1.1. What is the purpose of this document?
If you are resident in the EU, this will include the European General Data Protection Regulation (“GDPR”) or, if you are resident in a country that has adopted a local law to implement or adopt the GDPR such as the United Kingdom (together “GDPR Subjects”), the applicable local law implementing or adopting the GDPR (“Applicable Local Laws”). Please see the section “Additional Information for GDPR Subjects” below, for further information.
If you are a resident of California, this will include the California Consumer Privacy Act of 2018, which adds Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code of the State of California (“CCPA”), and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations. Please see the section “Additional Information for California Consumers” below, for further information.
Unless otherwise indicated herein or in an applicable privacy law, the terms “controller”, “data subject”, “processor”, “processing”, and “sensitive data” shall have the meanings given to them in the GDPR, and the terms “service provider”, “business”, “collects” (and “collected” and “collection”), “consumer”, “business purpose”, “sell” (and “selling”, “sale”, and “sold”), “sensitive personal information”, and “service provider” have the meanings given to them in §1798.140 of the CCPA.
When we refer to “personal data”, “personal information”, and “personally identifiable information” in this Notice, we mean any information about you from which you can be identified, and otherwise each term has the meaning given to it under the GDPR, CCPA, or other applicable privacy law. These terms do not include data where your identity has been removed, from which you cannot be identified, or that cannot be related to you (anonymous data).
1.2. What does this Notice cover?
This Notice sets out information relating to the Personal Data we collect from or about you when you apply to work for us, whether as an employee, worker, or contractor. It will apply when you submit your resume, CV, cover letter, or other materials submitted with an application form (together or each separately, an “application packet”) directly to us, through our online recruitment portal, https://lattice.com/careers, or where your application packet has been sent to us by a recruitment agent on your behalf.
1.3. How do I contact Lattice?
For the purposes of the GDPR and Applicable Local Laws, Lattice is the “data controller” of Your Data. For purposes of the CCPA, Lattice collects and processes Your Data as a “business”. In each case, this means that we are responsible for deciding how we hold and use Your Data.
If you have any queries regarding this notice or complaints about our use of Your Data, please contact us at [email protected] or at the address below and we will do our best to address your concerns or query as soon as possible.
360 Spear Street, Floor 4
San Francisco, CA 94105
2. Information about our use of your data
2.1. The kind of information we hold about you
In connection with your application for work with us, we will collect, store, and use the following categories of Personal Data about you:
- The information you have provided to us in your application packet or if you otherwise contact us about a role with us, such as by email; and
- Any information you provide to us during an interview.
This information is likely to include the following types of Your Data:
- Email address
- Phone number
- Postal address
- Date of Birth
- Employment history
- Educational history
- National ID or Social Security Number
- Personal photograph
- Veteran status
We may also collect, store and use the following types of more sensitive personal information (known as “Special Category Data”), where this information is relevant to the role you are apply for and/or you choose to disclose it to us:
- Information about your race or ethnicity;
- Information about your health or disability status, including any medical condition, health and sickness records; and
- Information about criminal convictions and offenses.
As further described in this Notice, we do not sell any of Your Data collected or processed hereunder, including any Special Category Data, nor do we use Your Data or Special Category Data for inferring characteristics about you, or for any other purposes not described in this Notice.
2.2. How is your personal information collected?
We collect personal information about you in a variety of ways. The majority of the information we collect will come directly from you in the following ways:
- Information you voluntarily upload to our careers/recruitment website;
- Notes made by our recruitment team during a recruitment interview; and
- Information from official documentation you provide to us such as for background checks.
Other details may be collected indirectly from the following sources:
- You, the candidate
- Recruitment agencies
- Your named references
- Background check providers
- Credit reference agencies
- Third-party platforms such as Indeed or LinkedIn, if these were used to apply for the role; and
- Publicly available sources such as social media sites (to the extent necessary and relevant to the job role).
If you have submitted your application through our recruitment portal, Greenhouse, we may also link the data you provide to us with other publicly available information about you that you have published on the internet, including sources such as LinkedIn and other social media profiles.
2.3. How we will use information about you
We will use the personal information we collect about you to:
- Assess your skills, qualifications, and suitability for the role advertised;
- Carry out background and reference checks, where applicable;
- Communicate with you about the recruitment process;
- Keep records related to our hiring processes;
- Comply with legal or regulatory requirements, such as right to work checks;
- Respond to requests to exercise privacy rights;
- Facilitate contract signing; and
- Perform analytics.
Our legal basis for processing Your Data in this way is that it is necessary for our legitimate interests to decide whether to appoint you to the role, since it would be beneficial to our business to appoint someone suitable to that role. Where we are processing Your Data in order to comply with legal or regulatory requirements, our legal basis is that it is necessary for compliance with a legal obligation to which we are subject. We may also seek your consent to process Your Data in specific circumstances, or process it where necessary to comply with a legal obligation or for purposes connected to legal claims.
Further, we will process certain of your personal information to decide whether to enter into an employment contract or at-will employment arrangement with you.
Once you submit your application packet to us (or your recruitment agent provides it to us), we will process that information to decide whether you meet the basic requirements to be shortlisted for the role and, if so, invite you for an interview. Generally, the process is as follows, although occasionally there may be fewer or additional steps:
- A Lattice recruiter will review your application and either move you through the process or reject you.
- If moved through, the recruiter will reach out to schedule a call with a member of the recruiting team.
- If that call goes well, a call with the hiring manager will be arranged.
- In some cases, depending on the role applied for, you will be asked to complete a “take home” assignment.
- Following this, a round or two of onsite or virtual interviews will be conducted.
- After the onsite or virtual interviews, the Lattice team will debrief.
- If the debrief is positive, the Lattice recruiter will reach out to collect references.
- After references are checked or while they are being checked, the Lattice team will extend an offer.
- Once you verbally accept the offer, a written offer will be sent to you.
- Once you sign the written offer, Lattice will conduct a background check.
2.4. What happens if you fail to provide personal data
You are not obliged to provide us with Personal Data. However, if you decline to provide information when requested, and this information is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application. For example, if we require a credit check or references for the role you have applied for and you fail to provide us with relevant details, we will not be able to take your application further.
2.5. How will we use particularly sensitive personal information
We will use your Special Category Data in the following ways, only with your consent:
- We will use information about your medical or disability status to consider whether we need to provide appropriate adjustments or accommodations during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use information about your race or national or ethnic origin to ensure meaningful Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements. Where local law prohibits us from requesting information about race, national or ethnic origin, we will not request this information and ask that you please do not disclose this information to us.
Our legal basis for using your Special Category Data is consent. Providing U.S. Equal Opportunity Information and Self-Identification of Disability is completely voluntary.
2.6. How will we use information about criminal convictions?
If we decide to offer you the role, we may undertake checks to establish whether you have any criminal convictions and verify your identity. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us to do so.
2.7. Will you be subject to automated decision-making?
You will not be subject to decisions that will have a significant impact on your candidacy based solely on automated decision-making.
2.8. Will we share your data with third parties?
We will only share Your Data with the following third parties for the purposes of processing your application:
- Background check providers
- Candidate profiling service provider (if we ask you to undertake a candidate profile test)
- Our recruitment portal provider, Greenhouse
- Contractors/consultants providing HR services to Lattice
- Our privacy compliance tool, DataGrail, to respond to privacy rights requests
All of our third-party service providers and other entities in the group are required to take appropriate security measures to protect Your Data in accordance with the law and our policies. We do not allow our third-party service providers to use Your Data for their own purposes. We only permit them to process Your Data for specified purposes and in accordance with our instructions.
2.9. What data security do we have in place?
We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorized way, altered, or improperly disclosed. In addition, we limit access to Your Data to those employees, agents, contractors, and other third parties who have a business need-to-know. They will only process Your Data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to respond to any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
2.10. How long will we use your data for
We will retain Your Data for as long as necessary to assess your candidacy for a position with Lattice. Please note that, in certain circumstances, we may retain limited information about you for the period of time during which you are able to bring a discrimination claim under your local law. We retain the information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment process in a fair and transparent way. We will only retain the minimum amount of Personal Data required in these circumstances and will securely delete all other Personal Data that we hold about you.
2.11. Transfers of your data
Your personal information may be transferred to, and processed in, the United States and in any other country where Lattice or its affiliates, subsidiaries, or third party service providers maintain facilities or personnel. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We follow applicable data protection laws when transferring personal data. If you are resident in or a visitor from the EEA, United Kingdom, or Switzerland, we will protect your personal information when it is transferred outside of such locations by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information or otherwise implementing appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission.
3. Additional information for GDPR subjects and California residents
3.1. EU privacy rights
Under the GDPR or Applicable Local Laws, you have certain rights with respect to your Personal Data, including those set forth below.
- Right to request access – you may obtain confirmation from us as to whether or not Your Data is being processed and, where that is the case, access Your Data;
- Right to erasure – you have the right to obtain the erasure of Your Data without undue delay in certain circumstances;
- Right to data portability – you have the right to receive Your Data in a structured, commonly used, and machine-readable format;
- Right to withdraw consent – where you have provided your consent to us processing Your Data, you have the right to withdraw your consent at any time. This can be done by emailing [email protected];
- Right to rectification – you have the right to obtain rectification of inaccurate personal data we hold concerning you;
- Right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on Your Data in certain circumstances or to object to us processing Your Data; and
- Right to lodge a complaint – you may lodge a complaint with the supervisory authority in the EU Member State where you are resident or where you work. For further information on your rights, please see the supervisory authority of your country or EU Member State.
3.1.1. No fee usually required
You will not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
3.1.2. What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to expedite our response.
3.1.3. Time limit to respond
We endeavor to respond to all legitimate requests within one month. However, it could take us longer than a month to respond if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2. California privacy rights
California residents have the following rights with respect to their Personal Data:
- Right to request disclosure – You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information (note that we do not sell personal information collected under this Notice).
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- We do not sell personal information collected in association with your application packet. However, if we sold or disclosed your personal information for a business purpose, upon receipt of a verified request we would provide two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
- Right to request deletion – You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request in certain circumstances as specified in the CCPA,including situations where we require the data to comply with our legal obligations or because we or our service providers require it to complete the transaction for which we collected the personal information.
- The right to correct inaccurate or incomplete information about you.
- The right to limit the use and disclosure of sensitive personal information.
- The right to opt-out of the sale of personal information (if we sold your personal information, which we do not).
- The right to opt-out of the processing of personal information by automated decision-making technology (as indicated above, you will not be subject to decisions based solely on the use of automated decision-making technology).
- The right to not to be discriminated against based on exercising your data protection or consumer rights (we do not discriminate against any individual for exercising such rights).
As indicated above, we do not sell any Personal Data provided to us by job candidates. We use the information solely for the purposes of the recruitment process.
3.3 Exercising your privacy rights
You can exercise your rights yourself or, depending on your country or state, you may be able to designate an authorized agent to exercise these rights on your behalf. Please note that to protect your personal information, we will verify your identity by a method appropriate to the type of request you are making. For example, this could include sending an e-mail to an address on record, or asking you to identify a recent transaction or communication. We may also request that your authorized agent sign a declaration under the penalty of perjury attesting to their designation as your authorized agent, and that they have written permission from you to make requests on your behalf. We may also need to verify your authorized agent’s identity to protect your personal information.
Please use the contact details below, if you would like to:
- Access this Notice in an alternative format;
- Exercise your rights;
- Contact Lattice’s Data Protection Officer;
- Learn more about your rights or our privacy practices;
- Designate an authorized agent to make a request on your behalf; or
- Ask a question related to this Notice, or about any of your rights available to you under an applicable data protection law.
E-Mail: [email protected]
Request Portal: https://preferences.lattice.com/privacy
Alternatively, you can write to us at:
Degree, Inc. DBA Lattice
360 Spear St, Floor 4
San Francisco, CA 94105
3.4 Background check providers
If you are applying for a role in the United States, we use the background check provider Goodhire. For applicants to positions in our UK office, we utilize the background check provider HireRight. It may be necessary to transfer your data to third parties outside the EEA in some cases. Each provider will only process your personal information with your explicit authorization and consent.
Whenever we transfer Your Data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- With certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
Please contact us if you want further information on the specific mechanism used by us when transferring Your Data out of the EEA.
The Lattice careers website is not intended for minors under the age of 16, and Lattice does not process or disclose personal information of minors under sixteen years of age.
We reserve the right to amend this Notice at any time in order to address future developments of Lattice, its careers website, or changes in industry or the law. We will post the revised Notice online. You can determine when the Notice was revised by referring to the “Last Updated” date on the top of this Notice. Any changes will become effective upon the posting of the revised Notice online, and by continuing to use Lattice’s careers website or submitting an application packet following such changes, you will be deemed to have read, understood, and agreed to such changes. If you do not agree with the collection and processing of Your Data as described in this Notice, in whole or part, you can choose not to continue to use the careers website or apply for a role with Lattice.
By submitting an application packet, you acknowledge that you have read and understood the disclosures set forth in this Notice.