expresso · hoozyu · Client Portal
Contact us:
sales@elaura.com
ElauraLegalPrivacy: Elaura & GDPR

Privacy: Elaura & GDPR

The EU General Data Protection Regulation (GDPR) takes effect from May 25th 2018. This document sets out how Elaura Asia Pte Ltd and its subsidiaries (collectively, "Elaura") actively comply with this Regulation; most of this has been our established policy since we commenced operations.

Scope of Data Collection

Summary

In general, Elaura handles very minimal Personal Data, other than processed Birkman Profiles for individuals and the minimum information required to connect a client with their Birkman Profile (name and email address; additionally we may also have organisation name, address and team or proposed role and other relevant information in the case of organisational development, role benchmarking, recruitment or other programmes).

As Birkman Data has a long shelf-life (i.e. it is valuable to the individual respondent for periods in excess of two or three decades) we retain access to name, email and Birkman Results indefinitely. We encourage our individual users to keep us updated with changes of email address so that we can more readily serve them at a future date.

The optional additional data mentioned above - organisation, team, role etc - is only kept for as long as we are working with that organisation and we have not yet been informed that the individual respondent is no longer employed there. While working with organisations we ask them to provide updated employee lists at regular intervals, precisely for this reason, i.e. so we can remove additional data held on those who are no longer employees.

If you have previously completed a Birkman Questionnaire for Elaura and have now left the employer who paid for your profile, you can ensure that we delete information connecting you to that employer, or delete your Birkman profile altogether, by contacting us at privacy@elaura.com

Our platform products (expresso and hoozyu) use an individual's email address as the system-wide unique identifier and username plus an encrypted password in order to access their data stored on our servers (see technical document at elaura.com/data for more details).

Elaura does not track the activity of individuals for marketing or other value-creating purposes; there is limited tracking used by our platform products (expresso and hoozyu - see below for details).

The opt-in newsletter system we use (Mailchimp / Mandrill) tracks the opening of emails by default. Subscribers can unsubscribe from our newsletters at any time, which removes their data from the mailing list.

Our hoozyu product includes 5 informational emails sent by Mailchimp as part of the product, one per day for five days; we have now implemented an opt-in email step for this list, users can opt out of these emails whenever they like; and all users are deleted within a month after they receive the fifth email.

We use Typeform to collect survey data as part of our ongoing quality assurance and R&D effort. Once processed and anonymised, we delete all personally identifiable data.

That is the limit of our data collection.

Here is the Detail

  1. Elaura's business consists in supplying an Assessment Tool (The Birkman Method or "TBM") to individuals, institutions and organisations.
  2. Birkman International ("BI"), the publishers of TBM, do the majority of the data collection involved in our business, and are themselves fully GDPR compliant. See birkman.com/gdpr for full details.
  3. Elaura has no access to the biographical data collected by BI, with the exception of Firstname, Lastname, Date of Birth and Gender.
  4. Elaura also has no access to the actual answers given by an individual to the Birkman Questionnaire ("the Q"); we only recieve the processed results of the Q. See elaura.com/data for more details
  5. Elaura does not collect tracking data from its public websites or marketing activities.
  6. We do conduct limited tracking on our platforms, expresso and hoozyu. In that context, the cookies we deploy are for "session" purposes (keeping an individual connected to the right server during a session) and the limited tracking we do (simply of when a user logs in to the platform) is for diagnostic purposes in the case of a user experiencing problems with the system. The cookies expire and are deleted at the end of the session; our server logs are overwritten typically after a week.
  7. As required by the EUs own VAT MOSS Regulation, we track and retain the IP address of online purchasers of our products as part of the required proof of purchaser residency for VAT assignment purposes (this data cannot be relinquished or deleted for seven years, by law).
  8. Elaura never transfers or sells Personal Data to third parties.
  9. As mentioned above, by default we retain access to the Birkman Profiles of all our past clients, in order that we can serve them at a future date (we regularly have individuals contact us for a fresh, updated, copy of their report, five, ten or even fifteen years after they first took the Q). See below for details of the Right to be Forgotten.
  10. Our Banks and Payment Platforms necessarily keep some details of payments made, but we have no access to the account numbers or card details of our customers.
  11. The additional data mentioned in the previous section (e.g. name of organisation, team, role etc) is stored separately from profile data and deleted when no longer required for the purpose it was collected.

Purpose of Data Collection

Depending on whether an individual is completing the TBM Questionnaire ("the Q") for their own use, or have been asked to do so by a current or prospective employer, the purpose of the Data Collection may vary. It may include one or more of the following:

  • To give them a better understanding of themselves, including their motivations and perspectives.
  • To enable them to plan their career and professional development, or their next career move.
  • To enable their current employer to better understand how to deploy their talent and services.
  • To enable them and their team to function more effectively together, or across functions.
  • To enable their current employer to benchmark best fit for the role the individual currently performs (normally only applicable to roles occupied by multiple individuals).
  • To help diagnose and remediate a relational issue in a team or workplace.
  • To illuminate a specific operational or performance issue, or to map capacity, culture and potential of the organisation in part or as a whole.
  • To enable a prospective employer to decide whether or not the individual is a good fit for a specific role.

It should be noted that all of these purposes have a positive intent, even where they may focus on a problem area; Elaura does not undertake work where there is any intent to put individuals at a disadvantage.

It is incumbent upon Organisations employing Elaura's products and services that they should communicate the objectives and proposed uses of the TBM data clearly to their employees before such data is collected.

The Four Rights under GDPR

Notwithstanding anything written above, except where otherwise specified by law, all EU citizens have the following four rights, and which we generally extend to all our individual clients.

1. Right to be Forgotten

An individual may request that their data be deleted, either by Elaura alone (in which case Elaura will delete the individual's data from all servers and backups, and ask BI to remove our access to the individual's results); or by both Elaura and BI, in which case BI will also delete all their data. Please note that the latter case is irrevocable: once deleted, it will never be possible to access those TBM results again. If only Elaura deletes the individual's data, then the individual can access their data later by contacting BI direct.

2. Right to Object

An individual may prohibit certain uses of their data, or the collection of certain kinds of data. This will normally mean that the individual decides not to complete the Q or otherwise participate in a specific programme. Refusal to participate may of course put the individual at a disadvantage viz a vis their current or prospective employer (e.g. it may exclude them from consideration for a particular role), but that is an issue over which Elaura has no control.

3. Right to Rectification

If you believe that Elaura or BI is holding incomplete or incorrect data relating to you, you have the right to ask for this to be rectified. In this case you must contact the data processor directly: privacy@elaura.com in the case of Elaura and privacy@birkman.com in the case of BI

4. Right of Access

Individuals have the right to know what data about them is being processed and how. This document lays out the information which Elaura collects and processes; or you can visit birkman.com/gdpr to see how BI collects and processes data. If you require additional information from Elaura on the data it collects and processes, please contact privacy@elaura.com

If you believe that Elaura or BI is holding incomplete or incorrect data relating to you, you have the right to ask for this to be rectified. In this case you must contact the data processor directly: privacy@elaura.com in the case of Elaura and privacy@birkman.com in the case of BI