Global Employee Privacy Notice
Last Updated - November 4th 2022
At Twilio, we believe everyone, whether they’re our customers, job applicants, employees or contractors, deserves a “no shenanigans” approach to their personal data. To that end, we have crafted this Global Employee Privacy Notice (Notice) to provide job applicants and members of our workforce with clear, detailed, and easy-to-read information about Twilio and its group companies’ privacy practices and how we collect, use, process, and transfer personal data.
We have built our global privacy program based on our Binding Corporate Rules (BCRs), which serve as our code of conduct that governs our global processing of personal data. This means that we are committed to data protection measures that go above and beyond what local laws require and no matter where you are located, whether in the United States, the European Economic Area (EEA), the United Kingdom (UK), Latin America, or the Asia-Pacific region, we provide the same high level of protection. This Notice has been translated into Estonian, French, German, Japanese, Spanish, and Swedish.
If you are looking for information about how we collect personal data from visitors of our website or users of our products and services, please review the Twilio Privacy Notice.
The defined terms we have used in this Notice have the following meanings:
- “Applicant” means an individual who has submitted information to Twilio (such as a resume or job application) in order to apply to be a Team Member, or who has otherwise given consent to be considered as a candidate for a position.
- “computing resources” includes all electronic systems, networks, applications, equipment, devices, software, and means of communication operated and managed by Twilio. As examples, these include but are not limited to, critical business systems, networks, personal computers, laptop computers, personal digital assistants, peripheral equipment such as disk drives, USB drives, printers, electronic mail, Instant Messaging, telephones, computer enabled ID cards and voicemail or other electronic communications or other information systems provided by or on behalf of Twilio or operated on Twilio computer or telecommunications hardware or use for conducting Twilio business.
- “monitor” (and “monitoring”) includes, but is not limited to, intercepting, accessing, reviewing, collecting, recording, processing, organizing, storing, retrieving, transferring, tracking, dissemination, blocking, combining, aligning, modifying, deleting (e.g. wiping) and removing electronic data related to or contained on computing resources.
- “personal data” (and “data”) means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Team Member” means a full or part time Twilio employee, director and Board member, as well as members of our extended workforce, including non-executive directors, independent contractors, contingent, or agency workers and interns.
- “Twilio'' means Twilio Inc. and its group companies including those members listed in our Binding Corporate Rules.
The majority of this Notice applies equally to Applicants and Team Members. To the extent there are differences for Applicants, we highlight those throughout this Notice.
The personal data we process about you may vary according to whether you are an Applicant or Team Member, the type of processing we conduct, the jurisdiction you are located in, and local legal requirements. We have described the main types of personal data we process in the table below.
Examples of what this means
Name, photograph, date of birth, government identifiers, and employee identification number, and badges.
Home address, telephone, email addresses, and emergency contact details.
Information related to applicant qualifications, past employment, interview notes, references, immigration status and documentation, residency permits and visas, national ID/passport, and other official documentation in support of authentication or eligibility for employment (e.g. Form I-9 in the US).
Information related to your qualifications, your role at Twilio such as position information, role changes, resignation/termination, resume/CV, office location, employment contracts, performance and disciplinary records, academic/professional qualifications, criminal records data, immigration status and documentation, residency permits and visas, national ID/passport, occupational health assessments and work-related accidents, training and employee resource group participation.
Information related to employment benefits we provide to you such as spouse and dependent information, health information (including vaccination status), vacation, leaves of absence, and accommodations information.
Performance and management data
Information related to performance evaluations or reviews, disciplinary actions and grievances, and training and development plans.
Banking details, tax information, payroll information, withholdings, salary, expenses, company allowances, and commission and stock and equity grants.
Systems and asset use data
Information required to provide access to Twilio's computing resources such as IP addresses, log files, login information, software/hardware inventories, internal communications and video and audio recordings, and information collected by internal Twilio applications provided to employees such as employee communications tools and platforms. This also includes asset allocation data and data used for security and business continuity purposes and information required to use Twilio sites including from CCTV, access, and security controls.
Date of birth, gender, race/ethnicity, veteran status, disability, sexual orientation and gender expression, as well as information relating to other demographic categories. Team Members can view their demographic data in Workday.
Other information you share with us
Information you choose to provide including hobbies, social preferences, answers to feedback surveys, and participation in programs like WePledge.
We only process your personal data where we have a legitimate business reason or legal requirement to do so. The table below outlines the main reasons for processing and the types of data involved.
Why we process your personal data
Data categories we process
Hiring. During the hiring process, we process Applicant personal data to determine suitability and eligibility for a role. This includes verifying qualifications. It may also include administering background checks and establishing your right to work in a specific jurisdiction.
Identification data, Contact data, Hiring data
Compensation and Benefits. We use this information to manage payroll, taxes, and benefits as well as to process work-related claims (e.g., worker compensation, insurance claims, expense and travel management) and leaves of absence.
Identification data, Contact data, Employment data, Benefits data, Financial data
Training. We use this information to help us with creating and updating Team Member training and other development opportunities and enforcing mandatory training completions.
Performance reviews. We use this information to review how you are performing at work and to help determine your work performance requirements and career development needs.
Identification data, Contact data, Employment data, Performance and management data, Financial data
Legal requirements. We use this information to comply with laws and regulations (e.g. labor and employment laws, health and safety, tax, anti-discrimination laws) or to exercise or defend our legal rights.
Identification data, Contact data, Employment data, Hiring data, Benefits data, Performance and management data, Financial data, Systems and asset use data, Demographic data
Contacts. We use this information internally to compile employee directories or send documents or items to home addresses.
Identification data, Contact data, Employment data
Security & IT. We use this information to maintain the security of Twilio’s computing resources, assets and premises and, provide you with access to them, to manage our general operations and assets, to provide services to you as necessary for your role, and to protect your personal safety.
Identification data, Contact data, Employment data, Hiring data, Systems and asset data
Emergencies. We use this information to help us establish emergency contacts for you and respond to and manage emergencies, crises, and business continuity.
Identification data, Contact data, Benefits data
Investigations and Disciplinary actions. We use this information when necessary to investigate and support decisions on disciplinary actions or terminations, conduct grievance management, or when necessary to detect fraud or other types of wrongdoing.
Identification data, Contact data, Employment data, Benefits data, Financial data, Systems and asset data
DEI goals. We use this information as necessary to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives.
Day-to-day business operations. We may use this information for other legitimate purposes that are reasonably required for day-to-day operations at Twilio, such as managing our relationship with our employees, accounting, financial reporting, business analytics, employee surveys, operational and strategic business planning, mergers and acquisitions, real estate management, business travel, and expense management.
Identification data, Contact data, Employment data, Hiring data, Benefits data, Financial data, Systems and asset data, Other information you share with us
When we collect your personal data, we generally do so directly from you or from a third party when you have given us permission. We will only use this data for the reasons we originally collected it and if we need to use the data for another legitimate business reason, we will notify you directly and get your permission where required. If we ask you to provide personal data not described above, the reason for doing so will be made clear to you at the point we collect it.
Jurisdictions With Special Requirements
Legal Basis to Process — If you are from a jurisdiction that requires a legal basis for processing personal data (such as the EEA, UK, or Brazil), Twilio’s legal basis will depend on the personal data concerned and the context in which we collect it. We will normally collect personal data from you only where we need the data to carry out our employment contract with you, to comply with our legal obligations or exercise rights in the field of employment, or where the processing is in our legitimate interests, provided this is not overridden by your data protection interests or fundamental rights and freedoms. You can see examples of the data we use for our legitimate interests in carrying out our day-to-day business operations in the table above. We also rely on your consent in certain situations — for example, processing sensitive personal data related to your current health status or to provide access to optional social activities.
If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether providing your personal data is mandatory or not, as well as the possible consequences if you do not provide it.
Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed in the table above, we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the Questions? section below.
Data Controllers — If you are located in the EEA or the UK, the data controller of your personal data will be the corporate entity that manages the hiring process or employs you (e.g. Twilio Ireland Limited for employees based in Ireland).
What is Our Commitment to Processing Demographic Data?
Global workforce diversity, equity, and inclusion is a priority for us. We collect certain demographic data such as race, ethnicity, sexual orientation, disability, and military status to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives. In some circumstances, we may also need to use this data to comply with local laws. We generally collect this information on a voluntary consensual basis, and you are not required to provide it unless it is necessary for us to comply with a legal obligation. We will not share your data without your permission unless we are legally required to do so.
We do not sell your personal data or share your personal data for the purpose of behavioural advertising and we do not allow any personal data to be used by third parties for their own marketing purposes. You can see the type of third parties we might need to share your personal data with, and our reasons for doing so, in the table below. We will obtain your consent to any disclosure of your personal data where required by law.
Why We Share It
Team Members, Contractors, and Twilio Group Companies
To establish, manage, or terminate your employment with Twilio.
Consultants and Advisors
To seek legal advice from external lawyers and advice from other professionals such as accountants, management consultants.
To enable third parties to provide services to you on behalf of Twilio such as recruitment providers, financial investment service providers, insurance providers, healthcare providers and other benefits providers, payroll support services.
Partners in Corporate Transactions and their professional advisors
In connection with the sale, assignment or other transfer of all or part of our business.
Government Authorities or Law Enforcement
- If we in good faith believe we are compelled by any applicable law, regulation, legal process or government authority; or
- Where necessary to exercise, establish or defend legal rights, including to enforce our agreements and policies.
Other Third Parties
- To protect Twilio’s rights or property;
- To protect Twilio, our other customers, or the public from harm or illegal activities;
- To respond to an emergency which we believe in good faith requires us to disclose personal data to prevent harm; or
- With your consent, such as for social events hosted by Employee Resource Groups
All vendors we engage to process your personal data on our behalf go through a robust privacy and security vetting process and are required to contract with us on terms that ensure the appropriate use and protection of your personal data.
As a global organization, we may need to transfer your personal data outside your home jurisdiction to Twilio group companies, including our headquarters in the US, and other countries. These countries may have data protection laws that are different from the laws of your region. We will only transfer personal data to another country in accordance with applicable data protection laws, and provided there is adequate protection in place for the data.
Internal Transfers — We have established and implemented a set of Binding Corporate Rules for controllers to ensure adequate protection for internal transfers of personal data between Twilio Group Members in the European Union and elsewhere. Our privacy practices, described in this Notice, comply with the APEC Cross Border Privacy Rules (“CBPR”). The APEC CBPR system provide a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found here.
While we do not rely on the Data Privacy Framework (DPF) for cross-border data transfers, we still adhere to the DPF Principles as a matter of good practice and we maintain our Data Privacy Framework certification. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/.
External Transfers — If we need to transfer your personal data outside Twilio to a third party who handles that data on our behalf (e.g. payroll providers) we rely on other agreements, such as Standard Contractual Clauses.
We respect your expectation of privacy and only monitor your individual activity if we have a reasonable, proportionate, and legal reason for doing so. Our normal monitoring use cases are outlined in the table below and you can find additional information about the circumstances under which we monitor Team Members in the Global Acceptable Use Policy (please note that this link is not available to Applicants).
Type of Monitoring
Our reasons for monitoring your activity
We monitor the physical activity and presence in our offices of Applicants and Team Members with badge readers, sign-in sheets, and surveillance cameras. The data we capture may include Identification data, Employment data, and Systems and asset use data. Where we have in-office cameras, we post signs to let you know.
To prevent unauthorized access to our offices and to protect Team Members, authorized visitors, and our property.
For some Team Member roles, we may monitor interactions when you speak to customers or potential customers.
For training, verification, or quality assurance purposes.
We may monitor the electronic activity of Team Members on our IT and communications systems and network. This electronic activity includes log files and content sent over our network and specifically may include Systems and asset use data, no matter where generated. Please also review the “Being an Owner” Section of the Global Code of Conduct (this link is not available to Applicants) for additional information on electronic monitoring.
- Validating business transactions and archiving;
- For network and device management and support;
- Protection of confidential information, intellectual property and other business interests;
- To protect our internal systems from security risks, including potential exposure to viruses and malware;
- For compliance with a legal obligation; and
- Other legitimate purposes as permitted by applicable law.
We may conduct individual level monitoring of Team Members’ use of physical or IT assets.
To investigate breaches of Twilio policies and procedures, or other unlawful or improper acts.
In situations where individual monitoring is justified and lawful, we will conduct our monitoring in a way that is proportionate, as minimally invasive as possible, and with all necessary internal approvals.
Team members — We will keep your data for as long as we need it to carry out the purposes we've described above, or as otherwise required by applicable law. Generally, this means we will keep your data until the end of your employment or contract with us, plus the period of time required by the law of the country you are employed in or a reasonable period of time to respond to any inquiries, deal with legal, tax, accounting, or administrative matters, or to provide you with ongoing pensions or other benefits. We seek to minimize our retention of data wherever possible.
Where we have no continuing legitimate business need or legal requirement to process your data, we will either delete or anonymize it or, if this is not possible (for example, because your data has been stored in backup archives), then we will securely store your data and isolate it from any further processing until deletion is possible. If you have a specific question about how long we store your data, please reach out to us using the contact details provided in the Questions? section below.
Applicants — If you apply for a job with us, we retain your data to determine your eligibility for a current or future role with us. The retention periods vary depending on your location and local legal requirements. For example, in the US we retain Applicant data for three years and in Ireland for one year. If you have specific questions about how long we retain your data for other jurisdictions please contact us using the contact information provided in the Questions? section below.
Regardless of whether you are an Applicant or Team Member you have the right to make choices about your personal data. Where applicable and in certain circumstances, these legal rights include:
- The right to update your data if it’s out of date, incomplete, or inaccurate;
- The right to request confirmation that we are processing your data and be provided with access to the data we process about you;
- The right to have your data deleted;
- The right to restrict the processing of your data;
- The right to transmit your data to another organization;
- The right to object to the processing of your personal data;
- The right to withdraw consent for data you’ve provided to us on a consensual basis; or
- The right to obtain information about the entities Twilio has shared your data with.
Team Members — We provide you with a number of tools to help you update, access, or delete some of your data, as detailed below. To exercise other rights, please contact the Privacy Team via our service portal.
Applicants — Please contact the recruiter you worked with or the Privacy Team via email at firstname.lastname@example.org to exercise your rights.
I would Like to:
Update my data
Workday & Email. If your personal data changes during the course of your time at Twilio, please use the Workday Guide: Add/Update Personal & Self Identification Information or Workday Guide: Add/Update Contact Information to update that data or contact HR Ops (HROps@twilio.com) to note those changes.
Access my data or receive a copy of my data
Workday & Email. Workday allows you to see the data that we hold about you and download a copy. If we have data that you cannot access via Workday, then you may make a request by emailing your HR Business Partner or by using the contact details provided in the Questions? section below. Please note that we might need to refuse access to personal data in certain cases, such as when providing access might infringe someone else’s privacy rights.
Delete my data or withdraw consent
Workday & Email. You can ask that we delete personal data that you believe is inaccurate or no longer relevant by emailing your HR Business Partner or by using the contact details provided in the Questions? section below. In addition, you can go into Workday and remove some of the data you’ve chosen to share with us, such as demographic data. We might need to refuse deletion of personal data in certain cases, such as when providing deletion might impact our legal obligations.
We use appropriate technical and organizational security measures to protect the security of your personal data both online and offline including the implementation of access controls, firewalls, network intrusion detection, and use of anti-virus software. These measures vary based on the sensitivity of the personal data we collect, process, and store, and the current state of technology. We also take measures to ensure that third parties that process personal data on our behalf also have appropriate security controls in place.
In addition, in accordance with Twilio’s Code of Conduct and related training, each Team Member has a responsibility to protect data they have access to. Please also see the What Are Your Responsibilities section below for more information on our expectations of Team Members.
We need your help to keep our records accurate and current. This means that we need you to be vigilant with keeping information like your address, phone number, and personal email up to date. In some cases, failing to provide us with accurate data will impact our ability to function as a business and to comply with legal obligations.
We rely on you to “Be an Owner.” Team Members with access to personal data must endeavor to make wise choices about how they use data. This means ensuring that you are thoroughly assessing (1) why you need the data, (2) whether that use fits the uses outlined above in What Personal Data Do We Process and Why Do We Process It?, and (3) whether there is another way to get to your goals without using personal data. After assessing, it’s equally important to ensure that you maintain good data security practices for the data in your possession, report data misuse, whether accidental or malicious, and keep up with required training.
We rely on our Team Members to keep data confidential. You may use this data only as necessary for the performance of your role and must protect the confidentiality of personal data at all times.
We hope we can resolve any disputes relating to our data protection practices between us. However, if you have a dispute with us relating to our data protection practices, you can raise your concern or dispute by contacting our Privacy Team either via email at email@example.com.
Alternatively you can contact us by mail at any of the following addresses:
Twilio Ireland Limited
Right to Complain to a Supervisory Authority — While we hope we can resolve any dispute between us, you have the right to lodge a complaint with the supervisory authority in the country where you work or where you consider any data protection rules to have been breached.
Rights under Twilio’s Binding Corporate Rules for Controller — You may have additional rights under our BCRs in the EU and other countries that recognise the BCRs. For example, where you believe your personal data has been transferred by an EU-based Twilio company to our US headquarters and processed by the US company in breach of the BCRs, you may have a right to:
- Lodge a complaint with the Twilio company that transferred your data outside Europe;
- Lodge a complaint with the supervisory authority in the same country as the Twilio company that transferred your data outside Europe; and
- Bring a court action against the Twilio company that transferred your data outside Europe.
APEC CBPR Participation. If you have an unresolved privacy or data use concerns related to Twilio's participation in CBPR certification that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Team members — Please direct questions or inquiries about this Notice to the Privacy Team using our service portal. Alternatively, you may also raise any questions or concerns directly with your line manager or your HR Business Partner.
Applicants — Please direct any questions or inquiries about this Notice to the Privacy Team via email to firstname.lastname@example.org.
Changes to this Notice
You can see when this Notice was last updated by checking the "last updated" date displayed at the top. If we update this Notice in a way that impacts your rights, we will provide advance notice to you by sending an email via the address we have on file for you. We will comply with applicable law with respect to any changes we make to this Notice and seek your consent to any material changes if this is required by applicable law.