Effective Date: 3 April 2026

EXTERNAL PRIVACY POLICY

Flatirons Solutions, Inc. (“Flatirons” the “Company”, “we”, “us” and the possessive “our”), a Delaware corporation with its headquarters at 5755 Central Avenue, Suite A, Boulder, Colorado 80301, together with its affiliates is committed to protecting your Personal Information, which is information that alone, or with other information, identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person (“Personal Information”). The term “Personal Information” is interpreted broadly to include the definition of “Personal Information” as used in the California Consumer Privacy Act (“CCPA”) and the definition of “personal data” as used in the General Data Protection Regulation in effect in the European Union (“GDPR”). Flatirons processes Personal Information in accordance with the principles of transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability called for by the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, and the implementing principles for each of those frameworks (collectively, “DPF Principles”).

We have created this Privacy Policy (this “Privacy Policy”) to describe how we collect, use, store, and disclose Personal Information, including any Personal Information that we collect from the website on which this Privacy Policy is posted (“Website”). This Privacy Policy is incorporated into and made a part of the Terms of Service (the “TOS”) Agreement among us and the various customers and other visitors to our Website (collectively, “Visitors” or “you”). Capitalized terms used but not otherwise defined in this Privacy Policy have the meanings given to them in the TOS. Flatirons is a “Service Provider” for its customers, and as such, the TOS describes the business purposes for which Flatirons collects and processes Personal Information (such purposes, the “Services”). To allow Flatirons to provide the Services, and for Visitors to use the Website, Flatirons must collect and be permitted to disseminate certain information as further described in the TOS and this Privacy Policy.

When we determine the purposes and means of processing (e.g., Website, marketing, recruiting), we act as a ‘controller’ (EU/UK) and a ‘business’ (U.S. state laws). When we process personal information on behalf of our customers under a written agreement, we act as a ‘processor’/‘service provider’/‘contractor’ and follow our customers’ instructions.

Please read this Privacy Policy carefully. By accessing or using this Website or otherwise providing us with Personal Information, you acknowledge, accept the terms of, and consent to our privacy practices as outlined in this Privacy Policy. If you do not want to agree to our privacy practices contained in this Privacy Policy, do not use the Website, or provide any Personal Information to us. We reserve the right, at any time, to modify, update, or revise this Privacy Policy. We will post those revisions to our Website, and your continued use of the Website will constitute your consent to the modifications. You should review this Privacy Policy periodically to keep up to date on the most current versions. If you have any questions or concerns, please contact us at [email protected].

If you are a California resident, additional information applicable to California residents is below in the Section titled, “Your California Privacy Rights.”

If you are a resident of the European Union, additional information applicable to European residents is below in the Section titled, “EU and UK Residents.”

I. Information We Collect.

The Personal Information we may request from you includes:

  • Your name;
  • Surname;
  • Email address;
  • Phone number;
  • Contact preferences;
  • Employer and employment information;
  • Region;
  • Information relating to your educational and professional experience, CV, and references;
  • Recruitment and Job Application information;
  • Internet Protocol address;
  • Passwords and other online identifiers;
  • The equipment you use to access our Website;
  • The times and dates you access our Website;
  • Your physical address and other information identifying your location;
  • Closed-Circuit Television (CCTV) footage and related visual information collected for security surveillance purposes; and
  • Your birthdate.

II. Sensitive Information.

Some of the information may be considered “special” or “sensitive” in certain jurisdictions, for example, your racial or ethnic origins, sexual orientation, and religious beliefs. We do not intentionally collect or process sensitive personal information unless permitted or required by law, or where necessary for a specific disclosed purpose.

III. How We Collect Your Information.

We collect information from you in a variety of ways, depending on how you interact with the Services, the choices you make, and the products and features you use, including, but not limited to:

  • Receiving information you provide to us voluntarily by interacting with our Website, filling out forms, requesting services or support, or reporting a problem;
  • Receiving and maintaining copies of your correspondence (including email addresses) order placements, work requests, or problem reports, and communications during the performance of services through our Website (such as issue reporting and support services tools).
  • Automatically collecting information as you navigate through our systems and Website, including usage details, IP addresses, information about your computer, operating system, and browser, and information collected through cookies, web beacons, sensors, and other tracking technologies (see Cookie Policy below). This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, location, information about your use of our Services, and other technical information. This information is primarily used for our internal analytics and reporting purposes.
  • Collecting and maintaining CCTV footage and related visual information through security surveillance systems at our premises for safety and security purposes.

We may also take the Personal Information we receive from individuals responding to our surveys, remove any personally identifying information, such as names and phone numbers, to create anonymous profiles (“Profiles”), and combine (or aggregate) it with the other Profiles. These combined Profiles may contain information about the gender, age, education, employment, industry sector, or other demographic information of our customers, which we use to improve the quality of our services to you and to develop new services and products. These combined Profiles may be shared with third parties.

If you seek to apply for employment with us via the Website, you will be redirected to our third-party Applicant Tracking System (ATS), Pinpoint, and your application process will be governed by Pinpoint’s privacy policy posted at: https://flatironssolutions.pinpointhq.com/privacy-policy
Any application data you share with Pinpoint may be shared with us to consider your application. We may also use AI-enabled features available within Pinpoint to assist our recruitment team in reviewing and summarizing job applications, matching relevant skills, and summarizing interview feedback; however, all hiring decisions are made by our recruitment team and are not based solely on automated processing.

When you browse our Website, we also automatically collect and aggregate other information about you using cookies, web beacons, tracking pixels, and related tracking technologies, browser analytics tools, server logs, and similar technologies. These tracking technologies may be implemented and placed by us or by third-party vendors on our behalf, and they allow us to collect information by automated means. For example, information about how many web pages you have used, what hyperlinks you clicked, access times, and number of visits may be collected. We may also collect geo-location information through your IP address and mobile devices. This information may be aggregated or de-identified in some cases and is used for internal analysis and reporting purposes.

We use Google Analytics to collect and process information about your use of the Website. Google sets cookies on your browser or device, and then your web browser will automatically send information to Google. Google uses this information to provide us with reports that we use to better understand and measure how users interact with our Website.

To learn more about how Google uses data, visit Google’s Privacy Policy and Google’s page on “How Google uses data when you use our partners’ sites or apps.” You may download the Google Analytics Opt-out Browser Add-on for each web browser you use, but this does not prevent the use of other analytics tools. To learn more about Google Analytics cookies, visit Google Analytics Cookie Usage on Websites.

IV. Cookie Policy.

Cookies are small data files stored on your hard drive by the Website. Cookies do many different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience.

  1. Cookies our Website Uses. We use session cookies, performance cookies, functionality cookies, and targeting cookies.
Session Cookies. These cookies are essential to enable users to move around our Website and use its features, such as accessing secure areas of our Website.
Performance Cookies. These cookies allow us to see which areas and features are popular and to count visits to our Websites. These cookies do not collect information that identifies an individual visitor. The information collected through these cookies may be aggregated or de-identified and is used to help us understand and improve how the Website is used.
Functionality Cookies. These cookies allow the Website to remember choices you make (such as your language or the region you are in) and provide enhanced, more personal features to improve your experience. These cookies are required for basic site functionality and therefore they are always enabled. The information these cookies collect may be anonymized, and they cannot track your browsing activity on other websites.
Targeting Cookies. These cookies are used for web analytics purposes. The information collected through these cookies may be aggregated or de-identified and is used to help us understand and improve how the Website is used.
  1. Managing cookies. Many website browsers automatically accept cookies, but you can change your browser settings. However, if you choose to disable cookies from our Website, you may not be able to use certain features of the site. You can visit www.aboutcookies.org to learn about how to delete and control cookies using the major browser types. We also may collect information by periodically conducting business and individual customer surveys. These surveys help us to improve the types of products and services we offer and how we provide them to you.
  2. Do Not Track. Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this time, there is no uniform industry or legal standard for recognizing or honoring DNT signals, so we do not respond to them. We will honor Global Privacy Control (GPC) signals where required by applicable law.
  3. Server Logs and Web Beacons. Web server logs are activity records created when Visitors visit web pages, such as search terms, device information, browser information, IP address, access times, and pages viewed. Web Beacons are electronic files that allow us to recognize and count Visitors and can be used to determine response rates to our communications. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports and hardware settings).
  4. Device Information. We may also use sensors to collect information about your devices, such as location, hardware and software, operating system, device memory, advertising identifiers, application identifiers, browser type, language, time zone; and other sensor device information. We may ask for permission to collect images and other information from your device’s camera.
  5. Location Data. We collect location data such as information about your device’s location. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.

V. Children and Minors.

Our Website is not intended for children under 18 years of age. No one under age 18 may provide any personal information to or on the Website. We do not knowingly collect personal information from children under 18 years of age or the equivalent age as specified by law in your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or the equivalent age as specified by law in your jurisdiction or that you are the parent or guardian of such a minor and consent to such minor’s use of the Services. If we learn we have collected or received personal information from a child under 18 or the equivalent age as specified by law in your jurisdiction without verification of parental consent, we will take reasonable measures to delete that information. If you believe we might have any information from or about a child under 18 or the equivalent age as specified by law in your jurisdiction, please contact us at [email protected]. California residents under 16 may have additional rights regarding the collection and sale of their personal information.

VI. The purposes for which we collect your Personal Information.

We take your privacy seriously and only use your Personal Information in lawful ways to process your Personal Information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law. The lawful reasons for collecting and processing your information are: (1) because you have entered into a contract for us to supply goods and services to you; (2) we have a legitimate interest in using your information (for example, to provide and improve our services, customer support and show you advertisements we think will be of interest to you,) but we only rely on this legitimate interest reason when we think our use of your information doesn’t significantly impact your privacy rights or there is a compelling reason to do so; and (3) to comply with applicable law. You can review, change, and update your Personal Information at any time. In addition, we collect your Personal Information to:

  • Enable your access and use of the Website so you can create and log in to your account, as well as keep your account in working order;
  • Operate and improve our services;
  • Support recruitment activities, including processing applications submitted through Pinpoint;
  • Understand you and your preferences to enhance your experience and enjoyment using our services;
  • Request feedback from you and respond to your feedback, comments, and questions and provide customer service;
  • Provide and deliver products and services you request;
  • Send you related information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages;
  • Communicate with you about products and services we offer, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time;
  • Create an individual profile for you, where applicable and with your consent, to enhance your user experience;
  • Track and analyze activity on our Website;
  • Detect fraud, spam, abuse, security incidents, and other harmful activity;
  • Conduct security investigations and risk assessments;
  • Support security and incident monitoring through CCTV;
  • Send messages, marketing, advertising, and other information (including information about our partner campaigns and services) and improve our marketing and promotional campaigns;
  • Measure and improve our advertising;
  • Enable us to comply with applicable law, regulatory requirements, and contractual obligations and enforce our TOS; and
  • Other purposes that we may describe when you provide the information or that you otherwise consent to.

Additional Information if you are located in the EU, UK, or Canada.
If you are located in the EU or UK, the following information also applies to you.
The GDPR and UK GDPR require us to explain the valid legal bases we rely on in order to process your Personal Information, which includes:

  • Consent. We may process your Personal Information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
  • Performance of a Contract. We may process your Personal Information when we believe it is necessary to fulfill our contractual obligations to you, your employer, or another third-party service provider, including providing our Services or at your request prior to entering into a contract with you, your employer, or other third party.
  • Legitimate Interests. We may process your Personal Information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms, such as:
  • Send users information about special offers and discounts on our products and services;
  • Analyze how our Services are used so we can improve them to engage and retain users;
  • Support our marketing activities;
  • Diagnose problems and/or prevent fraudulent activities; and
  • Understand how our users use our products and services so we can improve user experience
  • Legal Obligations. We may process your Personal Information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, the following information also applies to you.

Consent. We may process your Personal Information if you have given us specific permission (i.e., express consent) for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

  • If the collection is clearly in the interests of an individual, and consent cannot be obtained in a timely way
  • For investigations, and fraud detection, and prevention
  • For business transactions provided, certain conditions are met
  • If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
  • For identifying injured, ill, or deceased persons and communicating with next of kin
  • If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse
  • If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
  • If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
  • If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
  • If the collection is solely for journalistic, artistic, or literary purposes
  • If the information is publicly available and is specified by the regulations
  • We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality commitments

VII. Customer Contact.

When you provide us with your email and other contact information, you authorize us to contact you in accordance with this Privacy Policy and the TOS. We may use the information we collect to contact you by email to provide you with news and updates related to our or our partners’ products and services, invitations to events hosted by other industry organizations or us, notices of new promotions, and information on other similar events. We may also contact you by email to respond to your comments and questions, notify you of changes to your account, or send you information regarding our services, including confirmations, invoices, technical notices, updates, security alerts, support and administrative messages. You may opt out of receiving marketing emails from us by following the directions in the marketing email you receive.

VIII. Disclosure To Third Parties.

We will not sell your Personal Information. We may share your Personal Information with any of our affiliates and subsidiaries who must comply with this Privacy Policy. We may also share your Personal Information with third parties that provide services for us, with vendors to help us host and manage the Website, support and maintain our software, and deliver products for us, with customers who access the Website and other third parties such as the following:

  • Contractors and Service Providers. We may share your Personal Information with contractors, service providers, and other third parties who provide services to us, who are bound by obligations to keep Personal Information confidential, use Personal Information only for authorized and approved purposes, and provide the same level of protection of Personal Information as are required by the DPF Principles, and if such third party is unable to meet those obligations that it ceases processing the Personal Information. This means that they also commit to protecting the data they hold on our behalf and to retaining it for the period we instruct. Third parties are required to maintain the same level of protection as mandated by the DPF Principles.
  • Business Partners. We may share information about you with business partners. Our Website may also contain third-party links, third-party integrations, or offer co-branded or third-party-branded services. Flatirons is not responsible for the content and/or collection of data at websites other than our Website, even if linked to or from our Website. You must review the applicable privacy policies of any websites linked to our Website to assess your rights under those policies.
  • Merger or Acquisition. If we become involved in a merger, asset sale, financing, liquidation or bankruptcy, or sale/acquisition of all or some portion of our business, we may share your information with the other party to such transactions before and after the transaction closes.
  • Marketing. We may share information about you with third-party providers for their products or services. We also may use your information to send you email marketing, direct mail marketing, and other marketing of our products and services (and those of our partners). We may let other companies, on our behalf, and for the purposes provided herein, use cookies, web beacons, and similar technologies to collect information about how you use our services over time. Some companies we use in our Services may use information to measure the performance of ads and deliver more relevant ads on our behalf. You can opt out of marketing emails by clicking the link labeled “unsubscribe” at the bottom of any marketing email we send you. Please note that even if you opt out of marketing communications, we may still need to contact you. You have the right to opt out of giving your consent to share your personal information for marketing purposes at any time by contacting us at [email protected].
  • Legal Compliance. We may also share your Personal Information with third parties where it is necessary to: (1) conform to legal requirements or comply with a legal process, such as a search warrant, subpoena, or court order; (2) protect and defend the rights or property of Flatirons; (3) to enforce a license and services agreement or other contractual obligations (including the TOS and our billing and collections policies); (4) detect and resolve fraud or security concerns; (5) respond to allegations by third parties that your use of the Website violates their rights (including intellectual property rights), property, confidentiality, or safety or (6) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We reserve the right to take any and all appropriate legal action, including referral to law enforcement agencies. You waive and hold us and our affiliates, licensees, licensors, and service providers harmless from any claims resulting from any action taken by any of them during, or because of investigations or legal process.
  • To Protect Us and Others. We may disclose Personal Information when we believe, in good faith, that such disclosure is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Website and any facilities or equipment used to make our products and services available, or (v) protect our property or other legal rights, or protect the rights, property, or safety of others.
  • Other. We may also share your Personal Information for the express purposes for which you provided it to us or that you otherwise consent to.

IX. Retention.

We will keep Personal Information only for the period necessary to fulfil the purposes described in this Privacy Policy and for which the information was collected, unless a longer retention period is permitted or required by applicable law or the DPF Principles. For example, we reserve the right to maintain information on customers who have violated our Privacy Policy, the TOS, or any other license and services agreement between our company and a customer, or for the purposes of reasonably serving customer relations, compliance and legal considerations, auditing, security, and fraud prevention.

When we have no ongoing legitimate business need to process your Personal Information, we will either delete or anonymize such information, or, if this is not possible (for example, because your Personal Information has been stored in backup archives), then we will securely store your Personal Information and isolate it from any further processing until deletion is possible.

X. Accessing and Correcting Your Information.

You can review and change your Personal Information by logging into the Website and visiting your account profile page. You may also send us an email at [email protected] to request access to, correct, delete, or withdraw consent for our processing of any personal information that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. Residents of certain states may have additional personal information rights and choices.

XI. Social Media.

We are active on social media, including Facebook, Twitter, Vimeo, and LinkedIn (“Social Media”). Anything you post on Social Media is public information and will not be treated confidentially, but information we obtain from public sources must still comply with certain DPF Principles. We may post (or re-post) on the Website and our Social Media pages any comments or content that you post on our Social Media pages. Your use of Social Media is governed by the privacy policies and terms of the providers that own and operate those websites and not by this Privacy Policy. We encourage you to review those policies and terms.

XII. International Data Transfers-EU-US Data Privacy Framework (DPF), UK Extension of the US DPF, and Swiss-US DPF.

If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored by, and processed by us in our facilities and in the facilities of the third parties (including cloud service providers) with whom we may share your Personal Information in the United States, France, Denmark, Norway, India, and other countries. If you are a resident in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, then these countries may not have data protection laws as comprehensive as those in your country. However, we will take necessary measures to protect your personal information in accordance with this Privacy Policy and applicable law. Flatirons will not transfer Personal Information from the European Economic Area (“EEA”). the United Kingdom (“UK”) or Switzerland to outside the EEA, UK, or Switzerland unless such transfer is made in accordance with an adequacy decision by the European Commission or is otherwise compliant with GDPR and the DPF Principles.

  1. EU-US, UK Extension to the EU-US, and Swiss-US Data Privacy Framework. Flatirons complies with the EU-US Data Privacy Framework (EU-U.S. DFP), the UK Extension to the EU-U.S. DFP, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DFP) as set forth by the U.S. Department of Commerce and is committed to maintaining compliance with these frameworks and the DPF Principles, including any updates or changes, as part of our ongoing commitment to data privacy. Flatirons has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. (UK DPF Principles), and the Swiss-U.S. Data Privacy Framework Principles (Swiss DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF Principles. The EU-U.S. DPF Principles, the UK Principles, and the Swiss DPF Principles are sometimes referred to in this policy collectively as “DPF Principles”. If there is any conflict between the terms of this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
  2. Flatirons’ EU-U.S. DPF, UK Extension of the EU-U.S. DPF and Swiss-U.S. DPF certification covers the following subsidiaries and affiliates in the United States: Flatirons Solutions, Inc. To provide adequate protection for personal data from EU, UK or Swiss member countries received in the United States, Flatirons has elected to self-certify to the EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF Principles. Flatirons Solutions, Inc. and its subsidiaries and affiliates in the U.S. adhere to the EU-U.S. DPF Principles.
  3. Flatirons is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission (“FTC”). For more information about the EU-U.S. DPF, and UK Extension of the EU-U.S. DPF, see the U.S. Department of Commerce’s EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF website located at https://www.dataprivacyframework.gov. To review our representation on the EU-U.S. DPF, UK Extension of the EU-U.S. DPF and Swiss-U.S. DPF list, please see the U.S. Department of Commerce’s EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF self-certification list located at https://www.dataprivacyframework.gov/s/participant-search.
  4. Flatirons is subject to the enforcement and sanctioning powers of the FTC in regard to our processing of personal data that we receive from the EU, UK, or Switzerland and our compliance with the EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF. In compliance with the EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF, Flatirons commits to referring unresolved complaints concerning our handling of personal data in reliance on the EU-U.S. DPF, UK Extension of the EU-U.S. DPF, and Swiss-U.S. DPF to an alternative dispute resolution provider based in the United States. European Union, UK, or Swiss individuals with inquiries or complaints regarding this should first contact Flatirons at [email protected] to try to resolve the inquiry or complaint. Flatirons will respond to your complaint within 45 days of our receipt of the complaint. If you have any unresolved privacy or data use concerns that we have not satisfactorily addressed, please contact the International Center for Dispute Resolution, international division of the American Arbitration Association (ICDR-AAA), our U.S.-based third-party dispute resolution provider (free of charge) at https://go.adr.org/dpf_irm.html or email to [email protected]. If your complaint is not resolved through this process, you may file a complaint with the Federal Trade Commission (FTC). Under certain conditions, you may be able to invoke binding arbitration under Annex 1 of the EU- U.S. DPF Principles. For more information on binding arbitration, see the Data Privacy Framework Program website located at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction. If an individual submits a complaint to a Data Protection Authority the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable (collectively, “DPA”) in the EU or EEA, UK, or Switzerland, the U.S. Department of Commerce’s International Trade Administration (ITA) has committed to receive, review, and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days. Flatirons commits to cooperate with DPAs in the investigation and resolution of complaints brought under the DPF Principles; and will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the DPF Principles.
  5. Under the Onward Transfer Principle, if Flatirons transfers personal data to a third party acting as a controller, it will comply with the DPF Principles and enter into a contract with the third-party controller that provides that the Personal Information will only be processed for limited and specified purposes consistent with your consent and that the third party will provide the same level of protection as the DPF Principles. Flatirons remains responsible for any of your Personal Information that is shared on our behalf with third parties acting as our agents for external processing. In addition, if Flatirons transfers your Personal Information to third parties, acting as our agent, Flatirons will (i) transfer such data only for limited and specified purposes, (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the DPF Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Information transferred in a manner consistent with Flatirons’ obligations under the DPF Principles; (iv) require the agent to notify Flatirons if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing, and (vi) provide a summary or representative copy of the relevant privacy provisions of its contract with that agent. Flatirons remains responsible if its agents process your Personal Information in a manner inconsistent with this Privacy Policy or the DPF Principles, unless we can demonstrate that we are not responsible for the event giving rise to the damage. Flatirons is subject to the investigatory and enforcement powers of the FTC.

XIII. EU and UK Residents.

For purposes of this section the terms “personal data”, “processing” and “automated decision” have the same meanings set forth under the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK General Data Protection Regulation (“UK GDPR”). This section only applies to you if you are located in the EU/EEA or UK

  1. Legal Basis for Processing. When Flatirons processes your personal data, it has a legal basis for doing so as required under GDPR. Flatirons will only process your personal data if: (i) it has received your express opt-in consent for such processing, (ii) the processing is necessary for performance of a contract, (iii) the processing is necessary for a legal obligation to which Flatirons is subject, (iv) the processing is necessary to protect your vital interests, (v) the processing is necessary for a task carried out in the public interest, or (vi) if Flatirons or a third party has a legitimate interest that is not overridden by your interests or fundamental rights and freedoms.
  2. Right to Withdraw Your Consent. If you provide your consent for us to process your personal data, you may withdraw your consent at any time by emailing [email protected] to request such change.
  3. Marketing. Flatirons does not process personal data for the purpose of marketing without first obtaining your express, opt-in consent or having a legitimate interest in doing so. You have the right to object to the processing of your personal data for marketing purposes at any time by contacting us at [email protected].
  4. Automated Decision Making. Flatirons does not make any automated decisions on your behalf or about you without first obtaining your express, opt-in consent. In connection with recruitment, Flatirons may use AI-enabled features available through Pinpoint to assist in reviewing and summarizing applications and related recruitment information; however, all hiring decisions are made by our recruitment team and are not based solely on automated processing. If we secure your consent to engage in automated decision-making, you have the right to object to the processing of personal data via automated decision-making at any time by contacting us at [email protected].
  5. Your Rights and Choices. GDPR provides certain rights to individuals in relation to their personal data. Accordingly, you may have the following rights under GDPR, although some exceptions apply. We will comply with any requests made relating to the following rights if required by applicable law. We may require you to prove your identity before we modify, provide, delete, or transfer your personal data.
  • Right of Access. You have the right to be informed of and request access to the personal data we process about you. This allows you to receive a copy of the personal data we hold about you and to review it for accuracy. In addition, you have the right to correct, amend, or delete information where it is inaccurate, or has been processed in violation of the DPF Principles.
  • Right to Rectification. You have the right to request that we amend or update inaccurate or incomplete personal data.
  • Right to Erasure (Deletion). You have the right to request deletion of your personal data. Upon your written request, we will delete or destroy your personal data. Although our systems are designed to carry out our deletion practices promptly, we cannot promise that deletion will occur within a specific timeframe and the deletion process could occur over several months. Further, there may be legal requirements to store your personal data, and we may need to suspend those deletion practices if we receive a valid legal process asking us to preserve content or, if otherwise necessary, to comply with the law or legal process. To the extent that data or information about you does not constitute personal data, it may not be feasible to delete or destroy such data, and in such cases, that data will be made “de-identified or anonymized” such that the historical information, content, logs, and related information is not personally identifiable. Once personal data is deleted or destroyed, it cannot be retrieved.
  • Right to Restrict. Under certain circumstances, you have the right to request that we temporarily or permanently stop processing all or some of your personal data.
  • Right to Object. Under certain circumstances, you have the right to object to our processing of your personal data, such as for direct marketing purposes or when automated decision making is used. You have the choice to opt-out of allowing us to disclose your personal data to third parties for a purpose that is materially different from the purpose for which the personal data was originally collected. Your right to opt-out of having your personal data used for direct marketing purposes may be exercised at any time.
  • Right to Data Portability. You have the right to request a copy of your personal data in electronic format and further request that we send such personal data to another party.
  • Communication Preferences and Opt-Outs. You have the right to stop receiving communications from us at any time by contacting [email protected], at no additional cost.
  • Right to Lodge a Complaint – You have the right to lodge a complaint with the applicable supervisory authority. Although you are not legally required to do so, we ask that you first contact us so we can make reasonable efforts to address your complaint.
  • Right to Know. You have the right to request access to the following information: (a) the categories of personal data we collected from you in the prior 12-month period, (b) the categories of sources from which the personal data was collected, (c) the business or commercial purpose for collecting your personal data (d) the categories of personal data that we sold to third parties or otherwise disclosed for a business purpose in the prior 12-month period, and (e) the categories of third parties to whom we shared your personal data.
  1. Transfer to Third Parties and Countries. Flatirons will only transfer EU data subject’s personal data to third parties located outside of the EU when it has ensured appropriate safeguards for such personal data, such as through the standard contractual clauses with such third party or, as provided above, in accordance with the EU-U.S. Data Privacy Framework Principles, the UK Extension to the EU-U.S. Data Privacy Framework Principles, and the Swiss-U.S. Data Privacy Framework Principles. Flatirons may also be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

XIV. USA Residents.

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the Personal Information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your Personal Information. You may also have the right to withdraw your consent to our processing of your Personal Information. These rights may be limited in some circumstances by applicable law.

Your Rights Regarding Personal Information Under CCPA. You have rights under the CCPA, and certain other US state data protection laws. However, these rights are not absolute, and in certain cases, we may decline your request as permitted by law. These rights may include:

  • Right to know whether or not we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies in your personal data
  • Right to request the deletion of your personal data
  • Right to obtain a copy of the personal data you previously shared with us
  • Right to non-discrimination for exercising your rights
  • Right to opt out of the processing of your personal data if it is used for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects (“profiling”)
  • Depending upon the state where you live, you may also have the following rights:
  • Right to access the categories of personal data being processed (as permitted by applicable law, including the privacy law in Minnesota)
  • Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in California, Delaware, and Maryland)
  • Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy law in Minnesota and Oregon)
  • Right to review, understand, question, and correct how personal data has been profiled (as permitted by applicable law, including the privacy law in Minnesota)
  • Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including the privacy law in California)
  • Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including the privacy law in Florida)

How to Exercise Your Rights.
To exercise these rights, you can contact us by submitting a data subject access request, by emailing us at [email protected], by calling us at +1 (303) 544-0514, or mailing us at 5755 Central Avenue, Suite A, Boulder, CO 80301, United States., or by referring to the contact details at the bottom of this document. We will honor your opt-out preferences if you enact the Global Privacy Control (GPC) opt-out signal on your browser.
Agents and Verification.
Under certain US state data protection laws, you can designate an authorized agent to make a request on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws. Upon receiving your request, we will need to verify your identity to determine that you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request and the agent will need to provide a written and signed permission from you to submit such acrequest on your behalf.
Appeals.
Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at [email protected]. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If your appeal is denied, you may submit a complaint to your state attorney general.

XV. California Residents.

This section applies only to California consumers. In this section only, any capitalized terms not defined in this Privacy Policy have the meanings set forth in the California Consumer Privacy Act of 2018 as it has been amended (the “CCPA”).

  1. Categories of Personal Information. We collect the following categories of Personal Information (as defined by the CCPA):
  • Identifiers: This category includes names, addresses, phone numbers, unique personal identifiers, online identifiers, IP addresses, email addresses, account names, and similar identifiers.
  • Customer Records: This category includes all information included as “Customer Records” under the California Customer Records Statute, including names, business addresses, business telephone numbers, business addresses and sites, and employment information.
  • Commercial Information: This category includes records of personal property, products or services purchased, obtained, or considered, or tendencies.
  • Internet Activity: This category includes browsing history, search history, and information on your interaction with our Website or advertisements.
  • Geolocation Data: This category includes location data inferred from your device IP address.
  • Audio and Visual Information: This category includes closed-circuit (CCTV) images, photographs, and video of you, and audio recordings as may relate to your application.
  • Employment Information: This category includes current or past employment history.
  • Education Information: This category includes education records directly related to a student, maintained by educational institutions.
  1. Categories of Sources from which Personal Information is Collected. We collect Personal Information from the following categories of sources:
  • Directly from you.
  • Indirectly from you, from your activities on our Website.
  • Automatically using cookies and other tracking technologies.
  • Publicly available information.
  • Directly from vendors and other contractual counterparties.
  • Through communications with prospective customers and other businesses and their representatives.
  1. Purposes for Collecting Personal Information. Our purposes for collecting your Personal Information are described elsewhere in this Privacy Policy.
  2. Categories of Third Parties / Service Providers with whom Personal Information is Shared. The categories of third parties and/or service providers with whom we share your Personal Information are described elsewhere in this Privacy Policy.

Categories of Personal Information We Collect.
The table below shows the categories of Personal Information we have collected in the past twelve (12) months for “Business Purposes” (as defined in the CCPA) and the retention period for each category. The table includes illustrative examples of each category and does not reflect the actual Personal Information we have collected from you.

Category Examples Collected Retention Period
A. Identifiers Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, audio and visual identifiers, Internet Protocol address, email address, and account name. YES For the duration of the account.
B. Personal Information (as defined in the California Customer Records statute) Name, contact information, education, employment, employment history, and financial information. YES For the duration of the account.
C. Protected classification characteristics under state or federal law Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data YES For the duration of the account.
D. Commercial information Transaction information, purchase history, financial details, and payment information NO
E. Biometric information Fingerprints and voiceprints NO
F. Internet or other similar network activity Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements YES For the duration of the account.
G. Geolocation data Device location YES For the duration of the account.
H. Audio, electronic, sensory, or similar information Images and audio, video or call recordings created in connection with our business activities NO
I. Professional or employment-related information Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us YES For the duration of the account.
J. Education Information Student records and directory information YES For the duration of the account.
K. Inferences drawn from collected personal information Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics NO
L. Sensitive Personal Information NO

We do not disclose “Sensitive Personal Information” other than Permitted SPI Purposes, as required by the CCPA. In the last 12 months, we have not Sold your Personal Information, and we currently do not Sell Personal Information. “Sold” / “Sell” has the definition set forth in the CCPA. We do not collect, sell, or share Personal Information about consumers under the age of 16. We have disclosed the following categories of personal information to third parties for a business or commercial purpose in the preceding twelve (12) months: Category A. Identifiers; Category B. Personal information as defined in the California Customer Records law; Category C. Characteristics of protected classifications under state or federal law; Category F. Internet or other electronic network activity information Category G. Geolocation data; Category I. Professional or employment-related information; and Category J. Education information.

  1. Right to Know. California residents have the right to request access to the following information: (a) the categories of Personal Information we collected from you in the prior 12-month period, (b) the categories of sources from which the Personal Information was collected, (c) the business or commercial purpose for collecting or Sold your Personal Information, (d) the categories of Personal Information that we Sold to third parties or otherwise disclosed for a business purpose in the prior 12-month period, and (e) the categories of third parties to whom we Sold or shared your Personal Information.
  2. Right to Access. You have a right to request that we disclose to you the specific pieces of Personal Information that we have collected about you in the prior 12-month period.
  3. Right to Deletion and Correction. You have a right to request that we delete Personal Information we collected from you or correct Personal Information that you tell us is inaccurate.
  4. How to Exercise Your Rights of Access and Deletion. To exercise your California rights described in this section, you may submit your request to us by contacting us at [email protected].
  5. Who May Exercise Your Right to Know, Access, and Deletion? You may make a request to exercise the above rights to know, access, and deletion on behalf of yourself or on behalf of a child if you are a parent or legal guardian of the child. In addition, you may authorize an agent to exercise these rights on your behalf if you provide the agent with written permission and, if the agent is a business, the agent is registered with the California Secretary of State. If an authorized agent contacts us to exercise the above rights, we will need to verify their identity as well as your identity. We will also require proof of your written authorization to the agent both to act as your agent and to submit the request to us, unless the agent is subject to a Power of Attorney under California probate laws.
  6. Verification of Your Request to Know, Access, and Deletion. Once we receive your request, we will contact you to confirm receipt of your request. In addition, we may contact you to provide us with additional information to allow us to verify your identity based on the Personal Information we have in our systems. To verify your request, you must provide sufficient information that allows us to reasonably verify you are the person who is the subject of the Personal Information you have requested. This information may vary depending on the Personal Information we already have. Certain types of requests may require additional verification to ensure you are who you say you are. If you have used an agent to make your request, we will also need to verify the identity of the agent. Verification of your request may require you, or your agent if applicable, to sign a declaration under penalty of perjury verifying your identity. We may deny your request as permitted by law if we are unable to verify your identity, or if an agent makes the request on your behalf, if we are unable to verify their identity or proof of their authorization, or if an exception to your right to deletion applies that would allow us to retain the information.
  7. When We Will Respond to Your Request to Know, Access, and Deletion. We will confirm receipt of your request within 10 business days. We will respond to your request within 30 calendar days. If we require additional time to respond, we will inform you of the reason. Any disclosures we provide will only cover the 12-month period preceding receipt of your request. We may charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded.
  8. Shine the Light. California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and want to make such a request, please email us by using the “Contact Us” section of the Website and include the phrase “California Privacy Request” in the subject line, along with your name, address, and email address. We will respond to you within thirty days of receiving such a request. You also have the right to opt out of sales or sharing for cross-content behavioral advertising purposes.
  9. Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not deny you goods or services, charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, provide you a different level or quality of goods or services, or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
  10. Retention. We maintain a Data Retention Policy that requires us to only retain Personal Information for as long as necessary for the purposes for which the Personal Information was collected, subject to the requirements of applicable law and the DPF Principles.

XVI. Public Forums.

Please remember that any information you may disclose in any “Subscriber Directory”, or other public areas of our Websites or the internet becomes public information. You should exercise caution when deciding to disclose Personal Information in these public areas.

XVII. Our Company’s Commitment to Data Security.

We use commercially reasonable technical and organizational measures to help secure Personal Information against accidental loss, unauthorized use or misuse, and alteration appropriate to the type of Personal Information processed.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the Website, like message boards. The information you share in public areas may be viewed by any user of the Website.
You understand that no data transmission over the internet or device can be guaranteed, and you should not expect such transmission to be completely secure or that your Personal Information will remain secure in all circumstances. While we strive to protect Personal Information, we do not guarantee the security of Personal Information, and you provide Personal Information at your own risk. We cannot guarantee that your Personal Information will not be accessed, disclosed, altered, or destroyed because of an attack on our systems or networks or any other event beyond our reasonable control. We expressly disclaim any representation or warranty, whether express or implied, with respect to ensuring, guaranteeing, or otherwise offering any definitive promise of security in connection with your Personal Information.
In the event of a data breach that may compromise your Personal Information, we will notify you and the relevant authorities without undue delay, and no later than 72 hours after becoming aware of the breach, for jurisdictions so required by GDPR or other applicable laws or regulations. The notification will include the nature of the breach, the potential consequences, and the measures we are taking to address the breach and mitigate its potential effects. We will use the contact information associated with your account to provide this notification, so please ensure your contact details are up to date.

XVIII. Where to Direct Questions about Our Privacy Policy.

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) by email at [email protected], by phone at (303) 627-6518, or contact us by post at:

Flatirons Solutions, Inc.
Data Protection Officer
5755 Central Avenue, Suite A
Boulder, CO 80301
United States

 

XIX. Revisions to This Privacy Policy.

Our company reserves the right to revise, amend, or modify this Privacy Policy, our TOS, and our other policies and agreements at any time and in any manner, by updating this posting. We will provide you with notice of any material changes to these policies and terms. Your use of this Website following such notice constitutes your acknowledgment and acceptance of their changes.

Website editor: Flatirons Solutions, Inc.
Registered address: 5755 Central Avenue, Suite A, Boulder, Colorado 80301, United States, registered agent address: The Corporation Trust Company, Corporation Trust Center, 1209 Orange Street, Wilmington, DE 19801, United States
Telephone: +1 (303) 544-0514
Email: [email protected].
Publication Director: Stephen Cameron.
Hosting: WP Engine, 504 Lavaca Street, Suite 1000, Austin, TX 78701, United States, +1-877-973-6446.