This document establishes The Ultimate Software Group, Inc. ("Ultimate", or "We") Privacy Notice. This document is in accordance to ISO/IEC 27001:2013 and establishes Control A18.1.4 - Privacy and Protection of Personally Identifiable Information and ISO/IEC 27018:2014 and establishes applicable controls in Annex A - Public cloud PII processor extended control set for PI protection.
This Privacy Notice applies to all Personal Information ("PI") received by Ultimate from its customers, employees, website visitors and job applicants (including its Subsidiaries) (each which may be individually referred to herein as "you" or "your") in any format including electronic, paper, or verbal. For purposes of this Notice, "PI" means any information collected by Ultimate that identifies or could be used by Ultimate to identify an individual. As a subset of the larger group listed herein above, Ultimate processes information of employees of its customers under the direction of its customers and has no direct relationship with such customers' employees whose personal data it may process on the customer's behalf.
Ultimate respects the privacy of our customers, employees, website visitors, and job applicants. We believe it is important for you to understand the type of information we collect about you and how that information is used. We recognize the need for appropriate safeguards and management of Personal Information ("PI") that we collect about you. This Privacy Notice sets forth the privacy principles that govern our processing of your PI.
When you are an applicant or employee of our Customer, our Privacy Notice may apply in some cases where the Customer's notice may apply in others.Examples of where Ultimate's Privacy Notice applies include, but are not limited to:
- Ultimate branded sign-on pages
- Applicants creating a profile or applying for a position with Ultimate Software
- Customer branded sign-on pages
- Applicants creating a profile or applying for a position with a Customer of Ultimate Software.
Ultimate's privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules System (CBPR). The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found at https://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx.
Ultimate complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (and if the United Kingdom leaves the EU, then the United Kingdom) and/or Switzerland, as applicable to the United States in reliance on Privacy Shield. Ultimate Software has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Ultimate is responsible for the processing of personal data, defined as any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, it receives, under the applicable Privacy Shield Framework, and, on occasion, subsequently transfers to a third party acting as an agent on its behalf. Ultimate Software complies with the Privacy Shield Principles for all onward transfers of personal data from the European Union (and if the United Kingdom leaves the EU, then the United Kingdom) and/or Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Ultimate is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Ultimate may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
California Privacy Notice
Pursuant to the California Consumer Privacy Act ("CCPA") this section applies to individuals who reside in the State of California ("Consumers"), as defined under the law, and fulfills our obligation to provide Consumers with a California-specific Privacy Notice. Effective January 1, 2020, this section supplements the information contained in our existing Privacy Notice (above and below). In the event of a conflict with any other portion of our general Privacy Notice, this Notice shall control in relation to Ultimate's obligations and a Consumer's right under CCPA.
Information that We Collect: We collect Personal Information ("PI"), as defined under the CCPA, which includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.
Please review the below to learn more about (1) the categories of PI that Ultimate has collected about Consumers within the last twelve (12) months, (2) the categories of sources from which the PI was collected, (3) the business or commercial purpose(s) for collection and/or disclosure, and (4) the categories of third parties with whom We share PI.
|Category||Examples||Categories of Sources||Purpose(s)||Categories of 3rd Parties with whom we share|
|Personal Identifiers||Name (not alias), Address, Unique Personal Identifier, IP Address, Account Name, Social Security Number or other similar identifiers||Categories of Sources 1, 2, 3.||Purposes for Collection 1,3,4||Categories of 3rd Parties 1,2,3,4,5|
|Personal Information categories described in subdivision (e) of Section 1798.80||Name, Social Security number, physical characteristics or description, passport or state identification (including driver's license) number, education and employment history, financial information, medical information or other similar identifiers||Categories of Sources 1, 2, 3.||Purposes for Collection 1,3,4||Categories of 3rd Parties 1,2,3,4,5|
|Characteristics of Protected Classifications under California or federal law||Age, date of birth, gender, military or veteran status, marital status, nationality, citizenship, pregnancy and related medical conditions, genetic information or other similar identifiers||Categories of Sources 1||Purposes for Collection 1,4||Categories of 3rd Parties 1,2,3,5|
|Commercial Information||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies||Categories of Sources 2||Purposes for Collection 1,2||Categories of 3rd Parties 1,2,4|
|Biometric Information||Includes (but not limited to) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings, from which an identifier template, such as a faceprint or a voiceprint can be extracted.
Additionally, keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health or exercise data that contain identifying information.
|Categories of Sources 1||Purposes for Collection 1,2,3||Categories of 3rd Parties 2,3,5|
|Internet or other electronic network activity information||Information including (but not limited to) browsing history and search history||Categories of Sources 3||Purposes for Collection 2,3||Categories of 3rd Parties 1,2,4,5|
|Geolocation data||Information used to identify your physical location, for example, to notify you of job openings, for payroll tax purposes and for the use of our time-related products.||Categories of Sources 1,3||Purposes for Collection 1,3,4||Categories of 3rd Parties 4|
|Audio, electronic, visual, thermal, olfactory or other similar information||Chat communications, video conferencing, webcasts, customer support.||Categories of Sources 1,2,3||Purposes for Collection 1,2||Categories of 3rd Parties 1,2,4,5|
|Professional or employment related information||Current or former job history, qualifications and skills, performance evaluations, payroll information, employment benefit information||Categories of Sources 1,2,3||Purposes for Collection 1,3,4||Categories of 3rd Parties 1,2,3,4,5|
|Inferences drawn from any of the information identified in the above categories used to create a profile about a consumer||Consumer profile reflecting the Consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes||Categories of Sources 1||Purposes for Collection 1,2,3||Categories of 3rd Parties 2|
Categories of Sources from which We collect PI:
- Directly from a Consumer, employee, applicant or prospect, when you provide us with your PI
- Ex: When you contact Ultimate via our website, email, phone or other similar methods
- Ex: Our Customers (in the provision of services)
- Ex: Information the Consumer has voluntarily made public (i.e. for our use in background checks)
- Ex: Information you have shared on social media platforms, specifically publicly visible accounts (i.e. LinkedIn)
- Ex: Directly (through your submission of information, for a webinar)
- Ex: Indirectly (through information disclosed by your device or browser, such as IP address)
Purposes for Collection:
- To fulfill the purpose(s) for which the information was collected/provided
- Ex: To provide the Services or Products contracted for with our Customers, at their direction
- Ex: To provide you with information, products, or services you have requested from us or that may be of interest to you
- Ex: To provide customer service and support
- Ex: Legitimate purposes including, but not limited to, human resource business reasons such as personalized job opportunities, payroll processing, tax purposes, and the provision of employment benefits
Categories of 3rd Parties with whom We share your PI:
- Service Providers
- Affiliates/Subsidiaries and Related Entities
- Third parties to whom you or your agents authorize us to disclose your PI in connection with Products or Services we provide to you
- External advisors, such as auditors or outside legal counsel
- Governmental, legal, regulatory, or other similar authorities and/or local government agencies, upon request or where required
Your Rights: The CCPA provides individuals with various privacy-related rights ("Rights") relating to their Personal Information. This section provides you with information regarding these Rights.
Right to a Notice: At or before the point of collection of PI, Consumers, Employees, Job Applicants and other individuals residing in the State of California are entitled to a notice that provides the categories of PI collected about them, and the purposes for that collection.
Request to Know/Right of Access: A Consumer has the right to request information regarding our collection, disclosure, sale and/or use of their PI over the previous twelve (12) months. A Consumer may request that Ultimate disclose:
- Categories of PI that We have collected about you;
- Categories of sources from which your PI is collected;
- Categories of PI about you that We have sold or disclosed for a business purpose;
- Categories of third parties to whom the PI was sold or disclosed for a business purpose;
- The business or commercial purpose for collecting or selling PI; and
- Specific pieces of PI that We have collected about you.
When providing you with your information electronically, Ultimate will, to the extent possible, deliver the information in a portable manner that allows you to transfer the information to another entity.
Ultimate may reject your request to know if your identity cannot be verified (your request is not a verifiable consumer request), or if the information has already been provided twice within a twelve (12) month period. Ultimate may also refuse to provide you with specific pieces of information that We have collected about you if disclosure creates a substantial, articulable, and unreasonable risk to the security of that PI, your account with Ultimate or the security of our systems.
Right of Deletion: A Consumer has the right to request the deletion of any PI that We have collected from them, or that We maintain about them. Following our receipt of your verifiable consumer request, Ultimate will delete (and direct our Service Providers to delete) your PI, subject to the exceptions permitted under the CCPA, and any legal obligations We have to retain that information.
Right to Opt-Out of the Sale of your Personal Information: The CCPA provides a Consumer with the right to opt-out of the sale (as defined under the law) of his/her PI. Ultimate does not sell PI, and thus does not provide you with a mechanism for opting-out.
Right to Non-Discrimination: Ultimate will not discriminate against a Consumer in response to the decision to exercise any of the privacy rights granted to you under the CCPA.
Asserting Your Rights - Submitting a Request to Know or Delete: As previously stated, Ultimate may reject your request if We cannot verify your identity. Please follow the instructions below, and provide the requested information to allow us to adequately address your request.
If you are a current or former employee of Ultimate residing in the State of California, you may submit your request via email at firstname.lastname@example.org. In the email, please indicate which Right you are exercising. In order to verify your identity, your request must include the following:
- Your full name and email address associated with your profile;
- Your preferred contact phone number; and
- Your hire date, which can be found by current or former employees (up to one year following termination) within your profile, or on your offer letter. We require your hire date to be provided in the MM/DD/YY format.
If you previously applied for employment with Ultimate (job applicants) and reside in the State of California, you may submit your request via email at email@example.com. In the email, please indicate which Right you are exercising. In order to verify your identity, your request must include the following:
- Your full name and email address associated with your profile;
- Your preferred contact phone number; and
- The number of employment opportunities you have applied for with Ultimate, as well as the Job Title and Job Code associated with each application, which can be found in your profile, under the Applications tab.
If you are a current or former employee or job applicant of one of Ultimate's customers, please contact your employer/former employer directly.
If you have provided Ultimate with your information via our website (i.e. through a Webinar or for a Whitepaper) and reside in the State of California, please click here.
Authorized Agents: You may exercise your right to know or your request for deletion of your PI, through the use of an authorized agent. A request from an authorized agent on your behalf will only be accepted if the authorized agent provides us with written proof they are authorized to act on your behalf. We may also first require the authorized agent to verify their identity, before accepting the request. Ultimate may deny requests from authorized agents that fail to provide proof of their status as an authorized agent or verification of their identity.
Changes to this Notice
The practices described in this California-specific Notice are the current practices approved on December 20, 2019. Ultimate reserves the right to modify or amend this Notice at any time. We encourage you to periodically review this page for the latest information on our privacy practices.
At any time, you may contact Ultimate with questions or concerns about this Notice at firstname.lastname@example.org. Written responses may also be submitted to:
The Ultimate Software Group
Attention: Vice President of Privacy, Risk & Compliance
2000 Ultimate Way
Weston, FL 33326
How Personal Information is Collected
Ultimate collects PI about a visitor to our website only when the visitor chooses to provide such information. On certain pages, for example, a visitor has the opportunity to provide his/her PI such as his/her name, company, address, phone number, and e-mail address. Any Personal Information you provide when using this website will only be used in accordance with this Privacy Notice. By supplying such information to Ultimate, a visitor can request details about Ultimate, including information about the company's product line and investor information, or sign up for company-sponsored events or use the company's support website.
If you are a resident of the European Union or the United Kingdom (in the event it leaves the EU), and would like to request access to your Personal Information and/or request erasure (right to be forgotten) of Personal Information previously provided, please click here.
Website / Cookies and other Tracking Technologies
In order to improve the content and format of our site, Ultimate uses website tracking software to automatically capture technical information that is then stored in our server's log files. This information may include, but is not limited to, user domain, the type of Internet browser being used, which of our Web pages is visited, and the amount of time spent on our site.
We have also implemented the following Google Analytics Advertising features for our paid advertising:
- Remarketing with Google Analytics;
- Google Display Network Impression Reporting;
- Google Analytics Demographics and Interest Reporting; and
- Integrated services that require Google Analytics to collect data for advertising purposes, including the collection of data via advertising cookies and identifiers.
If you wish to opt out of the Google Analytics Advertising features that We use, click here.
Ultimate Software Job Applicants and Employees
Ultimate collects PI such as name, address, email address, SSN from job applicants and employees of Ultimate for, among other things, legitimate human resource business reasons such as payroll administration, filling employment positions, maintaining accurate benefits records, meeting governmental reporting requirements, security, health and safety management, performance management, company network access, and authentication. Ultimate does not engage in automated decision making. European Union or United Kingdom residents (in the event it leaves the EU), who have created an applicant profile and/or applied for employment opportunities with Ultimate wishing to exercise applicable rights under GDPR can refer to instructions within their profile under Consent and Privacy.
Ultimate collects PI such as name, address, email address, SSN from customers of Ultimate who use our solution. The information may be collected through our SaaS solution, or by members of our support team who provide support to customers. The type of PI collected is similar to the information collected under the "Ultimate Software Job Applicants and Employees" paragraph, above.
Ultimate collects information under the direction of its customers and has no direct relationship with the individuals whose personal data it processes. Contact the customer that you interact with directly for requests or questions related to access, correction, amendment or deletion of data. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our customers. The use of information collected through our SaaS solution shall be limited to the purpose of providing the products(s) and service(s) for which the customer has engaged Ultimate.
We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.
Use of Your Personal Information
We use your PI to provide you with the services, which Ultimate is contractually obligated to provide to you, or to assist you in completing a transaction, or communicate with you about our products or services. We use PI from website visitors to respond to any inquiries such visitors make to our website and to provide you with related information of interest to you. We do not sell or rent your PI to third parties.
We may disclose your PI if we are required to do so by law or we in good faith believe that such action is necessary to (1) comply with the law or with legal process; (2) protect and defend our rights and property; (3) protect against misuse or unauthorized use of our website; or (4) protect the personal safety or property of our users or the public (among other things, this means that if you provide false information or attempt to pose as someone else, information about you may be disclosed as part of any investigation into your actions).
Other than as stated in this Privacy Notice, we will endeavor not to release your PI to unknown or unaffiliated third parties, and we will not cross-reference your PI with that of any other customer or entity.
Sharing of Your Personal Information
Ultimate may contract with third-party providers to perform certain functions on our behalf or to enhance our existing product and service offerings. Examples include providing marketing assistance, product, and service support. These third parties may have access to your PI only to the extent necessary to provide these services, however, they are bound by confidentiality agreements before any information is provided to them, and they are restricted from using the information for other purposes.
Selling of Your Personal Information
Ultimate Software does not sell Personal Information.
Links to Non-Ultimate Software websites and Third Parties
Ultimate will take reasonable steps to provide that your PI is accurate, complete, and current, to its intended use. We provide individuals with reasonable access to the PI that they provide to us, as well as the ability to review and correct such information. For access requests please see the section on Notice above, which provides information for various types of data subjects and how you can exercise this right. We will respond to your request within a reasonable timeframe.
Ultimate will only retain PI as long as is necessary to comply with our legal obligations, resolve disputes, and as applicable to agreements with our customers.
Both the EU- U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield Framework provide EU citizens and Swiss citizens, respectively, with a right to access their PI. Ultimate has no direct business relationship with the individuals whose personal data it processes (individuals of our customers). If you are an individual of one of our customers, please direct your query to Ultimate's customer with whom you do have a business relationship.
To protect your privacy and security, we also take reasonable steps to verify your identity, before granting access to your PI. In addition, we may limit or deny access to PI where providing such access would be unreasonably burdensome or expensive in the circumstances, or as otherwise permitted by Privacy Shield.
To prevent unauthorized access or disclosure, to maintain data accuracy, and to allow only the appropriate use of your PI, we utilize physical, technical, and administrative controls and procedures to safeguard the information we collect.
To protect the confidentiality, integrity, and availability of your PI, Ultimate utilizes a variety of physical and logical access controls, firewalls, intrusion detection/prevention systems, network and database monitoring, anti-virus, and backup systems. We use encrypted sessions when collecting or transferring sensitive data through our websites.
We limit access to your PI and data to those persons who have a specific business purpose for maintaining and processing such information. Ultimate's employees who have been granted physical access to your PI are made aware of their responsibilities to protect the confidentiality, integrity, and availability of that information and have been provided training and instruction on how to do so.
As to its own employees and its own job applicants, Ultimate will take reasonable steps to provide that PI is accurate, complete, and current, to its intended use. Ultimate will only use PI in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual.
Enforcement and Verification
Ultimate will conduct periodic assessments to validate its continued adherence to this Privacy Notice.
Where Ultimate has knowledge that one of Ultimate's employees or third parties is using or disclosing PI in a manner contrary to this Privacy Notice, Ultimate will take reasonable steps to prevent or stop the use or disclosure. Ultimate holds its employees and agents accountable for maintaining the trust that our customers place in our company.
Ultimate will investigate and attempt to resolve complaints and disputes regarding the use and disclosure of PI in accordance with the principles contained in this Notice. Ultimate agrees to cooperate with Data Protection Authorities located in the European Union and the Federal Data Protection and Information Commissioner located in Switzerland, or authorized representatives for disputes specific to Human Resource information received from the European Union and Switzerland. All other disputes that cannot be resolved between Ultimate and the complainant will be handled in accordance with applicable dispute resolution procedures through our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. We strongly encourage you to raise any complaints you may have with regard to this Privacy Notice and/or our activation of this Notice to us prior to proceeding to the arbitration procedure described in this paragraph.
Changes to This Privacy Notice
The practices described in this Notice are the current PI protection policies approved on May 6, 2020. Ultimate reserves the right to modify or amend this Notice at any time consistent with the Privacy Shield Principles. We encourage you to periodically review this page for the latest information on our privacy practices.
At any time, you may contact Ultimate with questions or concerns about this Privacy Notice at email@example.com. Written responses may also be submitted to:
The Ultimate Software Group
Attention: Vice President of Privacy, Risk & Compliance
2000 Ultimate Way
Weston, FL 33326
Those residing in the EU may contact the external Data Protection Officer (DPO) via email at DPO@ultimatesoftware.com. The DPO also serves as Ultimate Software's representative in Europe and is located at:
53 rue d'Hauteville,
75010 Paris, France