California Employee Privacy Notice
Effective Date: January 1, 2023
Phreesia, Inc. (“Phreesia,” “we” or “us”) is providing this notice to employees who are California residents to identify the categories of personal information that may be collected from or about them and the reasons why Phreesia processes such information. This California Employee Privacy Notice is intended to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and does not apply to any employees who are not California residents.
- “Personal information” has the meaning defined in the CCPA. Personal information includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked—directly or indirectly—to you.
- “Process,” “processed” or “processing” means any operation or set of operations that is performed with personal information, whether or not by automated means. By way of example, processing can include collection, storage, use, and disclosure of personal information.
- “Employees,” “employee” or “you” means an identified or identifiable natural person who (1) is a California resident and (2) is a Phreesia job applicant, employee, contractor or prospective candidate. In this Privacy Notice, “job applicant” means any person who has submitted his or her job application to Phreesia; “employee” means any person who is employed by Phreesia as a full-time or part-time employee or temporary worker; “contractor” means a natural person other than an employee who provides a service pursuant to a written contract; and a “prospective candidate” means a person who has not yet submitted his or her job application to Phreesia, but about whom we gather information and with whom we may communicate about a potential position.
- Personal Information We Collect About Employees
Listed below are the categories of personal information that Phreesia may process about employees:
- Identifiers, including real name, alias, postal address, unique personal identifiers, email, account name, social security number, driver’s license number, passport number or other similar identifiers. “Unique personal identifiers” are persistent identifiers that can be used to recognize an employee, or a device linked to an employee, over time and across different services, including but not limited to: a device identifier; an Internet Protocol address; cookies, beacons, pixel tags or similar technology; a unique pseudonym or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers.
- Characteristics of Protected Classifications Under California or Federal Law and Other Sensitive Personal Information, including the following: race, skin color, citizenship, legal authorization to work in the United States, religion, sex/gender (including pregnancy, childbirth, breastfeeding and/ or related medical conditions), gender identity and preferred pronouns, gender expression, sexual orientation, marital status, medical, disability, military or veteran status, request for family care leave, request for leave for an employee’s own serious health condition, request for parental leave, and age.
- Full-Face Images and Video Recordings of you.
- Professional or Employment-Related Information, including job-related data maintained as part of the employment relationship that is present in: a job application or resume; an employment contract; a contractor agreement; a performance review; a disciplinary record; photos; vaccination status; information from employee expenses; browsing and search history; payroll and benefits-related data; internal and external contact information; or information captured from video, audio, systems, and other forms of monitoring or surveillance.
- Education Information, including information about an employee’s educational background, such as degrees, certifications, education records, transcripts, payment, and coursework.
- Inferences, including any information drawn from any of the personal information categories referenced above that creates a profile of an employee that reflects the employee’s characteristics, attitudes, intelligence, abilities, and aptitudes.
- Sources of Personal Information
We may collect personal information directly from you, automatically from devices you use, and from third parties.
- Use of Employee Personal Information
Phreesia uses employees’ personal information for employment-related activities, such as: making hiring decisions; facilitating employees’ enrollment in benefits programs; managing payroll, salaries, expense reimbursement, and leaves of absence; conducting performance reviews; monitoring work-related licenses and credentials; providing human resources services; maintaining contact information; providing emergency assistance; monitoring work eligibility and immigration matters; conducting internal business activities, including performing analytics and conducting staff surveys; administering and monitoring the workplace; maintaining security on devices and websites; and complying with applicable law or regulatory requirements.
- Disclosure of Employee Personal Information
Phreesia does not sell your personal information. However, we may disclose certain personal information for a business purpose, including to vendors who assist us in our uses of personal information as described above. We also may disclose your personal information, with your consent, to comply with applicable legal or regulatory requirements, or in connection with a business transfer.
- Retention of Employee Personal Information
We may retain your personal information for as long as it is necessary for fulfilling the purposes for which we collected it, to satisfy legal and regulatory requirements, or as required or permitted by applicable law.
- Your Rights and How to Exercise Them
- Right to Know and Access the Personal Information We Collect and Share
The CCPA gives you the right to request that we disclose the specific pieces of personal information we have collected about you, which we will do after we receive and validate your request.
When you make a request to receive your personal information, we will send you a list of the categories of personal information that we may have disclosed about you, as well as the categories of third parties to whom your personal information may have been disclosed.
You have the right to make two free requests within any 12-month period. We will make the disclosure within 45 days of receiving your request, unless we request an extension. In the event that we reasonably need a 45-day extension, we will notify you of the extension within the initial 45-day period.
- Right of Deletion
You have the right to request that we delete your personal information, subject to certain exceptions. After we receive and validate your request, we will delete your personal information, as well as direct our service providers to delete your personal information, unless an exception applies.
- Right of Correction
You have a right to request that we correct inaccurate personal information, which we will do after we receive and validate your request.
- Right to Non-Discrimination
You have the right not to be subject to discriminatory treatment for the exercise of your privacy rights under the CCPA. We will not discriminate or retaliate against you for exercising your privacy rights.
- Right to Know and Access the Personal Information We Collect and Share
This Notice will be updated regularly to reflect changes in our business, legal or regulatory obligations.
- How to Contact Us and Exercise Your Rights
If you or an authorized agent have questions about, or wish to exercise, your rights under this notice, you may reach us at firstname.lastname@example.org or by calling 844-520-0002 toll-free and leaving a voicemail message.
We may ask you for additional information to verify your identity, such as the date you submitted information to us or a copy of government-issued identification.