Information we collect and how we collect it
When you access our Site or use the Services, we collect and store certain information about you, including “personal information.” Personal information is information that, alone or in combination with other information in our possession, could be used to personally identify you. We collect the following categories of personal information and other information as described below.
How we use your information
We use information that we collect about you for the following purposes:
To develop and provide you with the Site and Services, including to:
- operate the Site, manage accounts and provide the Services
- determine your eligibility for our Services and our partners’ programs
- improve, personalize, and enable your use of the Site and Services
- develop new products and features
To protect Gusto, our users, and the public, and comply with applicable law, regulation, or legal process, including to:
- validate user information for fraud and risk detection purposes
- resolve disputes and protect the rights of users and third parties
- respond to claims and legal process (such as subpoenas and court orders)
- monitor and enforce compliance with the applicable Terms of Service
- prevent or stop any activity that may be illegal, unethical, or legally actionable
To operate our business, including to:
- process payment transactions
- manage and enforce contracts with you or with third parties
- manage our corporate governance, compliance and auditing practices
- recruit new hires, if you submit an application for employment with Gusto
- generate anonymized or aggregated data
To communicate with you as part of your use of Services, including to:
- respond to requests or questions you submit to our support staff
- send you surveys and get your feedback about the Services
- otherwise contact you with Services-related notices
To advertise and market to you, including to:
- determine your eligibility for certain programs, events, and offers
- inform you of our or our partners’ products, services, features or promotions
- provide you with newsletters, articles, reports, and announcements
- develop “interest-based” or “personalized advertising,” including through cross-device tracking
For any other purpose for which you, your employer, or your employer’s agent expressly authorize us to use your information.
When and with whom we share your information
We will only share your information with the categories of third parties listed below for the purposes described above in the “Use of Your Information” section, unless otherwise noted at the point of collection.
Service Providers that have signed an agreement with us that limits how they use your information and promises to keep your information confidential. Examples include:
- banks, financial institutions, and credit bureaus
- companies or organizations that provide services such as website hosting (ex: AWS), customer management (ex: Salesforce) and customer service
Business Partners with whom we jointly offer products or services. Examples include:
- insurance carriers and third-party administrators, for users of the Benefits Service. We will share your protected health information (as defined in 45 C.F.R. Part 160) only as is (i) authorized by you; (ii) necessary for us to provide you with the Benefits Service; and (iii) compliant with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), as amended from time to time.
- third-party partners that provide services through our Site or Services, such as accounting software (ex: Xero) and 401(k) management (ex: Guideline). Some partners offer you their services through Gusto’s Application Program Interface (API) or Software Development Kits (SDKs). For more information about Gusto’s use of APIs and SDKs, please contact us.
Advertising Partners that deliver advertisements about us to you, including Advertising Partners that utilize Tracking Technologies in order to deliver advertisements that are personalized to you when you visit their websites (“interest-based advertising” or “personalized advertising”)
Government agencies, including taxing authorities and their authorized collectors, in the countries in which we operate, only as necessary for us to provide you with the Services.
Other parties under the circumstances described below:
- for legal reasons, including:
- with companies that verify your identity for us and detect fraud
- with legal and financial advisors, auditors, examiners, and certain (including potential) investors
- with companies that may acquire us, if we are involved in a merger, acquisition, or sale of assets
- to comply with applicable law, regulation, or legal process, including to:
- comply with law enforcement or national security requests
- comply with legal process, such as a court order or subpoena (including in a country other than your home country)
- protect your, our, or others’ rights, property, or safety
- enforce our policies or contracts and collect amounts owed to us
- assist with an investigation or prosecution of suspected or actual illegal activity
- to manage the referral program, including emailing potential customers that you have referred to us, which reference your name as the referral source
- to further public policy goals, including:
- publishing reports that incorporate aggregated, non-personally identifiable information about customer attributes, transactions, and behavior
- sharing data containing aggregated and/or non-personally identifiable customer information with non-profit or non-partisan organizations, academic institutions, think tanks, trade associations, consultancies, or similar organizations, only if they have signed an agreement with us that restricts how they can store, access, share, and use the information
- for any other purpose and to any other person with whom you, your employer, or your employer’s agent expressly authorize us to share your information
Your privacy choices and rights
Your Privacy Rights. Depending on where you reside and in accordance with applicable law, you may have the following rights with regard to your Personal Information:
- Notice
- Access
- Data Portability
- Erasure
- Correction
- Opt Out of Sales of Personal Information
For a description of these rights, please see the applicable chart in Section 5 of this Privacy Policy. In addition, you may have the right to opt out of targeted advertising and profiling, to the extent that profiling makes decisions that produce legal or similarly significant effects concerning you. To exercise any of these rights please contact us using the resources in the “Contact Information” Section below. If you would like to opt out of targeted advertising, the sale of your Personal Information, or profiling, you may submit your opt-out request here: Consumer Request Portal
In the event you choose to exercise your rights under applicable law, we will verify your request in accordance with the “Verification” Section in Section 5 of this Privacy Policy.
Where we collect sensitive Personal Information from you, we will only do so where we have obtained your prior express consent, if required by law.
Your Privacy Choices. The privacy choices you may have about your personal information are determined by applicable law and are described below.
- Email and Text Messages. You can opt out of our promotional emails by using the unsubscribe link located at the bottom of our promotional emails, contacting us as described below, or visiting https://go.gusto.com/pls-dont-leave-us.html. You can opt out of text messages from us by replying “STOP” or contacting us as described below. If you decide to opt-out, we may still send you non-promotional communications such as your payday emails and messages about your account.
- Mobile Notifications. We may send you push notifications through our mobile app. You can opt out from receiving push notifications by changing the settings on your mobile device.
- “Do Not Track.” Do Not Track (“DNT”) is a privacy setting you can set on some web browsers that signals to websites like ours that you don’t want your online activities to be tracked. At this time, we do not respond to DNT signals sent to us by your web browser.
- Cookies and Interest-Based Advertising. You may stop us from sending Tracking Technologies to your browser by changing the settings on your browser. However, if you block all Tracking Technologies, our Services may not work properly. Please note you must separately opt out in each browser and on each device. You can learn how to manage your cookies on these popular browsers by clicking on the links below.
- Google Chrome. For more information, visit Google Chrome
- Internet Explorer. For more information, visit Internet Explorer
- Mozilla Firefox. For more information, visit Mozilla Firefox
- Safari – Desktop. For more information, visit Safari (Desktop)
- Safari – Mobile. For more information, visit Safari (Mobile)
- Android – Browser. For more information, visit Android Browser
You may stop us from personalizing our advertisements to you on some mobile applications by following the instructions for Android, iOS, and others. You may also opt out of receiving targeted ads from advertising partners that participate in self-regulatory programs, such as the Network Advertising Initiative, the Digital Advertising Alliance, the European Digital Advertising Alliance, and the Digital Advertising Alliance of Canada.
Security
We employ administrative, physical and technical measures designed to protect your information from unauthorized access and to comply with applicable privacy laws in the states and countries in which we operate. Your personal information will be kept on our servers or on those of our service providers and only those employees that require it for the purposes of their duties will have access to your personal information. We have also implemented controls which require our third-party service providers and partners to have appropriate safeguards to protect your personal information However, despite these efforts, no security measures are perfect or impenetrable and no method of data transmission can be guaranteed to prevent any interception or other type of misuse. We also depend on you to protect your information. If you become aware of any breach of security or privacy, please notify us immediately. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized disclosure.
International data transfers
All information processed by us or our service providers may be transferred, processed, or stored anywhere in the world, including in countries that may have data protection laws that are different from the laws where you live. Your information may be accessible to the courts, law enforcement, and national security authorities of the United States. We endeavor to safeguard your information consistent with the requirements of applicable laws. If your personal information is transferred to a country other than your home country, we will take measures to protect your personal information with appropriate contract clauses. To obtain more information about Gusto’s policies and practices with respect to service providers outside your country, please contact us as set forth below.
Links to Other Sites
This Privacy Policy only covers the privacy practices of Gusto. It does not apply to the practices of third-party websites, services, or applications, even those who we have partnered or integrated with. Third-party services handle your information in accordance with their own practices and privacy policies. We are not responsible for their policies, practices, or handling of your information.
Our policy toward children
The Service is not directed to children under 16. However, if a child under the age of 13 is dependent on a benefits plan covered by the Benefits Service, we may collect information about the child (solely as needed to provide the Benefits Service) from the child’s parent or legal guardian, or from insurance carriers and third-party administrators.
Notice to California consumers
This Section applies to our collection and use of “Personal Information” if you are a resident of California, as required by the California Consumer Privacy Act of 2018 and its implementing regulations, as amended by the California Privacy Rights Act (the “CPRA”). This Section describes (1) the categories of Personal Information, collected and disclosed by us, subject to CPRA, (2) your privacy rights under CPRA, and (3) how to exercise your rights.
When we use the term “Personal Information” in the context of the CPRA, we mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
If you would like to receive a copy of this Section in an alternate format (e.g., printable) or language, please contact us using the information found below in this Privacy Policy.
Categories of Personal Information Collected, Used, and Disclosed
| Category of Personal Information | Categories of Third Parties to whom Personal Information is Disclosed for a Business Purpose |
|---|---|
| Identifiers (ex: name, email address, mailing address, phone number, signature) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (ex: Social Security number, passport number, driver’s license or state identification card number, insurance policy number, employment, employment history, financial information, medical information, or health insurance information) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Protected classification characteristics under California or federal law (ex: age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, gender, sex, sexual orientation, veteran or military status, genetic information (including familial genetic information) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Commercial information (ex: sales engagement history) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Biometric information (ex: photographs of office visitors for identification badges) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Internet or other electronic network activity information (ex: IP address, unique personal identifier, web history, advertising history) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Geolocation data (ex: the location from which you’re logging in) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Employment-related information (ex: employment history, employer name) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
| Education information (ex: education history) | Service Providers and Business Partners (as described in Section 3 of this Privacy Policy) |
We obtain the above Personal Information from the sources identified in Section 1 of this Privacy Policy. We use the above Personal Information for the business purposes set forth in Section 2 of this Privacy Policy. We also disclose the above Personal Information for the purposes set forth in Section 3 above.
Retention of Data: We will retain each category of your Personal Information for as long as necessary to fulfill the purposes described in the “How We Use Your Information” section above, unless otherwise required by applicable laws. Criteria we will use to determine how long we will retain your information include whether: we need your information to provide you with products or services you have requested; we continue to have a relationship with you or your employer; you or your employer have requested information, products, or services from us; we have a legal right or obligation to continue to retain your information; we have an obligation to a third party that involves your information; our retention or recordkeeping policies and obligations dictate that we retain your information; we have an interest in providing you with information about our products or services; and we have another business purpose for retaining your information.
Your California Privacy Rights
If you are a resident of California, you have the following rights:
| Privacy Right | Description |
|---|---|
| Notice | The right to be notified of what categories of Personal Information will be collected at or before the point of collection and the purposes for which they will be used and shared. |
| Access | The right to request the categories of Personal Information that we collected in the previous twelve (12) months, the categories of sources from which the Personal Information was collected, the specific pieces of Personal Information we have collected about you, and the business purposes for which such Personal Information is collected and shared. You may also have the right to request the categories of Personal Information which were disclosed for business purposes, and the categories of third parties in the twelve (12) months preceding your request for your Personal Information. |
| Data Portability | The right to receive the Personal Information you have previously provided to us |
| Erasure | The right to have your Personal Information deleted. However, please be aware that we may not fulfill your request for deletion if we (or our service provider(s)) are required or permitted to retain your Personal Information for one or more of the following categories of purposes: (1) to complete a transaction for which the Personal Information was collected, provide a good or service requested by you, or complete a contract between us and you; (2) to ensure our website integrity, security, and functionality; (3) to comply with applicable law or a legal obligation, or exercise rights under the law (including free speech rights); or (4) to otherwise use your Personal Information internally, in a lawful manner that is compatible with the context in which you provided it. |
| Correction | You have the right to request that we correct any incorrect Personal Information that we collect or retain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see below), we will correct (and direct any of our service providers that hold your data on our behalf to correct) your Personal Information from our records, unless an exception applies. We may deny your correction request if (a) we believe the Personal Information we maintain about you is accurate; (b) correcting the information would be impossible or involve disproportionate; or (c) if the request conflicts with our legal obligations. |
| Automated Decision Making | You have the right to request information about the logic involved in automated decision-making and a description of the likely outcome of processes, and the right to opt out. We do not currently engage in any automated decision-making practices. |
| To Opt Out of Sales or Sharing of Personal Information | We do not sell or share your Personal Information. However, if we did, you would have the right to opt out of the sale or sharing of your Personal Information. |
| Limit Use of Sensitive Personal Information | You have the right to limit the use of your sensitive Personal Information (e.g. Social Security number and driver’s license information) to only that which is necessary for providing our Services. |
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf(authorized agent,) may make a request related to your Personal Information. You may also make a request on behalf of your minor child.
You may only make a request for access or data portability twice within a 12-month period. The request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Exercising your individual privacy rights
To exercise any of the privacy rights afforded to you under applicable data protection law, please submit a request to us by emailing us at [email protected]
Please use this link to submit your request: Consumer Request Portal
California Residents: If you would like to opt out of sharing or the sales of your Personal Information, you may submit your opt-out request here or if you would like to limit the use of your sensitive Personal Information, you may submit your request by emailing us at [email protected].
Verification: We must verify your identity before fulfilling your requests. If we cannot initially verify your identity, we may request additional information to complete the verification process. We will only use Personal Information provided in a request to verify the requestor’s identity. If you are an authorized agent making a request on behalf of a California consumer, we will also need to verify your identity, which may require proof of your written authorization or evidence of a power of attorney.
We endeavor to respond to requests within the time period required by applicable law. If we require more time, we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us.
We may deny certain requests, or only fulfill some in part, as permitted or required by law. For example, if you request to delete Personal Information, we may retain Personal Information that we need to retain for legal purposes.
Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
You have the right not to receive discriminatory treatment from Gusto for exercising the privacy rights granted by the CCPA.
Notice to Nevada residents
If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A. If you have any questions, please contact us as set forth below.
Changes to this privacy policy
Any information that we collect is subject to the Privacy Policy in effect at the time such information is collected. We may, however, modify and revise our Privacy Policy from time to time. If we make any material changes to this policy, we will notify you of such changes by posting them on the Site, informing you through the Services, or sending you an email or other notification, and we will indicate when such changes will become effective. By continuing to access or use the Site or the Services after those changes become effective, you agree to be bound by the revised policy.
Contact information
If you have any questions about our privacy practices or this Privacy Policy, or to exercise your privacy rights as detailed in this Privacy Policy, please contact us at:
Gusto
Attn: Privacy Program Director
525 20th Street
San Francisco, CA 94107