I'm not a lawyer, but I've done enough SaaS contracts to know how to parse legalese.
https://info.bravado.co/privacy-policy
"Bravado values the privacy of our visitors and Members and we take measures to implement reasonable security controls for the protection of their information. California law and more specifically CCPA define ‘personal information’ very broadly as information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. It could include identifiers such as IP addresses or device identifiers, in addition to names and addresses. This Supplemental Privacy Notice for California Residents provides additional information regarding Bravado’s practices and your rights if you are a resident of California."
Bravado has the right to collect information about us when we use the service, but CCPA calls out:
"Professional or employment-related information. Current or past job history or performance evaluations is only shared with: Service providers. Users when shared in User Content".
So they can share it with potential employers if you apply for a job via Bravado jobs. Or it can be shared if you dox yourself.
More egregious...
"Biometric information. Under California law, biometric information includes any physiological or behavioral characteristics that can be used to establish your identity, such as a fingerprint or an image of your face from which a faceprint can be created. Bravado does not create or store faceprints of our Members"
According to privacy policy this information is "never shared".
However, many (if not all) users got emails yesterday that included:
• Current and past job history
• Images of our faces (apparently scraped from LinkedIn profiles).
(see image attached)
Luckily there is recourse:
"Your Privacy Rights. In accordance with applicable law, you may have the right to: (i) request confirmation of whether we are processing your personal information; (ii) obtain access to or a copy of your personal information; (iii) receive an electronic copy of personal information that you have provided to us, or ask us to send that information to another company (the “right of data portability”); (iv) object to or restrict our uses of your personal information; (v) seek correction or amendment of inaccurate, untrue, incomplete, or improperly processed personal information; (vi) withdraw your consent; and (vii) request erasure of personal information held about you by us, subject to certain exceptions prescribed by law. If you would like to exercise any of these rights, please contact us at [email protected] or as set forth below."
11 comments