ProSearch’s principal business is as a provider of eDiscovery services, including processing, hosting, production, data analytics and data management services.
A critical component of ProSearch’s global success has been our effort to reduce or eliminate data protection and data privacy risks across every aspect of our business. To that end, we will only collect and process personal data in the manner described in this Privacy Notice (“Notice”), consistent with all our obligations under applicable local, state, national and international laws.
Should you have any questions regarding this Notice specifically or how we collect and use personal data generally, please contact us at privacy@ProSearch.com.
This Notice describes the types of personal data that ProSearch may collect or process, how we may use and disclose that personal data, and how you may exercise any rights you may have regarding the processing of your personal data.
This Notice applies to personal data collected or processed by us online, when we provide products or services, and in other situations where we interact with individuals directly. Please carefully review this Notice.
In relation to our eDiscovery services, ProSearch is a data processor under the General Data Protection Regulation (GDPR). Processors act on the documented instructions of the data controller for whom they provide services, and do not make independent decisions regarding the handling and processing of data. Accordingly, ProSearch does not collect or use client data for any purpose incompatible with those purposes authorized in its client agreements. Personal information is not stored except as directed by our clients, who own the data, and does not transfer to third parties except as authorized and directed by the client.
In limited instances, ProSearch and its affiliates may also act as a data controller, including for collection of employee data, recruitment data, and data related to business administration tasks.
Collection of Personal Data
“Personal Data” is any and all data that relates to an identifiable person who can be directly or indirectly identified from that data, such as name, address, email address, telephone number, or credit card number. Personal Data in some jurisdictions can include information that indirectly identifies a person, even absent other identifying information.
We collect your Personal Data when you:
- Sign up for informational or marketing materials
- Participate in our events, conferences or training sessions
- Ask us a question by contacting us
- Apply for employment with us
- Serve as an employee or contractor with us
- Interact with us as a client, vendor, supplier or business partner
- Purchase, use or receive our services as a client or on behalf of one of our clients
We will process any Personal Data we collect in accordance with applicable law and as explained in this Notice.
Data from the EU, UK and Switzerland (Data Privacy Framework)
ProSearch fully complies with the following data transfer framework agreements as set forth by the U.S. Department of Commerce:
- EU-U.S. Data Privacy Framework (EU-U.S. DPF)
- the UK Extension to the EU-U.S. DPF
- the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)
ProSearch has fully certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
ProSearch has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Commitment to the DPF Principles extends to all ProSearch entities and affiliates, including ProSearch Strategies Ireland Limited (PSIL – Dublin, Ireland) and Prosk Services India Private Limited in Hyderabad, India.
Data from California, USA
For the purposes of California law, ProSearch does not sell and has never sold, including within the past twelve (12) months, Personal Data of any California residents, including those under age sixteen (16).
Processing of Personal Data
ProSearch obtains Personal Data from individuals directly, our customers and our business partners.
We process the Personal Data we obtain for the following purposes:
- to provide our products and services
- to communicate with clients, partners, and others
- to identify and authenticate users
- to detect security incidents
- to ensure the appropriate use of our products and services
- to improve our product and service offerings
- for administrative purposes
- for marketing, internal research, and development
Types of Personal Data
The types of Personal Data we process include:
- Identity and Contact Information – Examples: First and last name, email address, postal address, phone number, job title, account username and password, and Internet Protocol address (“IP address”). This type of data may be used:
- in connection with inquiries made by a client, potential client, or applicant for employment
- to provide our eDiscovery services
- Demographic Information – Examples: Age, gender, marital status, disability, and date of birth. Demographic information may be used to assess compliance with certain applicable laws and diversity initiatives.
- Commercial and Financial Information – Examples: Transaction records, client service records, financial transaction history, and account numbers. This type of information may be used to:
- provide our eDiscovery services
- support compliance with legal obligations
- Professional and Educational Information – Examples: Job title, employer, skills, employment history, degrees, certifications, trainings, and enrollment in marketing events/initiative. This type of information may be used:
- to assess application for employment
- for marketing purposes, including conferences and networking events
- Technical Information – Examples: IP addresses, browser information, device information, cookies or other similar technologies, and geolocation information. Technical information may be used:
- to protect against cyber security incidents
- for marketing purposes and content
ProSearch has the following legal bases for processing Personal Data:
- for the purposes of our legitimate interests
- to comply with a legal obligation
- to perform a contract
- in circumstances where we have requested and received consent and for other purposes that may be required or allowed by law
Recipients of Personal Data obtained by ProSearch may include:
- ProSearch and its subsidiaries
- business/HR administration vendors
- partners in our provision of products and services
In rare circumstances, ProSearch may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Data security is extremely important to us, and we have implemented suitable technical and organizational measures to protect against the unlawful destruction, loss, alteration and unauthorized disclosure of or access to the Personal Data we collect. These controls encompass all appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of such data, as well as resilience of IT systems.
- ProSearch is certified to ISO\IEC 27001:2013 standards and holds a SOC 2 Type 2 attestation.
- Security infrastructure and safeguards in place at ProSearch (Los Angeles, CA), ProSearch Strategies Ireland Limited (PSIL – Dublin, Ireland) and Prosk Services India Private Limited (ProSearch India) exceed industry standards, in line with the requirements of ProSearch’s ISO/IEC 27001 certification.
- ProSearch complies with all requirements of the EU-US Data Privacy Framework (DPF), the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA), in addition to other local, state, national and international data privacy regulations.
- ProSearch fully complies with all applicable International Traffic in Arms Regulations (ITAR).
Data Subject Rights
Under the applicable jurisdiction’s data protection laws, you have and may exercise the following rights with respect to some or all of your Personal Data held at ProSearch:
- the right to request access to your Personal Data (including under GDPR Article 15)
- the right to request that we rectify or erase your Personal Data (including under GDPR Articles 16 and 17)
- the right to request that we restrict or block the processing of your Personal Data (including under GDPR Articles 18, 21 and 22)
- the right to provide your Personal Data directly to another, i.e., a right to data portability (including under GDPR Article 20)
- the right to withdraw previously provided consent to processing (including under GDPR Article 21)
To exercise these rights, please write to us at privacy@ProSearch.com.
Rights under the CCPA
The CCPA provides California consumers rights regarding their Personal Information (as defined in the CCPA). If you reside in a United States jurisdiction that has enacted a data privacy law, we extend the same rights the CCPA grants to California consumers to you, except where we specify otherwise.
The categories of Personal Data we collect are generally described in the section above titled: Collection of Personal Data. For the purposes of this section, “Personal Information” is the same as the “Personal Data” referred to in that section.
Under the CCPA, qualifying California consumers may have the following rights:
Right to Know, Access, Correct and Delete
A California consumer has the CCPA rights to request that we disclose what Personal Information we collect, use, disclose, share or disclosed for a business purpose.
We may deny deletion requests, in whole or in part, with respect to information we reasonably need to:
- Comply with a legal obligation
- Allow you, other consumer, or us to exercise free-speech rights or other legal rights
- Perform a contract with you or
- If we use the information for solely internal purposes reasonably aligned with consumer expectations
Rights to Opt-Out of Sharing/Sale and Limit Use of Sensitive Information
You also have the CCPA rights to direct us (1) not to share or sell your Personal Information and (2) to limit our disclosure and your use of “sensitive personal information” necessary to provide the website to you.
Although California consumers have the right to opt-out of sharing or selling of Personal Information we do not share or sell and have never shared or sold Personal Information with any third party.
We do not collect “sensitive personal information” as it is defined in the CCPA and we therefore do not provide a mechanism to opt out of the use of such information.
The CCPA prohibits us from discriminating against you if you exercise rights under the CCPA. You do not need to exercise this CCPA right. We never retaliate against anyone exercising their rights under the CCPA.
Because we do not collect Sensitive Personal Information or sell or share any Personal Information, our website is not presently configured to honor any global opt-out preference signal sent from California IP addresses to the website through browser or device-level settings, provided the signal complies with CCPA’s requirements.
To submit a request to exercise a CCPA right, please submit a request as follows:
3250 Wilshire Blvd.
Los Angeles, California 90010
(with “Personal Information Request” in the subject line of your e-mail)
If we receive any request, a California consumer must provide sufficient information to identify the consumer, such as name, email address, home or work address, or other such information that is on record with us so that we can match such information to the Personal Information that we maintain. Do not provide social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, medical information or health information with requests. If requests are unclear or submitted through means other than as outlined above, we will provide the California consumer with specific directions on how to submit the request or remedy any deficiencies. If the requests are unclear we may respond with direction on how to remedy the deficiencies.
If we cannot verify the identity of the consumer making the request, we may deny the request in full or in part.
Responding to Requests
We will respond to your request as quickly as we can, taking into account the nature of your request and the volume of pending requests. For California consumers, we will confirm receipt of your CCPA request within 10 days and will substantively respond within 45 days, unless we provide an explanation why an additional 45 days is necessary. California residents may submit rights requests through an authorized agent. We may request proof that the person who is the subject of the request authorized an agent to submit a privacy request on their behalf.
The content of our response will vary with the nature of your request, but we will always respond in accordance with any deadlines or requirements specified by the laws that apply to you.
Under certain circumstances, we may be unable to provide responsive Personal Information, such as when disclosure would create a substantial, articulable and unreasonable risk to the security of the information, users’ accounts with us, or the security or our systems and networks. We do not disclose account passwords or other non-personal information that enables users to access accounts. We also will not disclose California consumers’ social security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medication identification numbers.
We also will not disclose California consumers’ social security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medication identification numbers, or account passwords and security questions and answers.
We reserve the right to retain an archive of any information about you to the extent permitted by law. We also retain de-identified or aggregate data derived from information about you.
California Do Not Track Disclosures
Although some browsers currently offer a “do not track (‘DNT’) option,” no common industry standard for DNT exists. We therefore do not currently commit to responding to browsers’ DNT signals.
Civil Code 1798.83
Under certain circumstances, California Civil Code Section 1798.83 states that, upon receipt of a request by a California consumer, a business may be required to provide detailed information regarding how that business has shared that customer’s Personal Information with third parties for direct marketing purposes. However, the foregoing does not apply to businesses like ours that do not disclose Personal Information to third parties for direct marketing purposes without prior approval or give customers a free mechanism to opt out of having their Personal Information disclosed to third parties for their direct marketing purposes.
Optimizing our service across multiple jurisdictions often requires a level of collaboration amongst our IT, engineering, application support, and client services and solutions teams. These teams, spread across ProSearch’s operating locations in Ireland, the US and India, must often access client data for the purpose of performing operational, support and maintenance tasks.
EU data protection authorities (DPA) have viewed transfers as encompassing both the transmission of Personal Data outside the European Economic Area (EEA) and remote access to Personal Data stored in the EEA by a person located outside the EEA.
Accordingly, ProSearch Ireland and ProSearch US, and ProSearch Ireland and Prosk Services India Private Limited (ProSearch India), have entered into EU Processor-to-Processor Standard Contractual Clauses (SCC) for access to data necessary for service provision hosted in Ireland by ProSearch. Remote, secure access in this context is afforded to ProSearch teams located in the US and India.
The SCCs provide the appropriate safeguards and mechanisms for data transfer from the EEA to the US and India, pursuant to GDPR Article 46(2)(f).
The Processor-to-Processor SCCs in place between ProSearch Ireland (data exporter) and ProSearch US (data importer) require that a Transfer Impact Assessment (TIA) is performed.
ProSearch has further committed to refer unresolved privacy complaints under the Data Privacy Framework to an independent dispute resolution mechanism.
For this purpose, we use the Better Business Bureau, operated by the BBB National Programs, an independent dispute resolution provider.
If you do not receive timely acknowledgment of a complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf for more information and/or to file a complaint.
ProSearch further commits to cooperate with EU data protection authorities (DPAs), the UK Information Commissioner’s Office (UK ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC), and to comply with the advice given by such authorities regarding data transferred from the EU, UK and Switzerland in the context of our operations.
ProSearch is, moreover, subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Please note that if your complaint is not resolved through any of these channels, under limited circumstances, individuals may invoke the right to “last resort” binding arbitration before a Data Privacy Framework panel naming the data owners and ProSearch.
Cookies and Similar Tools
On our website, we may use “cookies,” web beacons, and other technologies to help us serve users and evaluate and improve the content or functions of our services. A cookie is a small piece of data (a unique numeric code) sent from a website or application and stored on a user’s device while the user is browsing the website or using the application.
Common uses for cookies include:
- identifying users
- keeping track of users’ preferences regarding content
- optimizing site navigation
Except where prohibited by law, by using our website and not disabling cookies, you consent to their use.
ProSearch does not knowingly collect, maintain, disclose, or otherwise process Personal Data from minors under the age of sixteen (16), or the equivalent minimum age depending on jurisdiction (“Child(ren)”).
ProSearch may use Third-Party Sub-Processors to deliver services. Where we engage data processors, we will ensure they work under a specified contract and that the appropriate technical safeguards are in place to ensure your data remains secure.
Direct Marketing and “Do Not Track” Signals
We do not track website visitors over time and across third-party websites to provide targeted advertising.
California residents are entitled to contact us to request information about whether we have disclosed Personal Data to third parties for the third parties’ direct marketing purposes. Under the California “Shine the Light” law, California residents may opt out of our disclosure of Personal Data to third parties for their direct marketing purposes. You may choose to opt out of the sharing of your Personal Data with third parties for marketing purposes. To make such a request, please send an email to privacy@ProSearch.com with the subject heading “California Privacy Rights.” In your request, please attest to the fact that you are a California resident and provide a current California address for our response. Please be aware that not all information sharing is covered by the California privacy rights requirements and only covered information sharing will be included in our response. We reserve our right not to respond to requests submitted to addresses other than the address specified in this paragraph.
European Union/United Kingdom/Switzerland
We do not process client Personal Data for marketing purposes. We may use business contact information to provide you with information on other services that may be of use to you. If you wish to opt out of these communications, please email privacy@ProSearch.com.
Retention of Data
ProSearch will continue to process your Personal Data for as long as is reasonably necessary to comply with our contractual or legal obligations, or to pursue our legitimate interests. For more information, please email privacy@ProSearch.com.
Changes to This Privacy Notice
We may update this Notice from time to time without notice. As such, you should review this Notice periodically.
If you have any questions, including how to access this Notice in an alternative format, please email us at privacy@ProSearch.com.