Privacy Policy

The RefAssured Platform System

RefAssured, Inc. provides a software-as-a-service software platform that enables people who have worked with or supervised an individual to provide confidential feedback on the individual's attributes and experiences associated with a specific job. Organizations and individuals (Subscribers) use the service to send emails or text messages to a candidate and the candidate's references. The reference email or text contains a link to a web-based survey, which the reference then completes and submits electronically. Reports are either generated automatically or monitored and finalized by Subscriber personnel (such as HR staff, recruiters, hiring managers, career offices, etc.).

This Privacy Policy describes the way RefAssured collects, uses, and secures your personal information, both through our software-as-a-service software platform and on our website, www.refassured.com (collectively, "RefAssured"). By using the RefAssured services, you consent to this Privacy Policy.

General Security Policy

Your privacy is our top concern. We work hard to earn and keep your trust, so we adhere to the following principles to protect your privacy:

We will only ask for the minimum personal information required to successfully complete the RefAssured reference checking process for our Subscribers

We will never rent or sell the personal information of any user of our system (e.g. recruiter, candidate, reference, etc.) to third parties for their marketing purposes

Any sensitive information that you provide will be protected with industry standard protocols and technology.

Notice of all changes that materially affect ways in which your personal information may be used or shared will be posted in updates to our Privacy Policy or as otherwise required by applicable law. If you continue to use the RefAssured service after notice of changes have been sent to you or published on our site, you hereby provide your consent to the changed practices. RefAssured is in the process of acquiring our SOC 2 Type 2 credentials and RefAssured will review and update this Privacy Policy annually, thus RefAssured will notify all users within a responsible amount of time with updated the Privacy Policy herein.

Information Collection

Enclosed below we outline the categories of information we have collected and how it is used and how it may be shared:

Types of Personal Data We Collect	Source	Purpose for Collection	Types of Recipients that may View Said Data
Contact information: may include name, email, job title, phone number	From you or our registered users or from you for our software services	To communicate with and respond to you and our Subscribers about your reference check report and the services provided by RefAssured	We may share this information with select service providers and partners who help deliver and maintain the services along with your references and our Subscribers where needed to deliver the services
Reference feedback: such as information about your roles, professional attributes, performance at prior employers	From the references you choose to respond to our survey	To prepare the reference reports provided to our Subscribers	We may share this information with select service providers and partners who help deliver and maintain the services, along with the Subscribers who use our service.
Browsing information: such as your IP address, MAC address or other device identifier, the kind of browser or computer you use, pages and content that you visit on the website, what you click on, the state and country from which you access the Site, date and time of your visit, and web pages you linked to our website	Your interactions with the website, including using cookies and other tracking technologies explained further below	To evaluate usage of the website and improve performance and services; to deliver targeted online marketing to you; and to protect the security and integrity of the services and our website, such as preventing fraud, hacking, and other criminal activity or to meet legal obligations	Our service providers who help us with fraud protection, website analytics, and marketing
Marketing Website Interactions: Contact information you voluntarily provide (name, email, company, phone number) through forms and pop-ups; session replay data including mouse movements, clicks, scrolling, and page navigation on our public marketing website only	From you when you visit www.refassured.com and interact with forms; from your browsing behavior via analytics tools	To respond to sales inquiries; to send marketing communications about RefAssured services; to analyze and improve our marketing website user experience	Our service providers who help with marketing automation (OptinMonster) and website analytics (Inspectlet); our sales and marketing team

Note: The tools and data collection practices described for "Marketing Website Interactions" apply ONLY to our public marketing website (www.refassured.com). These tools are NOT used within the RefAssured platform where reference checking services are delivered. The reference checking platform is subject to separate, more stringent data handling practices as described throughout this policy.

Candidate Reference Services

We receive personal information about you and your references in order to perform the RefAssured reference checking process for our Subscribers.

Identity Verification (Subscriber-Elected Feature): Where a Subscriber has elected to enable identity verification, Candidates will be required to verify their identity through ID.me, a third-party identity verification service, before completing the reference check process. RefAssured redirects Candidates to ID.me's platform using a secure OpenID Connect (OIDC) authentication flow. Candidates provide their identity information directly to ID.me; RefAssured does not send Candidate personal information to ID.me to initiate the verification. Upon successful verification, ID.me returns verified identity attributes (name, email address, and phone number) to RefAssured via an OIDC callback, which RefAssured uses solely to confirm the Candidate's identity against information already on file. ID.me may collect biometric data (including facial recognition and liveness checks) as part of its identity verification process. This biometric data is collected and processed by ID.me on its own platform and is not processed by RefAssured. ID.me generally retains biometric data for up to three years after the last user interaction, or until the purpose for collection is satisfied. Candidates may request deletion of their data directly from ID.me. ID.me's data practices are governed by ID.me's own Privacy Policy, available at https://www.id.me/privacy. This section applies only to Candidates of Subscribers who have activated the identity verification feature.

RefAssured may receive background/demographic information, on a voluntary or optional basis, from job candidates. This information will not be associated with the candidate's name, email address, or any other personal information. This information will not be shared with a prospective employer. It will be used by RefAssured solely to monitor compliance with U.S. federal statutes and for other research purposes.

RefAssured may receive background/demographic information, on a voluntary or optional basis, from students and evaluators. This information will not be shared and will be solely used for research purposes.

Information We May Share

We may provide non-identifying aggregated data about the usage of our service to third parties for such purposes as we deem, in our sole discretion, to be appropriate. This information may be used for joint research purposes and will be de-identified prior to any related data transfer. We may segment our users by role (i.e., Software Engineers, Scientists), industry, geographic location, company. If you would like to be excluded from the aggregated research, please email privacy@refassured.com. We may also associate non-identifying information, such as IP address, with identifying information for purposes of fraud detection.

We may share all information that we collect on behalf of a client with that client and as directed by that client.

Third-Party Identity Verification Provider (Subscriber-Elected): Where a Subscriber has elected to enable identity verification, we partner with ID.me, Inc. to provide that service. RefAssured shares no Candidate personal data with ID.me to initiate verification; upon successful verification, ID.me transmits verified identity attributes (name, email, and phone number) to RefAssured. RefAssured has executed a Data Processing Agreement with ID.me. ID.me's collection and use of Candidate data, including any biometric data, is governed by ID.me's Privacy Policy at https://www.id.me/privacy. Candidates consent directly to ID.me's terms during the verification process. This applies only where the Subscriber has activated the identity verification feature.

Unless prohibited by applicable law, we reserve the right to transfer the information we maintain in the event we sell or transfer all or a portion of our business or assets. If we engage in such a sale or transfer, we will – where required by applicable law – make reasonable efforts to direct the recipient to use your personal information in a manner that is consistent with this Privacy Notice. After such a sale or transfer, you may contact the recipient with any inquiries concerning the processing of your personal information.

In addition, we may share your information to comply with legal and regulatory requirements, and protect against and prevent fraud, illegal activity (such as identifying and responding to incidents of hacking or misuse of our websites), and claims and other liabilities.

Cookie Policy

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating web domain on your subsequent visits to that domain. Most web pages contain elements from multiple web domains so when you visit the website, your browser may receive cookies from several sources.

Cookies are useful because they allow a website to recognize a user's device. Cookies allow you to navigate between pages efficiently, remember preferences and generally improve the user experience. They can also be used to tailor advertising to your interests through tracking your browsing across websites.

Session cookies are deleted automatically when you close your browser and persistent cookies remain on your device after the browser is closed (for example to remember your user preferences when you return to the site).

We make use of analytics cookies to analyze how our visitors use our websites and to monitor Website performance. This allows us to provide a high-quality experience by customizing our offering and quickly identifying and fixing any issues that arise. For example, we might use performance cookies to keep track of which pages are most popular, which method of linking between pages is most effective, and to determine why some pages are receiving error messages. We might also use these cookies to highlight articles or site services that we think will be of interest to you based on your usage of the website. The information collected by these cookies is not associated with your personal information by us or by our contractors.

RefAssured uses "cookies," which are small pieces of information stored by your browser or other application on your computer's browser or hard drive. We use cookies to remember certain information about visitors during their visit and may store information about your activity on the RefAssured application both within the same website visit and from one visit to the next. We may use cookies to recognize you and show you content on other websites based on your visits to the RefAssured application. The "help" portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive new cookies or how to disable cookies altogether. If you reject cookies, you may not be able to participate in certain activities or see content tailored to you. Please note that RefAssured does not control and do not guarantee the effectiveness of browser-based tools for managing cookies.

RefAssured uses Google Analytics web analytics service offered by Google to track and report website traffic. Google Analytics may leave cookies after each session. Learn how Google Analytics processes data: https://marketingplatform.google.com/about/analytics/features/.

In some jurisdictions, individuals may have the right to provide opt-in consent or withdraw consent for certain uses. If you reside in such jurisdictions, such as the European Union, you may have additional rights which are detailed below, "Access, Correction and Deletion."

You can opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout

Marketing Website Analytics and Lead Capture Tools
The following tools are used exclusively on our public marketing website (www.refassured.com) to improve user experience and communicate with potential customers. These tools are NOT used within the authenticated RefAssured reference checking platform.

Session Replay Analytics (Inspectlet): We use Inspectlet to understand how visitors interact with our marketing website and identify opportunities to improve the user experience. Inspectlet records anonymized session replays showing mouse movements, clicks, scrolling, and page navigation on our public marketing pages.

What Inspectlet records:

How visitors navigate our marketing website
Which content and features visitors engage with
Where visitors may encounter usability issues

What Inspectlet does NOT record:

Any activity within the RefAssured reference checking platform
Passwords or payment information
Content entered into forms is masked from recording (only the act of completing a form is recorded, not the specific information entered)

Session recordings are retained for 90 days and used solely to identify usability issues and improve website design. For more information about Inspectlet's privacy practices or to opt out, visit www.inspectlet.com/legal. Lead Capture Tools (OptinMonster): We use OptinMonster to display forms and pop-ups on our marketing website for lead generation purposes. When you choose to submit your information through these forms (such as your name, email, company name, or phone number), OptinMonster processes the data on our behalf in accordance with our instructions.

We use this information to:

Respond to your inquiries about RefAssured services
Send you marketing communications about our platform and offerings
Improve our marketing messaging

This data is not sold to third parties. You can unsubscribe from marketing communications at any time using the unsubscribe link in any email we send you.

Security and Storage

We hold your personal information in electronic form. To ensure your personal information is secure RefAssured is in the process of adhering to the SOC 2 Type 2 certification and security standards and your data is encrypted in transit and at rest. Service providers may process the information for us, but only ever for the sole purpose of providing our services. Where a service provider holds your information, we require them to adhere to our approved standards of security to ensure the continuing protection of your personal information. Only authorized users / employees are granted access to your personal information and our procedures ensure that your personal information is only made available to employees where necessary. We audit and monitor our employee's access to and handling of personal information.

We will retain your personal and sensitive information as directed by the Employer, or where we are a data controller when we no longer require it for any purpose for which it was collected. RefAssured will comply with its obligations to destroy, erase, or de-identify your personal information as required by applicable law.

RefAssured protects the personal information in its custody or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. You should be aware that confidentiality and security are not assured when information is transmitted through e-mail or wireless communication.

RefAssured is not responsible for any loss or damage suffered as a result of a breach of security or confidentiality when information is transmitted by e-mail or any other communication channels or source.

Communications & Opt-Out

As described above, Subscribers may use the service to communicate with candidates and the candidate's references through email and text message. Where applicable, candidates are required to represent and warrant that they agree to receive emails and text messages through RefAssured and that the references they designate also have consented to receive communications in that manner sent by or on behalf of the candidate. Candidates that select text as their preferred method of contact for the candidate's references and enter their mobile number(s), the candidate represents and warrants that each such reference has expressly consented to receive the texts from the candidate through RefAssured at the number provided for the purpose of job reference feedback. Note that RefAssured may partner with third parties to deliver and manage these communications on behalf of the candidate. The candidate and references can opt-out of these communications at any time, although doing so may impact the ability to use and benefit from RefAssured. Recipients of emails or text through RefAssured can opt out by clicking the opt-out link at the beginning of the survey.

Candidate Consent for Identity Verification (Where Applicable): Where a Subscriber has elected to enable identity verification, Candidates will be informed prior to being redirected to ID.me that identity verification is required by the Subscriber to complete the reference check, and that this process is performed by ID.me, a third-party service. During the ID.me verification flow, Candidates consent directly to ID.me's Terms of Service and Privacy Policy. By proceeding, Candidates acknowledge and agree to the use of ID.me for identity verification. As this verification is required by the Subscriber's configuration, declining to consent to ID.me's terms will prevent completion of the reference check for that Subscriber.

Services to Minors Not Permitted

We do not knowingly collect information from minors. To use the Site, you must be the age of legal majority in your place of residence. By using the Site, you hereby represent that you are at least the age of legal majority in your place of residence. We do not use an application or other mechanism to determine the age of users of the Site. All information provided to us will be treated as if it was provided by an adult. We will use commercially reasonable efforts to delete information associated with a minor as soon as practicable if we learn that a minor has submitted information about himself/herself to us.

Do Not Track Disclosure

Do Not Track (DNT) is a privacy preference that users can set in some web browsers, allowing users to opt-out of tracking by websites and online services. There are many methods where web browser signals and similar mechanisms can indicate your choice to disable tracking. But we may not be aware of or able to honor every such mechanism. Because there is not yet a common understanding of how to interpret web browser based "Do Not Track" (DNT) signals other than cookies, we may not respond to undefined DNT signals to our Sites or online services. More information about "do not track" is available at www.allaboutdnt.org and can also be found via https://support.google.com/chrome/answer/2790761.

For visitors to our marketing website who wish to opt out of session replay analytics, you may do so at www.inspectlet.com/legal or by enabling Do Not Track in your browser, which we will honor for Inspectlet recordings.

Note for California Residents

If you are a California resident, you may contact us to request information about circumstances in which we share certain personal information with third parties for their own marketing purposes. As described above, we will never rent or sell the personal information of any user of our system to third parties for their own marketing purposes. For questions, please contact us as privacy@refassured.com.

Residents of California also have the following rights with respect to personal information collected about them:

The right to know the categories or the specific pieces of personal information.

The right to request deletion of any personal information collected.

In addition to the submission of requests to exercise these rights directly, you may designate an authorized agent to make a request to know or request to delete on your behalf. To submit a request to know or request to delete, you should contact the relevant RefAssured Subscriber (customer). That may be a talent manager, account manager, recruiter, or the company with which you applied for a job, or a candidate who requested a reference from you.

If you are unable to identify or contact the relevant Subscriber or would like to submit regarding any personal information, we may have collected from you directly, you can contact us by emailing privacy@refassured.com. If / when you exercise these rights and submit a proper request to us, we may verify your identity by asking you for additional information. We also may use a third-party verification provider to verify your identity. RefAssured will endeavor to honor requests unless they are properly directed at a RefAssured subscriber or a lawful exemption under the CCPA applies. Please note that RefAssured is only required to honor such requests twice in a 12-month period. For the 12-month period prior to the date of this Privacy Policy, RefAssured has not sold any personal information about its clients; nor does it have any plans to do so in the future.

Marketing Website Data: Our public marketing website uses session replay analytics (Inspectlet) that may share anonymized browsing behavior data. California residents can opt out of this session recording at www.inspectlet.com/legal. This tool is not used within the RefAssured platform itself.

Identity Verification Data (California Residents, Where Applicable): Where a Subscriber has elected to enable identity verification, that verification is performed by ID.me, Inc., a third-party processor operating under its own Privacy Policy and Terms of Service. ID.me, not RefAssured, collects and controls any biometric data or government-issued identity information provided during the verification process. California residents have rights with respect to their personal information held by ID.me, including the right to know, the right to delete, and the right to opt out of the sale of personal information. These rights may be exercised directly with ID.me at https://www.id.me/privacy or by contacting ID.me at privacy@id.me. RefAssured receives only verified identity attributes (name, email, phone) from ID.me, and California residents may contact privacy@refassured.com regarding that information.

Rights of Access, Correction, & Deletion

If you reside in certain jurisdictions such as the EU and United Kingdom, you have the right to access or correct your personal information and can make this request by contacting the relevant RefAssured subscriber. That may be a talent manager, account manager, recruiter, or company with which you applied for a job, or a candidate who requested a reference from you. In addition, you may request that the Subscriber delete or restrict access to your personal data.

Retention of Personal Information

Personal information that we collect, access or process will be retained only as long as necessary for the fulfillment of the purposes for which it was collected, unless otherwise provided in agreements between RefAssured and its Subscribers or as required or authorized by law. Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased or de-identified.

Identity Verification Data Retention (Where Applicable): Where a Subscriber has elected to enable identity verification, personal data collected by ID.me during that process (including any biometric data) is retained by ID.me, not RefAssured. ID.me generally retains biometric data for up to three years after the last user interaction, or until the purpose for collection is satisfied. Specific data such as selfies or video recordings may be deleted sooner (within 24 hours to 30 days) depending on partner-specific configurations. Candidates may request deletion of their data directly from ID.me. Verified identity attributes returned to RefAssured (name, email, phone) are retained by RefAssured only as long as necessary to maintain the Candidate's record in accordance with this Policy.

Visitors from Outside the United States

RefAssured product and software services are hosted inside the United States. If you are visiting our website or using our service from outside the United States, your information may be transferred to, stored and processed in the United States or other countries in accordance with this Privacy Policy. The data protection and other applicable laws of the United States or other countries may not be as comprehensive as those laws or regulations in your country or may otherwise differ from the data protection or consumer protection laws in your country. Your information may be available to government authorities under lawful orders and applicable laws in such jurisdictions. We will use an appropriate data transfer mechanism. In addition, by using RefAssured website and or software services to provide personal information, you consent to transfer your information to our facilities as described in this Privacy Policy.

Website Security

RefAssured deploys reasonable and appropriate security measures to protect against the loss, misuse, and alteration of the personal data it processes. When the Website or Software Services is accessed using browsers that support Transport Layer Security (TLS) technology protecting information using both server authentication and data encryption to help provide that personal data is safe, and secure while in transit. RefAssured also implements an advanced security method based on dynamic data and encoded session identifications and hosts the Service in a secure server environment that uses a firewall and other advanced technology to protect against interference or access from outside intruders. RefAssured also provides individual usernames and passwords, that must be entered each time a customer accesses the RefAssured software platform. Additionally, RefAssured leverages Multi-Factor Authentication (MFA) for subscriber users. These safeguards help protect against unauthorized access, maintain data accuracy, and provide for the appropriate use of personal data. Nevertheless, no method of transmission over the Internet, or method of electronic storage, is one hundred percent secure, however. Therefore, we cannot guarantee absolute security. If you have any questions about security on our Service, please contact us at security@refassured.com.

RefAssured deploys an appropriate lever of website security. The website, and its use as a data conduit, is protected by Firewalls, Secure Socket Layer (SSL) to protect data in motion, encryption to protect data at rest, regular vulnerability scanning to identify new threats and 24x7 monitoring and intrusion detection. RefAssured's hosting Platform meets the SOC 2 standards for Security and Availability Trust Services Categories.

For Additional Information

Security and Privacy is important to RefAssured. Should you have any questions about the privacy statement or any other aspect of RefAssured, Inc., please contact us via email at privacy@refassured.com.

RefAssured, Inc. – Privacy Policy