Twilio Employee Privacy Notice
Last Updated October 30, 2018
We believe that our employees, just like our customers, deserve a “no shenanigans” approach to their personal data. To that end, we have put together this privacy notice to give you a better understanding of what personal data we collect from you as an employee or employee applicant, what we use that personal data for, and to whom we disclose that data.
(For information about Twilio’s collection of data from visitors to its website or users of its products and services, click here. For translations of the Twilio Employee Privacy Notice, select Estonian, German, Spanish, or Swedish. The translated versions are provided for convenience only. In the event of any difference in meaning between the English language version and any translated version, the English language version will prevail.)
For purposes of this notice:
- The words “our,” “us,” “we,” and “Twilio” refer to Twilio Inc., our subsidiaries and other affiliates (which includes any person or entity that controls us, is controlled by us, or is under common control with us, such as our subsidiary, parent company, or our employees).
- The term “employee” refers to all employees, directors, officers and Board members of Twilio, or other consultants and individual contractors engaged by Twilio;
- The term “employee applicant” will refer to individuals who have submitted information to Twilio (such as a resume or job application) in order to apply to be a Twilio employee;
- The term “personal data” means any information which relates to an identifiable, living individual and references one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
- The term “sensitive personal data” means personal data about physical or mental health, racial or ethnic origin, political or religious views, trade union membership, sexual orientation, genetic data, biometric information, the commission or alleged commission of crime or related proceedings, personal data of children, and, in some countries, financial information. Sensitive personal data is usually subject to even stricter controls and protections.
Compliance With Local Laws
This privacy notice is a general guide to how Twilio treats employee and employee applicant personal data.
You should be aware that data privacy laws can vary in different jurisdictions where Twilio operates and has employees. Twilio’s policy is to comply with local laws, including requirements in certain countries that Twilio notify its employees in that country of its personal data practices, and in some cases, obtain consent to those practices.
Where local laws are stricter than the policies described in this notice, Twilio has adopted specific privacy practices in those locations to satisfy those stricter requirements. Where local laws are less strict than this policy, the protections described in this notice will apply.
What Personal Data Do We Collect and How Do We Collect It?
Twilio collects and stores different types of personal data about employees and employee applicants such as:
- Identification data – such as your name, gender, photograph, date of birth, employee identification number, languages.
- Contact details – such as home address, telephone, email addresses, and emergency contact details.
- Employment details – such as job title/position, office location, hire dates, employment contracts, performance and disciplinary records, grievance procedures, sickness/holiday records.
- Educational and professional background – such as academic/professional qualifications, education, CV/résumé, reference letters and interview notes, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).
- National identifiers – such as national ID/passport, immigration status and documentation, visas, social security numbers (US only), national insurance numbers.
- Spouse, beneficiary & dependents information, marital status.
- Financial information – such as banking details, tax information, payroll information, withholdings, salary, benefits, expenses, company allowances, stock and equity grants.
- IT information – information required to provide access to Twilio’s IT systems and networks such as IP addresses, log files, login information, software/hardware inventories. For further information about how we process IT information, see our “Monitoring” section below.
- Other information you choose to share with us – e.g. hobbies, social preferences etc.
We may also collect certain demographic data that qualifies as sensitive personal data, such as race, ethnicity, sexual orientation, and disability to help us understand the diversity of our workforce. This information, when collected, is generally done so on a voluntary consensual basis, and employee and employee applicants are not required to provide this information, unless it is necessary for us to collect such information to comply with our legal obligations.
Most often, the personal data we collect from employees and employee applicants is collected from them directly. In some cases, we may collect personal data about employees and employee applicants from third parties, for example, when we perform background checks that are necessary for the role to be performed by the employee. In most circumstances, we will get your permission before we collect personal data about you from a third party.
If we ask you to provide any other personal data not described above, then the personal data we will ask you to provide, and the reasons why we ask you to provide it, will be made clear to you at the point we collect it.
What Do We Use the Personal Data For?
Twilio uses and discloses the personal data that we collect primarily for the purposes of managing our employment relationship with you, along with other business purposes. Such uses include:
- determining eligibility for hiring, including the verification of references and qualifications and, where permitted by law, administering background checks;
- administering payroll and benefits as well as processing employee work-related claims (e.g., worker compensation, insurance claims, etc.);
- establishing training and/or development requirements;
- reviewing work performance and determining performance requirements;
- disciplinary actions or termination;
- establishing emergency contacts;
- complying with laws and regulations (e.g. labor and employment laws, health and safety, tax, anti-discrimination laws), under judicial authorization, or to exercise or defend legal rights;
- compiling internal directories, such as employee directories;
- to detect fraud or other types of wrongdoing;
- IT security and administration; and
- for other legitimate purposes reasonably required for day-to-day operations, such as accounting, financial reporting and business planning.
We may also use your personal data for other lawful purposes which we will tell you about, and provided that we get your consent to that use, if required by law to do so.
Legal Basis for Processing Personal Data (EEA Employees Only)
If you are an employee in the European Economic Area (EEA), our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the context in which we collect it. However, we will normally collect personal data from you only where we have your consent to do so, where we need the personal data to carry out our employment contract with you, where we need the personal data to comply with our legal obligations or exercise rights in the field of employment, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may need the personal data to protect your vital interests or those of another person (for example, we may need to share your personal data with third parties in the event of an emergency at work).
If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether the provision of your personal data is mandatory or not (as well as the possible consequences if you do not provide it).
Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed above, we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the “Questions?” section below.
Twilio physically and electronically monitors its offices, and use of our IT and communications systems, for specific purposes.
For example, we may monitor employees’ activity and presence in our offices with badge readers, sign-in sheets, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property.
Twilio may also monitor or record activity on our IT and communications systems and network, such as internet traffic, website filtering, email communications or systems accessed. More information on electronic monitoring is in the Twilio Property Section of the Employee Handbook.
Where permitted by law, we may also carry out monitoring for other purposes such as:
- Proof of business transactions and archiving;
- Training and evaluation of employees;
- Protection of confidential information, intellectual property and other business interests;
- To investigate breaches of Twilio policies and procedures, or other unlawful or improper acts;
- For compliance with a legal obligation;
- Other legitimate purposes as permitted by applicable law.
In the process of monitoring Twilio’s offices, systems, network and work-related activities, we may come across employees’ or employee applicants’ personal data. Monitoring will be done in a manner that is proportionate and only as required or permitted by applicable law. Twilio will always strive to respect employees’ reasonable privacy expectations.
Lastly, we want you to be aware that all Twilio employee work product as well as tools used to generate that work product, wherever stored, belongs to Twilio and we may review and monitor them for the purposes described above.
With Whom Do We Share Your Data?
We take care to allow your personal data to be accessed only by those who really need to in order to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it.
We may share your personal data with other employees, other Twilio group companies, contractors, consultants and service providers who require the data to assist Twilio to establish, manage or terminate your employment with Twilio, including parties that provide products or services to us or on our behalf and parties that collaborate with us to provide services to you. For example, we engage third parties such as employee benefit plan providers, payroll support services and employee travel management services. In some cases, these parties may also provide certain IT and data processing services to us so that we can operate our business. When we share personal data with these parties we typically require that they use or disclose that personal data only as instructed by Twilio and in a manner consistent with this Privacy Notice. We also enter into contracts with these parties to make sure they respect the confidentiality of your personal data and have appropriate data security measures in place.
If we go through a corporate sale, merger, reorganization, dissolution or similar event, personal data we gather from you may be transferred in connection with such an event. Any acquirer or successor of Twilio may continue to use the data as described in this notice provided that the acquirer or successor is bound by appropriate agreements or obligations and may only use or disclose your personal data in a manner consistent with the use and disclosure provisions of this notice, or unless you consent otherwise.
We may also disclose your personal data to a third party under the following circumstances:
- if we in good faith believe we are compelled by any applicable law, regulation, legal process or government authority;
- where necessary to exercise, establish or defend legal rights, including to enforce our agreements and policies;
- to protect Twilio’s rights or property;
- in connection with regular reporting activities to other members of the Twilio corporate family;
- to protect Twilio, our other customers, or the public from harm or illegal activities;
- to respond to an emergency which we believe in good faith requires us to disclose data to prevent harm; or
- with your consent.
International Operations and Transfers Out of Your Home Jurisdiction
Your personal data may be collected, used, processed, stored or disclosed by us and our service providers outside your home jurisdiction, including in the U.S., and in some cases, other countries. These countries may have data protection laws that are different the laws of your country. Twilio only transfers personal data to another country, including within the Twilio corporate family, in accordance with applicable privacy laws, and provided there is adequate protection in place for the data.
Twilio has established and implemented a set of Binding Corporate Rules (“BCRs”) for international transfers between Twilio entities in the European Union and Twilio entities elsewhere. These have been approved by European Union Data Protection Authorities and are a commitment by Twilio to adequately protect personal information that Twilio processes regardless of where the information resides. You can access Twilio’s BCRs here.
Additionally, where Twilio's BCRs do not apply, we will rely on European Commission’s Standard Contractual Clauses for transfers of personal data between the Twilio group companies, which require all group companies to protect personal data they process from the European Economic Area in accordance with EU data protection laws. Our Commission’s Standard Contractual Clauses can be provided on request.
We will ensure your personal data is treated in accordance with this Privacy Notice and our Binding Corporate Rules wherever we process it.
How Do We Secure Your Data?
We use appropriate technical and organizational security measures to protect the security of your personal data both online and offline including the implementation of access controls, implementation of firewalls, network intrusion detection and use of anti-virus software. Please note that no system is completely secure. So, while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.
How Do You Update Your Personal Data?
It is important that the information contained in our records is both accurate and current. We offer various self-help tools that will allow you to update certain of your personal data in our records. If your personal data changes during the course of your employment, please use these self-help tools to update that data, where available, or let HR Ops (HROps@twilio.com) know of those changes.
How Can You Request Access to Your Personal Data?
Several of Twilio’s self-service tools allow you to see and/or update personal data that we hold. If we have personal data that you cannot access via these self-service systems, then you may make a request to your HR Business Partner. Please make this request in writing (email is fine). We may ask you for information to verify your identity and evaluate your right to access the personal data requested. You can also ask that we delete personal data that you believe is inaccurate or no longer relevant in this same way.
What Other Rights Do You have Over Your Personal Data?
In addition to being able to update, correct, and access your personal data, you may also have other data protection rights.
For example, if we have collected and processed your personal data with your consent, then you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we carried out prior to your withdrawal, nor will it affect processing of your personal data carried out in reliance on other lawful grounds other than consent.
Also, starting May 2018, if you are an employee in certain regions (such as the EEA), you may have certain additional rights in relation to your personal data, such as:
- The right to object to processing of your personal data, ask us to restrict processing of your personal data, or request portability of your personal data.
- To have your personal data erased in a number of other circumstances, such as where it has been unlawfully processed, or where there is no overriding legitimate grounds for the processing.
You can make any of these requests by using the contact details provided in the “Questions?” section below. We will respond to all requests in accordance with applicable data protection laws.
How Long Do We Retain Your Personal Data?
We will keep your personal data for as long as is needed to carry out the purposes we’ve described above, or as otherwise required by law. Generally, this means we will keep your personal data until the end of your employment with us, plus a reasonable period of time after that where necessary to respond to any employment inquiries, deal with legal, tax, accounting or administrative matters, or to provide you with ongoing pensions or other benefits.
Where we have no continuing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
Revisions to This Privacy Notice
We may, from time to time, make updates or changes to this privacy notice because of changes in applicable laws or regulations or because of changes in our personal data practices. We will give you notice of any material changes that impact your personal data, and where consent is necessary to make a change apply to our practices with respect to your personal data, we will not apply the changes to your personal data until we have that consent.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
Questions or inquiries about this notice can be directed to firstname.lastname@example.org. Alternatively, you may also raise any questions or concerns directly with your line manager, your local HR team, or through the Privacy Team.
Further, for our EU employees:
- The data controller of your personal data will be the corporate entity that employs you (e.g. Twilio Ireland Limited for employees based in Ireland).
- You also have the right to lodge any complaints or concerns with your local data protection authority. You can find a list of the European DPAs here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
For employees of Twilio in Germany, questions or inquiries about employee-related privacy issues can be directed to Germany-DPO@twilio.com.