Mattermost Applicant Privacy Notice

Last Updated: September 13, 2024

Depending on the country or state where you live, you may have rights related to personal information Mattermost collects about you. Mattermost has developed this Applicant Privacy Notice (“Notice”) to help people applying to positions at Mattermost understand the personal information we collect, use, and share about you, as well as rights that may be available to you. If you are hired by Mattermost, then our policies for employees will apply to all personal information that we process about you, including personal information previously collected during the application process.

Information Collection

We collected and disclosed the following categories of personal information about our job applicants in the past 12 months, and we may also collect and disclose these categories of personal information going forward:

  • Personal and online identifiers (such as first and last name, email address, postal address, login credentials, or unique online identifiers)
  • Characteristics of legally protected classifications (such as race, gender, or sex)
  • Internet or other electronic network activity information (such as interactions with a website, application, or email)
  • Audiovisual information (such as call or videoconference recordings or other audio, electronic, visual, or similar information)
  • Professional or employment-related information (such as your employment history and resume, as well as citizenship documents for employment eligibility)
  • Education information (such as your education history and transcripts)
  • Sensitive personal information (such as passport information for eligibility purposes, in addition to other data types described above)
  • Other information about you that is linked to the personal information above (such as date of birth)

1. Legal Basis of Processing

Depending on where you live, we may need a valid legal basis to collect and process your personal information. If we do, depending on the circumstances, our valid legal basis to process each category may be:

  • Contract. We may process your personal information to perform a contract with you, or because you have requested we do something that requires us to process your personal information before creating a contract with you.
  • Legitimate Interest. We may process your personal information when it is in our legitimate interests to process the data, taking into consideration your interests, rights, and expectations. Our legitimate interests may include, for instance, determining your fitness for a particular role.
  • Consent. We may process your personal information when we have asked for your permission.
  • Legal Obligation. We may process your personal information to fulfill our legal and regulatory obligations.

2. Categories of Sources

We may collect personal information about our job applicants from the following categories of sources:

  • You.
  • Employment references.
  • Recruiters, including individuals who refer you to Mattermost.
  • Service providers.
  • Social media companies.
  • Educational institutions.
  • Background check providers.
  • Consumer reporting agencies.
  • Our affiliates.

3. Using Personal Information

We use and disclose the personal information we collect about our job applicants for our commercial and business purposes. These commercial and business purposes include, without limitation:

  • Processing, evaluating, and communicating with you about your application, including to check references, conduct background checks, and communicate with you about other jobs that may interest you.
  • Meeting other business purposes as identified in applicable laws, including:
    • Auditing and debugging;
    • Legal compliance;
    • Detecting and protecting against security incidents, fraud, and illegal activity;
    • Performing services (for us or our service provider) such as account servicing, processing orders and payments, and analytics;
    • Internal research for technological improvement;
    • Internal operations;
    • Activities to maintain and improve our business; and
    • Other one-time uses.

4. Sharing Personal information

We may disclose the personal information we collect to the following categories of recipients:

  • Service providers. We disclose the personal information we collect to our service providers, such as those who help us manage the application process.
  • Recruiters. We may disclose personal information to recruiters, such as to convey the status of your application.
  • Employment references. We may disclose personal information to references, such as to confirm the information you provided to us.
  • Background check providers. As legally permitted, we may disclose personal information to background check providers to obtain a background check.
  • Government entities. As legally required, we may provide personal information to government entities.
  • To third parties when legally required. We may also provide personal information to other third parties in response to legal process, for example, in response to a court order or a subpoena.
  • Our affiliates. We disclose the personal information we collect to our affiliated companies.

We do not sell the personal information we collect about job applicants or share such information for targeted (also known as “cross-context behavioral”) advertising purposes.

5. Retaining Personal information

Personal information may be stored by Mattermost or by service providers on our behalf. If you are hired, Mattermost will keep personal information about you for the duration of your employment with Mattermost and as otherwise required by law. If your application is not successful, we may retain your personal information as long as necessary to comply with legal requirements. We may also use your personal information in order to consider you for other job opportunities where permitted by applicable law.

6. European Privacy Rights

Individuals in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”) may have certain rights with respect to personal information we process about you. Subject to certain exceptions and limitations, you may have the rights:

  • To request information regarding our processing of your personal information.
  • To obtain the rectification of any inaccurate personal information stored by us or completion of such information.
  • To obtain the erasure of your personal information stored by us.
  • To obtain the restriction of processing of your personal information.
  • To receive your personal information that you have provided to us in a structured, commonly used and machine-readable format or to demand transmission to another controller.
  • To withdraw your consent once given to us at any time.

If you reside in the EEA, Switzerland, or UK and would like to exercise any of the above rights, please submit a request through our online request form.

In addition to the above-listed rights, you may also have the right to lodge a complaint with your local data protection authority. Further information about how to contact your local data protection authority is available at https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

7. California Privacy Rights

California residents have certain rights under the California Consumer Privacy Act (“CCPA”) related to personal information Mattermost collects. Subject to certain exceptions and limitations, you may have the rights:

  • To know the categories and specific pieces of personal information we collect, use, and disclose about you, the categories of sources from which we collected personal information about you, our purposes for collecting or disclosing personal information, and the categories of third parties to which we have disclosed personal information.
  • To request that we delete the personal information we have collected from you.
  • The correct inaccurate personal information we maintain about you.

You also have the right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.

While the CCPA provides an opt-out opportunity related to sensitive personal information, Mattermost uses and discloses sensitive personal information, as defined under the CCPA, only for purposes permitted by the CCPA that do not require an opt-out opportunity.

If you are a California resident and would like to exercise any of the above rights, please submit a request through our online request form or by emailing [email protected].

Verification Process and Required Information. In some cases, we may need to request additional information from you to verify your identity or understand the scope of your request. Generally, we verify your identity by matching the information provided in your request with the information we maintain in our records.

Authorized Agent. California residents may designate an authorized agent to submit a request on your behalf. To designate an authorized agent to make a request on your behalf, you must provide the agent with signed permission to do so and provide proof of your identity, or the agent must have a valid power of attorney. An authorized agent can make a request on your behalf through one of the submission methods noted above. For us to process the request, the authorized agent will be required to provide evidence of signed permission and your e-mail address to verify your identity, or proof of valid power of attorney.

8. International Data Transfers

If you are located in the European Union (“EU”), Switzerland, or the UK, please note that we may transfer personal information to a country that offers a level of protection that may, in certain instances, be less protective of your personal information than the jurisdiction where you reside.

For transfers like these to the United States, Mattermost complies with the EU–U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss–U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively, the “Frameworks”). Mattermost has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal information received from (i) the EU in reliance on the EU-U.S. DPF; and (ii) the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Mattermost has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF.

If there are any conflicts between the terms in this Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles”), the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Onward Transfers. Mattermost is accountable for the processing of personal information it receives under the Frameworks and subsequently transfers to a third party. Mattermost complies with the DPF Principles for all onward transfers of personal information from the EU, UK, and Switzerland, including the onward transfer liability provisions.

Personal Information Processing. Mattermost commits to subject to the DPF Principles all personal information received from the EU, UK, and Switzerland in reliance on the relevant Framework. Information about the types of personal information collected, the purposes for our information collection and use, as well as the types of third parties with whom we share personal information and purposes for this sharing can be found above in this Notice. We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Dispute Resolution and Enforcement. In compliance with the DPF Principles, Mattermost commits to resolve DPF Principles-related complaints relating to your privacy and our collection or use of personal information without any charge to you. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal information received in reliance on the Frameworks should first contact us at [email protected].

When you contact us, we will work to resolve your issue quickly. Mattermost commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unsolved complaints related to human resources personal information received in reliance on the Frameworks in the context of your employment relationship with Mattermost.

You may engage the appropriate authority concerning adherence to the applicable DPF Principle, and Mattermost shall respond directly to such authorities with regard to investigations and resolutions of complaints.

Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

The Federal Trade Commission has jurisdiction over Mattermost’s compliance with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF.

9. Changes to This Notice

If our information practices change, we will update this Notice and post the changes on this page. We encourage you to visit this page periodically to learn of any updates.

10. Contact Us

For questions or concerns about Mattermost’s privacy practices, please contact us at [email protected].