Personnel Privacy Notice for GoFundMe & Classy

GoFundMe Group Inc. and its affiliates and subsidiaries, including Classy, Inc., GoFundMe Inc., GoFundMe Australia Pty Ltd., and GoFundMe Ireland, Limited (collectively, “GoFundMe,” “we,” “our,” or “us”) provide this Personnel Privacy Notice (this “Notice”) to their respective employees, interns (paid or unpaid), certain independent contractors and job applicants (collectively, “Personnel,” “you,” or “your”).

In connection with your job application, employment, services or otherwise, we process your Personal Data, as defined below. We think that it is very important that you understand how we use your Personal Data, and we take our obligations in this regard very seriously.

Depending on our relationship with you, we process your Personal Data in order to evaluate your candidacy, enter into an employment relationship with you or enter into an independent contractor services agreement with you and to continue to perform crucial aspects of your relationship with us, such as paying you and, for employees, providing you with benefits. There are also statutory requirements and other contractual requirements we have to comply with in relation to your employment or engagement, as well as business and operational needs we have to meet. For purposes of filling a job posting, we also need to process your Personal Data.

Most of our processing activities related to your employment and independent contractor services or job application do not require your consent. However, in limited circumstances, we may need your consent to disclose sensitive information, such as ethnicity details. Providing this consent is voluntary, and you can withdraw it at any time by contacting us as described below.

The purpose of this Notice is therefore to give you information about how we collect, process, store and otherwise use information about you, and your rights in relation to that information. We encourage you to read it carefully, and we’re here to answer any questions you may have.

What Types of Personal Data Does GoFundMe Collect about Personnel?

“Personal Data” is any data that can be used in itself or with another piece of data to identify an individual Personnel.

We collect, process and use the following categories and types of Personal Data, depending on your relationship with us:

• Identification data, such as your name, signature, employee/Staff ID, your photo (if voluntarily provided by you), payroll ID, business email address, business address, business landline, social security number, and driver’s license information;
• Personal details, such as your date and place of birth, emergency contact details, next of kin details, marital/civil partnership status, gender, details of family members (in relation to relocations), dependents, disability status, and language(s) spoken;
• Contact details, such as your home address, telephone number, and personal email address;
• Information about your role/relationship with us, such as your position, business title, employee type, management level, time type (full or part time and percentage), working time information, work location, division, department, position level, manager (name & ID), support roles, start and end date, and contract or employment status;
• Information about your salary and benefits, such as your basic salary, bonus and commission entitlements, raise amounts and percentages, allowances, insurance benefits (including information about you and your dependents that we provide to the insurer), pension plans, tax code, your bank account details and payment dates, accrued salary information, employee pay group, and information relating to your pension;
• Information about your equity compensation, such as units of stock or directorships held, details of all restricted stock units or any other entitlement to shares of stock awarded, canceled, exercised, vested, unvested or outstanding in your favor;
• Talent management information, such as information in your resume, your job history, professional qualifications, certifications, information necessary to complete a background check (where permitted by law, which may be considered “Sensitive Personal Data” in some jurisdictions), development programs planned and attended, e-learning programs, willingness to relocate, reasons for leaving your prior jobs, and information used to populate employee biographies;
• Time, and systems / buildings access monitoring information, such as CCTV images, swipe card access, IDs for IT systems, fingerprints, time recording software, internet, email, instant messaging, and telephone usage data; other information required to access company systems and applications such as system passwords, and electronic content produced by you using our systems;
• Performance and disciplinary information, such as performance and development reviews, evaluations and ratings, information about disciplinary allegations (including customer complaints), the disciplinary process and any disciplinary warnings, and details of grievances and any outcome; and
• Absence information, such as dates of leave of absence/vacation, maternity/paternity/shared parental leave, confirmation of a birth of a child, training/educational leave, family care leave, and medical leave (some of which may be considered “Sensitive Personal Data” in some jurisdictions).

In addition to the collection, processing and use of Personal Data, we collect, process and use the following additional categories of Personal Data about you which we describe as “Sensitive Personal Data”:

• Health and medical data, such as the number of sick days and the information contained in a doctor’s certificate/medical certificate for purposes of leave approval, salary payment, workforce planning, and compliance with legal obligations; information on work-related accidents for purposes of insurance compensation, work safety and compliance with legal obligations (such as reporting obligations); information on disability for purposes of accommodating the workplace and compliance with legal obligations; information on workplace leave for purposes of workforce planning and compliance with legal obligations;
• Criminal records data, in the event that we have conducted or received (where permitted by law) the results of criminal records background checks in relation to you, where relevant and appropriate to your role;
• Citizenship and work authorization data, such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes and compliance with laws and regulations; and
• Other data, such as race/ethnicity, gender identity, pronouns, veteran status, disability and sexuality data, which you may provide voluntarily to us to help further our Diversity, Equity, Inclusion and Belonging (“DEIB”) efforts.

Why Does GoFundMe Need to Collect, Process and Use Personal Data?

We collect, process, and use Personal Data and Sensitive Personal Data for a variety of reasons linked to your employment or engagement with us. To help clarify these we have set out below a list of reasons why we collect and use this data, which may vary depending on your relationship with us (the “Processing Purposes”).

• Administering and providing compensation, including compensation benchmarking, payroll administration, invoices for services, expenses, bonuses, stock options, and other applicable incentives.
• Administering and providing applicable benefits and other work-related allowances, including reporting of benefit entitlements and take-up of benefits.
• Administering our workforce and managing the relationship, including managing work activities, tracking working hours, providing performance evaluations and promotions, producing and maintaining corporate organization charts, entity and intra-entity staffing and team management, managing and monitoring business travel, carrying out workforce analysis, conducting talent management and career development, leave management/approvals, providing references, administering ethics and compliance training, performing background checks (where permitted by law), hiring, and recruitment for other roles both during and after the end of your employment or engagement, managing disciplinary matters, grievances and terminations, managing business expenses and reimbursements, and creating and maintaining one or more internal employee directories; and monitoring and ensuring Personnel compliance with applicable policies, procedures, and laws, including conducting internal investigations.
• Conducting business operations, including providing IT systems and support to enable you and others to perform their work, operating and managing communications systems, managing company assets, allocating company assets and human resources, strategic planning, project management, business continuity, compilation of audit trails and other reporting tools, maintaining records relating to business activities, budgeting, financial management and reporting, communications, managing mergers, acquisitions, sales, re-organisations or disposals and integration with a potential purchaser.
• Complying with applicable laws, regulations, and employment-related requirements, along with the administration of those requirements, such as income tax, national insurance deductions, health and safety, employment and immigration laws, record-keeping and reporting obligations, conducting audits, pursuing legal rights and remedies, defending litigation and managing any internal complaints or claims, and conducting investigations and complying with internal policies and procedures.
• Communicating with you, other employees and third parties, such as existing or potential business partners, suppliers, users of our products and services, government officials, and recruiters.
• Communicating with your designated contacts in the case of an emergency.

Workplace Electronic Monitoring

We provide facilities and equipment for Personnel to use in connection with the business, including Internet access, telephones, hardware and software, other communications media and equipment, and any other equipment, services, and technology that comprise our communication and information systems (collectively, “GoFundMe Equipment”). GoFundMe Equipment remains at all times the property of GoFundMe.

We prioritize transparency and compliance with applicable laws. To keep our work environment secure and running smoothly, we may need to access, review, and manage files, data, and communications on GoFundMe Equipment. This includes actions such as collecting, monitoring, decrypting, deleting, copying, disclosing (including within GoFundMe and its subsidiaries and affiliates, and to third parties) and storing information. All data that is composed, transmitted, accessed, or received via GoFundMe Equipment (including via telephone, computer, email, and internet systems) is considered to be part of the official records of GoFundMe and, as such, is subject to retention and disclosure by GoFundMe to law enforcement, or other third parties, to the extent permitted under applicable law.

Personal Data we collect or receive through these processes are handled in accordance with our policies, including this Notice. Examples of workplace electronic monitoring include:

• Collecting information regarding access and use of GoFundMe Equipment and monitoring GoFundMe Equipment, including by using CCTV and badge scans, for purposes of safety and security, network security, and internal operations.
• Reviewing and using communications made by Personnel using GoFundMe Equipment for purposes of internal or external investigations, litigation and law enforcement.
• Monitoring (including those accessed through personal, portable or mobile devices) use of collaboration platforms including Gmail, Google Calendar, Google Drive, Slack and Zoom for purposes of internal operations, including to understand how Personnel use such platforms, and to enhance productivity in connection with such use.
• Using Personnel location information as determined through Personnel badge data to locate Personnel in the event of an emergency.

The Personal Data used for such purposes is collected at the time of Personnel’s use and/or access to GoFundMe Equipment.

Please be aware that your communications made using GoFundMe Equipment may not be kept private or confidential, including if Personnel send or receive personal communications using such equipment. To maintain a safe and compliant work environment, we may monitor activities to make sure everyone is following GoFundMe policies. If any issues arise, we may address them with appropriate actions, which could include disciplinary measures.

Does GoFundMe Disclose My Personal Data?

When we disclose your Personal Data, it is our policy to limit the categories of other entities who have access to that data.

We may disclose Personal Data to other parties, including to entities within and outside GoFundMe located in any jurisdictions where GoFundMe is located or conducts business, for the Processing Purposes as set forth below.

• Affiliates and Subsidiaries. We disclose your Personal Data among the GoFundMe entities, including our affiliates and subsidiaries, for purposes consistent with this Notice, including to maintain and improve effective administration of the workforce; to communicate information about us; to maintain a corporate directory; to maintain IT systems; to monitor and assure compliance with applicable policies and procedures, and applicable laws; and to respond to requests and legal demands from regulators and other authorities.
• Legal and Regulatory Authorities. Personal Data may be shared with regulators, courts, and other authorities (e.g., tax and law enforcement authorities), independent external advisors (e.g., auditors), insurance providers, pensions and benefits providers, internal compliance and investigation teams (including external advisers appointed to conduct internal investigations), as necessary, to fulfill the Processing Purposes outlined above.
• Business Transactions. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution, similar event, or steps taken in anticipation of such events (e.g., due diligence in a transaction), your Personal Data may be transferred to the new employer or potential new employer as part of the transfer itself or as part of an initial review for such transfer (i.e., due diligence), subject to any rights provided by applicable law, including jurisdictions where the new employer or potential new employer are located.
• Data Processors. As necessary for the Processing Purposes set forth above, Personal Data may be disclosed with one or more third parties, whether affiliated or unaffiliated, to process Personal Data under appropriate instructions (“Data Processors”). The Data Processors may carry out instructions related to workforce administration, IT system support and maintenance, payroll and compensation, training, compliance, and other activities, and will be subject to contractual obligations to implement appropriate technical and organizational security measures to safeguard the Personal Data, and to process the Personal Data only as instructed.
• Compensation Benchmarking Providers. In order to provide you with competitive compensation, we share your Personal Data with Aon, a vendor that acts as an independent controller for your Personal Data. For Aon’s Privacy Notice, please visit Aon Privacy Statement.

What Rights Do I Have Regarding Personal Data?

We rely on Personal Data being accurate, complete, up‐to‐date, and reliable for the intended use. We expect you to inform us of any changes to your Personal Data, such as changes to contact details, beneficiaries, or any information affecting benefits or services we provide to you.

You are permitted to review, delete, and correct or update your Personal Data, with some exceptions. For example, we may be required to retain certain Personal Data pursuant to our legal obligations.

You can exercise your rights by either logging into your benefits account, filling out this form, emailing privacy-requests@gofundme.com, or calling +1 (408) 915-7998. We will not disclose any information in response to a rights request that may compromise the privacy of other persons unless required to do so by law.

For more information about your rights, please refer to the Country/Region‐Specific Disclosures section of this Notice.

For How Long Will GoFundMe Keep My Personal Data?

Where Personal Data is kept, GoFundMe will retain the data for as long as required for the purposes for which it was collected and in compliance with legal, regulatory, tax, accounting, and technical requirements. For instance, records related to your employment with us, if applicable, are kept for at least seven years. Sometimes, we may retain your Personal Data for longer periods of time if required to do so according to our regulatory obligations or to protect our legal rights or the rights of others. For example, we may keep your Personal Data for a reasonable time after you leave to ensure we have the records we need in the event of a dispute or regulatory investigation, and to ensure that any ongoing obligations can be complied with, such as complying with requests from regulators, and to contact you about future work opportunities (if you consent).

For more information, please contact us as described under the “Who Can I Contact About This Notice?” section below.

How Will GoFundMe Protect Personal Data?

We implement administrative, technical, and physical controls to reasonably and appropriately safeguard Personal Data against loss, misuse, unauthorized access, theft, modification, disclosure and destruction. We will restrict access to Personal Data under our control to those employees, service providers, agents, and contractors of GoFundMe who have a legitimate business need for such access. We will provide training to Personnel and third parties where relevant to promote awareness of our requirements and policies surrounding protection and security of Personal Data.

How Does GoFundMe Address Data Privacy Concerns?

The People and Workplace team is responsible for implementing and overseeing the administration of this Notice. All employees and contractors whose responsibilities include the collection, use, and processing of Personal Data are required to adhere to this Notice and any implementing policies. Failure to do so is deemed a serious offense, for which disciplinary action may be taken, potentially resulting in termination of employment. Equally, the misuse of Personal Data by an individual or organization acting as our agent or contractor is deemed a serious issue for which action may be taken, potentially resulting in the termination of an agreement or other action.

To raise questions or concerns about the collection, use or processing of your Personal Data, you may contact our Privacy team at privacy@gofundme.com. For escalations or complaints, please contact our Data Protection Officer at DPO@gofundme.com. Any submitted questions or concerns will be considered and responded to in accordance with our formal complaints procedures.

For further country/region specific information for Personnel located in California or outside the United States, please refer to the Country/Region‐Specific Disclosures section of this Notice.

Country/Region‐Specific Disclosures

California (US)

Personal Information Collection and Use

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with a California employee, independent contractor or job applicant (collectively, “California Personnel”) . In accordance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), we are designated as a ‘Business’ and process, in addition to the Personal Data listed above, the following categories of Personal Information.

Category of Personal Information

1. Identifiers
2. Personal Information Described in Cal. Civ. Code § 1798.80(e)
3. Characteristics of Protected Classifications under California or Federal Law
4. Professional or Employment-Related Information
5. Internet or other Electronic Network Activity Information
6. Commercial Information
7. Biometric information
8. Geolocation information
9. Audio, Electronic, Visual, Thermal, Olfactory or Similar Data
10. Inferences Drawn from Personal Information Above
11. Sensitive Personal Information

Disclosures of Personal Information

We do not currently, and have not within the preceding twelve months, sold or shared for cross-context behavioral advertising the Personal Information of California Personnel that we collect in relation to your employment, contract work for us, job application, or other such engagement.

We may disclose Personal Information of California Personnel to the following categories of recipients:

• Compensation and Benefits Providers: Including service providers that facilitate the following services, 401K administration, medical and dental benefits, insurance benefits, employee assistance programs, relocation services, payroll administration, and workplace incident management.
• Professional Advisors: Such as accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors.
• Government Agencies: Such as tax authorities, regulatory bodies, law enforcement agencies (if required by law), and other regulatory reporting.
• Business Administration Providers: Such as recruiting firms, executive coaching, language training, rewards and recognition programs, and background checks (where permitted by law), and other vendors who help us manage our business operations including our GoFundMe Equipment.
• Business Partners and Other Third Parties: Such as potential business partners, acquiring entities, suppliers, customers, government bodies, and companies recruiting or considering hiring you.
• Compensation Benchmarking Providers: Such as Aon, a vendor that acts as an independent controller for your Personal Information. For Aon’s Privacy Notice, please visit Aon Privacy Statement.
• During the last twelve months, we have disclosed the following categories of Personal Information:

How to Exercise Your Rights

We take steps to keep Personal Information accurate. If you are a resident of California, you have certain rights to the Personal Information that we have collected about you. To exercise any of your rights to your Personal Information, please fill out this form, email privacy-requests@gofundme.com, or contact us by phone at +1 (408) 915-7998.

Please note that, if you submit a request to know, request to delete, or request to correct, we may ask for additional information to verify your identity (e.g., through providing your email address and checking it against our records). You may also designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed.

Your Rights

• Right to Know: You have the right to know what Personal Information we have collected about you, subject to certain exceptions. You may request:

(1) The categories of personal information we collected about you,
(2) The categories of sources for the personal information we collected about you,
(3) Our business or commercial purpose for collecting that personal information,
(4) The categories of third parties with whom we share that personal information,
(5) The categories of personal information that each recipient received, and
(6) The specific pieces of personal information we collected about you.

• Right to Delete Your Personal Information: You have the right to request that we delete Personal Information we collected from you, subject to certain exceptions.
• Right to Correct Inaccurate Information: If you believe that the Personal Information we maintain about you is inaccurate, you have the right to request that we correct that information.
• Right to Opt Out of Sales and Sharing of Personal Information: Although the CCPA permits you to opt out of the sale/share of Personal Information, we do not sell or share Personal Information of California Personnel.
• Right to Limit Use and Disclosure of Sensitive Personal Information: You may direct us to limit the use and disclosure of your Sensitive Personal Information to certain uses and disclosures that are permitted under the CCPA. We only use Sensitive Personal Information as permitted by applicable law.
• Right to Non-Discrimination for the Exercise of Your Privacy Rights: If you choose to exercise any of your privacy rights under applicable California privacy law, you also have the right not to receive discriminatory treatment by us, including retaliation against you as Personnel.
• Right to Appeal: If we deny your privacy request, you have the right to appeal that decision by emailing us at privacy-requests@gofundme.com. If you are still unsatisfied with our response, you have the right to file a complaint with the California State Attorney General.

Australia

“Personal Data” means “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”

If you do not provide us with the Personal Data we request, we may not be able to perform necessary functions as an employer.

This policy is not intended to create any rights under the Privacy Act 1988 (Cth) in respect of any employee information which would otherwise not be covered by the Act.

Security of Information

We hold your information in a combination of paper and electronic files. We will take reasonable steps to keep secure any Personal Data which we hold about Personnel, and to protect it from misuse, interference and loss, and from unauthorized access, modification or disclosure.

Your Rights

You may have a right to access and to correct your information which we collect and hold about you. For more details on how to exercise your rights, please see “What Rights Do I Have Regarding Personal Data?”

Complaints

If you wish to make a complaint about a breach of the Australian Privacy Principles, have a concern about your privacy or you have any query on how your information is collected or used, please contact us using the details below. We will respond to your query or complaint within a reasonable time. If you are dissatisfied with the response that you receive from us, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). However, we encourage you to contact us first, and we will do our very best to resolve your concern.

European Union/European Economic Area (EU/EEA), Switzerland, and United Kingdom (UK)

In this Notice, you will see references to “GDPR,” which refers to the European Union’s General Data Protection Regulation. The GDPR is a European law governing your rights in relation to your Personal Data, and how organizations should protect it. The reference also includes that portion of the law of England and Wales, Scotland and Northern Ireland (collectively, the “United Kingdom” or “UK”) by virtue of section 3 of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018.

Where applicable, we comply with European data principles, which means Personal Data will be used lawfully, fairly and in a transparent way; collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes; relevant to the purposes we have told you about and limited only to those purposes; accurate and kept up to date; kept only as long as reasonably necessary for the purposes we have told you about; and kept securely.

We will provide this Notice to Personnel through appropriate communication channels to inform them about the identity of the respective GoFundMe entity acting as controller of Personal Data, the purposes for which we collect and use Personal Data, the types of third parties with which we disclose Personal Data, the choice and means GoFundMe offers Personnel for limiting the use and disclosure of their Personal Data, and how to contact GoFundMe if they have issues or concerns about their Personal Data.

We may hold and in the future collect Personal Data for employment or engagement purposes. If you are an employee of GoFundMe, you are contractually required to provide us with certain Personal Data that we need in order to process your employment and to comply with our legal duties as an employer. Without your Personal Data, we are not able to enter into an employment relationship with you.

Data Transfer

As you may expect, some of the recipients we may disclose Personal Data and Sensitive Personal Data to may be located in countries outside of the European Union (“EU”), Europe Economic Area (“EEA”), the United Kingdom, and Switzerland.

Some countries where recipients may be located already provide an adequate level of protection for Personal Data, and transfers to other countries may be protected under arrangements such as the EU Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR. Transfers to any of our affiliates located outside the EU, EEA, UK and Switzerland are subject to the Standard Contractual Clauses and the UK International Data Transfer Agreement to ensure that your data is protected adequately.

If recipients are located in other countries without adequate protections for Personal Data, we will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable data protection law. This will include using appropriate safeguards such as the Standard Contractual Clauses.

You can ask for a copy of the safeguards we employ to provide an adequate level of protection for your Personal Data by contacting us as described under the “Who Can I Contact About This Notice?” section below.

How to Exercise Your Rights

We take steps to keep Personal Data accurate and up to date. If you reside in the EU, EEA, UK, or Switzerland, you have certain rights to the Personal Data that we have collected about you. To exercise your rights to your Personal Data, please fill out this form, email privacy-requests@gofundme.com, or contact us by phone at +1 (408) 915-7998.

For escalations or complaints, please contact our Data Protection Officer at DPO@gofundme.com.

Your Rights

• Right of Access: You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right, and if you want to request more than one copy we may charge a fee.
• Right to Rectification: You may have the right to rectify inaccurate or incomplete Personal Data concerning you.
• Right to Erasure (right to be forgotten): You may have the right to ask us to erase Personal Data concerning you.
• Right to restriction of processing: In limited circumstances, you may have the right to request that we restrict processing of your Personal Data, however where we process Personal Data and Sensitive Personal Data for the Processing Purposes we think that we have a legitimate interest in processing, which may override a request that you make.
• Right to data portability: You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.
• Right to object and rights relating to automated decision-making: Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data, including profiling, by us and we can be required to no longer process your Personal Data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

You also have the right to lodge a complaint with the Information Commissioner’s Office or competent data protection supervisory authority. The relevant data protection supervisory authority for each country we operate in is set out below:

Legal Basis for Processing under the GDPR

The Processing Purposes for our collection of Personal Data and Sensitive Personal Data, and the different legal bases for processing this data are as follows:

Below are the Processing Purposes and corresponding Legal Bases for Sensitive Personal Data:

When relying on the legitimate interest basis for processing your Personal Data, we will balance the legitimate interest pursued by us and, if applicable, any relevant third party with your interest and fundamental rights and freedoms in relation to the protection of your Personal Data to ensure it is appropriate for us to rely on legitimate interests and to identify any additional steps we need to take to achieve the right balance.

Changes to this Notice

We reserve the right to update and modify this Notice at any time and from time to time. We will notify you of any material updates or changes we make to this Notice. Please also review this Notice periodically for any updates or changes.

Who Can I Contact About This Notice?

If you have concerns or questions regarding this Notice, please contact us as set forth below:

For escalations or complaints, please contact our Data Protection Officer at DPO@gofundme.com.