orders;
    • In the context of a corporate restructuring or similar transaction;
    • For public announcements (e.g., press releases to announce promotions or hirings); and
    • Third parties to whom you or your agents authorize us to disclose your personal data.
  • Sales” and “Sharing”. We do not “sell” or “share” Personnel personal data (as those terms are defined under California privacy law), and we do not knowingly “sell” or “share” the personal data of individuals under 16 years of age.
  • Sensitive personal data. We do not use or disclose sensitive personal data for purposes other than those specified under applicable California privacy regulations.

7. Retention of Personal Data

We retain each of the categories of personal data (including sensitive personal data) for as long as we have an ongoing legitimate business need to do so (for example, to administer the Personnel relationship with current and active Personnel, and to comply with record keeping obligations under applicable employment, tax, or accounting laws). The criteria we use to determine whether we have an ongoing legitimate business need to retain personal data include: (i) regulatory requirements that we are subject to, including laws and regulations related to tax, employment, accounting, and securities, (ii) whether a legal claim might be brought against us, for which the personal data would be relevant, (iii) the necessity of the personal data to administer our employment, contracting, or consulting arrangement with you, and (iv) the types and sensitivity of the personal data being processed.

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

8. International Transfers

Rokt Inc. is a multinational company, and its Personnel-related functions are located in various countries. As such, we may transfer your personal data to a different jurisdiction or country from where you are located. For Personnel whose personal data is subject to the EU General Data Protection Regulation or UK General Data Protection Regulation, please note that Rokt relies on the European Union Standard Contractual Clauses to transfer personal data from the European Economic Area, Switzerland, and United Kingdom to locations throughout the world, including to the United States. The standard of data protection in these jurisdictions may not be as protective as in the EEA, Switzerland or UK. Further, Rokt and its subsidiaries need to rely on services provided by third parties in order to manage the Personnel relationship, which third parties can be based anywhere in the world. In the event that personal data is provided to a foreign subsidiary or an outsourced third party, Rokt will remain the data controller, we will enter into a processing agreement with such third party-processor, and we will contractually require an adequate level of security and privacy controls before transferring the personal data.

9. Security

Rokt implements commercially reasonable security safeguards and utilizes industry standard physical and procedural security controls designed to protect Personnel personal data. This includes, but is not limited to, firewalls, access controls, system level security, data protection training and other procedures designed to protect information from unauthorized access. Hard copy employee files are restricted and are available only to authorized individuals based upon department and employment responsibilities. However, no method of online or hard copy transmission or storage of personal data is 100% secure, and we cannot guarantee or warrant that your personal data will always be free from unauthorized access, acquisition, or deletion.

10. Policy Changes

Rokt may from time to time revise this Privacy Statement in its sole and absolute discretion to reflect changes in our business practices or new disclosure requirements under applicable privacy laws. If we revise this Privacy Statement, we will notify Personnel by posting the updated Privacy Statement on internal channels and/or by sending you a notification by email or other writing, in accordance with applicable privacy laws. Changes to the Privacy Statement will become effective and will apply to the information collected starting on the date Rokt posts the revised Privacy Statement. If we are required by applicable data protection laws to seek your consent to any changes in use of your personal data described in our updated Privacy Statement, then we will do that.

11. Contact Us

If you have any questions or concerns about this Privacy Statement, the privacy practices of Rokt, our collection or use of your personal data, or you wish to exercise privacy rights with respect to your personal data, please contact us at privacy@rokt.com.

Our Data Protection Officer can be contacted at dpo@rokt.com.

Rokt Inc. is the parent company of the Rokt Group, with subsidiary companies operating in Australia, the United Kingdom, Japan, Singapore, and the USA. For a list of our offices, and contact details, go to https://rokt.com/about-us.

Lionheart Squared (Europe) Ltd., with offices at 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84 Ireland is designated as a representative within the European Union for all members of the Rokt Group that are located outside of the European Economic Area.

Lionheart Squared (Europe) Ltd. shall be addressed in addition to other members of the Rokt Group by supervisory authorities and data subjects on all issues related to processing for the purposes of ensuring compliance with the General Data Protection Regulation (Regulation 2016/679).

Further, Rokt’s UK Representative is Rokt (UK) Limited, located at Aviation House 125 Kingsway, London WC2B 6NH United Kingdom.