Privacy Policy

Last updated on September 23, 2024

This Privacy Policy describes how CarrotHR, Inc. (d/b/a “Assembly,” “we,” “us,” “our”) collects, uses, and shares personal information when you visit our website, joinassembly.com or use our Assembly service (the "Service").

CarrotHR, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CarrotHR, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CarrotHR, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Children Under the Age of 13

The Service is not intended for use by children under 13 years of age, and we do not knowingly collect any information from or about children under 13. If you are under 13, do not use the Service for any reason. If we learn we have collected or received personal information from or about a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information about a child under 13, please contact us at support@joinassembly.com.

1. Information We Collect

We collect certain personal information about you when you use our Service, including:

  • Information you provide to us: When you register for an account, fill out forms, or otherwise interact with the Service, you may provide us with personal information such as your name, email address, birth day and month, work anniversary, work location, etc.
  • Automatically collected information: We may automatically collect certain information about your device and how you interact with the Service, such as your IP address, device type, browser type, pages viewed, and time spent on the Service.

We also collect the information through the Service, which may include:

  • information that you provide by filling in forms on the Service, including information you provide when you register to use the Service or send us a request or report a problem with the Service; and
  • details of transactions you carry out through the Service.

You also may provide information to be posted on areas of the website that are visible on the Service, such as to other users in your organization or that are transmitted to third parties as part of your or your organization’s use of the Service (collectively, "User Contributions"). Your User Contributions are posted and/or transmitted at your own risk. We limit access to certain pages according to your or your organization’s usage and privacy settings, but you acknowledge that no security measures are perfect or impenetrable. In addition, you acknowledge that we cannot completely control the actions of other users of the Service with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.

We collect information through Automatic Data Collection Technologies. As you navigate through and interact with the Service, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

  • details of your visits to the Service, such as traffic data, logs, navigation data and other communication data and the resources that you access and use on the Service; and
  • information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is statistical data and may include personal information. This information helps us to:

  • understand our user base and usage patterns;
  • store information about your preferences, allowing us to customize our Service;
  • improve the Service and deliver a better and more personalized service; and
  • recognize you when you return to our Website.

The technologies we use for automatic data collection may include:

  • Browser cookies. A browser cookie is a small file placed on the storage unit of your device. You may refuse to accept browser cookies by adjusting the settings on your browser, and you may delete cookies that have already been placed there. However, if you refuse or delete our browser cookies, you may be unable to access certain parts of the Service or have to re-enter information in order to use the Service.
  • Web beacons. Pages of the Service and our e-mails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).

We do not collect personal information automatically, but we may tie this information to personal information about you that we collect from other sources or you provide to us.

Some content or features on the Service are served by third parties, such as ad networks and servers, content providers, and application providers. These third parties may use cookies or other tracking technologies to collect information about you when you use the Service. For example, we use the Invisible reCAPTCHA for security purposes, and Google Analytics for analytics. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about any targeted content on the Service, you should contact the responsible provider directly. You can read more about Google Analytics and Invisible reCAPTCHA at www.google.com/policies/privacy/partners.

2. How We Use Your Information

We use the personal information we collect for the following purposes:

  • To provide and maintain the Service;
  • To communicate with you about your account or the Service;
  • To personalize your experience and improve the Service;
  • To comply with legal obligations; and
  • For other purposes with your consent.

Enhancing Services with OpenAI API:

  • To offer innovative and improved functionalities within our Assembly service, we may utilize the OpenAI API for specific features, including but not limited to, natural language processing and automation tasks. It is our priority to ensure the privacy and security of our users' information in the following ways:
  • No Personal Data Sharing: We do not share any personal information of our users with OpenAI. The use of OpenAI's API is carefully managed, and no personal information is retained by OpenAI.
  • Prohibition on Data Training Usage: We have taken measures to ensure that our customers' data are not used by OpenAI for the purpose of training their AI models. Data sent to OpenAI's API is strictly for fulfilling the requested service without contributing to the training of OpenAI's algorithms.
  • Commitment to Data Privacy and Security: Our use of the OpenAI API adheres to our stringent data privacy and security standards. We implement robust safeguards to prevent any unintended data sharing and continuously monitor our processes to ensure full compliance with our privacy commitments.
  • By continuing to use our Service, you acknowledge our use of the OpenAI API under these specified conditions. We are dedicated to transparency and encourage any inquiries or concerns regarding our data practices to be directed to support@joinassembly.com.
  • Google Workspace APIs Usage: We confirm that data retrieved from Google Workspace APIs is solely utilized to provide and improve our application's functionality for our customers. This data is not used for any other purposes, including developing, improving, or training generalized AI and/or ML models.

We may also use your information to contact you about our own products and services that may be of interest to you. If you do not want us to use your information in this way, please click the ‘unsubscribe’ link at the bottom of any marketing email we’ve sent you.

We may use the information we have collected from you to enable us to display advertisements for our products and services. We only retain personal information for as long as your (or your organization’s) account is active or as necessary to provide services to you or your organization under our Terms and Conditions of Service or other agreement between you or your organization and Assembly.

Please note: The California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to state in their privacy policy whether or not they disclose personal information in exchange for monetary or other valuable consideration. While CCPA only covers California residents, when it goes into effect we will voluntarily extend its core rights for people to control their data to all of our users in the United States, not just those who live in California. You can learn more about the CCPA and how we comply with it here.

3. Data Sharing

We may share your personal information with third parties in the following circumstances:

  • To fulfil the purpose for which you provide it, such as to notify another user in your organization of recognition received, to activate an integration that you select with a third-party service, or to redeem points from a third-party vendor;
  • To service providers, such as payment processors, we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;
  • With law enforcement or other government agencies when required by law or to protect our rights;
  • In connection with a merger, acquisition, or other corporate transaction; and
  • With your consent or at your direction.
  • If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Assembly or its personnel, customers, or others.

4. Data Transfers

Your personal information may be transferred to and processed in countries outside of the European Economic Area (EEA) or Switzerland, including the United States. We will take appropriate measures to ensure that your personal information receives an adequate level of protection in accordance with applicable data protection laws.

5. Your Rights

You have the right to review, update, and correct certain elements of your personal information by logging into the Service and visiting your account profile page.

In addition, you have the right to limit the use and disclosure of your personal data, particularly in relation to third-party sharing for purposes other than those essential for providing the service. You can manage these preferences by sending an email to support@joinassembly.com. Our team will promptly process your request, and you will be notified once your preferences have been updated. Please note that any requests to limit data sharing may impact the functionality or availability of certain features of the Service.

You may also send us an email at support@joinassembly.com to request access to, correction, or deletion of any personal information that you have provided to us. In order to accommodate such requests, we may need to delete your user account. We cannot delete all of your personal information except by also deleting your user account. Copies of some information, such as your User Contributions, may remain viewable in cached and archived pages or may have been copied or stored by other users of the Site. We will take reasonable steps to delete such information upon request, but cannot guarantee immediate deletion in all cases.

Please be aware that we may not accommodate a request to change or delete information if we believe the change would violate any law or legal requirement, cause the information to be incorrect, or if we have a separate legal basis for retaining and processing such information, such as fulfilling the terms of a contract between you (or your organization) and us.

If you wish to opt out of receiving marketing communications, you can adjust your preferences via your account settings or by contacting us directly at support@joinassembly.com. Please allow up to 30 days for us to process your request.

AI Integrations:

At Assembly, we are committed to safeguarding the privacy and security of our users' data, especially when it comes to our AI integrations. Below, we outline our data retention policies specific to different features that involve AI technology.

App Connections

App connections Sync: For files synchronized through App connections, our data retention policy ensures that these files are indexed for immediate use and then deleted after a period of 24 hours. This brief retention period is designed to balance operational needs with privacy considerations.

File Uploads

Retention Period: Files uploaded through our file upload feature are retained indefinitely until the account is canceled. However, recognizing the need for a definitive data clean-up policy once an account is canceled, we have established a 90-day retention period for these files, after which they will be permanently deleted. 

AI Analytics

For platform usage data utilized by our AI reporting tool and generated reports, we are committed to a principle of minimal data retention, retaining data only as long as necessary for the intended analytical or operational purposes. This period varies based on the specific requirements of each AI feature and is regularly reviewed to ensure compliance with legal standards and privacy best practices. While the exact duration may adjust as our AI features evolve, we aim to limit data retention to a maximum of 60 days, unless operational needs or user actions dictate a shorter period. We empower our users with the ability to manage their data, including the option to close threads, thereby prompting the deletion of associated data within the specified retention period.

Handling of Personally Identifiable Information (PII)

In our use of AI technologies, we take the utmost care to protect your personal information:

Limited Sharing of PII: Only essential personal data, such as basic employee information necessary for answering user queries and providing AI platform usage analysis, is shared with the AI tool. This approach minimizes the risk to your privacy and ensures that the data used is limited to what is strictly necessary for the service provided.

Data Usage by OpenAI: It is important to note that none of the personal data shared with the OpenAI tools is used for training their AI models. This is a key aspect of our partnership with the 3rd Party, aimed at preserving the integrity and confidentiality of your personal information.

Deletion by OpenAI: Our OpenAI partner commits to deleting the limited personal data shared with them after 30 days. This period allows our OpenAI partner to identify any potential abuse of the API while ensuring that data retention is kept to a minimum, in line with our privacy principles.

6. Data Security

We take the security of your personal information seriously and implement reasonable technical, administrative, and physical measures designed to protect your data from loss, unauthorized access, alteration, or disclosure.

The Service is hosted on secure servers provided by our hosting services provider in the United States ("US"). By using the Service or providing us with any information, you acknowledge that the processing of your information, including personal information, will take place in the US as set forth in this notice and our Terms and Conditions of Service or other agreement between you or your organization and Assembly.

We encrypt data at rest using industry-standard encryption technology, and data in transit is encrypted using TLS 1.3. We also enforce a strict access control policy wherein the data is accessed by authorised company personnel.

However, the safety and security of your information also depend on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Service, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

While we take reasonable steps to protect your personal information, please note that the transmission of information over the internet is not completely secure. We cannot guarantee the security of your personal information during transmission, and any transmission of personal information is at your own risk. Once we receive your information, we apply security measures in accordance with industry best practices.

Importantly, we remain responsible for the processing of personal data by third-party service providers and onward transfers, ensuring compliance with the principles outlined in the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the DPF, and the Swiss-U.S. DPF. If our third-party data processors fail to meet these standards, we will be liable for any damage caused, except in cases where we can prove that we are not responsible for the event leading to the damage.

We encourage you to take precautions when using online services and to understand that no data transmission or storage system can be completely secure. In case of any suspected breach of your personal information, please contact us immediately at support@joinassembly.com.

7. Updates to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes to this Privacy Policy by posting the updated policy on the Service or by other appropriate means.

8. Independent Recourse Mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, CarrotHR, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

CarrotHR, Inc. has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction

9. Enforcement

Our organization is subject to the investigatory and enforcement powers of the Federal Trade Commission. We are committed to cooperating with these authorities and complying with their regulations and directives regarding the collection, use, and retention of personal information.

10. Contact Us

If you have any questions or concerns about this Privacy Policy or our privacy practices, you may contact us at support@joinassembly.com.