Back to Legal

GoTo Applicant Privacy Notice

Last Update: October 31, 2024

 

1. Who is GoTo?

GoTo is a global company dedicated to making IT and business communications easy, anywhere. GoTo provides Software as a Service products ("Services") that help businesses securely support and connect to what’s most important: their teams and customers.

When we use the term “GoTo” or “we” in this Applicant Privacy Notice (“Policy”), we mean GoTo Technologies USA, LLC and the other wholly owned affiliates of GoTo Group, Inc. that process personal data about applicants for employment. To help you understand which GoTo affiliate is the primary controller of your personal data, refer to this table.


2. What Data Does This Policy Cover

This Policy covers our online and offline personal data processing that we undertake in connection with GoTo’s talent acquisition activities. For example, this Policy applies when you complete an application for employment with GoTo, respond to surveys related to our interviewing process, interact with our applicant tracking tool, or interact with GoTo offline in connection with a job application, such as when you speak to our talent team on the phone or participate in interviews. It also applies, for example, when GoTo’s Talent Acquisition Team proactively contacts you about your interest in speaking with us about potential employment.

Throughout this Policy, we use the term “personal data.” This term generally means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with an identified or identifiable individual. The laws of some jurisdictions, however, define personal data, or a similar term such as personal information, more broadly than this. Other jurisdictions’ laws may exclude certain information about you, such as your business contact details, from the definition of personal data. We will apply the definition of personal data contained in applicable privacy law.

This Policy is not a guarantee of employment. It does not constitute, create, or modify any employment agreement between you and GoTo.


3. What Data Isn’t Covered by This Policy?

  • Your Relationship with Others. This Policy does not apply to personal data that you have provided to others, such as independent recruiting agencies. They have a direct relationship with you and process your information in accordance with their policies and procedures.
  • Third-Party Websites and Applications. This Policy does not apply to any third-party websites, applications, or services, even if these are accessible through GoTo’s websites or Services or link to our websites. Examples of these sites or applications include third-party job boards or services such as LinkedIn. The owners of the third-party websites or services are responsible for establishing the terms and conditions and privacy policies for them.
  • Personal Data Subject to Other GoTo Privacy Policies. From time to time, GoTo will provide privacy policies that are tailored to specific types of interactions with certain categories of individuals. When we do this, the personal data covered by that privacy policy is not covered by this Policy. For example, when you interact with our websites, our GoTo Privacy Policy, and not this Policy, governs your interactions with GoTo. Similarly, if you are offered employment and join GoTo as an employee, you will be provided with a separate privacy policy that addresses how we process personal data of our employees.
  • Anonymized, De-identified, or Aggregated Data. Personal data that has been anonymized or de-identified can no longer identify an individual. Aggregated data is data that has been combined and does not relate to a single individual. Therefore, these data are not personal data and are not covered by this Policy.

4. How Do We Collect Personal Data?

As part of its normal business operations, GoTo collects personal data about you from the following sources:

  • From You. We may receive personal data about you when you provide it to us, such as when you provide us with your CV, resume, or cover letter, fill out an employment application or tell us about yourself during an interview, or participate in any interview assessments;
  • From Others. We may receive personal data about you from other sources, such as recruiters or candidate sourcing services, background screening organizations, individuals who have referred you for a position or who provide references about you, or from publicly available sources, including online sources, such as your LinkedIn profile, where we believe it is relevant to your application or potential future application; and
  • Through Automated Means. We may receive personal data about you automatically, such as when our employment application software logs certain information about your interactions with it.

We also may, to the extent permitted by law, combine, correct, and enrich personal data that we receive from you with data we receive from other sources and use it as described in this Policy.


5. What Personal Data Do We Collect?

We may collect the following categories of personal data about you. Although you are not required to provide any requested information to us, your failure to do so may result in not being able to continue your candidacy for a job with us.

  • Identifiers. This category of personal data includes data that serves to uniquely identify you. It includes, for example, information such as your name, alias, social media handles, contact details (such as email addresses, phone, or fax numbers or physical or postal addresses), account names, customer numbers, unique personal identifiers, signatures, online identifiers, Internet Protocol addresses, or other similar identifiers.
  • Commercial and Financial Information. This category of personal data includes information needed to facilitate transactions with GoTo, such as information required to reimburse you for travel expenses you incurred in connection with onsite interview attendance. Please note, GoTo will not ask you for your credit card information, send you cash (other than reimbursing you for reasonable expenses you incur if you travel for an interview), or ask you to send GoTo money as part of the interview process.
  • Professional or Employment-Related Information; Education History. This category of personal data relates to your eligibility for employment or right to work in the jurisdiction in which a position is located; your employment history, including your current and former employers, job titles and work locations; educational degrees and certifications obtained; professional licenses held; professional memberships and associations; training and awards; and language(s) you speak and other skills you possess.
  • Protected Characteristics. This category of personal data includes data that is typically subject to enhanced protections under applicable law, such as age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression), pregnancy or childbirth and related medical conditions, sexual orientation, and veteran or military status. We only seek to collect Protected Characteristics about you when we are authorized by law to do so, such as for diversity or equal opportunity reporting or to process accommodation requests. In many cases, you do not have to provide it to us for your application to be considered. We will tell you if the information is optional or required to process your employment application. If it is required, we will tell you why.
  • Internet or Other Electronic Network Activity Information. This category of personal data includes information about your systems or devices, such as your system or network ID, your operating system type and version, your device manufacturer and model, screen resolution, browser type and version; information about your online activity when you interact with us electronically, such as the date of your access to an application we use during the recruiting process, unique device identifiers, user name and passwords, and your usage activity and diagnostic information, including access logs, activity logs, and other similar information.
  • Audio, Electronic, Visual, or Similar Information. This category of personal data includes photographs, voicemails, and recordings (if any) made during audio or video calls with us. It may also include CCTV footage and guest badge access swipes, which may be collected, for example, if you visit one of our sites for an interview.
  • Inferences, Preferences, and Other Information. This category of personal data consists of inferences drawn from any of the information identified above, such as your contact mode preferences, the types of positions you are seeking, how you heard about the position, calendar availability, contact time preferences, language preferences, employment preferences, desired salary, benefits preferences, start date availability, willingness to relocate, your experience during the recruitment process, and other similar information.
  • Sensitive Personal Data. This category of personal data is typically defined under applicable privacy law, which may limit the way this information may be collected, used, and disclosed. We do not collect sensitive personal data unless we have complied with applicable legal requirements. This type of information may include your government ID numbers, such as your social security, driver’s license, state identification card, or passport number; your GoTo account log-in and password or credentials allowing access to your account, and information such as your race, national origin, ethnicity, religion; information about your health or disability; information about your sexual orientation; trade union affiliations; and other similar information.

6. How Do We Use Personal Data We Have Collected?

We use your personal data for the following purposes:

  • To Prepare to Enter Into, To Enter Into, and To Perform a Contract with You. We use personal data to prepare to enter into, and to enter into, contracts and other agreements with you. We also use personal data when we perform our contracts, including when we perform our obligations under them and monitor the parties’ compliance with their undertakings. Examples of contracts we may enter into with you include employment contracts (where required by law), non-disclosure agreements, and similar employment-related documentation.
  • To Operate Our Business. We may use personal data to create and administer your careers accounts with us; to process your application for employment; to communicate with you about the status of your application with us; to answer questions you have asked us; to address requests you have made or concerns you have raised; to assess your capabilities and skills; to update, maintain, use and analyze our records; to conduct reference checks; to perform background checks if you are offered a job (which, depending on your jurisdiction, may be subject to additional or separate privacy notices); to understand your experience during the recruiting and onboarding process, including what went well and how we can improve; to assist you, where required, to obtain an immigration visa or work permit; to assess our diversity, equity, and inclusion practices; to provide and operate our talent acquisition and onboarding applications; to provide you with technical support; to improve and develop our internal business processes; and to train our personnel.
  • To Conduct Research About Your Perceptions of GoTo and Your Candidate Experience. We may use personal data to research how effective our talent acquisition practices are and how we could improve them, including when we receive your feedback or survey responses or when we otherwise obtain or collect information about your experiences with or opinions about us or your overall experience throughout the talent acquisition process; when we understand how you learned about our job openings and what you like and dislike about our recruiting processes and applications; to conduct analysis and measure how our recruiting applications are used and how they perform; and to engage in social listening initiatives, such as where we review feedback and reviews about our company and our talent acquisition process on the internet and on social media sites.
  • To Provide You with Information That May Be of Interest to You. We may use your personal data to provide you with information about us, such as open positions in which you may be interested or for which you may be qualified, events in which you may be interested, our products and services, or the industry. Examples of these communications may include other GoTo job postings, information about GoTo events such as career fairs, requests to take surveys about your experience with the GoTo talent acquisition process, and information about GoTo generally. When we send these communications to you, we will include an unsubscribe link that you may select if you do not wish to receive these communications from us. You can also contact our Talent Acquisition Team or our Data Privacy Team to request to be removed from our mailing list.
  • For Security, Integrity, Safety, and Fraud Prevention. We process personal data to protect our, your, or others’ rights, privacy, health, safety, or property; to undertake reasonable efforts to monitor the use of our networks, assets, and facilities and to secure them; to address technical issues with our networks and assets; to prevent, detect, and respond to security events and incidents; to prevent and respond to alleged malicious, deceptive, fraudulent, unauthorized, or unlawful activity; and to protect public safety.
  • To Comply with Applicable Laws and with Legal and Administrative Requests; To Protect Our Rights; To Assess Compliance with Policies; and To Assert and Defend Against Claims. We use personal data to comply with our obligations under applicable law; to pursue and/or defend legal claims and manage disputes; to enforce our terms of service and other agreements; to audit our internal processes for compliance with our legal and contractual obligations and our internal policies; to monitor our information technology systems to verify that they are working as intended, such as by tracking outages or responding to reports of errors and other issues; and to respond to lawful requests from governmental authorities, including writs, subpoenas, or legal discovery processes.

7. Do We Disclose Personal Data?

We disclose your personal data: (a) to our affiliated companies that are directly or indirectly owned by our parent company, GoTo Group, Inc. where they have a business need to access your information; (b) to third parties (such as background verification providers) at your direction, with separate, specific notice to you, or with your consent; (c) to third-party service providers (such as IT systems providers), business advisors, or consultants, who need it to provide their services to us and subject to appropriate confidentiality obligations; (d) in connection with corporate transactions, such as a merger, divestiture, acquisition, reorganization, restructuring, liquidation, winding down, financing transaction, or sale of assets; and (e) as required by law or administrative order, to assert claims or rights, or to defend against legal claims.


8. Do We Sell or Share Personal Data?

Certain data privacy laws provide individuals with rights with respect to the “selling” or “sharing” of their personal data. Some of these laws, however, define the “sale” of personal data to include disclosures of personal data for commercial activities such as targeted advertising. Privacy laws may also define “sharing” of personal data as providing it to advertising networks and other companies that facilitate digital advertising for purposes of cross-context behavioral advertising. We do not sell or share your personal data that you provide us throughout the talent acquisition process. As we disclose in the GoTo Privacy Policy, however, under this broader definition, we have sold certain categories of personal data of website visitors to, or shared it with, advertising networks and other companies that facilitate digital advertising for purposes of cross-context behavioral advertising or targeted advertising. If you have visited our websites, such as our Careers webpages, your interactions with us are governed by the GoTo Privacy Policy. These activities allow us to provide more personalized information about our company and our services to individuals who may be more interested in learning about them. You can opt out of the sale or sharing of your personal data here.


9. Do We Honor Do Not Track and GPC Signals?

As part of GoTo’s website, GoTo’s Careers pages recognize GPC signals but do not respond to or honor other Do Not Track instructions, which are preferences that users can set in certain web browsers. As the Careers page is part of GoTo’s main website, interactions are governed by the GoTo Privacy Policy.


10. What Are Our Data Retention Practices?

We keep your personal data in identifiable form for no longer than needed to fulfill business purposes that are compatible with the purposes for which we collected it or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

If you apply for a job and your application is not successful or you withdraw from consideration, GoTo will retain your personal data in connection with your application for a period of time after your application. We do so for several reasons including to assist us if we need to comply with laws that require us to retain certain, to help us defend a legal challenge regarding a recruitment decision, to help us assess and improve our recruitment practices, and where applicable, to consider you for other opportunities for which you may be qualified. If you would like to update or delete your information associated with an application that you have submitted, you can do so selecting the applicable option in your account profile in our applicant tracking system. You may also request assistance from our Talent Acquisition Team here or via email. You may also exercise your rights by submitting a request to our Individual Rights Management Portal, as set forth in Section 13 of this Policy. If you do not want us to retain your information for consideration for other roles or want us to update your information, you may request assistance from our Talent Acquisition Team here or via email. You may also exercise your rights by submitting a request to our Individual Rights Management Portal, as set forth in Section 13 of this Policy.

If you are hired, your information will become a part of your GoTo employment file and will be retained in accordance with our employment data retention practices.


11. What Are Our Security Practices

GoTo has implemented reasonable and appropriate controls designed to safeguard personal data that we collect and further process from accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use. Despite GoTo’s efforts, and due to the inherent nature of the Internet, no method of electronic data transmission or storage is 100% secure. While we strive to use reasonable means to protect your personal information, we cannot guarantee its absolute security. You should also take steps to protect your information, including restricting access to your information, securing your passwords, and using SSL/TLS to prevent interception of transmissions.


12. Where Do We Process Your Personal Data?

GoTo operates on a global basis. As a result, we may transfer your personal data to, or store or otherwise process it in, other countries or regions where data protection laws are different from those of your country and may not provide as high a level of protection as your local data protection laws. Regardless of where your personal data is transferred for processing, GoTo will process it in accordance with this privacy policy and will take steps to properly protect it under applicable data protection law. Examples of these steps may include, as applicable, obtaining your consent to transfer such information, agreeing to certain contractual undertakings, or certifying to certain frameworks.

Transfers From the EU, the UK, and Switzerland to Third Countries

Data Privacy Framework

GoTo complies with the EU-US Data Privacy Framework (“EU-US DPF”), the UK Extension to the EU-US DPF (the UK Extension), and the Swiss-US Data Privacy Framework (“Swiss-US DPF”) as set forth by the US Department of Commerce.

GoTo Audio, LLC, GoTo Communications, Inc., GoTo Technologies USA, LLC, GoTo Group, Inc., and Grasshopper Group, LLC have certified to the US Department of Commerce that they adhere to (a) the EU-US Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-US DPF and the UK Extension, and (b) the Swiss-US Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles and the UK Extension and/or the Swiss-US DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework Program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/. For more information on GoTo's commitments and your rights related to the Data Privacy Framework, please review our DPF Notice.

Standard Contractual Clauses

For personal data transfers from the EU, the UK, and Switzerland to countries whose laws have not been deemed adequate by applicable EU regulatory authorities to that are not covered by GoTo’s Data Privacy Framework certifications, GoTo’s practice is to enter into data processing addendums that incorporate the European Commission’s standard contractual clauses (the “SCCs”).

APEC Cross Border Privacy Rules System and Privacy Recognition for Processors System

GoTo's international transfer of personal data collected in participating Asia Pacific Economic Cooperation ("APEC") countries abides by the Cross-Border Privacy Rules (“CBPR”) System and Privacy Recognition for Processors ("PRP") System for the transfer of personal data. More information about our APEC CBPR certification can be found here. More information about the APEC PRP certification can be found here. If you have raised concerns to GoTo about our APEC CBPR or PRP certifications that remain unresolved, you may contact our dispute resolution provider (at no charge to you) here.


13. What Are Your Privacy Rights?

Subject to the conditions, limitations, and exceptions under applicable data privacy law, you may have certain rights with respect to your personal data. In many cases, we provide you with self-service options to exercise your personal data rights. For example, if you choose to create a Workday account with us, you may access, review, change, and delete certain personal data contained in your account profile.

We also can assist you in the exercise of your personal data rights that may apply to you under applicable data privacy law.

If you are a resident of California, the UK, the EU, Switzerland, or Brazil, please refer to the applicable regional addenda to this Policy to learn how we honor your personal data rights.

Otherwise, depending on your jurisdiction, you may have the right to request that we:

  • confirm what type of personal data we collect, use, disclose or are otherwise processing about you;
  • amend or update inaccurate or incomplete personal data about you;
  • delete or restrict the use of your personal data;
  • no longer process your personal data (including for marketing purposes);
  • provide your personal data to you in a structured, electronic format; or

To submit a privacy request, please contact our Talent Acquisition Team or visit our Individual Rights Management Portal. You may also exercise your rights by using one of the methods provided for in Section 19 of this Policy.

Once we receive your request, we will seek to verify your identity. If we cannot do so, we will not be able to act on your request. We will respond to your request within the timeframes required by applicable data privacy law. In addition, if we deny your request, or a portion of your request, we will tell you why and provide you with other information, such as the right to appeal our decision, if it applies to you.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.


14. Do We Engage in Automated Decision-Making or Profiling?

Like many companies, GoTo employs software applications that use machine learning to help us identify potentially qualified candidates by conducting automated matching and scoring for our open positions. This is a form of profiling. At GoTo, when candidates apply to a position, they submit their resume data and are provided with the opportunity to identify and self-select work-related skills that they possess. The software we use assesses candidate resume and application data, including the skills selected by the candidate, and predicts the degree to which a particular opportunity matches each candidate’s skills. It then produces a list of candidates in a rank-list manner. This software, however, does not replace human decision making. GoTo requires human review and consideration of candidate applications.


15. Do We Process Personal Data About Children?

GoTo does not seek applications to its open positions from persons under 18 years of age. If you inform us or we otherwise become aware that we have unintentionally received personal data from an individual under the age of 18 in this context, we will delete this information from our records.


16. Do We Use Cookies and Other Tracking Technologies?

As we disclose in the GoTo Privacy Policy, we use first- and third-party cookies and other tracking technologies on our sites and services. Review that privacy policy to understand your choices and how to exercise them.


17. How Do We Communicate Changes to This Privacy Policy?

We may update this Policy from time to time to reflect changes to our personal data handling practices or respond to new legal requirements and will post updates here. However, if we make any material changes that have a substantive and adverse impact on your privacy, we will provide notice on this website or notify you by email prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.


18. How Can You Contact Us with Questions and Concerns?

If you have questions or about this Policy or how we process your personal data, you can contact our People team at AskHR@goto.com. You can also contact our privacy team at privacy@goto.com.

You can also contact us via postal mail at:

North America: Attn: GoTo Privacy Team c/o Legal Team, GoTo, 333 Summer Street, Boston, MA 02210.
International: Attn: GoTo Privacy Team c/o Legal Team, GoTo, 77 Sir John Rogerson's Quay, Block C, Suite 207 Grand Canal Docklands, Dublin 2, D02 VK60, Republic of Ireland.

Finally, you can contact GoTo via telephone at 1-833-851-8340.


19. Region-Specific Addenda

The following sections provide additional information to individuals residing in the European Union (the “EU”), Switzerland, or the United Kingdom (“UK”); California; and Brazil. If the information in this section is different from the information appearing in the main body of the privacy notice, the information in this section controls.



Supplemental Notice to Individuals in the EU, Switzerland, and the UK

Legal Basis for Processing

If you are an individual located in the EU, Switzerland, or the UK, we collect and process your personal data as a controller only where we have a legal basis for doing so. We use the following legal bases to process your personal data:

  • To Prepare to Enter Into, or To Perform, a Contract with You. We process your personal data when we prepare to enter into an agreement with you, such as an employment, confidentiality, or other employment-related agreement, or when we perform our obligations to you, such as when we reimburse you for agreed-upon travel expenses, should you incur them during the interviewing process;
  • With Your Consent or Explicit Consent. From time to time, we process your personal data for purposes we communicate to you with your consent or, where required, your explicit consent. For example, we may obtain consent to send certain communications to you related to your application or other opportunities or to obtain information about you, such as from references. When we process your personal data with your consent, you may withdraw it at any time. Your withdrawal of consent will not affect the legality of our processing that occurred before you withdrew your consent;
  • To Comply with EU, Member State, UK, or Swiss law. We process your personal data to help us comply with applicable EU, Member State, Swiss, and UK laws, including tax, privacy, employment, and other laws, such as where we verify your right to work in a jurisdiction; to communicate with and respond to requests from applicable judicial authorities and tribunals, law enforcement; and other regulators, and to detect, prevent, investigate, and respond to fraudulent, harmful, unauthorized, or illegal activity;
  • To Protect Your and Others’ Vital Interests. We process personal data to prevent, detect, investigate, and respond to activities that may impact an individual’s vital interest, including public safety; and
  • For Our or Others’ Legitimate Interests, Where They Do Not Override Your Data Protection Rights. We process personal data for our or others’ legitimate interests, for example to assess and improve our talent acquisition, interview, and onboarding processes; to aggregate or de-identify personal data; to provide reasonable physical and information security measures and detect security or safety concerns or terms of service violations; where permitted by law, to send communications related to employment opportunities, events such as career fairs, our business, and our industry; to comply with non-EU, Member State, UK or Swiss laws or regulations that apply to us, including to communicate with and respond to requests from applicable judicial authorities and tribunals, law enforcement and other regulators; to provide our corporate responsibility communications; to pursue or defend legal claims and to protect our and others’ rights and properties.

Special Category Data

We generally do not seek to process special category data, and we ask that you not provide it to us unless we specifically ask for it. When we do process such data, we will do so in accordance with applicable law, including with your explicit consent; to uphold our obligations and to exercise our rights in the field of employment and social security and social protection law; to the extent permitted by law; where you have manifestly made it public, where it is necessary to protect your or others’ vital interests; to defend or pursue legal claims; where necessary for occupational medicine or to assess your working capacity, medical diagnosis and/or as otherwise permitted by law, such as where we may evaluate workplace accommodations and adjustments; where it is necessary to do so for reasons of substantial public interest, on the basis of applicable law.

Data Subject Rights

If you are in the EU, Switzerland, or the UK, you have the following rights in relation to your personal data where we process it as a controller, subject to the limitations and exceptions set forth in applicable law:

  • Right to Access. You have the right to know whether GoTo processes personal data about you and certain details about that data. You may also request a copy of that data.
  • Right to Rectification. You have the right to require that GoTo correct inaccurate personal data about you or complete incomplete personal data about you.
  • Right to Erasure. You may require GoTo to delete your personal data in certain circumstances, such as where GoTo no longer needs it to fulfill the original purpose for which it was collected and processed.
  • Right to Restrict Processing. You may require GoTo to restrict the processing of Personal Data in certain circumstances, such as during the period after you contest its validity while GoTo is confirming the legitimacy of the processing.
  • Right to Data Portability. In certain circumstances, you may have the right to obtain the personal data you have provided GoTo in a structured, commonly used and machine-readable format and require us to transmit it to another controller that you designate.
  • Right to Object. You may object to the processing by GoTo of your personal data where it is used for direct marketing purposes, where we process it based on our legitimate interests or where we process it for a task carried out in the public interest.
  • Right to Not Be Subject to Automated Decision Making. In certain circumstances, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly impacts you. GoTo routinely requires human review of processing where legal effects or other similar impacts are likely to occur.

You may submit your requests to GoTo as set forth in Section 15. We will handle your request as set forth above, and generally within 30 days of receipt. We may, in certain cases, extend our response period by an additional 30 days. If we do so, we will notify you before the original 30-day period expires. If you have any concerns regarding your request, we encourage you to contact our Data Protection Officer at privacy@goto.com. You also have the right to lodge a complaint with a supervisory authority having appropriate jurisdiction. For more information, please contact your local supervisory authority, available here.



Supplemental Notice to California Residents

Notice at Collection

The disclosures in this section supplement the sections above, apply to California residents (“Consumers”) and are required under the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (collectively, the “CCPA"). For purposes of this section, the term personal data has the same meaning as “personal information” in the CCPA. If you would like to receive these disclosures in an alternative format, please contact us at privacy@goto.com.

During the 12 months prior to the date of this notice, we have collected the categories of personal data about Consumers set forth in Section 5 above from the sources identified in Section 4 above. The purposes for which we collected such information are set forth in Section 6 above. We have also identified the categories of personal data about Consumers we have sold or shared during the past 12 months in Section 8 above.

The following table provides data about the categories of recipients to whom we have disclosed each category of personal data about Consumers for a business purpose. In addition to the types of recipients identified below, we may disclose any category of personal data about Consumers to the recipients identified in Section 7 above.



Category of Personal Information: Categories of Recipients of Disclosures for a Business Purpose:
Identifiers

Internet or Other Electronic Network Activity Information

Commercial & Financial Information

Professional or Employment-related Information; Education History

Inferences, Preferences, and Other Information
Vendors and service providers, including for data analytics, vendors who help us deliver features, and marketing purposes.

Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, security and fraud prevention consultants, and customer and contract management vendors.

Service providers whose products and services are included as components of our Sites or Services, or who may provide services for us, including data hosting providers, vendors who help provide features of the products, chat bot providers, AI technology providers, and technology services providers.

Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, auditors, and resellers and channel partners who may assist in providing or who may provide Services to you.
Protected Characteristics We do not generally seek to collect this type of personal data. Where we do, we may disclose it to the following recipients:

Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, security and fraud prevention consultants, and customer and contract management vendors.

Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, such as auditors.
Audio, Electronic, Visual, or Similar Information Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers (such as IVR service providers), business consultants and advisors, security and fraud prevention consultants, chatbot and other AI technology providers, and customer and contract management vendors.

Service providers whose products and services are included as components of our Sites or Services (such as those who help us provide audio and video communication services), or who may provide services for us, including data hosting providers, vendors who help provide features of the products, chat bot and other AI technology providers, and technology services providers.

Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, auditors, and resellers and channel partners who may assist in providing or who may provide Services to you.
Sensitive Personal Data Service providers who help us operate our business, including data hosting companies, payment processors, IT service providers, business consultants and advisors, and security and fraud prevention consultants.

Service providers whose products and services are included as components of our Sites or Services, or who may provide services to us, including data hosting providers, vendors who help provide features of the products (such as log in or similar information). We do not require or recommend that you input any sensitive information into AI-powered features or tools, such as chatbots.

Business partners who may determine the purposes and means of processing who help to facilitate certain transactions, such as auditors. This information would only be provided to business partners where required or where you provide it.

We do not use sensitive personal data to infer characteristics about you.


California Privacy Rights

Consumers have the following rights under the CCPA:

  • Right to Know. You have the right to request that we disclose what personal information we collect, use, and disclose about you specifically.
  • Right to Delete. You have a right to request the deletion of personal information that we collect or maintain about you, subject to certain exceptions.
  • Right to Correct. You have the right to request that we correct inaccurate personal information we may have about you.
  • Right to Opt-Out of the Sale or Sharing of Personal Information. We do not sell or share the Personal Information of applicants. As a result, we do not offer the right to opt out.
  • Right to Limit the Use of Sensitive Personal Information. GoTo does not use or disclose sensitive personal information related to applicants for purposes other than to provide recruitment services or as otherwise permitted under the CCPA. As a result, we do not offer the right to limit.

GoTo will not discriminate against you for exercising any of your rights under the CCPA.

Exercising Your Rights

To submit a request to exercise your rights or for information on self-service procedures (where available), please visit our Individual Rights Manatement Portal, submit an email request to privacy@goto.com, or call us at 1-833-851-8340. We will acknowledge your request in the timeframe set forth in the CCPA and seek to verify your identity. For example, if you have a password-protected account with us, we may verify your identity through our existing authentication practices for your account. We will respond to your request in accordance with the CCPA. If we cannot verify your identity, we will not be able to act on your request. Once we have verified your identity, we will respond to your request in accordance with the CCPA. If we deny your request, we will tell you why.

Authorized Agent

You can designate an agent to make a request under the CCPA on your behalf. If an authorized agent is used to submit a request to exercise your right to know or your right to request deletion, we will verify your identity and the agent’s authority to act on your behalf.

California’s Shine the Light Law

Under California’s Shine the Light law, Consumers may ask GoTo to provide the names of third parties to whom we disclosed personal data during the preceding calendar year for their direct marketing purposes and identify the categories of personal data we disclosed to them. You may send us requests for this information to privacy@goto.com. Your request must include the statement “Shine the Light Request", your first name, your last name, your mailing address, and your certification that you are a California resident. We reserve the right to require additional information to confirm your identity and California residency.



Supplemental Notice to Individuals in Brazil

Legal Basis for Processing

If you are an individual in Brazil, we collect and process your personal data as a controller only where we have a legal basis for doing so. We use the following legal bases to process your personal data:

  • To Prepare to Enter Into, or To Perform, a Contract with You. Preparing to enter into an agreement with you, such as our terms of service or another contract or arrangement, or to perform our contractual obligations or communicate with you related to our agreements;
  • With Your Consent. When we process your personal data with your consent, we will tell you what consequences may arise if you do not provide it. If you provide your consent, you may withdraw it at any time. Subject to certain limitations under the law, when you withdraw your consent, you can ask us to delete the information about you that we processed with your consent. Your withdrawal of consent will not affect the legality of our processing that occurred before you withdrew your consent;
  • To Comply With the Law. We process your personal data to help us comply with laws that apply to us and to respond to requests from applicable judicial authorities and tribunals, law enforcement, and other regulators, and to detect, prevent, investigate, and respond to fraudulent, harmful, unauthorized, or illegal activity;
  • For the Regular Exercise of Rights in Judicial, Administrative or Arbitral Proceedings. We may process personal data when we exercise our rights to pursue or defend legal claims;
  • To Protect Your and Others’ Lives or Physical Safety. We process personal data to prevent, detect, investigate, and respond to activities that may impact an individual’s life or physical safety, such as threats of violence or harm to children;
  • For Our or Others’ Legitimate Interests, Where They Do Not Override Your Data Protection Rights. We process personal data for our or others’ legitimate interests, for example to develop, test, support, and improve our Sites and Services; to aggregate or de-identify personal data; to process personal data to perform contracts with an account owner or with a reseller; provide reasonable security measures and detect security or safety concerns or terms of service violations; where permitted by law, to send marketing and other commercial communications related to our Services and our industry; to comply with non-Brazilian laws or regulations that apply to us, including to communicate with and respond to requests from applicable judicia authorities and tribunals, law enforcement; and other regulators; to comply; to meet our corporate responsibility communications, to pursue or defend legal claims and to protect our and others’ rights and properties; and

Sensitive Personal Data

We ask that you not provide us with sensitive personal data about you unless we specifically ask for it. When we do process such data, we will do so in accordance with the law, including where we are required to do so to comply with a law that applies to us; for the regular exercise of rights, including by contract, and in judicial, administrative and arbitral proceedings; to protect your or others’ life or physical safety; and in furtherance of fraud prevention and your security (such as in the authentication of your registration to our Services).

Person In Charge (Encarregado)

GoTo has appointed a Person in Charge (Encarregado) as required by the LGPD, who may be contacted as follows:

Attn: GoTo Privacy Team c/o Legal Team (MP Kang), GoTo, 333 Summer Street, Boston, MA 02210.

You may also reach our person in charge via email at privacy@goto.com.

Data Subject Rights

You have the following rights in relation to your personal data where we process it as a controller, subject to the limitations and exceptions set forth in the law:

  • Right to Confirmation and Access. You have the right to know whether GoTo processes personal data about you and certain details about that data. You may also request a copy of that data.
  • Right to Rectification. You have the right to require that GoTo correct inaccurate or outdated personal data about you or to complete incomplete personal data about you.
  • Right to Anonymization, Blocking or Deletion. You may require GoTo to anonymize, block or delete your personal data in certain circumstances, such as where it is unnecessary, excessive, or processed in violation of law.
  • Right to Restrict Processing. You may require GoTo to restrict the processing of personal data in certain circumstances, such as during the period after you contest its validity while GoTo is confirming the legitimacy of the processing.
  • Right to Data Portability. In certain circumstances, you may have the right to require us to transmit your personal data to another service provider that you designate.
  • Right to Information About the Entities to Whom We Have Provided Your Personal Data. You may ask us to provide you with certain information about the public and private entities to whom we have provided your information.

You may submit your requests to GoTo as set forth in Section 14. We will handle your request as set forth above. For access requests, we will respond within 15 days of your request. For other requests, we will respond in a reasonable period if no time period is specified in the law. If you have any concerns regarding your request, we encourage you to contact us. You also have the right to lodge a complaint with the ANPD, Brazil’s privacy regulator, or consumer protection agencies.


GoTo Employing Entities

Americas

Brazil

GoTo Comunicacao Unificada do Brasil Ltda.
Avenida Moema, 265, 12º andar, Parte A, Planalto Paulista
São Paulo
CEP 04077-910

Canada

GoTo Technologies Canada Ltd.
410 Charest Est, Suite 250
Quebec City, QC G1K 8G3

Guatemala

GoTo Technologies Guatemala, S.A.
Km 8.5 CA Muxbal
Edificio Forum Business Muxbal, Zona 4
Santa Catarina Pinula, Guatemala 01051

Mexico

GoTo Technologies Mexico, S. de R.L. de C.V.
Patricio Sanz 1747 - Office 601, Tower C,
Colonia del Valle Sur, Alcaldia Benito
Juarez, Ciudad de México 03100

Asia Pacific

Australia

GoTo Technologies AUS Pty. Ltd.
c/o Theunissen Trollip Pty Ltd
Level 17 Angel Place
123 Pitt Street
Sydney NSW 2000

India

GoTo Technologies India Private Limited
No. 5, Prestige Khoday Tower, 3rd Floor
Raj Bhavan Road
Bengaluru KA 560001

Singapore

GoTo Technologies Singapore Pte.Ltd.
2 Shenton Way #18-01
SGX Centre 1
068804

Europe

Finland

Miradore Oy
Laserkatu 8,
53850 Lappeenranta

Germany

GoTo Technologies Germany GmbH
Ostra-Allee 9,
D-01067 Dresden

Hungary

GoTo Technologies Hungary Kft.
1088 Budapest,
Rakocsi ut 1-3, Floor 1

Ireland

GoTo Technologies Ireland Unlimited Company
77 Sir John Rogerson's Quay, Block C, Suite 207, Grand Canal Docklands
Dublin, D02 VK60

Netherlands

GoTo Technologies Europe B.V.
Huizermaatweg 566
1276LN Huizen

United Kingdom

GoTo Technologies UK Limited
5 New Street Square
London EC4A 3TW