Date of Change: July 2025

Change: New Zaelab Policy

Intent

Protecting the privacy and confidentiality of personal and client information is an important aspect of the way Zaelab (“Company”) conducts its business. Collecting, using, and disclosing personal and client information/data appropriately, responsibly, and ethically is fundamental to the company’s daily operations.

The company strives to protect and respect the personal information of its customers, employees, business partners, and so on in accordance with all applicable statutory requirements. This extends to all Processing of Personal Data by Staff, (Sub)Processors, agents or representatives, whether online or offline, or by manual or automatic means. All employees must abide by the procedures and practices set out below while handling Personal Data.

The Company is often required to access, collect, store, Process or otherwise Treat Personally Identifiable Information (PII), Highly Sensitive Information (HSI), and/or Protected Health Information (PHI) regarding existing and prospective clients, client customers, business partners, employees, or any other Data Subjects as a part of our operations.

This Privacy Policy explains what Personal Data the Company collects about you and why, what we do with that information, how we share it, and how we handle the information you share in order for us to service your business needs. For the purposes of this Privacy Policy, "Personal Data" is any factual or subjective identifying information about an individual or group of individuals. This can include name, date of birth, address, income, e-mail address, social insurance number, gender, evaluations, and so forth. Please read the following carefully to understand our practices regarding Personal Data, including Personal Data of visitors to our Website and our customers (“Customers”).

Scope

This policy refers to all parties (employees, contractors, job candidates, customers, suppliers etc.) who provide any amount of information to us.

Definitions:

Anonymization
Personal Data is amended in such a way that no individuals or Data Subjects can be identified from the data (whether directly or indirectly) by any means or by any person.

Authorized Personnel or Authorized Staff
A Zaelab Staff member who operates on a Need to Know and Authorized basis and is formally and properly empowered to perform specified duties associated with a project, initiative, agreement or contract.

Consent: Opt-in
Data Subject provides some sort of Explicit Consent, Express Consent or Unambiguous, Easily Intelligible, Freely Given, Specific, Informed, Active and Transparent action indicating the Data Subject’s desire to participate in a given program or service.

Consent: Soft Opt-in
A long-standing contractual relationship exists between Data Subjects and Zaelab.

Contract(s)
RFP, RFI, framework contracts, invitations to tender, strategic alliance agreements, (Sub)Processor agreements, business associate agreements, privacy statements, privacy notices, non-disclosure agreements, data protection or related compliance plans or any other contract that involves Processing Personal Data.

Data: Cross-border Transfer
Exporting or transferring Data Subjects’ PII, PHI or HSI (relating to People, financial management etc.) across countries of origin, or uploading data in, e.g., Country A while it is Processed in Country B.

Data: Process(es)(ed)(ing) or Treat(ed)(ing)(ment)
Access, align, alter, adapt, amend, change, classify, collect, combine, delete, destroy, disclose, disseminate, export, handle, gather, group, lock, manage, obtain, organize, request, receive, record, retain, retrieve, process, save, store, test, transfer, transmit, transform, transport, use, secure, view, touch or otherwise treat Data Subjects’ Personal Data.

Data: Types (collectively, Personal Data)
Note: The PII, HSI, and PHI outlined in this entry primarily reflect Data Protection Laws and Regulations’ categorizations and apply regardless of whether the PII, HSI and PHI are publicly available; definitions may vary by country.

“Personal Data” or “Personally Identifiable Information” (PII)
• Names
• Home address
• Phone numbers
• Birthdates
• Birthplace
• Email address
• Personal Interests
• Contact Details
• Documents and screenshots
• Social Media accounts
• Online identifiers (device, cookies, URL, metadata, geolocation, IP addresses, web beacon, HTML tracking, log files etc.)
• Customer proprietary information
• Personal identifiers (place of employment, personnel reports, recruitment data, job title, position, salary information, health and sickness records, severance data)
• Criminal records

“Sensitive Data” or “Highly Sensitive Information” (HSI)
• Race or ethnic origin
• Gender
• Sexual orientation
• Religious or philosophical beliefs
• Political opinions
• Government ID (Social Security or social insurance ID, national ID, passport, driver’s license etc.)
• Financial information (bank, credit card etc.)
• Medical records (physical or mental, health plans etc.)
• Children (under 16) data

Protected Health Information (PHI)
• Medical or health records (physical or mental; health plans or provision of healthcare)
• Biometrics (physical, physiological or behavioral)
• Genetics

Data Controller (Zaelab)
Person who, alone or jointly or in common with others, determines the purposes for which, and the manner in which any Personal Data are, or are to be, Processed.

Data Privacy
Assures that:
• the use of Data Subjects’ Personal Data is authorized, proper, permissible, and based on notified and legal basis purposes.
• Data Subjects retain control over if and whether another Person Processes their Personal Data.

Data Privacy Violation
Personal Data is accessed by unauthorized parties, impermissibly used or misused, or Persons do not permit Data Subjects to make a Data Subject Access Request (DSAR).

Data Processor
Affiliate, subsidiary, (Sub)Processor, supplier, service provider, or Person, who Treats Personal Data on the Data Controller’s behalf.

Data Protection
The Data Privacy and Data Security components of safeguarding Personal Data from unauthorized, impermissible, improper, or unlawful Treatment or Processing.

Data Protection Laws and Regulations

Economic European Areas:
• General Data Protection Regulation (GDPR)

United Kingdom:
• UK Data Protection Act
• UK General Data Protection Regulation (UK GDPR)

Canadian Statutes:
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Personal Information Protection Act (PIPA Alberta and PIPA BC)
• An Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act)
• Canada’s Anti-Spam Law (CASL)

USA:
• California Consumer Privacy Act (CCPA)
• Virginia Consumer Data Protection Act
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CDPA)
• Utah Consumer Privacy Act
• Tennessee Information Protection Act
• Texas Privacy and Security Act
• Oregon Consumer Privacy Act
• Montana Consumer Data Privacy Act
• Iowa Consumer Data Protection Act
• Delaware Personal Data Privacy Act (pending signature)
• Indiana Consumer Data Protection Act
• New York Shield Act
• Electronic Communications Privacy Act of 1986 (ECPA)
• Florida SB 262 and Digital Bill of Rights

South America:
• Argentina: Personal Data Protection Act
• Brazil: Brazilian General Data Protection Law
• Colombia: Personal Data Protection Law
• Costa Rica: Undisclosed Information Act and Protection in the Handling of the Personal Data of Individuals
• Mexico: Federal Law for the Protection of Personal Data Held by Private Parties
• Uruguay: Data Protection Law

Data Security
Related to the necessary technological and technical security safeguards that Data Controller or Data Processors must adopt to help prevent unauthorized technical access to, disclosure of or modification of Data Subjects’ PII, PHI and HSI.

Data Subject(s)
Identified or identifiable Person or Individual, e-communication recipient, website visitor or user, Zaelab Employee (current, former or prospective employee etc.). Data Protection Laws and Regulations view Data Subjects as the ultimate owner of their respective data and empower them with the right to have control over their Personal Data or Sensitive Personal Data.

Data Subject - Anonymized
Data Subjects, for whom Zaelab removes any and all information that may directly or indirectly assist or lead to Data Subjects’ identification. Data that is appropriately anonymized or de-identified means that PII, PHI or HSI can never be traced by anyone, or that the personal identity could be recreated only with an unreasonable amount of time, expense and labor.

Data Subject Access Request (DSAR)
Provides the right for requesting Data Subjects to see or view their own Personal Data or Sensitive Personal Data held by the Data Controller. DSAR must be written (online, email or post) and verbal requests are not valid DSARs. Responses may be provided physically or electronically.

eMarketing, Direct Marketing, or Digital Marketing
Emails, texts, or any other digital or electronic individual or mass communications that contain news, information, advertising or promotions about a program, product, tool, service, event or something similar, including through an email, or on a website, social media or other outlets, or via phone, on behalf of Zaelab or Zaelab’s customer.

eMarketing - Online Privacy - Cookies
Any means of accessing or storing information regarding Data Subjects through simple text files, having a unique number stored on the User’s computer by the User’s web browser, which provides a method of identifying each User’s session while using an application on Zaelab’s website.

European (EU) Economic Areas (EEAs)
Countries that are members of the EEAs - The 27 EU Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

Need to Know and Authorized Access
Access to Personal Data or other information should be limited to Authorized Personnel with demonstrable Need to Know for fulfilling obligations (legal, job performance or contractual). Persons are not entitled to access Personal Data or other information merely because it would be convenient for them to know or because of their status, position, rank or level of authorized access.

(Sub)Processor
Any third party appointed by the Data Processor to Treat Personal Data (e.g., supplier, vendor, subcontractor or similar parties) on behalf of the Data Controller.

Guidelines

This policy outlines the company’s commitment to privacy and establishes the methods by which privacy is ensured. This policy applies to all employee and customer Personal Data in the company’s care, custody, and control.

Business information is confidential information related to a specific business that is not readily available to the public, such as names of executive officers, business registration numbers, proprietary information, and financial status. Business information is treated and handled with the same level of confidentiality, privacy, and respect as Personal Data.

Consent occurs and is considered obtained by Zaelab when an individual provides express consent orally, in writing, or through an applicable online action. Before being asked to provide consent, individuals will be provided with the reasons their Personal Data is being collected, how it will be used and stored, and any disclosure or possible disclosure of the information.

Implied consent is granted by the individual where consent may reasonably be inferred from the action or inaction of the individual. Where possible, this should always be followed up by a Zaelab representative to obtain express consent.

Information you provide us

Zaelab collects and uses personal data solely for the purpose of conducting business and developing an understanding of its customers. The Company hereby asserts that personal data may only be used for the following purposes: