Privacy Policy
Last Updated: October 1, 2024
Welcome to Forma! If you have any questions at all about this Privacy Policy, please do not hesitate to contact us at privacy@joinforma.com.
- APPLICABILITY OF THIS PRIVACY POLICY
- Forma (“Forma”, “we”, “us”) is a service provider which allows employers to flexibly design and scale benefits programs for their employees. When operating its service, Forma collects personal information about you in connection with your visit to the Forma website (“Site”), your use of the Forma employee benefits platform at joinforma.com (“Forma Platform”), and the benefits connected to your use of the Forma Platform, including any mobile or desktop application (collectively the “Service”). We separately collect personal information in relation to our sales prospecting, partnerships and service provider relationships, sending updates if you have shown an interest in our progress (e.g. newsletters and product update communications), and when you otherwise interact with us and provide this information. As used herein, “Personal Information” means information that we collect about you that relates to you or that can be used to identify you.
- This Privacy Policy applies in the following events:
- When you are visiting the Site, you interact with us in your capacity as a representative of a company who is our customer, you are a service provider/partner of Forma, a sales prospect or otherwise interact with Forma, then Forma will be the controller and therefore responsible under applicable privacy laws for your Personal Information. In that case, this entire Privacy Policy will apply and set out Forma’s privacy practices and your rights. Please review this Privacy Policy carefully before using the Service and contact us if you have questions.
- When you are using the Forma Platform and any related benefit services as an employee, Forma will be the processor of your Personal Information for the entity that is our customer and who is likely your employer (your “Employer”). This means that we will only process such Personal Information on the instructions of your Employer, for your Employer’s benefit program management purposes. In that case, your Employer will be responsible for your Personal Information and you should refer to their privacy policy to contact them or exercise your rights. In any event, the summary information included in the “FORMA AS A PROCESSOR” section at the end of this Privacy Policy describes how the Forma Platform generally functions where Forma is a processor.
- When you choose to spend your benefits on any item listed within the Forma Platform marketplace, you will be entering into a separate contractual relationship with the relevant vendor/service provider and your Personal Information (including any extra data you provide for purposes of that transaction) will be shared with that vendor/service provider as necessary to provide the requested service to you. Please note that the vendor/service provider will be an independent controller of your Personal Information and will process your Personal Information in line with their own privacy policy which will likely be on their website.
- We may update this Privacy Policy from time to time to reflect changes in our privacy practices. If we make any material changes, we will notify you. Changes that materially affect your rights or our obligations will go into effect thirty (30) days following such notification, at which point we will update the “Last Updated” date at the top of the page. Non-material changes or clarifications will take effect immediately. We encourage you to periodically check the Site for updates.
- WHAT INFORMATION DO WE COLLECT?
- We collect the following Personal Information about you:
- Information you give us:
- Your name, email address and marketing preferences when you register to receive any kind of marketing communication from us;
- Your name and content of your communication when you contact us or otherwise interact with us, including via web forms, phone, email, post or social media.
- Your name, contact information, and your survey responses when you participate in and complete any of our surveys we may ask you to complete for research purposes or to help direct Forma activities.
- Your personal email address when you subscribe to a service or make any purchases on your Forma Platform marketplace. If you are located in the US we will collect this by default, otherwise we will only collect this if you choose to provide it to us.
- Your phone number, for security reasons when you use our card services (e.g. multi-factor authentication, receive fraud text alerts for card transactions).
- Other information you voluntarily submit to Forma.
- Information we get from third parties:
- Your name, contact details, job title and company where you are an employee or representative of any of the companies we have a relationship with (e.g. a customer, supplier or partner of Forma); we may be provided with your Personal Information by your affiliated company during the course of this relationship.
- Information we get from your use of the Site and/or Service:
- Details of how you use the Site and/or Service.
- Your internet protocol address (i.e., IP address), internet service provider or carrier name, and, if you access the Site or Service from a mobile application, your unique mobile device ID number and non-email authentication.
- Browser and device information and information collected through Tracking Technologies (defined below), such as cookies, pixel tags, and other technologies.
- If you use our Site and/or Service from a mobile device, that device will send us data about your location based on your phone settings. We will ask you to opt-in before we use GPS or other tools to identify your precise location. Not applicable in the APAC region.
- HOW DO WE USE THE INFORMATION WE COLLECT?
- To service your employer. We process certain Personal Information about you only to the extent needed to service your Employer in managing your benefits in accordance with its benefit program/policy, which it operates in line with its own privacy policy (e.g., name, business email address, employment status, stipend usage data). Forma is a “processor” in this situation and the “FORMA AS A PROCESSOR” section at the end of this Privacy Policy describes in more detail how we process your Personal Information as a processor on behalf of your Employer.
- To facilitate your use of the Forma marketplace. We process certain data only to the extent needed to facilitate your use of the Forma marketplace (including sharing your Personal Information with vendors/service providers to allow them to provide you with services you have requested from them on the Forma marketplace and in processing their transactions for this purpose (e.g., credit card details, delivery address, personal email address)). The vendor/service provider is an independent “controller” of your Personal Information in this situation and their processing of your Personal Information is subject to their own privacy policies and terms.
- For our own purposes as controller of your Personal Information. We only use your Personal Information where we have a lawful basis (lawful reason) to do so under applicable privacy laws. Lawful bases on which we rely include your consent where you have given it, the legitimate interests of our business such as operating and providing the Site to you, and where we have a legal obligation. In particular, we use the information we collect as controllers:
- With Your Consent
- To send you marketing communications via email where you have agreed to receive these communications. We will only do this in line with your marketing preferences and you can opt-out of receiving these communications at any time by selecting the unsubscribe link in any email we send you, or by contacting us.
- Where we have a Legitimate Interest
- To contact you and to manage our relationship with you and/or your company where you are the representative of a customer/supplier with whom we have a business relationship.
- To register you for our surveys and to analyze the responses you have provided to our survey questions.
- To respond to your inquiries and fulfill your requests, for example, when you send us questions, suggestions, compliments or complaints, or when you request information about our Service. We may also take this information into account when improving the Service.
- To send you information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
- To make sure you are able to use our Site and Service, to monitor how our Site and Service are being used, to help us discover and fix any problems with our website and to determine what country you are in when you use our Site and Service.
- To protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
- To contact you on your personal email address (if we collect this information from you) about a pending subscription/purchase on your Forma Platform marketplace (including to transfer your contact details to the relevant service provider, fulfill claims you have made or issue you with a reimbursement) where you no longer have access to the Forma Platform of your Employer.
- Automatically: Personal Information is collected automatically when you access the Forma Platform using an electronic device, including an activity log unique to you that collects certain administrative and traffic information including your device details, device location, source IP address, time of access, date of access, web page(s) visited, language use, software crash reports and type of browser used. Personal Information is also collected from your electronic device through cookies and similar technologies (e.g. web beacons, pixel tags, etc.) placed on your device.
- Where we have a Legal Obligation
- We use your Personal Information to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities, and audit our internal processes for compliance with legal requirements.
- DO WE SHARE YOUR PERSONAL INFORMATION?
- We share your Personal Information in the following circumstances:
- Service Providers: We work with a wide range of third parties who provide services on our behalf, notably banking services, website hosting service providers, bulk email and SMS services, hosted database service, cloud computing services, advertising services, data analysts, application service providers, and other non-governmental organizations. We do not authorize them to use or disclose your Personal Information except in connection with providing their services.
- Payment processors: We work with payment processors to help process credit card transactions and other payment methods made through the Site and Service. These payment processors will store certain information about you. Please refer to their privacy policies to learn more about how they use your Personal Information. If you are provided with a payment card by one of our customers, your use of that card is subject to the Stripe Card Agreement found at https://stripe.com/card-program/legal and the Stripe Privacy Policy found at https://stripe.com/privacy. By using a payment card provided by one of our customers, you consent to Stripe’s collection, use, retention, and disclosure of your Personal Information pursuant to the Stripe Card Agreement and Stripe Privacy Policy.
- We may also transfer your Personal Information to a third party as a result of a merger, acquisition, reorganization or similar transaction; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of the Site and/or Service; and to protect Forma's rights or property. In such event, and to the extent legally permitted, we will notify you and, if there are material changes in relation to the processing of your Personal Information, give you an opportunity to consent to such changes.
- We may share your Personal Information with our affiliates, meaning an entity that controls, is controlled by, or is under common control with Forma. Our affiliates will use the Personal Information we share in a manner consistent with this Privacy Policy.
- We will also share Personal Information with companies, organizations or individuals outside of Forma if we have a good-faith belief that access, use, preservation, or disclosure of your Personal Information is reasonably necessary to (1) detect or protect against fraud or security issues, to enforce our Terms of Service, (2) meet any enforceable government request, (3) defend against legal claims, or protect against harm to our legal rights or safety, or that of our staff and/or users.
- We share your Personal Information where you give us express permission to do so in the course of your relationship with us from time to time.
- RETENTION OF YOUR PERSONAL INFORMATION
- We generally retain your Personal Information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. This will generally be for the duration of time you interact with us, however, there may be situations where we retain your Personal Information for a longer or shorter period. When determining the relevant retention periods for your Personal Information, we take into account the following factors: (a) any permissions you give us with regards to your Personal Information; (b) our contractual obligations and rights in relation to the Personal Information involved; (c) our legal obligation(s) under relevant laws to retain data for a certain period of time; (d) our legitimate business and commercial interests; (e) whether retention is advisable in light of our legal position (such as with regard to applicable statute of limitations, investigations, litigation, and other potential and actual disputes); and (f) any guidelines issued by relevant data protection authorities.
- COOKIE POLICY - WHAT ARE TRACKING TECHNOLOGIES, SUCH AS COOKIES AND WEB BEACONS, AND HOW DO WE USE THEM?
- How Do We Use Them?
- We, or third parties we do business with, may use certain technologies to automatically collect log files and other information about your usage of, and the devices you use to access, the Site and the Service (“Tracking Technologies”). For example, we may use Tracking Technologies like cookies, log files, web beacons, session replay scripts, or similar technologies to help us analyze our web page flow, customize our services, content and advertising, measure promotional effectiveness and promote trust and safety.
- You may delete and block all cookies from our Site and/or Service, but parts of the Site and/or Service will not work. We want to be open about our cookie use.
- Even if you are only browsing the Site and/or Service, certain information (including computer and connection information, browser type and version, operating system and platform details, and the time of accessing the Site and/or Service) is automatically collected about you. This information will be collected every time you access the Site and/or Service and it will be used for the purposes outlined in this Privacy Policy.
- You can reduce the information cookies collect from your device. An easy way of doing this is often to change the settings in your browser. If you do that you should know that (a) your use of the Site and/or Service may be adversely affected (and possibly entirely prevented), (b) your experience of this and other sites that use cookies to enhance or personalize your experience may be adversely affected, and (c) you may not be presented with advertising that reflects the way that you use our and other sites. You can find out how to make these changes to your browser at this site: www.allaboutcookies.org/manage-cookies/. Unless you have adjusted your browser settings so that it will refuse cookies, our system will send cookies as soon as you visit our Site and/or access our Service. By using the Site and/or Service you consent to this, unless you change your browser settings.
- Web beacons may be used to track the traffic patterns of users from one page to another in order to maximize web traffic flow. Our third-party advertising service providers may also use web beacons to recognize you when you visit the Site or access the Service and to help determine how you found the Site and/or Service. If you would like more information about this and to know your choices about not having this information used by these companies, please visit: the Digital Advertising Alliance’s website, http://www.aboutads.info/, or the Network Advertising Initiative’s website, http://networkadvertising.org/consumer/opt_out.asp.
- HOW DO WE SECURE YOUR PERSONAL INFORMATION?
- We take reasonable steps to protect your Personal Information against unauthorized access, alteration, disclosure, misuse, or destruction. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. The safety and security of your Personal Information also depends on you. You are solely responsible for keeping your membership details confidential, including any access credentials like passwords or mobile device PINs.
- YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION
- By law, you have a number of rights (subject to certain conditions and exceptions) when it comes to your Personal Information that we hold as controller, and you can exercise any of these rights by contacting us at privacy@joinforma.com.
- You have the right to object to us processing your Personal Information where we rely on “legitimate interest” (see the “How We Use Your Personal Information” section above) as a lawful basis for processing your Personal Information or where we are processing your Personal Information for any direct marketing purposes (e.g. to send you newsletters).
- You also have the right to:
- Request access to your Personal Information (commonly known as a “data subject access request”) and receive a copy of it, along with supplemental transparency information similar to what is provided in this notice.
- Request correction of the Personal Information that we hold about you if it is incomplete or inaccurate.
- Request erasure of your Personal Information where there is no good reason for us continuing to process it or where you have successfully exercised your right to object to our processing of your Personal Information.
- Request the restriction of processing of your Personal Information, for example, if you want us to establish its accuracy or the reason for processing it.
- Request portability of your Personal Information. If required to do so, we will provide you or another party with any Personal Information we have obtained from you, in a structured, machine readable and reusable format.
- Withdraw consent to the processing of your Personal Information at any time where we rely on your consent as a lawful basis for processing your Personal Information. This won’t affect anything we have used your Personal Information for before you withdraw your consent.
- Not be subject to decisions based solely on automated processing (including profiling) which have a legal effect on you or a similarly significant effect on you. This is relevant where we decide to use automated systems to process your Personal Information with no real human involvement.
- Lodge a complaint about the way we handle or process your Personal Information with a data protection regulator.
- LINKS TO THIRD PARTY WEBSITES
- We may provide links to other websites. We have no control over these websites and they are subject to their own terms of use and privacy policies. As such, we do not endorse and are not responsible for the availability of, or for any content, advertising, products, or other materials on or available from, these third party websites.
- HOW WE RESPOND TO DO NOT TRACK SIGNALS
- Your browser settings may allow you to automatically transmit a Do Not Track signal to websites and other online services you visit. We do not alter our practices when we receive a Do Not Track signal from a visitor’s browser because we do not track our visitors to provide targeted advertising. To find out more about Do Not Track, please visit http://www.allaboutdnt.com.
- CHILDREN UNDER 16
- The Service is not directed to individuals who are under the age of sixteen (16) and we do not solicit nor knowingly collect Personal Information from children under the age of sixteen (16). If you believe that we have unknowingly collected any Personal Information from someone under the age of sixteen (16), please contact us immediately at privacy@joinforma.com and the information will be deleted.
- A NOTE TO USERS OUTSIDE THE UNITED STATES
- Forma is based in the United States and so any of your Personal Information shared with Forma will be processed in the United States and may be collected, transferred to, stored and otherwise processed in any country where we have facilities or in which we engage service providers, in particular the United States. Please note that the US may have data protection laws less stringent than or otherwise different from the laws in effect in your country.
- If you are located in the United Kingdom (UK) or European Economic Area (EEA), and we share your Personal Information to parties in the US and any other countries not recognized as adequate for the transfer of your Personal Information, to the extent a safeguard is required under law for such transfers of your Personal Information, we have put in place Standard Contractual Clauses approved by the EU Commission (for EEA transfers) and the UK government approved international data transfer agreement/addendum (for UK transfers). Please contact us for further details on the safeguards in place and how to obtain a copy using the contact details below.
- FORMA AS A PROCESSOR
- As mentioned above, where you are an authorized user of the Forma Platform, your Employer is the controller of your Personal Information in relation to your use of the Forma Platform and is responsible for providing you with transparency information (like what we have generally provided in this Privacy Notice) on how your Personal Information is used. To keep you informed, we have provided a short summary of how your Personal Information is generally processed on behalf of your Employer when you use the Forma Platform. Please note that the summary provided here is for information purposes only and does not override any other privacy notices or transparency information provided to you by your Employer which apply to the Forma Platform.
- Personal Information we Collect
- We collect the following Personal Information from you when you use the Forma Platform:
- From You: Personal Information you provide when you sign-up for a Forma account and update your profile from time to time, the benefits you utilize on your Forma platform, customer support communications with us and any other information you provide to us or generate in connection with the Forma Platform, such as details of financial transactions you participate in on the Forma Platform, including the amount, currency, and method of payment.
- From Third Parties: Personal Information we receive about you from your Employer for the purposes of setting you up on the Forma Platform (including enabling you to utilize the Forma Platform as envisioned by your Employer) and provided to us by any of our partners or service providers in connection with your use of the Forma Platform.
- How we Use Personal Information
- We only use your Personal Information as instructed by your Employer, for the purposes of providing you with the Forma Platform and for the purposes of improving our business, services and product.
- How we Share Personal Information
- We only share your Personal Information when instructed to do so by your Employer, however sharing of your Personal Information is generally done by Forma only for the purposes of providing you with the Forma Platform. Your Personal Information will be shared with our service providers who ensure the Forma Platform works properly (e.g., banking services providers, hosting providers, communication providers, payment services providers and our customer service providers), the companies we enter into partnerships with to provide you with benefits on the Forma Platform, and our customer who is the controller of your Personal Information.
- Retention of Personal Information
- We follow your Employer’s retention rules since they are controllers of your Personal Information. However, in line with our company retention practices we will generally delete your Personal Information when you become an inactive user for an extended period of time (this will likely be if you are no longer engaged by your Employer). The specific time will have been agreed with your Employer.
- Data Subject Rights
- As controller of your Personal Information, your Employer will be responsible for complying with any requests you make exercising data subject rights concerning your use of the Forma Platform and you will need to contact your Employer directly to exercise your data subject rights. However, please note that the Forma Platform is designed to allow you to delete and correct the information on your user account subject to any restrictions put in place by your employer.
- International Transfers
- As noted above, Forma is located in the US, processing your Personal Information in the US when you use the Forma Platform and has engaged service providers in the US who also process your Personal Information. It is also possible that your Personal Information may be processed in other territories where Forma has operations. If you are in the UK and EU, we have put in place Standard Contractual Clauses approved by the EU Commission (for EEA transfers) and the UK government approved international data transfer agreement/addendum (for UK transfers) with your Employer and (where legally required to do so) with our service providers in the US or in countries not recognized as adequate for the transfer of your Personal Information. These are approved safeguards for the protection of your Personal Information when transferred internationally - you can ask your Employer about these international transfer safeguards.
CONTACT US
If you have any questions about this Policy, your Personal Information, or the Site and/or Service, you can contact us by email at privacy@joinforma.com or by mailing us at the below address:
Forma
c/o Data Protection Officer
47000 Warm Springs Blvd., Suite 1-170
Fremont, CA 94539
USA
Please contact us if you have any complaints or concerns with respect to your privacy. If you believe we are unable to assist you, you have the right to lodge a complaint with a supervisory authority in the relevant jurisdiction. However, we are committed to working with you to resolve any complaint or concern you may have with respect to your privacy.
Please contact your Employer first about any privacy concerns if Forma is acting only as the processor of your Personal Information in connection with the Forma Platform.
Data that wasn’t provided by your employer can be updated or deleted at your request by visiting https://forma.privacy.saymine.io/forma.