Global Applicant Privacy Notice
Last Updated - February 14th, 2024
Overview of Privacy at Twilio
At Twilio, we believe everyone, whether they’re our customers, job applicants, employees or contractors, deserves a “no shenanigans” approach to their personal data. To that end, we have crafted this Global Applicant Privacy Notice (Notice) to provide job applicants with information about our privacy practices and how we collect, use, store, and transfer personal data.
We have built our global privacy program based on our Binding Corporate Rules (BCRs), which serve as our code of conduct that governs our global processing of personal data. This means that we are committed to data protection measures that go above and beyond what local laws require and no matter where you are located, whether in the United States, the European Economic Area (EEA), the United Kingdom (UK), Latin America, or the Asia-Pacific region, we provide the same high level of protection.
If you are looking for information about how we collect personal data from visitors of our website or users of our products and services, please review the Twilio Privacy Notice.
The defined terms we have used in this Notice have the following meanings:
“Applicant” means an individual who has submitted information to Twilio (such as a resume or job application) in order to apply to be a Team Member, or who has otherwise given consent to be considered as a candidate for a position.
“personal data” (and “data”) means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“processing” (and “process”) means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Team Member” means a full or part time Twilio employee, director and Board member, as well as members of our extended workforce, including non-executive directors, independent contractors, contingent, or agency workers and interns.
“Twilio'' means Twilio Inc. and its group companies including those members listed in our Binding Corporate Rules.
What Personal Data Do We Process and Why Do We Process it?
We have described the main types of personal data we process in the table below.
Data categories
Examples of what this means
Identification data
Name, photograph, date of birth, government identifiers, as applicable.
Contact data
Home address, telephone, email addresses.
Hiring data
Information related to your qualifications, past employment, interview notes,background checks as legally permitted, education verification, references, whether you are subject to any prior employer obligations, desired salary, immigration status and documentation, residency permits and visas, national ID/passport, and other official documentation in support of authentication or eligibility for employment (e.g. Form I-9 in the US).
Demographic data
Date of birth, gender, race/ethnicity, veteran status, disability, sexual orientation and gender expression, as well as information relating to other demographic categories.
Information you choose to provide to us during your application for a position at Twilio, such as health information relating to a request for an accommodation during the hiring process.
Please note that the personal data we process about you may differ based on local legal requirements and the specific processing we conduct. We only process your personal data where we have a legitimate business reason or legal requirement to do so. The table below outlines the main reasons for processing and the types of data involved.
Why we process your personal data
Data categories we process
Hiring. During the hiring process, we process Applicant personal data to determine suitability and eligibility for a role. This includes verifying qualifications. It may also include administering background checks, as legally permitted and establishing your right to work in a specific jurisdiction.
Identification data, Contact data, Hiring data, Other Information you share with us.
Legal requirements. We use this information to comply with laws and regulations (e.g. labor and employment laws, health and safety, tax, whistleblowing, anti-discrimination laws) or to exercise or defend our legal rights.
Identification data, Contact data, Hiring data, Demographic data, Other Information you share with us.
DEI Goals. We use this information, when you choose to provide it for this purpose, as necessary to help us understand the diversity of our candidate pool and to support core business diversity, equity, and inclusion initiatives.
Demographic data
When we collect your personal data, we generally do so directly from you or from a third party when you have given us permission. We will only use this data for the reasons we originally collected it and if we need to use the data for another legitimate business reason, we will notify you directly and get your permission where required. If we ask you to provide personal data not described above, the reason for doing so will be made clear to you at the point we collect it.
Jurisdictions With Special Requirements
Legal Basis to Process — If you are from a jurisdiction that requires a legal basis for processing personal data (such as the EEA, UK, or Brazil), Twilio’s legal basis will depend on the personal data concerned and the context in which we collect it. We will normally collect personal data from you only where we need the data to assess your application for a position at Twilio, to comply with our legal obligations, or where the processing is in our legitimate interests, provided this is not overridden by your data protection interests or fundamental rights and freedoms. You can see examples of the data we use for our legitimate interests in processing your application in the hiring section of the table above. We also rely on your consent in certain situations — for example, processing sensitive personal data related to demographic categories.
If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether providing your personal data is mandatory or not, as well as the possible consequences if you do not provide it.
Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed in the table above, we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the Questions? section below.
Data Controllers — If you are located in the EEA or the UK, the data controller of your personal data will be the corporate entity that manages the hiring process (e.g. Twilio Ireland Limited for employees based in Ireland).
What is Our Commitment to Processing Demographic Data?
Global workforce diversity, equity, and inclusion is a priority for us. We collect certain demographic data such as race, ethnicity, sexual orientation, disability, and military status to help us to support core business diversity, equity, and inclusion initiatives. In some circumstances, we may also need to use this data to comply with local laws. We generally collect this information on a voluntary consensual basis at the outset of your application, and you are not required to provide it unless it is necessary for us to comply with a legal obligation. We will not share your data without your permission unless we are legally required to do so.
We do not sell your personal data or share your personal data for the purpose of behavioral advertising and we do not allow any personal data to be used by third parties for their own marketing purposes. You can see the type of third parties we might need to share your personal data with, and our reasons for doing so, in the table below. We will obtain your consent to any disclosure of your personal data where required by law
Recipients
Why We Share It
Team Members and Twilio Group Companies
To manage the referral process and establish your employment with Twilio.
Consultants and Advisors
To seek legal advice from external lawyers and advice from other professionals such as accountants, management consultants.
Service Providers
To enable third parties to provide services to you on behalf of Twilio such as recruitment providers, financial investment service providers, insurance providers, healthcare providers and other benefits providers, payroll support services.
Partners in Corporate Transactions and their professional advisors
In connection with the sale, assignment or other transfer of all or part of our business.
Government Authorities or Law Enforcement
- If we in good faith believe we are compelled by any applicable law, regulation, legal process or government authority; or
- Where necessary to exercise, establish or defend legal rights, including to enforce our agreements and policies.
Other Third Parties
- To protect Twilio’s rights or property;
- To protect Twilio, our other customers, or the public from harm or illegal activities;
- To respond to an emergency which we believe in good faith requires us to disclose personal data to prevent harm; or
- With your consent, such as for social events hosted by Employee Resource Groups
All vendors we engage to process your personal data on our behalf go through a robust privacy and security vetting process and are required to contract with us on terms that ensure the appropriate use and protection of your personal data.
As a global organization, we may need to transfer your personal data outside your home jurisdiction to Twilio group companies, including our headquarters in the US, and other countries. These countries may have data protection laws that are different from the laws of your region. We will only transfer personal data to another country in accordance with applicable data protection laws, and provided there is adequate protection in place for the data.
Internal Transfers — We have established and implemented a set of Binding Corporate Rules for controllers to ensure adequate protection for internal transfers of personal data between Twilio Group Members in the European Union and elsewhere. Our privacy practices, described in this Notice, comply with the APEC Cross Border Privacy Rules (“CBPR”). The APEC CBPR system provide a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found here.
While we do not rely on the EU-US Data Privacy Framework or Swiss-U.S. Data Privacy Framework (collectively “DPF”) for cross-border data transfers of Applicant data, we still adhere to the DPF Principles for all personal data that we process as a matter of good practice. To learn more about the DPF Program, please visit the DPF Website here.
External Transfers — If we need to transfer your personal data outside Twilio to a third party who handles that data on our behalf (e.g. payroll providers) we rely on other agreements, such as Standard Contractual Clauses.
We respect your expectation of privacy and only monitor your individual activity if we have a reasonable, proportionate, and legal reason for doing so.
If you visit a Twilio office as part of your application, we monitor your physical activity with badge readers, sign-in sheets, and surveillance cameras. The data we capture may include Identification data. Where we have in-office cameras, we post signs to let you know. We do this to prevent unauthorized access to our offices and to protect Team Members, authorized visitors, and our property.
When you apply for a job with us, we retain your data to determine your eligibility for a current or future role with us. The retention periods vary depending on your location and local legal requirements. (Add for Germany-note for retention schedule)(Discuss the difference between unsuccessful and successful applicants)For example, in the U.S for unsuccessful applicants we retain Applicant data for three years,in Ireland for one year, and in Germany six months. Retention periods for successful applicants that move on to become Twilio employees are governed by the Twilio Global Employee Privacy Notice. If you have specific questions about how long we retain your data for other jurisdictions please contact us using the contact information provided in the Questions? section below.
As an applicant you have the right to make choices about your personal data. Where applicable and in certain circumstances, these legal rights include:
- The right to update your data if it’s out of date, incomplete, or inaccurate;
- The right to request confirmation that we are processing your data and be provided with access to the data we process about you;
- The right to have your data deleted;
- The right to restrict the processing of your data;
- The right to transmit your data to another organization;
- The right to object to the processing of your personal data;
- The right to withdraw consent for data you’ve provided to us on a consensual basis; or
- The right to obtain information about the entities Twilio has shared your data with.
Please contact the recruiter you worked with or the Privacy Team via email at privacy@twilio.com to exercise your rights.
We use appropriate technical and organizational security measures to protect the security of your personal data both online and offline including the implementation of access controls, firewalls, network intrusion detection, and use of anti-virus software. These measures vary based on the sensitivity of the personal data we collect, process, and store, and the current state of technology. We also take measures to ensure that third parties that process personal data on our behalf also have appropriate security controls in place.
We hope we can resolve any disputes relating to our data protection practices between us. However, if you have a dispute with us relating to our data protection practices, you can raise your concern or dispute by contacting our Privacy Team either via email at privacy@twilio.com or, if you are based in Germany, by contacting our German Data Protection Officer via email at Germany-DPO@twilio.com.
Alternatively you can contact us by mail at any of the following addresses:
|
Worldwide Headquarters |
EEA Headquarters |
|---|---|
|
Twilio Inc. |
Twilio Ireland Limited |
Right to Complain to a Supervisory Authority — While we hope we can resolve any dispute between us, you have the right to lodge a complaint with the supervisory authority in the country where you work or where you consider any data protection rules to have been breached.
Rights under Twilio’s Binding Corporate Rules for Controller — You may have additional rights under our BCRs in the EU and other countries that recognise the BCRs. For example, where you believe your personal data has been transferred by an EU-based Twilio company to our US headquarters and processed by the US company in breach of the BCRs, you may have a right to:
- Lodge a complaint with the Twilio company that transferred your data outside Europe;
- Lodge a complaint with the supervisory authority in the same country as the Twilio company that transferred your data outside Europe; and
- Bring a court action against the Twilio company that transferred your data outside Europe.
Please direct any questions or inquiries about this Notice to the Privacy Team via email to privacy@twilio.com.
Changes to this Notice
You can see when this Notice was last updated by checking the "last updated" date displayed at the top. If we update this Notice in a way that impacts your rights, we will provide advance notice to you by sending an email via the address we have on file for you. We will comply with applicable law with respect to any changes we make to this Notice and seek your consent to any material changes if this is required by applicable law.