Privacy Policy (archived)
This is not the most up-to-date version of our privacy policy. Find the current privacy policy here.
Last updated: 1/8/2024
Privacy Statement
All terms capitalized but not defined herein will have the definition given to such term under GDPR.
This Privacy Policy describes how Fringe processes personal data pertaining to persons that interact with it as website/ platform visitors/ users or direct beneficiaries (meaning how such personal data is: collected; stored; accessed; processed and shared); as well as which are the Legal Basis towards such Processing activities.
This Privacy Policy is provided to you in accordance with the following personal data protection legislation:
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (the “GDPR”), which became enforceable across the EU and the EEA from May 25th, 2018 having replaced the previous Directive 95/46/EC; In Ireland, the national law, which amongst other things, gives further effect to the GDPR, is the Data Protection Act 2018 (‘the 2018 Act’).
- The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 also known as the ePrivacy Directive, amending the Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;
- The California Consumer Privacy Act 2018 (the “CCPA”), assembly Bill of the State of California United States of America No. 375, under CHAPTER 55, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by Governor June 28, 2018. And the CPRA (a ballot initiative) that amended the CCPA by including additional privacy protections for consumers passed in Nov. 2020.
The primary goal of processing personal data is to identify authorized users (logged in users) of the Fringe platform and to enable service delivery of the Fringe platform.
Fringe understands that personal data may represent a risk to you if accessed by unauthorized third parties; Fringe has therefore developed a set of policies, operational processes, and mechanisms (technological and human-based) to ensure that the personal data entrusted by you to Fringe will be maintained, handled and shared in a manner that warrants its security, accuracy, confidentiality, and privacy.
Personal data is exclusively processed under the scope and purpose of agreed services between Fringe and a corporate entity facilitating your access to the Fringe platform (the “Corporate Client”) or you, the direct beneficiary (the user who has accepted to continue benefiting from perks and benefits of using the Fringe platform in connection with being an employee of one of Fringe’s Corporate Clients or otherwise).
Each and every data subject maintains full control over the personal data that pertains to them, as well as the Personal Data Processing Activities undertaken by Fringe (as defined under both the GDPR as Data Subject’s Rights and also the rights described under the CCPA).
* * * * *
Applicability
Fringe reserves the right to modify this Privacy Policy at all times by posting an updated timestamped version on its website(s).
* * * * *
Questions Regarding this Policy
All questions or requests regarding the processing of the personal data under our control or processing may be addressed to dataprivacy@fringe.us
Fringe DPO contacts
Mr. Chris Luhrman
Country: US
email: dataprivacy@fringe.us
phone: 8042200775
* * * * *
Fringe Core Activity – Service Catalog and “Legal Basis”
Fringe provides a set of services to other companies as well as natural persons, delivery of which requires “Personal Data Processing Activities”.
Fringe enables Corporate Clients to provide their staff with additional benefits and perks in the form of points toward the purchase of products and services enabled by third parties.
In this scenario, Fringe acts as a Processor whereas the Corporate Client is the Controller, hence the Legal Basis for Fringe to Process the Personal Data consists of a “Contractual Obligation” to the Controller.
When an employee leaves an organization towards which Fringe is delivering its services, Fringe reaches out to that employee asking if he/ she wishes to continue benefiting from the benefits and perks as an independent individual and if that Data Subject accepts, the service continues, whereas if the employee refuses their access to the platform will cease and their data handled in accordance with our Privacy Policy, Terms of Use and our data obligations as a processor.
The Legal Basis in the case of this service is “Explicit Consent”.
* * * * *
What ‘Personal Data’ is subject to processing by Fringe?
Fringe Marketplace service requires that the following categories of Personal Data be processed:
- Contact Data (e.g. Name; Email; Phone number)
- Demographic Data (e.g. Date of Birth, Gender)
- Location Data (e.g. Country; City; State)
- Professional Information (e.g. Company; Role)
- Financial Information (e.g. Credit Card Number)
- Operational (e.g. Attributed benefits; Points; Transaction History)
* * * * *
What Processing is performed to ‘Personal Data’?
Gathering/Collection and Processing
In general Fringe exclusively gathers the Personal Data directly from the Corporate Clients regarding their employee; however, when an employee leaves a Corporate Client but remains a beneficiary, the personal data may be collected from the employee, subject to their consent.
Initially, the personal data is submitted by the Controller (Corporate Client) to Fringe for processing.
In this case the processing is authorized explicitly by the Corporate Client and by the employee using a benefit on the Fringe platform.
When the employee (who has left the organization of the Corporate Client) becomes a direct beneficiary, the Processing is authorized by the employee while making use of the available benefits and perks.
Sharing and Hosting
Fringe is an online platform, which primarily stores its data and information online or digitally.
To process personal data, Fringe relies on certain partners to deliver ervices. Fringe shares only the minimum amount of personal data necessary for those services to be delivered. Fringe shares personal data with the following third-party services providers:
- Salesforce
- AWS
Depending on the circumstances, Fringe acts either as the Controller or the initial processor with these “partners” which act as “processors or sub processors” for Fringe.” The partners will not conduct any “personal data processing activities” activities to information registered, submitted, or conveyed by Fringe unless under the scope of contracted services agreed and documented under an existing Data Processing Agreement (DPA) between the parties governed by applicable personal data protection legislation.
* * * * *
How is the Security, Privacy and Confidentiality of ‘Personal Data’ assured?
Fringe’s technology and processes are configured and monitored in accordance with industry standards. Fringe has reviewed and adopted changes to its operational processes to materially comply with the GDPR’s requirements regarding the protection of personal data.
For details, see Fringe’s Security & Trust page.
* * * * *
How long is “Personal Data” maintained?
Fringe retains data according to its services’ lifecycle with the goals a) to hold “personal data” for no longer than necessary and b) to minimize the risk of deleting information that Fringe needs to provide its services.
Fringe will retain data in accordance with the following general retention schedules:
- In the case of Fringe’s service coming to an end with a given Corporate Client then Fringe will erase the employee’s data from Fringe’s databases within 90 days.
- In the case where a user is no longer associated with a Corporate Client and does not provide individual consent, personal data will be managed according to applicable data protection laws and/or Client contractual obligations and requirements.
- In the case the employee indicates to Fringe that he or she would like to continue using Fringe’s services, Fringe will maintain the employee’s data until the employee terminates his or her account.
Fringe retains the right to retain data longer than the periods listed above if required by applicable law or at the request of a governmental or regulatory authority.
* * * * *
How are “Data Subjects’” rights exercised?
Those users who are no longer associated with a Corporate Client may exercise their data rights directly with Fringe. Those users who are employees of a Corporate Client must contact their employer to exercise such rights.
Under the GDPR, the user has the following set of rights:
[GDPR] Right of access. The right to obtain from the Controller confirmation as to whether his/ her personal data is being processed, and, where that is the case, access to such personal data as well as related information. Fringe will share the personal data over a secure channel, and that (depending on the type of data as well as volume) may imply the need to convey a “password” via an alternative communication channel to the data subject to ensure authorized secure access. Users may exercise this right by reviewing information on Fringe’s website user account area or by submitting a request as detailed below.
[CCPA] Right to know and access your personal information – similar to the Right of Access under the GDPR, California resident natural persons have the right to:
- Know the categories of personal information we collect and the categories of sources from which we got the information;
- Know the business or commercial purposes for which we collect and share personal information;
- Know the categories of third parties and other entities with whom we share personal information; and
- Access the specific pieces of personal information we have collected about you.
[GDPR] Right to rectification. The right to obtain the rectification of inaccurate personal data pertaining to that data subject. Users may directly amend existing information on Fringe’s website user account area or by submitting a request as detailed below.
[GDPR] Right to erasure. The right to have personal data pertaining to him/ her that is processed by Fringe erased and processing ceases, unless the Controller has a legal duty or a legitimate ground to retain certain data, in which case the data subject will be informed. This right may be exercised by submitting a request as detailed below.
[CCPA] Right to deletion – persons who reside in the state of California may, in some circumstances, ask us to delete their personal data/ information.
We may refuse the exercise of such right if it prevents us from exercising legal defense, it violates a legal obligation, or if there is the risk that by doing so, Fringe would be unable to fulfill a contractual obligation.
[GDPR] The right to restrict processing. Under relevant conditions set out by the law, the right to request and have in place processing restrictions (in scope and purpose) towards personal data that pertains to him/ her. When exercising this right, the user must be specific about which processing activities he or she is requesting be restricted. The Controller must provide feedback to the user either confirming the completion of the request or detailing any potential collateral impact that may derive from implementing the request and asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as detailed below.
[GDPR] The right to object to processing. A user has the right to object to processing activities under this Privacy Policy. The exercise of this right may also occur where the user wishes to opt-out from an existing Service (and not necessarily canceling the Service). When exercising this right, the user must be specific about which processing activities he or she is requesting be stopped. The Controller must provide feedback to the user either confirming the completion of the request or detailing any potential collateral impact that may derive from implementing the request and asking for additional confirmation prior to implementing the request. This right may be exercised by submitting a request as detailed below.
[CCPA] Right to opt out of sales – We do not “sell” your data
[GDPR] Right to data portability. The right to receive the personal data pertaining to the user, in a structured, commonly used and machine-readable format as well as the right to transmit such personal data to another controller without hindrance. Fringe will share the personal data over a secure channel. Such transfer may require that Fringe provide a “password” via an alternative communication channel to the user to access the personal data.
[GDPR] Right to be informed about a Personal Data Breach. The user has the right to be informed of any unauthorized disclosure or potential disclosure of his or her personal data to unauthorized third parties within 72 hours of its occurrence.
[GDPR] Right to lodge a complaint with a supervisory authority. The user has the right to lodge a complaint regarding Fringe’s processing activities to any of the EU Member States data protection Supervisory Authorities.
[CCPA] Right to be free from discrimination – A user may exercise any of the above rights without fear of being discriminated against. Fringe is, however, permitted to provide a different price or rate to you if the difference is directly related to the value provided to you by your data.
For any of the above-mentioned CCPA related rights, you may designate an authorized agent to make a request on your behalf. In the request, you or your authorized agent, must provide information sufficient for us to confirm the identity of an authorized agent. We are required to verify that your agent has been properly authorized to request information on your behalf and this may take additional time to fulfill your request.
We will use the information you provide to make your CCPA rights requests to verify your identity, identify the personal information we may hold about you, and act upon your request.
We strongly recommend that you submit the email and postal address that you used when you created accounts, ordered subscriptions, or signed up for a newsletter. After you submit a CCPA rights request you will be required to verify access to the email address you submitted. You will receive an email with a follow-up link to complete your email verification process. You are required to verify your email in order for us to proceed with your CCPA rights requests. Please check your spam or junk folder in case you can’t see the verification email in your inbox.
Any EU user may exercise his/ her rights under “GDPR” by reaching out to Fringe’ “DPO'' through the email address dataprivacy@fringe.us or via the appropriate representative listed below. If you have any questions, complaints or wish to exercise your rights under “GDPR”, indicate so in your message:
- Purpose: Question; Complaint; Exercise of the “Data Subject’s” rights under “GDPR”
- WHAT triggered your need to contact us?
- WHEN did the root cause which triggered the need to contact us took place?
- If a Member, your Member ID, or if not a mobile phone number or alternative personal email address so we may proceed with a two-factor authentication process.
Why the need to provide alternative personal contact?
Under “GDPR” only the “data subject” may exercise his or her rights. As a result, Fringe must ensure and document that the data subject or his or her legal representatives are the ones interacting with the company.
EU Representative
Osano International Compliance Services Limited
ATTN: NZ77
3 Dublin Landings
North Wall Quay
Dublin 1
D01C4E0
UK RepresentativeOsano UK Compliance LTDATTN: NZ7742-46 Fountain StreetBelfastAntrimBT1 - 5EF