
Privacy Policy Notice 
 

​

1. About Invisors

​

Invisors, LLC (hereinafter collectively referred to as “Invisors,” “we,” “us” or “our”) takes data protection seriously and is committed to safeguarding all data in our possession and ensuring the privacy of our customers. We will only use information provided to us for specified and lawful purposes as provided under the UK and EU General Data Protection Regulations and will handle this information both respectfully and responsibly.

​

Invisors shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Invisors has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Invisors holds an SOC2 Type II certification which is renewed annually. Invisors cannot guarantee the security of Information on or transmitted via the Internet.

​

Invisors shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Invisors shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.

​

This privacy notice provides details about how your personal information is collected, shared and used by us. To learn more about Invisors, visit www.invisors.com. If you have any questions about this privacy notice or the practices described herein, you may contact security@invisors.com.
​

​

2.  GDPR

​

We have revised our Privacy Notice to comply with the UK GDPR (now referred to as ‘GDPR’) ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.

 


3. Information covered by this Privacy Notice

​

This privacy notice covers personal information, including any information we collect, use and share from you, as described further below. This privacy notice applies to all Invisors websites, our products, and services (collectively, the “Services”). 

​

When you purchase a Service from us, your personal information will be collected, used, and shared consistent with the provisions of this privacy notice.
 

​

4. Definitions

​

The Privacy Notice of Invisors is based on the terms used by the UK legislator for the adoption of the General Data Protection Regulation (GDPR). We use the following terms:

 

  • Personal data - Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Data subject - Data subject is any identified or identifiable natural person whose personal data are processed by the controller responsible for the processing. Within this data protection policy, the terms “you” and “data subject” are used freely and interchangeably.

  • Processing - Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • Controller - Controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

  • Processor - Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

  • Recipient - Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

  • Sub Processor - Sub Processor is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the processor, are authorized to process personal data.

  • Consent - Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

​

5. Information we collect from you

 

The information that is processed by Invisors falls into three distinct categories:

​

•    Client, supplier and prospect contact information, including enquiries submitted via the www.invisors.com website. Invisors are a data controller in this situation.

•    Data processed on behalf of our customers. Invisors are a data processor in this situation.  We collect this data for the purposes described under “How We Use Your Information”.
•    Personnel information in relation to Invisors company employees. Invisors are a data controller in this situation.

 

​

5.1    Data collected via our website

​

For each visitor to our web page, our web server may use a tracking code or collect information that your browser sends whenever you visit our web page. This information is aggregated to provide us with usage statistics and reports on website visits. The data relates to your online activity on our websites and includes the following:

​

 

  • IP address

  • browser type and version

  • geographic location

  • pages you view

  • how you got to our Services and any links you click on to leave our Services

  • your interactions with any videos we offer

  • issues you encounter requiring our support or assistance

  • any device or other method of communication you use to interact with the Services


We store the data we collect in a variety of places within our infrastructure, including system log files, back-end databases and analytics systems. Further information is available in our Cookie Policy.

 


5.2    Data processed on behalf of our customers

 

Invisors is a specialized professional services firm focused exclusively on deployment, support, and advisory services for Customers that subscribe to the Workday application (www.workday.com). In the course of providing these services, Invisors processes data, including Personal Information and HR Information, on behalf of its customers. We process this covered data solely for the purpose of loading the data into the Workday application or testing outbound data files from the Workday application on behalf of our Customers. In this context, Invisors acts as a data processor and does not control the data. Invisors processes Customer Data under the explicit direction of its Customers and has no direct control or ownership of the personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his or her query to the Invisors Customer (the data controller). If the Customer requests Invisors to remove the personal data to comply with data protection regulations, Invisors will respond to their request within 30 business days.

​

The types of personal data processed include:

​

•    Contact Information (name, email address, phone number, usernames, password)
•    Location Data (postal address)
•    Preference Data (profile/account settings such as language preference)
•    Employment Data (title, past/present employers, resume/CV, educational history, professional training, performance or talent data, etc.)
•    Special Categories of Data (information revealing racial or ethnic origin, trade union membership, sexual orientation)
•    Other (payroll data, benefits data, system access data, compensation data, organizational/supervisory data, tax information, direct deposit data, worker documents)

 

​

6.  Employee Data

​

Invisors needs to keep and process information about our employees for normal employment purposes. We act as a Data Controller in this capacity. The information that we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with employees effectively, lawfully and appropriately, during the recruitment process, whilst employed by Invisors and at the time employment ends. This includes information to enable us to comply with the employment contract (UK GDPR Article 6(1)(b)), any legal requirements (UK GDPR Article 6(1)(c)), and for Invisors to protect our legal position in the event of any legal proceedings (UK GDPR Article 6(1)(f)). If employees do not provide this data, we may in some circumstances be unable to comply with our obligations and we will inform you of the implications of that decision.


The sort of information we hold includes:
 

  • Application form and references

  • Right to Work evidence such as a copy of a passport and / or birth certificate

  • Contract of employment and any amendments to it

  • Correspondence about the employee

  • Salary information, bank details, contact and emergency contact details, records of holiday, sickness and other absences

  • Information required for equality monitoring policy, training records, appraisals and where appropriate disciplinary, grievances and any other formal action.

​​​​

Invisors does not use solely automated processing for 'significant decisions' (those with legal or similarly significant effects) concerning employees. For any decisions assisted by automation, human oversight is ensured, upholding employees' rights to information, representation, and to contest decisions.

​

7.  How we use your information


We use the information we collect, both on its own and combined with any other information we collect about you, for the following purposes, relying on various legal bases under the UK GDPR, including our recognised legitimate interests:

​

  • To provide the requested Services to you in line with the contract we have with the Data Controller;

  • To provide you with useful content;

  • To ensure the proper functioning of our Services, and to diagnose problems. This is for our recognised legitimate interests in network and information system security and effective intra-group administration;

  • To offer and improve our Services, provide requested information or support, and facilitate your use of our website;

  • To communicate with you and target prospective customers with our products or services. This is based on your consent where required, or our legitimate interests for direct marketing;

  • To assist us in offering you a personalized experience or otherwise tailor our Services to you; and

  • As otherwise described in this privacy notice.

​

We also use the information we receive in aggregated and anonymized formats to produce reports on trends and statistics, such as mobile search trends, email open rates by industry, campaign best practices or the number of users that have been exposed to, or clicked on, our websites or evaluated or purchased our products and services.

​​​

Invisors does not make "significant decisions" based solely on automated processing that produce legal or similarly significant effects for you.

​

8. Sharing of information

​

Invisors does not transfer any Personal Data we collect directly to third parties or other partners.  This data is used for communication with our contacts and kept internally within Invisors. 

​

Upon explicit direction from our Customers, we will transfer Customer Personal Data to service providers that support the Customer. These service providers may include cloud service providers, such as Workday, or other service providers such as benefits administration partners. All of these transfers are processed within the scope of our Workday deployment services for our Customers.

​

In the context of an onward transfer, Invisors has responsibility for the processing of personal information it receives under the DPF or GDPR and subsequently transfers to a third party acting as an agent on its behalf. Invisors shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

​

Invisors LLC is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Invisors LLC will notify Customer of such request unless prohibited by law.

 


9. Tracking technologies and online advertising


We use cookies, web beacons, pixels, tags, scripts and other similar technologies in the course of our business, in compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Data (Use and Access) Act 2025. 


For technologies requiring your consent, such as for online advertising or non-essential analytics, we ensure clear and comprehensive information is provided and consent obtained, consistent with Schedule A1, paragraph 2 of the amended PEC Regulations.


When these technologies facilitate direct marketing, defined as communication of advertising or marketing material directed to particular individuals, this is conducted in accordance with applicable laws, including obtaining consent where required. For comprehensive details, including your control options, please refer to our regularly updated Cookie Policy.

​​

​

10. Choice/opt-out

 

You have the opportunity to choose (opt out) whether your personal information is (1) to be disclosed to a non-agent third party, or (2) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized for use.

​

It is not necessary for Invisors to provide this choice when a disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization (Invisors or our customer).  These organizations must always enter into a contract with the agent.

​

For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), Invisors must obtain express written consent from our customer (Controller) or directly from individuals (when Invisors is the Controller), if such information is to be (1) disclosed to a non-agent third-party, or (2) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  In addition, Invisors treats as sensitive any personal information received from third-parties where the third-party identifies and treats the information as sensitive.

 

The following mechanisms are available to you to exercise your choice at any time:

​

10.1    Email

You always have the opportunity to opt out of our marketing communications with you or change your preferences by following a link in the footer of all non-transactional email messages from us or by emailing us at security@invisors.com.


10.2    Phone
We may contact you by telephone, with your consent where applicable, for marketing purposes. In the UK, we will check the Telephone Preference Service (TPS), Corporate Telephone Preference Service (CTPS) and our internal CRM system before making calls. If your number appears as blocked on either list, we will not call you. If you do not want to receive marketing calls, please contact customer support and we will update our records.

 

10.3    Cookies
Our websites use cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping baskets, and provide anonymized tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the www.internetcookies.com website which offers guidance for all modern browsers. Further details are also available in our Cookie Policy.

​​

​

11. Retention of personal information
 

We retain your personal information to provide services to you and as otherwise necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We will retain your personal information for no more than seven years following the later of (i) the date on which you terminate your use of the Services or (ii) May 25, 2018, unless we are otherwise required by law or regulation to retain your personal information for longer.

​

Following this period, certain information (related to referral source, service requested, assessment findings and geographical location) will be pseudonymized for statistical purposes. This processing is carried out strictly in accordance with Article 4(5) and Chapter 8A of the UK GDPR, as amended by the Data (Use and Access) Act 2025. For these purposes, the resulting information is aggregate data that is not personal data, and Invisors does not use it for measures or decisions concerning individual data subjects. 


Additionally, some reports or data may be completely anonymised for training purposes, meaning it is irreversibly de-identified and no longer constitutes personal data. All other personal data will be securely destroyed in accordance with GDPR requirements.

​​

​

12. Legal basis for processing your information
 

We process your personal information lawfully and fairly, relying on various grounds under the UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025, and other applicable laws. When acting as a data controller, our legal bases include:

 

•    Consent: For responding to enquiries, job applications, or for certain direct marketing activities where your consent is required by law.
•    Contract: When necessary to provide our Services to you or for pre-contract steps.
•    Legal Obligation: To comply with a legal duty to which Invisors is subject.
•    Vital Interests: To protect your vital interests or those of another individual.
•    Public Interest/Official Authority: For a task carried out in the public interest or in the exercise of official authority, as clarified by the DUAA 2025.
•    Legitimate Interests: For our interests (e.g., service improvement, security) and for direct marketing activities not requiring consent, which the DUAA 2025 clarifies as a legitimate interest under UK GDPR Article 6(1)(f).
•    Under the instruction of a controller in line with a contract with them.

​​

When Invisors acts as a data processor on behalf of our customers, the legal basis for processing is determined by our customer (the data controller); we act strictly under their instructions (see Section 5.2 for details). For statistical or training purposes, processing (including pseudonymisation) is handled as a compatible purpose under Chapter 8A of the UK GDPR, as introduced by the Data (Use and Access) Act 2025 (see Section 11 for details).

​


13. Your rights
 

Under the General Data Protection Regulation (GDPR), as amended by the Data (Use and Access) Act 2025, and other applicable data protection legislation, you have a number of rights with regards to your personal data. These include the right to request access to and rectification of, erasure of, and to restrict processing of your data in certain circumstances.

​

If you have provided consent, you have the right to withdraw it at any time, which will not affect the lawfulness of the processing based on consent before its withdrawal.

​

We are committed to helping you exercise these rights. We will require you to verify your identity before responding to requests. To exercise any of your rights, please email security@invisors.com. We will generally respond within one month, but may extend this by up to two further months for complex or multiple requests, informing you of any extension and its reasons. We may refuse requests or apply conditions for valid legal reasons, such as when information is subject to legal professional privilege or a duty of confidentiality, and we will inform you unless providing such a reason would undermine the exemption.

​​

​​

13.1    Informed
You have the right to be informed about the collection and use of your personal information. In limited circumstances (e.g., statistical, research, or archiving), this right may not apply if providing the information is impossible or would involve disproportionate effort, provided appropriate safeguards are in place and information is publicly available.

​

13.2    Access
You have the right to know if we process your personal data and to access the data we hold about you, along with information on its use and sharing. Your access is based on a reasonable and proportionate search for the data.

​

13.3    Portability

Where processing is based on our contract or your consent, you have the right to receive a subset of your personal information in a structured, machine-readable format and to request its transfer to another party where technically feasible; we are not responsible for its security once received by the third party.

​

13.4    Rectification

You have the right to require us to correct any personal information held about you that is inaccurate and have incomplete data completed. While we assess your request, you may exercise your right to restrict our processing of the applicable data.

​

13.5    Erasure
You may request that we erase the personal information we hold about you if:

​

•    you believe it is no longer necessary;

•    processing is unlawful but you prefer restriction to erasure;
•    we no longer need the data but you require it for legal claims; or
•    you have objected to our legitimate interest processing (while we determine overriding interests).

 

​Please provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure.

 

13.6    Restriction of processing to storage only
You have a right to require us to stop processing the personal information (other than for storage) if:

​

​•   you dispute its accuracy (while we verify);
•    we wish to erase the personal information as the processing we are doing is unlawful, but you want us to simply restrict the use of that data;
•    we no longer need the personal information for the purposes of the processing, but you require us to retain the data for the establishment, exercise, or defense of legal claims; or
•    you have objected to us processing personal information we hold about you on the basis of our legitimate interest and you wish us to stop processing the personal information while we determine whether there is an overriding interest in us retaining such personal information.

​​

13.7    Objection

You have the right to object to our processing of your data, including where processed for our recognised legitimate interests (UK GDPR Article 6(1)(e)). We will cease processing unless compelling legitimate grounds override your interests or for legal claims. You also have an absolute right to object to processing for direct marketing, including profiling, at any time.

​

13.8    Not to be subject to automated processing
You have the right not to be subject to decisions based solely on automated processing, including profiling. This right applies unless contractually necessary, legally authorised, or based on your explicit consent. Invisors will not use automated processing to make significant decisions about you if based on a 'recognised legitimate interest'. Where such decisions are made, we implement appropriate safeguards, including providing information, enabling representations, human intervention, and contesting the decision.

​

13.9  The Right to Complain
You have the right to make a complaint directly to Invisors for UK GDPR infringements. You also retain the right to lodge a complaint with your local supervisory authority (the Information Commissioner's Office (ICO) in the UK) if not satisfied with our response or compliance.

 

​

14. Children    

​

Our website and services are not directed to persons under 18. We do not knowingly collect personal information from children under 18. If a parent or guardian becomes aware that his or her child has provided us with personal information without such parent or guardian’s consent, he or she should contact us. If we become aware that a child under 18 has provided us with personal information, we will delete such information from our files.

 


15. Contact

 

Individuals with inquiries or complaints regarding our Privacy Notice should first contact Invisors LLC at: 

​

Invisors, LLC
Attention: Will Hardy
1201 Peachtree Street NE, Suite 1500, Atlanta, GA 30361
Phone: 404.384.7947
Email: security@invisors.com

 

​

16. Compliance with Data Privacy Frameworks

 

Invisors processes and transfers personal data internationally in compliance with the UK General Data Protection Regulation (UK GDPR), as comprehensively amended by the Data (Use and Access) Act 2025, and other applicable data protection legislation.


We participate in and comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. These frameworks serve as approved mechanisms for international data transfers under the revised UK GDPR, specifically aligning with transfers approved by regulations (new Article 45A) and appropriate safeguards (new Article 46) introduced by the Data (Use and Access) Act 2025.


Invisors has certified to the U.S. Department of Commerce its adherence to the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for personal data received from the European Union and the United Kingdom. Should conflict arise between this policy and DPF Principles, the Principles shall govern. For details and certification, visit https://www.dataprivacyframework.gov/s/.


Invisors LLC’s DPF commitments are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC). Unresolved DPF complaints may, under certain conditions, invoke binding arbitration. Invisors LLC commits to cooperate with the advice of panels established by EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) for unresolved human resources and non-human resources data complaints received under these DPFs.

 

​

17. Complaints

​​

You have the right to make a complaint directly to Invisors regarding our processing of your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025. Upon receipt, Invisors will acknowledge your complaint within 30 days and will take appropriate steps to respond without undue delay, keeping you informed of the progress and outcome.


If you are dissatisfied with our response, you have the right to lodge a complaint with the UK supervisory authority, which is now known as the Information Commission (formerly the Information Commissioner's Office - ICO).


For complaints related to Invisors LLC’s commitments under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), these remain subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC). Under certain conditions, you may invoke binding arbitration for unresolved claims. Invisors LLC also commits to cooperate with the advice of panels established by EU data protection authorities (DPAs), the UK Information Commission, and the Swiss Federal Data Protection and Information Commissioner (FDPIC) concerning unresolved complaints for both human resources and non-human resources data received under these frameworks.

​​

​

18. Notification of changes

​

We reserve the right to modify this privacy notice at any time, so please review it frequently. If we decide to change this privacy notice in any material way, we will notify you here. Your continued use of any Services constitutes acceptance of any such changes.

​

Last modified July, 2025
 

The following clauses were updated based on the Data (Use and Access) Act 2025: 6, 7, 9, 11, 12, 13, 16, 17

​
