Updated 21 August 2020
Responsible data controller in the meaning of Art. 4 No. 7 GDPR is:
ThoughtWorks, Inc., 200 E Randolph St, 25th Floor, Chicago, Illinois 60601, USA; Phone: +1312 373 1000; E-Mail: email@example.com; Website: www.thoughtworks.com
You can contact the data protection officer via email at: firstname.lastname@example.org
2. General Information
During the course of carrying out our business and performing our services, ThoughtWorks collects personal data to conduct our business, provide and market our services, and meet our legal obligations. Likewise, we may also collect personal data for other purposes, which we would describe in more detail to you at the point we collect the personal data.
You may refuse to provide us with some or all of your personal data; however, this may limit the ways in which we can interact with you, including providing you with our services.
We collect personal data through our internet access logs. When you access our website, your internet address is automatically collected and is placed in our internet access logs (i.e., log files on server). We also record the URLs of the websites and pages you visit, the times and dates of such visits, information about the computer hardware and software you use.
This information may include Internet protocol (IP) addresses, browser type and version, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data, number of visits, websites from which you accessed our site (Referrer), and websites that are accessed by your system via our site.
The processing of this data is necessary for the provision and the security of our website. The legal basis for this processing is Art. 6(1)(f) GDPR. We do not link these data to certain individuals. After the processing for the mentioned purposes, the data will be deleted.
On our website we use several contact forms which can be used to get in contact with us electronically. To handle your request it is necessary to provide us with a valid email address, and, in addition, we store your IP address and the time of your request to prevent any misuse of our contact forms. Alternatively, you may contact us via the e-mail addresses cited above (Section 1). If you use one of these channels, the personal data transmitted will be stored automatically by ThoughtWorks as data controller to handle our contact with you. The legal basis for this processing is Art. 6(1)(f) GDPR.
In some cases we may ask you for further information, such as name, occupation, address or telephone number. Regarding the processing of this personal data you will be asked to grant your explicit consent. The legal basis for this processing is Art. 6(1)(a) GDPR.
5. Registration on our website
If you make use of our website to register for certain services or events, or to download e-books you will be asked to provide personal data. The information inserted in the respective registration form will be transmitted to ThoughtWorks as data controller. The legal basis for the processing of data - which is necessary to provide you with the respective service - is Art. 6(1)(b) GDPR. Regarding the processing of further personal data you will be asked to grant your explicit consent, and the legal basis for that processing is Art. 6(1)(a) GDPR.
All registration forms will be provided and managed by Marketo EMEA Ltd., Cairn House, South County Business Park, Leopardstown Road, Dublin 18, Ireland (“Marketo”) as our service provider. The personal data you provide thereby will thus be collected and stored on our behalf by Marketo and shared with entities within the ThoughtWorks group of companies as related to the underlying processing and subject to ThoughtWorks ensuring that appropriate agreements are in place between the ThoughtWorks entities, which will include but is not necessarily limited to Model Clause agreements for any transfers between EU/EEA based entities and non-EU/EEA based entities (see listing of ThoughtWorks various entity offices at https://www.thoughtworks.com/contact-us.
In addition, Marketo uses functional cookies for analytic purposes, see more details in Section 12.9. Any non EU/EEA transfer of your personal data in conjunction with the processing by Marketo is covered by Model Clause agreement(s). Upon your registration, your IP-address and date and time of your registration will be collected. This allows us to prevent misuse of our services. The legal basis for this processing is Art. 6(1)(f) GDPR.
6. Application for Jobs
Our website offers the opportunity to apply for employment, either via a job advertisement published on our side, or as speculative application. If you make use of these possibilities by providing your personal data, including contact details, experiences, roles, etc. or provide (solicited or unsolicited) special categories of personal data (see Section 7), the information inserted in the application form or otherwise provided (e.g., by you including it in a resume) will be transmitted to ThoughtWorks as data controller. With regard to the processing of this personal data you will be asked to grant your explicit consent. The legal basis for this processing is Art. 6(1)(a) GDPR. We store this personal data only for internal use to handle your application. We will delete your personal data on completion of the application process if further retention is not required for the establishment, exercise or defence of legal claims occurring out of the application process, or unless this personal data are required for the formation of or performance under a contract.
Please be aware that application forms will be provided and managed by Greenhouse Software, Inc., 110 Fifth Avenue, 3rd Floor, New York, NY 10011, USA, www.greenhouse.io (“Greenhouse”) as our service provider. The personal data you provide will thus be collected and stored on our behalf by Greenhouse and shared with the respective ThoughtWorks entity(ies) processing your application.
Any non EU/EEA transfer of your personal data in conjunction with the processing by Greenhouse is covered by a Model Clause agreement for the transfer of personal data to third countries.
At your registration on the job application portal, your IP-address and date and time of your registration will be collected. This allows us to prevent misuse of our services. The legal basis for this processing is Art. 6(1)(f) GDPR.
7. Unsolicited special categories of personal data
Other than the information you provide when you apply for a job at ThoughtWorks (see Section 6), we do not generally seek to collect special categories of personal data through this site.
"Special categories of personal data" includes the various categories of personal information and data identified by privacy laws of United States, European and other jurisdictions as requiring special treatment, including in some circumstances the need to obtain explicit consent. These categories may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning sexual orientation (Art. 9 GDPR).
Therefore, we advise you not to provide any unsolicited sensitive personal data. ThoughtWorks applies HTTPS or other appropriate technical and organizational measures to secure the personal data transmitted over its website.
We may provide the opportunity to sign-up for a periodic email newsletter by entering in your email address and confirming it by clicking on a confirmation link sent to you by us by e-mail (double opt-in). The legal basis for this processing is Art. 6(1)(a) GDPR.
In some cases we may ask you for further information, such as name, occupation, address or telephone number. Regarding the processing of this personal data you will be asked to grant your explicit consent. The legal basis for this processing is Art. 6(1)(a) GDPR.
If you subscribe for our periodic email newsletter your IP address as well as data and time of subscription will be collected and stored at ThoughtWorks as data controller. This allows us to prevent misuse of our services or of the e-mail address of the subscriber. The legal basis for this processing is Art. 6(1)(f) GDPR. This data is only used for the distribution of the newsletter. The subscription may be terminated by you at any time by following the unsubscribe instructions included in each newsletter. We will delete the relevant personal data promptly upon your unsubscribe instruction.
Our website offers publicly accessible blogs. You should be aware that any information you provide in these areas may be read, collected and used by others who read them. Our blog is managed by a third party application Feedly, which is a service of Feedly, Inc. 285 Hamilton Avenue, Suite 250, Palo Alto, CA 94301, https://feedly.com/i/welcome (“Feedly”) that may require you to register to post a comment. Feedly is a news aggregator application for various web browsers and mobile devices running iOS and Android, and it is also available as a cloud-based service. It compiles news feeds from a variety of online sources for the user to customize and share with others. We use Feedly on our website to display aggregated blogs that have been written by ThoughtWorks employees and alumni. We also display the Feedly widget on the page and clicking on it will take the user to the Feedly application. Find more information about Feedly’s privacy practices here. The legal basis for this processing is Art. 6(1) (b) and (f) GDPR.
We display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent we may post your testimonial along with your name. The legal basis for this processing is Art. 6(1)(a) GDPR. If you wish to update or delete your testimonial, you can contact us at email@example.com.
11. Cookies (General Information)
When you visit our website, the following categories of cookies will be set in your browser:
11.1 Strictly necessary cookies
These cookies are essential in order to enable you to move around a site and use its features. Without these cookies services you have asked for cannot be provided.
Registered Visitor Cookie - A unique identifier given to each registered user, used to recognize you anonymously through your visit and when you return to the site.
11.2 Performance cookies
These cookies collect information so that we can analyse how our visitors use our site. These cookies do not collect information that identifies you. All information these cookies collect is anonymous and is only used to improve how our site works.
11.3 Functional cookies
These cookies allow websites and applications to remember choices you make (e.g., such as your user name or the region you are in) and provide enhanced, more personal features.
We may use information collected from functional cookies to identify user behaviour and to serve content based on the user profile. These cookies cannot track your browsing activity on other websites. They do not gather any information about you that could be used for advertising or to record where you’ve been on the Internet outside our site.
11.4 Targeting cookies
In order to keep our website services relevant, easy to use and up-to-date, and understand interest in our services we use web analytics services to help us understand how people use the site.
Cookies allow web analytics services to recognise your browser, device, or IP address and, for example, identify whether you have visited our website before, what you have previously viewed or clicked on, and how you found us. The information is only used for statistical purposes, and it helps us to analyse patterns of user activity, user interests, and to develop a better user experience.
12. Third Party Applications
ThoughtWorks shares your personal data with third parties, in particular non-ThoughtWorks parties, only with your express consent or under another lawful basis for processing under the applicable law.
Categories of non-ThoughtWorks parties with which we share your personal data include vendors such as host and cloud service providers, marketing and mailing agencies, and sub-contractors involved in the fulfilment of our contractual obligations towards our clients. The legal basis for this processing is Art. 6(1)(f) GDPR.
Our website employs the bookmark service AddThis. AddThis is a service of Clearspring Technologies Inc., 8000 Westpark Drive, Suite 625, McLean, VA 2210, USA, http://www.addthis.com/. Each time our website receives an access request equipped with an AddThis component, the component prompts your browser to download an image of this component from AddThis. Through this process, AddThis is informed exactly which page of our website is being accessed. In addition, AddThis also records your IP address, browser type, browser language, the website previously accessed as well as the date and time you visited the site and uses this data to compile an anonymized user profile. This data allows AddThis and its partner companies to direct targeted personalized ads at website users based on their particular interests. The display of advertising material occurs based on a browser cookie put in place by AddThis, which analyzes user interaction with the website. You can permanently prevent AddThis from placing a cookie on your browser by downloading and installing the opt-out cookie available at the following link: http://www.addthis.com/privacy/opt-out.
Amazon CloudFront is a web service of Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, http://aws.amazon.com (“CloudFront”) that speeds up distribution of static and dynamic web content such as .html, .css, .js, and image files, to users. CloudFront delivers content through a worldwide network of data centers called edge locations. When a user requests content that is being served with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
• If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.
• If the content is not in that edge location, CloudFront retrieves it from an Amazon S3 bucket (where we have hosted our assets for the website) or an HTTP server (in our case, our production web servers in Rackspace) that has been identified as the source for the definitive version of the content.
CloudFront captures information about each request that includes system logs which captures the following information: IP address, lat/long of the server which served the request, country and date and time. More information about AWS's privacy practices can be found at https://aws.amazon.com/privacy/.
Disqus is an online service provider of Disqus, Inc, 301 Howard St, San Francisco, CA 94105, USA, https://disqus.com/ (“Disqus“), which provides a centralized discussion platform for websites. In our online services, we have integrated Disqus plugins that allow website visitors to post comments on our websites and link comments across multiple sites (including third party websites).
If you enter a page on our website which includes a Disqus plug-in, your browser will establish a direct connection to the Disqus servers from where the plug-in is loaded. The information that your browser visited the corresponding page of our online services is transmitted to Disqus, even if you do not have a Disqus account or are not logged into your account. This information is sent directly from your browser to a Disqus server in the USA and stored there.
If you log into your Disqus account at the same time, it is also possible to assign the page retrieval to your Disqus account and allow Disqus to assign your surfing behavior directly to your account.
If you want to block the transmission and storage of your data and your behaviour, you must log out of your Disqus account before you visit our website and delete any cookies placed by Disqus.
To post a comment on our website (using a Disqus plug-in), you must log into your Disqus account. When you post a comment on the website, Disqus collects information about your visit to our website and other websites, including the information you post and your IP address. Your comment will be sent directly to the Disqus servers through an iframe.
12.4 Facebook conversion pixels
We use the “Custom Audience pixel” of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) on our website. With its help, we can keep track of what users do after they see or click on a Facebook advertisement. This enables us to monitor the effectiveness of Facebook ads for purposes of statistics and market research. Data collected in this way is anonymous to us, which means we cannot see the personal data of individual users. However, this data is saved and processed by Facebook. Facebook can connect this data with your Facebook account and use it for its own advertising purposes, in accordance with Facebook’s Data Policy which can be found at https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to place ads on and outside of Facebook. A cookie can also be saved on your device for these purposes.
Please click here if you would like to withdraw your consent https://www.facebook.com/settings/?tab=ads#_=_
12.5 Google Analytics
Our website uses Google Analytics, a web analysis service of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, www.google.com (“Google Analytics” or “Google”). Google Analytics employs cookies that are stored to your computer in order to facilitate an analysis of your use of the site. The information generated by these cookies, such as time, place and frequency of your visits to our site, including your IP address, is transmitted to Google’s location in the US and stored there.
In using Google Analytics our website employs the extension “anonymizeIp”. In doing so, Google abbreviates and thereby anonymizes your IP address before transferring it from EU/EEA member states. Google uses this information to analyze your use of our site, to compile reports for us on internet activity and to provide other services relating to our website.
Google Analytics also uses electronic images known as web beacons (sometimes called single pixel gifs) and are used along with cookies to compile aggregated statistics to analyze how our site is used.
You can find additional information on how to install the browser add-on referenced above at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
For the cases in which personal data is transferred to the US, Google has self-certified pursuant to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework).
12.6 Google Tag Manager (GTM)
● Google Analytics
● Marketo Munchkin
● Facebook Conversion Pixels
● Twitter tailored audience
12.7 Greenhouse Tracking Links
When a job application is submitted through our Greenhouse forms, we capture certain pieces of information (see Section 6 for details). In some marketing campaigns, we use ‘Greenhouse Tracking Links,’ which are URL parameters attached to inbound links to our job posts. When a job application is submitted, Greenhouse captures this parameter and is able to determine which advertising or promotional channel directed you to that job posting. This enables ThoughtWorks to gauge which channels are most effective.
Libsyn https://libsyn.com/ is an audio hosting service and publishing tool.
5001 Baum Blvd., Suite 770, Pittsburgh, PA 15213
We use Libsyn to host our external-facing podcasts on Apple Podcasts, Spotify, Google Play and other platforms. We also embed a Libsyn-generated web player onto our podcast landing pages.
12.9 LinkedIn Insight Tags
We use the “LinkedIn Insight Tag” of LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA (“LinkedIn”) on our website. It helps us with in-depth campaign reporting and insights about our website visitors. It can also be used to track conversions, retarget website visitors, and unlock additional insights about members interacting with our ads on LinkedIn.
The LinkedIn Insight Tag enables the collection of data regarding members’ visits to our website, including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp. This data is encrypted, the IP addresses are truncated, and members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining, pseudonymized data is then deleted within 90 days.
LinkedIn does not share personal data with us, it only provides aggregated reports about the website audience and ad performance. LinkedIn also provides retargeting for website visitors, enabling us to show personalized ads off our website by using this data, but without identifying the member. LinkedIn members can control the use of their personal data for advertising purposes through their account settings.
12.10 LinkedIn SlideShare
LinkedIn SlideShare is a Web 2.0–based slide hosting service of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085 USA, www.linkedin.com. Users can upload files privately or publicly in the following file formats: PowerPoint, PDF, or OpenDocument presentations. Slide decks can then be viewed on the site itself, on hand held devices or embedded on other sites. Our website uses the plugins offered by LinkedIn Slideshare to primarily share presentations and PDFs.
12.11 Marketo Munchkin
We use third party marketing software from Marketo to send our emails. This is a service provided by Marketo, Inc., 901 Mariners Island Boulevard, Suite 500, San Mateo, CA 94404 USA, www.marketo.com (“Marketo”). We use Marketo cookies as part of tracking so we have information on email open rates and click through rate as well as tracking activity on the website. For registered users (see Section 5), this data may be linked to your user profile.
How does it work?
What does Munchkin Capture?
When on a page, Munchkin automatically gathers the following information:
● Page Visits
● Link Clicks
● IP Address
● Our cookie ID.
If you prefer that we do not place this cookie on your web browser you may opt out by clicking the Do Not Track (DNT) feature in your browser. This prevents tracking for your particular browser and device.
Salesforce.com, Inc. (usually abbreviated as SF or SFDC) is an American cloud-based software company headquartered in San Francisco, California. Salesforce is the primary enterprise offering within the Salesforce platform. It provides companies with an interface for case management and task management, and a system for automatically routing and escalating important events. The Salesforce customer portal provides customers the ability to track their own cases, includes a social networking plug-in that enables the user to join the conversation about their company on social networking Web sites, provides analytical tools and other services including email alert, Google search, and access to customers' entitlement and contracts.
For our marketing purposes, the personal data which is stored in Marketo is passed over to Salesforce, where it is viewed and managed by our sales team.
More information about
Salesforce’s privacy practices can be read at https://www.salesforce.com/in/company/privacy/.
Siftrock is a Drift.com company, with headquarters at 625 1st Avenue Suite 300 Seattle, WA 98104 United States. The Company manages and mines marketing email replies to improve database hygiene and deliverability, as well as renders email reply management for marketing automation.
Siftrock enables us to parse the direct emails received by our marketing team, and update the information of the sender in Marketo and Salesforce. Details about Siftrock's policy for collecting and processing the user information can be found at https://siftrock.com/about/privacy/
SoundCloud is an online audio distribution platform provided by SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany, c/o JAG Shaw Baker, Berners House, 47-48 Berners Street, London W1T 3NF, UK; www.soundcloud.com, (“SoundCloud”). SoundCloud enables its users to upload, record, promote and share their originally-created sounds. On our website we use SoundCloud to share podcasts in posts, and use SoundCloud plugins on our website. When you visit our website, a connection is established with the SoundCloud servers and the plugin is shown. This provides the SoundCloud server with information about the sites you have visited on our website. If you are logged onto SoundCloud as a member, then SoundCloud may automatically assign this information to your personal user account. When you activate the plugin (e.g., by clicking the start button of an audio file), the corresponding information is also assigned to your user account. You can prevent the automatic assignment of this information by logging out of your SoundCloud account and deleting its respective cookies before logging onto our website.
User interaction with the embedded player includes the following functionality:
• duration of playback
• shares made on the podcast
However, all the information will be at an aggregated level and specificity is abstracted out. More information about SoundCloud’s privacy practices can be found at https://soundcloud.com/pages/privacy.
Sumo Logic is a cloud-based log management and analytics service of Sumo Logic, Inc., 305 Main Street, Redwood City, CA 94063, USA, www.sumologic.com (“Sumo Logic”) that leverages machine-generated big data to deliver real-time IT insights. Sumo Logic uses a piece of software called an “Installed Collector”. An Installed Collector is a Java agent that receives logs and metrics from its sources and then encrypts, compresses, and sends the data to the Sumo service. As its name implies, an Installed Collector is installed in your environment, as opposed to a Hosted Collector, which resides on the Sumo service. After installing an Installed Collector, you add sources, to which the Installed Collector connects to obtain data to send to the Sumo service.
A Sumo source is an object, configured for a specific collector that scans a particular target periodically and sends newly available data to the Installed Collector. SumoLogic collectors are baked into all the server images used by the website and collect the following information.
● IP address;
● date and time;
● session ID;
● Browser and version; and
● OS and version.
12.16 Twitter tailored audience
Tailored audiences is the tool of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, www.twitter.com (“Twitter”), used to target existing users and customers to create remarketing campaigns. Targeting activity can include directly reaching out to users or visitors to the ThoughtWorks website and campaign pages and/or retargeting previous customer lists. Twitter sets a minimum size limit for a tailored audience to 500 users. If the tailored audience does not match 500 Twitter users, it will display as "audience too small" and will not be available for targeting. Details about Twitter’s policies for conversion tracking and tailored audiences can be found at https://business.twitter.com/en/help/ads-policies/other-policy-requirements/policies-for-conversion-tracking-and-tailored-audiences.html.
12.17 Urchin Tracking Module (UTM)
UTM tags are not tools. UTM works as a custom URL for marketing campaigns and reports can be viewed in platforms like Google Analytics. UTM tags are appended as part of the visible URL in marketing programs to understand the specific instance of a link. UTM tag reports are observed in Google Analytics/Marketo (see Sections 12.7 and 12.9) for understanding visitors to our website – for example, if they have visited the website, clicked on a link or signed up to a conference/event. These details are collected at an aggregated level. Customizing the URL with UTM tags allows us to better understand the marketing activity, which then allows us to better serve our audience.
The tracking occurs via the UTM parameters that are appended in the URL. When a user clicks an UTM tagged URL, based on the parameters set, we will be able to track from which end source the user has interacted with that URL.
Wistia provides software for creating, managing, and sharing videos for business with a customizable player and detailed analytics. Our website uses Wistia, provided by Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA, www.wistia.com (“Wistia”) to host videos. Wistia includes features such as an integrated CDN (content delivery network) for faster loading, and improved quality control depending on the device type and internet speed of the user. It also features the ability to add subtitles for better clarity of the video content. Whenever you interact with any videos on our website, Wistia automatically receives and records information on its server logs from your browser including your IP address, cookie information, and the page you requested.
12.19 Zoom Communications
Zoom Video Communications is a remote conferencing services company headquartered in San Jose, California. It provides a remote conferencing service that combines video conferencing, online meetings, chat, and mobile collaboration. Zoom enables us to run virtual events and webinars for our audiences. The information collected during the virtual event / webinar registration process on our website is passed over to Zoom to ensure seamless user experience for the attendees.
Details about Zoom's policy for collecting and processing the user information can be found at https://zoom.us/privacy-and-legal
13. Social Media Links
You can find ThoughtWorks on the following social media:
These providers are controllers for the relevant data processing.
14. Deletion and Term of Storage
As soon as the purpose for data storage is achieved, or the appropriate term of storage provided for by any applicable laws or regulations expires, your personal data will be deleted consistent with this and any other applicable ThoughtWorks policies (e.g., document retention and/or records management policy) unless your personal data are required for the formation of or performance under a contract.
15. Your rights as data subject
You have the following rights:
● Right of access (Art. 15 GDPR)
In principle, you have the right to receive information on the points mentioned in Art. 15 GDPR. You also have the right to request a copy of your personal data in accordance with Art. 15 (3) GDPR.
● Right to rectification or erasure (Art. 16 and 17 GDPR)
You have the right to have incorrect personal data corrected. In addition, you have the right to demand that your personal data is deleted if further processing is no longer necessary, if processing is unlawful or if you have withdrawn your consent.
● Right to restriction of processing (Art. 18 GDPR)
If the conditions in Art. 18 GDPR are met, you have the right to have the processing of your personal data restricted, i.e. to prevent further processing for the time being.
● Right to object (Art. 21 GDPR)
If the processing of your personal data is based on Art. 6 (1)e or f GDPR, you have the right to object to the processing if the further requirements of Art. 21 GDPR are met.
● Right to data portability (Art. 20 GDPR)
Within the limits of Art. 20 GDPR, you have the right to receive your personal data in a machine-readable format in order to forward it or have it forwarded to another controller.
You can require this by sending us an email at firstname.lastname@example.org.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the location of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the applicable data protection laws and regulations.
16. Changes to the Policy