Privacy Policy

1. Personal Data Collection

We collect personal data that is necessary to operate our business, provide our EOR services, and improve our website. The types of personal data we collect and the sources of that information include:

• Contact and Identity Information: This includes identifiers such as full name, email address, telephone number, physical address, and other contact details. We collect this information when you fill out forms on our site (e.g., requesting a demo or information), correspond with us, or enter into contracts. For example, if you request a proposal or create an account, we may ask for your name, business email, company name, and job title. We may also collect government-issued identifiers (such as Social Security numbers, tax identification numbers, passport or driver’s license numbers) and date of birth from employees or job candidates as needed for employment, payroll, and compliance purposes. In accordance with our MSA, each placed employee must provide necessary personal details for onboarding and payroll, and they sign any required agreements (e.g., confidentiality and IP assignment) to protect all parties’ interests.

• Professional and Employment Information: As an EOR, we collect data related to an individual’s work and education history. For placed employees (individuals we hire and assign to work under our client’s direction), we collect information such as job title, résumé/CV details, employment history, qualifications, skills, and performance information relevant to their role. We obtain much of this from the individuals themselves during the application and onboarding process, and from our clients who help select and supervise these employees. We also maintain records of the employee’s compensation, benefits enrollment, work hours, and other HR administration details as required to serve as the legal employer. For client contacts (representatives of our client companies), we collect business contact details and organizational information (company name, office address, billing contact info, etc.) to manage the services. If you apply for a job with Evolution Workforce or become a placed employee, you will be asked to provide personal information needed for hiring and compliance (such as references, background check information, bank account for payroll, emergency contact, etc.), which we will use only for those purposes and as permitted by law.

• Sensitive Personal Information: In the course of our services, we may handle categories of data considered “sensitive.” This can include government ID numbers (e.g., SSN or passport) and financial account information for payroll (collected from employees), demographic or health information (for benefits or equal opportunity compliance), or precise geolocation (if, for example, a work device’s security settings report location). We collect sensitive data only where necessary for business operations or legal obligations – for instance, we may collect nationality or citizenship status to ensure compliance with immigration or export control laws. Any sensitive personal information is closely protected and used strictly for the purposes disclosed (such as paying salaries, providing benefits, ensuring workplace safety, or complying with law) and not for secondary purposes like marketing, unless expressly permitted by law or with consent.

• Online Usage Information: When you visit our website or use our online services, we automatically collect certain data about your device and browsing actions through cookies and similar technologies. This usage data may include your IP address, device identifiers, browser type, operating system, referring URL, pages or content viewed, and dates/times of access. For example, like many companies we use cookies to remember your preferences and to understand how you navigate our site. Some cookies are necessary for site functionality, while others support analytics and advertising (see Tracking Tools in Section 2 below). You can set your browser to refuse certain cookies or alert you when cookies are being used; however, note that blocking all cookies may impact site functionality. We also log interactions such as clicks, form submissions, and referral information (e.g., what marketing campaign or external site led you to us) to better understand interest in our services.

• Sources of Personal Data: We collect personal data directly from you in most cases – for instance, when you provide information through our website forms, sign contracts, communicate with us by email/phone, or during employee onboarding processes. We also receive personal data from third-party sources in certain situations: for example, a client that engages our EOR services may share information about a selected candidate or an existing employee that will be transitioning to Evolution Workforce employment. If we recruit candidates, we might receive résumés from staffing partners or professional networking sites with your consent. Additionally, we may collect data from publicly available sources (like LinkedIn profiles for recruitment, or public corporate registries for client due diligence) and from service providers (such as background check agencies, if applicable). Finally, as noted above, we gather some data automatically via our website’s cookies and tracking tools or via our IT systems (for instance, our secure device management software may report device compliance status when a placed employee uses our equipment).

We will inform you at the point of collection if certain personal data is mandatory or optional and the purposes for which it is needed. We do not collect personal information that is not relevant to our relationship (for example, we do not seek out personal details about your family, religion, or other unrelated matters). If we ever need to collect additional categories of personal data or use existing data for new purposes, we will provide an updated notice and obtain consent if required.

2. Tracking Tools (Google Analytics, Meta Pixel, HubSpot)

Our website utilizes cookies and third-party tracking technologies to improve user experience, analyze traffic, and support our marketing efforts. In particular, we use the following tools and we disclose their operation in the interest of transparency:

• Google Analytics: We use Google Analytics, a web analytics service provided by Google, to understand how visitors use our site. Google Analytics sets cookies on your browser that collect information such as your IP address, device identifiers, browser type, the pages you visit on our site, and the page you came from. This data is transmitted to Google and aggregated to help us analyze site traffic and usage patterns. For example, Google Analytics helps us see which pages are most popular and how users navigate between pages. Google may also use this information for its own analytics and advertising purposes. We have configured Google Analytics to partially mask or anonymize IP addresses where possible. Information generated by these cookies is used by us for internal analysis, to compile reports on website activity, and to improve the site’s content and performance. Google may transfer analytics information to third parties if required by law or if those third parties process data on Google’s behalf. You can opt out of Google Analytics by using Google’s opt-out browser add-on or by adjusting your browser settings to block cookies. Please note that if you disable cookies, certain site features may not function properly.

• Meta Pixel (Facebook Pixel): We use the Meta Pixel on our site to help manage and measure our advertising on Facebook and Instagram (Meta Platforms). The Meta Pixel is a snippet of code that sends Meta data about your actions on our website. For example, if you visit our sign-up page or click on an ad for our services, the Pixel reports that activity to Meta. The Pixel can track events like page views, button clicks, form submissions, and other interactions; it can even detect if you enter information (such as an email address) on our site. Meta uses Pixel data to match website visitors with their Facebook/Instagram profiles (if known) and to optimize advertising (for instance, by creating custom audiences or showing you targeted ads related to Evolution Workforce on its platforms). The Meta Pixel automatically collects certain technical data from your browser, including HTTP headers (IP address, browser type, timestamps), device identifiers, and cookie IDs. It may also collect the URL and title of pages you view and some of the actions you take on our site. Data use: Meta uses this information to provide us with analytics about advertising performance and to personalize the ads you see on Meta services. We do not receive personal data from Meta that directly identifies you; rather, we get aggregate reports (e.g., how many users viewed or clicked an ad, or took an action on our site). However, Meta may combine the information from our site with data it holds about you in your Facebook/Instagram account, subject to Meta’s own privacy policies. You can learn more in Meta’s Privacy Policy and adjust your ad preferences or opt out of certain targeting in your Facebook settings. To broadly opt out of Meta Pixel tracking on websites, you can use browser extensions that block trackers or enable the Global Privacy Control (GPC) as described below (we will honor GPC as an opt-out signal for sharing).

• HubSpot: We use HubSpot as our customer relationship management (CRM) and marketing automation platform. HubSpot sets cookies and tracking beacons on our site to help us identify and follow up with website visitors and leads. For instance, HubSpot places a cookie that assigns a unique identifier to your browser, which allows it to recognize you on return visits and track your page clicks and form submissions on our site. If you fill out a contact form or subscribe to our newsletter, HubSpot will record the information you provide and associate it with your browsing activity (this helps us see, for example, which pages you viewed before submitting a form). HubSpot’s tracking cookies enable lead attribution (see Section 11) by capturing the source of your visit (such as an ad campaign or referral link). The data HubSpot collects through our site includes your IP address, device and browser info, pages visited, and interactions with our content. We use this data to tailor our communications and sales approach – e.g., if we see that a particular whitepaper on our site interested you, our team might follow up with related information. HubSpot cookies will only be set if you consent via our cookie banner where required by law. You can opt out of HubSpot tracking by rejecting cookies on our site’s cookie consent banner or by clearing HubSpot cookies from your browser. For more details, see HubSpot’s own privacy and cookie notices.

• Cookie Management: When you first visit our website, you will see a cookie notice or banner. Where required, we obtain your consent before setting non-essential cookies (analytics or advertising cookies). You can manage your preferences via that banner or by adjusting your browser settings to delete or block cookies. The “Help” menu of most browsers will tell you how to disable cookies or alert you when cookies are being sent. Keep in mind that some features of our site rely on cookies; disabling them might impact functionality (for example, our site might not remember your language preference, or certain interactive features might not work). We also honor the Global Privacy Control (GPC) signal – a setting or browser extension that communicates your privacy preference. If our site detects a GPC signal, we will treat it as a valid request to opt out of cookies that share data (as a “Do Not Sell or Share” request under California law).

3. CCPA/CPRA Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) regarding your personal information. These include the right to receive certain disclosures and the following rights(subject to verification of your identity and any applicable exceptions):

• Right to Know/Access: You have the right to request that we disclose the personal information we have collected about you in the 12 months preceding your request. This includes the categories of personal information, the categories of sources, the business or commercial purposes for collection, the categories of third parties to whom we disclose personal information, and specific pieces of personal information we hold. Upon a verified request, we will provide either the specific information you request or an overview of our data practices in accordance with the law.

• Right to Delete: You have the right to request deletion of personal information we have collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless retaining the information is necessary for us or our service providers to: complete transactions or services you requested; detect security incidents or protect against illegal activity; comply with a legal obligation; or for other internal uses that are compatible with the context in which you provided it and permitted by law (see CCPA §1798.105(d) for exceptions). We will inform you of any denial of deletion and the reason (e.g., if an exception applies).

• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you. We will take into account the nature of the information and the purposes of processing when addressing a correction request, and we may require documentation to verify the correct information. If we cannot honor the request (for example, if we disagree that the data is inaccurate or if an exception applies), we will explain why.

• Right to Opt Out of Sale or Sharing: You have the right to direct us not to sell your personal information to third parties and not to share your personal information for cross-context behavioral advertising (targeted advertising). Sales: Evolution Workforce does not sell personal information for monetary consideration to any third party – we do not exchange your data for money or other valuable goods. However, the CCPA/CPRA’s definitions of “sale” and “sharing” are broad, and certain uses of third-party analytics and advertising cookies may be considered a “sale” or “share” under California law even if no money changes hands. For instance, if our site allows third-party advertising networks (like Meta or Google) to collect identifiers and internet activity information via cookies for the purpose of showing you personalized ads, that could be deemed a “sharing” of personal information. Opt-Out Mechanism: If you wish to opt out of any selling or sharing of your personal information, you can click the ‘Do Not Sell or Share My Personal Information’ link in our website footer. This link will direct you to a dedicated page where you can submit your opt-out request by completing a simple form. Your opt-out will be processed after you submit the form on that page.
  You may also enable the Global Privacy Control (GPC) in your browser, which we recognize as a valid opt-out signal. Once you opt out, we will, as applicable, disable non-essential third-party trackers on our site for that browser and refrain from any future sale or sharing of your data unless you later provide consent. If we have any offline data-sharing arrangements, we will similarly cease sharing your data for those purposes. Note that opting out through cookie-based methods is browser-specific, so if you clear cookies or use a new device/browser, you may need to opt out again.

• Right to Limit Use of Sensitive Personal Information: If we collect Sensitive Personal Information (SPI) about you (as defined by the CPRA to include things like government IDs, account credentials, precise geolocation, race/ethnicity, union membership, genetic data, etc.), you have the right to direct us to limit the use and disclosure of your SPI to certain allowable purposes. Those allowable purposes include providing the services you requested, preventing fraud or security incidents, and other core functions permitted by law. Evolution Workforce does not use sensitive personal information for purposes beyond those allowed by the CPRA (for example, we do not use or disclose sensitive data for cross-context behavioral advertising or building consumer profiles without consent). Thus, we effectively treat all sensitive data in compliance with a “limited use” requirement. If in the future we intend to use sensitive data for additional purposes, we will provide a clear “Limit the Use of My Sensitive Personal Information” option as required by law. (California residents can rest assured that any sensitive details, such as an employee’s Social Security number or passport number, are used strictly for verification, payroll, benefits, legal compliance, or other necessary services only.)

• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not deny you goods or services, charge you a different price, or provide a different level of quality because you exercised your privacy rights. If you are an employee or prospective employee exercising your rights, it will not affect your employment prospects or any benefits to which you are entitled. In some cases, if the exercise of your rights limits our ability to process personal information (for example, if you request deletion of data needed to provide a service), we may not be able to continue the service relationship – but we will inform you of such consequences and alternatives at the time.

How to Submit a Request: To exercise your California privacy rights, you (or an authorized agent acting on your behalf) may contact us by email at info@evolution-workforce.com with the subject line “CCPA Request” and specifying which right you seek to exercise. You may also call us at +1 (212) 400-1650 to submit your request. We will need to verify your identity to a“reasonable degree of certainty” (or a “reasonably high degree”for requests for specific pieces of information) before processing your request. This may involve matching information you provide with information we have on file (such as verifying control of your email or requiring a signed declaration). If you use an authorized agent,we will require proof of the agent’s written permission to act on your behalf and may still ask you to verify your identity directly.We aim to respond to requests within 45 days, or notify you if an extension of up to 45 additional days is needed. For requests to know specific pieces of data, we will provide those via a secure method.For deletion requests, we will either confirm deletion or explain the basis for any denial (e.g., a legal exemption). For opt-out requests,we will comply as soon as feasibly possible.

If we decline to take action on are quest, you have the right to understand why. In such cases, we will provide an explanation. California law also allows you to contact the California Attorney General if you have concerns about the result of your request or if you believe your rights under CCPA/CPRA have been violated. (See Section 9 for additional state-specific remedies.)

4. Third-Party Data Sharing

We do not disclose or share personal data with third parties except as needed to run our business, fulfill our services, or as otherwise described here or required by law. When we do share data, we ensure appropriate safeguards are in place (such as contractual assurances of confidentiality and data protection from the recipient). The categories of third parties with whom Evolution Workforce may share personal data, and the context for such sharing, include:

• Client Companies: As an EOR provider, one of our primary functions is to act as the employer of record for individuals who actually work under the direction of our client companies. This means that we will share relevant personal information of a placed employee with the client that is utilizing their services. For example, if we hire an international software developer on behalf of a U.S. tech company, that client will necessarily receive the individual’s work profile and contact information, and may evaluate their résumé or background during selection. Throughout the engagement, we may share data such as the employee’s work hours, project reports, or performance feedback with the client, since the client manages the day-to-day work. All such sharing is part of the service contract with the client and is done for “business purposes” (e.g., providing the contracted HR service). The client is typically considered a separate business or controller of the personal data for their own operational purposes. We require that clients handle any personal data we share in compliance with applicable privacy laws and with at least the same level of care we do. Our contracts with clients (MSA and SOW) include confidentiality clauses to protect personal information; clients are not permitted to use personal data of placed employees for any purposes outside the scope of the placement. (Note: If a placed employee will have access to a client’s own sensitive data (for instance, the client’s customer data), the client is responsible for ensuring proper legal bases or consents are in place for that access. This ensures that all parties uphold data privacy compliance in the service relationship.)

• Service Providers (“Processors”): We share personal data with third-party service providers and vendors who perform functions on our behalf to support our operations. These providers are bound by contract to use personal data only as necessary to provide services to us and not for their own purposes, consistent with the concept of “service providers” under CCPA. Examples include:

  • Payroll and Benefits Administrators: We may use third-party payroll processors, benefits providers, insurance companies, and HR software platforms to administer salaries, health insurance, retirement plans, and other benefits for placed employees. These providers will receive personal data such as identification details, salary information, and benefits selections necessary to perform their duties. They are obligated to keep such information confidential and secure.

  • Cloud Hosting and IT Infrastructure: We utilize reputable cloud service providers (for example, for data storage, database hosting, or application hosting) to store and process data. Personal data may be stored on cloud servers operated by companies like Microsoft or Amazon Web Services, subject to strict access controls and encryption. Similarly, we may use IT management services – for instance, we deploy Microsoft Intune for device management and CrowdStrike Falcon for endpoint security on devices used by our employees. These tools, while software used on our behalf, may send certain diagnostic or usage data to the tool providers (e.g., a device’s compliance status to Microsoft’s Intune cloud) solely to enable the security functions. Such providers are not permitted to use personal info except to provide the contracted service.
    

  • Analytics and Marketing Partners: As described in Section 2, we use third-party analytics (Google) and CRM/marketing tools (HubSpot) that process personal data about website visitors. These partners act on our behalf to provide insights and marketing automation. Data shared with them (like cookie identifiers or lead information) is covered by our agreements with those companies. In the case of advertising partners (such as Meta for our Meta Pixel), those companies may be considered independent “third parties” who collect data for their own uses as well; we treat such situations as data “sharing” that you can opt out of (see Sections 2 and 12). We do not sell personal data to these partners, but we want you to be aware that when you interact with our site, these third parties might collect information under their own privacy policies as well. We contractually require any marketing or advertising vendors to comply with privacy laws and honor opt-outs (for example, if you opt out of cookies, we instruct analytics tools accordingly).
    

  • Background Check and Compliance Services: If, as part of hiring or onboarding, a background screening, identity verification, or sanctions check is required, we will share the necessary personal details with trusted agencies that provide these services. For instance, to perform a criminal background check or education verification (where lawful and agreed), we would provide the candidate’s name, ID number, or other needed data to the screening provider. Those providers are prohibited from using the data for anything beyond the requested screening and must comply with applicable consumer reporting laws.
    

  • Legal, Accounting, and Other Professional Advisors: We may disclose personal information to our external auditors, attorneys, insurers, bankers, or other professional advisors as necessary for securing their services or defending our legal rights. For example, if we undergo an audit, the auditor might have access to employee payroll records to verify our compliance with tax and labor laws. These parties are bound by confidentiality obligations (through professional standards or contractual agreements) to keep any personal data disclosed to them confidential.
    

  • Third-Party Platforms and Client-Directed Tools: In some cases, our placed employees use or access third-party software and platforms at the direction of our clients as part of their work (e.g., a client may require the use of Slack for messaging, Jira for project management, or other SaaS tools). When a placed employee uses such third-party services, any personal data they input or generate (like messages, task data, or profile information) may be stored in those third-party systems. Evolution Workforce does not control those systems and is not responsible for the data practices of those providers, beyond ensuring that initial access is provided securely. The use of those tools is governed by the client’s arrangements with those providers. Important: If a placed employee utilizes a third-party tool, the personal information (e.g., their username, communications, files) on that platform is subject to the privacy policy of the third-party provider, and any data transmitted through those platforms may be accessible to that provider or other authorized users. We advise both clients and employees to be mindful of what data is shared on external platforms and ensure it’s limited to what’s necessary. Evolution Workforce will support reasonable security configurations for those tools (for example, enabling multi-factor authentication if available) and will enforce any specific security requirements agreed with the client. However, if any data loss or breach occurs via those third-party services (outside of our control), responsibility largely lies with those service providers and/or the client’s use of them. (We will of course assist in incident investigation as needed—see the Security Measures section below.)
    

• Affiliates and Corporate Transactions: Evolution Workforce may share personal information with our corporate affiliates (entities under common ownership or control) for aligned business purposes, such as centralized management or consistent service delivery. At present, we do not have any subsidiaries or sister companies; however, if we ever share data with an affiliate, we will ensure any affiliate receiving data handles it under the same privacy and security standards described in this policy. In the event of a business transaction, such as a merger, acquisition, reorganization, or sale of all or part of our business or assets, personal data may be disclosed to potential or actual purchasers (and their professional advisors) as part of due diligence or the transfer of business assets. If ownership or control of Evolution Workforce changes, we will require the successor entity to honor the commitments we have made in this Privacy Policy regarding your personal information, or we will notify you and seek consent if required by law.

• Legal Compliance and Protection: We may disclose personal information to third parties (such as courts, law enforcement, government authorities, or opposing counsel) if we believe disclosure is necessary to: (a) comply with any applicable law, regulation, legal process, or governmental request; (b) enforce or apply our contracts (including investigating potential violations, such as suspected fraud or misuse of our services); (c) detect, prevent, or otherwise address illegal or harmful activities, security incidents, or technical issues; or (d) protect the rights, property, or safety of Evolution Workforce, our employees, our clients, or others. For instance, if a regulatory agency requests information about employees for compliance reasons, or if a subpoena or court order demands records, we may be legally obligated to provide the data. We will limit any such disclosure to the relevant requirements and will object to overly broad requests when appropriate. Additionally, if a placed employee were to raise a legal claim or there’s a dispute (e.g., a workers’ compensation claim or a lawsuit involving a placed employee’s conduct), we might share necessary information with insurers or legal representatives to handle the matter.

Other than the situations above, Evolution Workforce will not share your personal data with third parties. In particular, we do not sell your personal information to data brokers or unrelated parties,and we do not disclose personal data to third parties for their own direct marketing purposes without your consent. We also do not allow unauthorized third-party advertising networks to gather your info from our site beyond what is described in Section 2 (and you can optout of those). If our practices regarding data sharing change in the future, we will update this Privacy Policy and provide any required notices or opt-in/opt-out choices.

5. Contact Methods and Policy Updates

Contacting Us: If you have any questions, concerns, or requests regarding this Privacy Policy or how Evolution Workforce handles your personal data, please contact us by any of the following methods:

• Email: info@evolution-workforce.com – This is our dedicated email for inquiries related to privacy (e.g., questions about this Policy, requests to exercise your rights, or reports of a potential data incident). Please include your name and contact information and describe your question or request with sufficient detail.

• Phone: +1 (212) 400-1650 – You may call our offices during normal business hours and request to speak to the Privacy Officer or a member of our legal/compliance team.

• Mail: Attn: Privacy Officer, Double M Merchandise Inc. (dba Evolution Workforce), 260 West 54th Street, New York, NY 10019, USA. You may send us a written letter with any inquiries or requests. If you are exercising legal rights, please indicate that in your letter and provide a way to contact you (email or postal address) for our response.

We will endeavor to respond to any privacy-related inquiry within a reasonable timeframe. If you are an Evolution Workforce placed employee or job applicant with questions about your personal data,you may also reach out to your Evolution Workforce HR contact or account manager, who can coordinate with our privacy team.

Effective Date: This Privacy Policy was initially effective as of May 22, 2025. It reflects our data practices and commitments as of that date.

Updates to this Policy: We may update or revise this Privacy Policy from time to time to reflect changes in our practices, to keep up with new legal requirements, or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users in a manner appropriate to the significance of the changes:

• For minor or routine updates (e.g., clarifying language or updating contact info), we may simply update the “Last Updated” date above and post the revised Policy on our website. Please check this page periodically to stay informed of any changes.

• For significant changes that affect your rights or how we use personal data (e.g., if we begin collecting new categories of personal information or start using data for new purposes not previously disclosed), we will provide a more prominent notice. This may include posting an announcement on our website’s homepage or login portal, or contacting you directly via email or other contact information you have provided. In certain cases, if required by law, we will seek your consent for the new processing.

Any revised Privacy Policy will be accessible on our website (likely at the same URL). The date at the top will indicate when the changes become effective. We encourage you to review our Privacy Policy whenever you access our services to stay informed about our information practices. If you continue to use our website or services after an updated Privacy Policy takes effect, it will signify your acceptance of the changes. (We will not, without your consent, use your personal information in a manner materially different than what was stated at the time it was collected from you.)

6. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required or permitted by law. Because the appropriate retention period can vary depending on the context and the nature of the data, we maintain internal retention guidelines and take into account various factors when determining how long to keep information:

• Operational Necessity: We keep personal information as long as needed to provide our services and run our business. For example, while you are an active client or user, we will retain your account information and contact details. If you are a placed employee, we retain your HR records for the duration of your employment with Evolution Workforce and for a period after termination as required for legal compliance or our business records. We aim to retain data for the shortest duration that serves the intended purpose. In practice, this means that if data is no longer actively used or needed, we will either delete it or anonymize it (unless an exception applies).

• Legal and Contractual Requirements: Certain laws mandate retention of records for specific periods. For instance, payroll and tax records for employees often must be kept for a number of years (e.g., IRS regulations typically require keeping employee tax forms for at least 4 years). Similarly, basic company records of contracts or services provided may be kept to comply with statutes of limitations (for example, to defend against possible legal claims, we might retain a copy of the contract and related communications for a number of years after the contract ends). We comply with applicable laws in the relevant jurisdictions concerning data retention. Where laws differ, we may apply the longest applicable retention period if that data might be relevant to requirements in multiple jurisdictions.

• Archival and Auditing Needs: We retain certain data for our legitimate interests in maintaining business continuity, financial records, and audit trails. For example, even after a placed employee leaves, we may retain a record of their employment dates, position, and salary for accounting and audit purposes. We may also keep security logs or backup archives for a certain period to ensure we can investigate security incidents or restore services in a disaster recovery scenario. These archives are protected and have strictly controlled access.

• Deletion and Anonymization: When personal data reaches the end of its retention period, we will either delete it securely or convert it into an anonymized form that no longer identifies individuals. Secure deletion may involve shredding physical documents and using technical wiping for electronic data. In some cases, rather than deleting entirely, we may anonymize data (for example, aggregate business analytics might be derived from historical data but without personal identifiers). Once anonymized, data is no longer subject to this Privacy Policy because it is not personally identifiable.

• Exceptions: If you exercise your right to deletion under applicable law, we will delete your data unless a specific exception applies (see Section 3 on CCPA deletion exceptions, which aligns with our general practices). Also, if there is ongoing litigation, audit, or an open investigation, we may preserve relevant data until it is resolved, even if that extends beyond normal retention periods – this is to comply with legal hold obligations.

In summary, Evolution Workforce strives to keep personal information for no longer than necessary. We periodically review the data we hold and erase or anonymize information that is no longer needed. If you have specific questions about how long certain data is kept, you can contact us (see Section 5), and we will try to provide guidance. For example, a California resident might request information on the retention period for their category of data under Cal. Civ. Code §1798.100. We will happily provide available details to the extent required by law.

7. COPPA/Children

Our services and website are not directed to children under the age of 13, and we do not knowingly collect or solicit personal information from children under 13 years old. In fact, due to the nature of our business (employment services for companies), we generally do not have any users or employees in that age group. The Children’s Online Privacy Protection Act (COPPA) imposes requirements on websites that collect data from children under 13,and Evolution Workforce’s policy is to avoid any such collection.

If you are under 13, please do not use or provide any information on this website or through our services. We do not intend to collect information from minors, and any information provided to us about a child should come only through a parent or legal guardian (for instance, if an employee provides dependent information for benefits, that is done by the adult parent,and we handle that data in compliance with applicable law).

In the unlikely event that we learn we have collected personal information directly from a child under 13without verified parental consent, we will promptly delete that information from our records. For example, if a child were to submit a contact form or send us an email with their information, and we realize the person is under 13, we will purge that data and not use it for any purpose (except as may be necessary to protect the child or others, as required by law). If you believe we might have any information from or about a child under 13, please contact us immediately at info@evolution-workforce.com so that we can investigate and take appropriate action.

For minors aged 13 to 16: While our website is not intended for this audience either, California law (as amended by the CPRA) requires opt-in consent to sell or share personal data of consumers between 13 and 16 years old. As noted above, we do not sell or share personal data in a manner that would trigger that requirement. Nonetheless, we want to emphasize that we do not knowingly process data of anyone under 16 for targeted advertising or any commercial sale. If a teenager (ages 13–16) in California interacts with our site, we treat any Do Not Sell/Share signal as described in Section 12. Moreover, any user under 18 in California may request removal of their posted content (though generally we do not have open forums for users to post content).

‍Employment of Minors:Evolution Workforce’s services are geared towards professional placements and, as such, we require employees to be of legal working age in their respective countries (and typically 18 or older). We do not employ children in violation of any child labor laws. Any personal data of minors that we might handle would only occur in narrow circumstances, such as processing dependent information for benefits (with parent consent) or emergency contact information. Even then, that data is used only for its intended purpose and protected appropriately.

In summary, parents and guardians should be confident that we do not seek out children’s data. We encourage all minors to obtain permission from a parent or guardian before providing any information about themselves anywhere on the internet.

8. Security Measures

Evolution Workforce takes the security of personal data very seriously. We have implemented a comprehensive information security program with administrative, technical, and physical safeguards designed to protect your personal information from unauthorized access, disclosure, loss, or misuse. We also continuously evaluate and upgrade our security measures in light of current risks and industry best practices, including those specifically relevant to EOR services (such as securing communications between international employees and U.S. clients).

Technical Measures: We utilize enterprise-grade security tools and infrastructure to protect data in transit and at rest. Some of our key security practices include:

• Encryption: We employ encryption technologies to protect personal data. This includes using SSL/TLS encryption for data in transit (so that information you enter on our website is transmitted securely) and encryption at rest for sensitive data stored in our databases or cloud storage. For example, any sensitive personal information (like government ID numbers or financial info) is stored in encrypted form or in secure systems that offer encryption.

• Endpoint and Device Security: For placed employees that use devices managed by Evolution Workforce, we implement device management and threat protection. We utilize tools such as Microsoft Intune for mobile device/application management and CrowdStrike Falcon for advanced anti-virus and endpoint threat detection on computers. This ensures that devices meet security compliance requirements (e.g., have updated software and proper configurations) and helps us detect and block malware or unauthorized intrusion attempts.

• Secure Network Access: We provide secure VPN (Virtual Private Network) access through solutions like NordLayer, requiring encryption for remote connections. When our placed employees connect to client systems or the internet from outside an office, the VPN creates an encrypted tunnel that protects the data. This is particularly important as many placed employees work remotely or from international locations.

• User Activity Monitoring and Access Control: As part of ensuring productivity and security for our remote workforce, we use monitoring tools (such as Teramind for user activity monitoring) in accordance with applicable laws. These tools can track actions on company-provided devices (like which applications are open or if high-risk behaviors occur) to prevent data exfiltration or unauthorized actions. However, this monitoring is primarily for security and compliance purposes; we do not intrude on personal privacy beyond work-related oversight, and any such monitoring is disclosed to employees as part of their onboarding (and configured to respect privacy requirements). Additionally, we enforce the principle of least privilege – employees and contractors are given access only to the systems and data necessary for their role, and such access is regularly reviewed and revoked when no longer needed.

• Secure Architecture and Testing: Our systems are built with security in mind. We segment networks to isolate sensitive information, use firewalls and intrusion detection systems to guard our perimeter, and regularly test our applications and infrastructure for vulnerabilities (via security scans and penetration tests). Any software development we undertake follows secure coding practices. We also maintain up-to-date anti-malware protection on all our servers and endpoints.

• Data Backups and Resilience: We perform regular data backups and have a business continuity/disaster recovery (BC/DR) plan to ensure that personal data is not lost inadvertently and that our services can continue or be restored in case of an incident. Backup data is encrypted and stored securely, with access limited to authorized personnel.

Organizational Measures: Alongside technical safeguards, we maintain strong organizational policies:

• Confidentiality and Training: All Evolution Workforce employees (including those we place with clients) are required to sign confidentiality agreements and undergo privacy training. This ensures they understand the sensitivity of personal data and their obligations to protect it. We have clear policies prohibiting unauthorized use or disclosure of client or employee data. Access to personal data internally is restricted to personnel who need it to perform their job duties (for example, HR staff can access employee records, but a software developer in our company would not have such access). We also train our staff on phishing awareness and how to identify and report security incidents.

• Vendor Management: We carefully vet our third-party service providers for strong security practices. We enter into data processing addendums or confidentiality agreements with vendors who handle personal data, obligating them to implement adequate safeguards (often aligning with industry standards like ISO 27001 or SOC 2). We monitor their compliance and require notifications of any breaches involving our data.

• Physical Security: Our offices and any data centers we use have physical security controls in place. This may include access badges, alarms, security personnel, and policies to prevent unauthorized physical access to computers or files. For instance, any paper records containing personal data are stored in locked cabinets, and we have clean-desk policies to ensure sensitive info isn’t left out.

• Security Policies and Governance: We have an appointed security team or officer responsible for maintaining our security program. Regular audits and reviews are conducted to ensure compliance with our policies and to adapt to new threats. We also maintain incident response plans so that in the event of a security incident, we can act swiftly and effectively to mitigate harm.

Despite all these measures, it’s important to understand that no security system is absolutely foolproof. The transmission of information via the internet and the electronic storage of data can never be guaranteed to be 100% secure. We strive to protect personal data, but we cannot warrant the security of data transmitted to our website; any transmission is at your own risk. Once we receive your information, we will use strict procedures and security features to try to prevent unauthorized access.

‍Data Breach Response: In the unfortunate event of a data breach or security incident that affects personal data, Evolution Workforce will promptly take steps to contain and investigate the incident. We have procedures to notify affected parties and regulators as required by law. For example, if a data breach involves personal information of individuals in certain jurisdictions, we will comply with breach notification laws such as California’s data breach notification statute. Our MSA also commits us to notify our clients of breaches related to the services: if either party (us or the client) becomes aware of a breach involving personal data, they must promptly notify the other. We will provide as much information as we can about what happened, what data is involved, and what we are doing in response. We will also take appropriate remedial actions, such as changing access credentials,patching vulnerabilities, and offering identity theft protection services if applicable. Our goal is transparency and partnership with our clients (and any affected data subjects) in security matters.

By implementing these security practices and constantly refining them, Evolution Workforce aims to create a safe environment for all personal data in our custody. If you have further questions about our security measures, you can contact us or visit any security resources we publish (for example, a Security or Trust Center on our website, if available).

9. State-Specific Disclosures (CA, VA, CO, CT, etc.)

In addition to the California-specific rights discussed in Section 3,several U.S. states have enacted their own privacy laws granting residents certain rights and requiring businesses to make specific disclosures. Evolution Workforce is committed to complying with all such laws to the extent they apply to our operations. Below is an overview of state-specific privacy information:

• California (CCPA/CPRA): California residents should refer to Section 3 above (CCPA/CPRA Rights) for a comprehensive explanation of their rights. Additionally, the CCPA requires us to disclose the categories of personal information we collect and the purposes and recipients for each category (the “notice at collection” and annual disclosure requirements). Categories of Personal Information Collected: In the past 12 months, Evolution Workforce has collected the following categories of personal information about consumers (as defined in California law):

  • Identifiers: e.g., real name, alias, postal address, email, phone number, online identifier, IP address, account username, or other similar identifiers.

  • Categories in Cal. Civ. Code § 1798.80(e): This includes many identifiers plus some additional data like signature, Social Security Number, driver’s license or passport number, employment history, bank account or credit card information, or other financial information. (We collect many of these from employees for HR and payroll purposes, and some from clients for billing.)

  • Protected Class Characteristics: e.g., characteristics of protected classifications under California or federal law, such as race, ethnicity, gender, marital status, disability status, or veteran status. (We may collect some of these on a voluntary basis for EEO reporting or to provide accommodations. For example, an employee may disclose a disability or a visa status indicating national origin. We do not use this information except as required by law or to meet the individual’s needs.)

  • Commercial Information: e.g., records of personal property, products or services purchased or considered, or other purchasing histories. (Generally not applicable to our business – we collect information about the services client companies purchase from us, but that relates to the client organization, not an individual consumer’s personal household purchases. We likely do not collect this category aside from possibly expense reports of employees.)

  • Biometric Information: e.g., fingerprints, facial recognition data, or other biometric identifiers. (We do not collect biometric identifiers. We do not use fingerprint scanners or facial recognition for our employees or website users. If that ever changes, we will update our policy and obtain any required consent.)

  • Internet or Electronic Activity: e.g., browsing history, search history, and interactions with websites or applications. (Yes, as detailed in our Tracking Tools section, we collect information about interactions with our website through cookies, IP logs, and similar technologies.)

  • Geolocation Data: e.g., precise geolocation. (We do not actively track precise GPS location of individuals through our site. We might infer general location (city, state, country) from an IP address for analytics or security purposes – for example, to detect if a login comes from an unusual location – but we do not collect precise location without consent. For placed employees, if they use our device management software, the device might report city-level location for security, but not precise coordinates.)

  • Sensory Information: e.g., audio, electronic, visual, or similar information. (We generally do not record calls or collect audio/visual data on our website. If you have a video meeting with us, that is not recorded unless we explicitly ask and you consent. Our user activity monitoring may capture screenshots for compliance, but that is used internally for security purposes only.)

  • Professional or Employment Information: e.g., job title, employer, employment evaluations, salary, and work history. (Yes, as an EOR we collect extensive professional information about employees and also about client representatives in a B2B context. This is a core category of data for our business.)

  • Education Information: (as defined in the federal FERPA law) – e.g., education records, degrees, transcripts. (We may collect education history and degree information from job applicants or employees, but we do not maintain educational institution records beyond what individuals provide to us. This category may overlap with professional information.)

  • Inferences: inferences drawn from other personal info to create a profile about a consumer’s preferences, characteristics, behavior, etc. (We have very limited data profiling – we might classify a website lead as “interested in Service X” based on pages viewed, or classify employees for internal talent management in broad terms. But we do not create detailed consumer profiles for marketing beyond basic segmentation. In any case, if inferences are considered personal info, California residents have rights to know and delete those, and we include them in scope when responding to requests.)

For each category collected, the purposes are those outlined in this Policy (see especially Sections 1 and 2 for collection purposes) – primarily to provide our services (employment and HR administration), maintain our website and business, communicate with users and prospective clients, support marketing (for leads), and ensure security and compliance. The sources of each category are as described in Section 1 (directly from individuals, from clients, from service providers, etc.). We disclose personal information for business purposes to the categories of recipients described in Section 4 (clients, service providers, etc.). We do not sell personal information except potentially the kind of third-party cookie sharing for advertising as explained above. In the past 12 months, we have disclosed the following categories of personal information for business purposes: Identifiers (to service providers like payroll processors and cloud hosts), 1798.80(e) information (to payroll/benefits providers, etc.), protected class data (to government agencies for reporting if required, or internally for diversity efforts), internet activity (to analytics providers and IT security providers), professional information (to clients and HR services), etc. We can provide a more detailed mapping upon request. We have not sold personal information in the traditional sense; any “sharing” we engage in for behavioral advertising purposes is described in Section 12 along with opt-out options.

• Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Other States: Residents of Virginia, Colorado, Connecticut, Utah, and any other U.S. state with comprehensive privacy laws have rights similar to those of California residents, although there are some differences in scope and terminology. If you are a resident of one of these states, you generally have the right to:

  • Confirm and Access: Confirm whether we are processing your personal data and to access such data (similar to the right to know/access).

  • Correct: Correct inaccuracies in your personal data.

  • Delete: Delete personal data that you have provided to us or that we have obtained about you.

  • Opt Out: Opt out of certain types of processing: (i) opt out of the sale of personal data (as defined by your state’s law); (ii) opt out of processing for targeted advertising; and (iii) for Virginia/Colorado/Connecticut residents, opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. (Evolution Workforce does not engage in automated profiling that produces such effects – e.g., we do not have algorithms solely deciding hiring or creditworthiness without human involvement.)

  • Non-Discrimination: Not be discriminated or retaliated against for exercising these rights (we extend our non-retaliation policy to all states).

These rights can be exercised by contacting us as described in Section 5. We will handle these requests pursuant to the requirements of each state’s law (generally within 45 days, with a possible45-day extension, similar to CCPA timelines). We may need to verify your identity and state residency before fulfilling a request.Notably, Utah’s law (UCPA) currently provides opt-out rights for sales but does not include a right to correct or a right to opt out of targeted advertising if no sale is involved. Nonetheless, we allow Utah residents to request correction of their data and to opt out of advertising cookies in line with our general practices.

‍Appeal Process (for VA, CO, CT):If we deny your request under Virginia, Colorado, or Connecticut law,you have the right to appeal our decision. We will include instructions in our response if we refuse to act on a request.Typically, to appeal, you may reply to our denial or email us atinfo@evolution-workforce.com with the subject “Appeal”within a reasonable time (e.g., within 30–60 days of our response).A different reviewer will re-evaluate the request and respond to you with the outcome of the appeal within the time required by law (for example, Virginia requires a response within 60 days). If the appeal is denied, Virginia, Colorado, and Connecticut residents additionally have the right to contact their state Attorney General to submit a complaint. We will provide you with the relevant contact information for your state’s Attorney General in our appeal denial response, as required by law.

‍Sensitive Data (VA, CO, CT):These state laws have concepts of “sensitive data” (e.g., data about health, race, precise location, etc., similar in concept to California’s sensitive personal information). In general, if we process sensitive data about you, we will obtain your consent if required. (For instance, Colorado and Connecticut require opt-in consent for processing certain sensitive data in many cases.) Most of Evolution Workforce’s processing of sensitive data is either (a)done with consent (e.g., an employee providing medical info for leave requests) or (b) falls under necessary exemptions (e.g., compliance with employment law). We will honor any state-specific rules on sensitive data — for example, not processing sensitive data of a Virginia consumer for anything other than a necessary purpose unless they have consented.

‍Authorized Agents: Some state laws (like California’s CCPA) allow you to use an authorized agent to submit requests on your behalf. If you choose to do so, we will take steps to verify the agent’s authority (e.g., requiring a signed permission from you) and also verify your identity directly with us, depending on the type of request. This is to prevent fraud or unauthorized access to your data.

‍State Contact Information: If you feel we have not addressed your request adequately, you may contact your state’s regulator for further assistance:

• California: Visit the California Attorney General’s CCPA page or call the hotline listed at oag.ca.gov/privacy/ccpa.

• Virginia: Contact the Virginia Attorney General’s Consumer Protection section (consumer@oag.state.va.us or by phone).

• Colorado: Contact the Colorado Attorney General’s Office (see coag.gov for contact details).

• Connecticut: Contact the Connecticut Attorney General’s Privacy Unit.

• Utah: Contact the Utah Division of Consumer Protection.

We provide these contacts as a resource, but of course we encourage you to work with us first so we can resolve any issue.

‍No Fees: We will not charge you for exercising your rights under these state laws, with a possible exception if a request is manifestly unfounded or excessive/repetitive, in which case the law allows a reasonable fee or our refusal. (To date, we have not needed to charge any fees for processing requests.)

‍Other States (Nebraska, Iowa,etc.): As privacy legislation evolves, we intend to extend fundamentally similar rights to all individuals, even beyond those required by law, as part of our commitment to privacy. So even if you are in a state without a specific privacy law, you can still contact us to inquire about your data, and we will handle such requests in good faith.

In summary, Evolution Workforce’s policy is to treat personal data consistently with the strongest applicable rights and to provide clear notice as required by each jurisdiction. If you have any questions about state-specific rights or how to exercise them, please reach out to us.

‍(Note: Evolution Workforce’s services are provided to U.S. companies, and we do not target or offer our services to individuals in other countries. Accordingly,this Privacy Policy focuses on U.S. privacy laws and not international laws like GDPR.)