Jump to the California Consumer Privacy Notice




CBRE, Inc., together with its subsidiaries (collectively, “CBRE”, “we”, “us” or “our”), recognize that when you use Host Work, you’re trusting us with your personal information. We understand this is a big responsibility and recognize the importance of respecting and giving you control over your privacy.

This Privacy Notice (“Notice”) is meant to help you understand:

  • what personal information we collect about you,
  • how we use, disclose and safeguard your personal information,
  • how you can update, manage, export, and delete your information,
  • how you can use settings within your device to control your privacy, and
  • how you can contact us about our privacy practices.

The Types of Information We Collect and How We Use It

 

The categories of personal information we collect and how we use such information is set out below.

Personal information we collect and how we use it:

Employment Information—the name of your employer, your business email address, and your office location

We collect your business email address when you register with Host Work and verify it with Employment Information provided by your employer to offer you Host Work and to manage our relationship with you, including to contact you about Host Work services. We have a legitimate business interest to use this information for these purposes.

When you purchase food or beverages through the Marketplace or register for events or classes, we may share your name, office location, and email address with our third-party vendors to enable them to fulfill your order or give you access to an event or class. We have a legitimate business purpose to use this information for these purposes.

Your Personal Contact Information—personal (non-business) email address

If you provide us with your personal email address, we will collect that information to provide you with Host Work. We have a legitimate business interest in collecting this information for these purposes.

Device Information—Calendar information

We collect information your work calendar to determine your availability for meetings and to allow you to reserve space at your workplace. We also use room reservation information from your calendar to determine space usage at your workplace. We have a legitimate business interest to collect this information for these purposes.

Device Information—unique ID, frequency of use, click tracking

We generate a unique customer ID for the mobile device on which you download the Host Work app. We collect information on how you use the app, such as how often you use it and which items you click on and combine it with this unique customer ID to enable us to generate anonymized analytics and reports. We do this to improve our app and better serve our customers. We have a legitimate business interest to collect this information for these purposes.

Device Location—Data Location tracking

When you are at your employer’s workplace where Host Work is enabled, we track your device location to connect you with coworkers who are at the same workplace, to enable wayfinding within your office, and to offer you other location-based services. We rely on your express consent to collect this information for these purposes. You may withdraw this consent at any time by adjusting your device settings to not permit the Host Work app to use your location.

Payment Card Information—name, payment card number, expiration date and security code

If you add add your payment card information (PCI) into the Host Work app, we send that data to Stripe, our payment card vendor. We do not store your PCI. Your device will store your PCI and send your PCI to Stripe whenever you make a purchase through Host Work. We have a legitimate interest in collecting and transmitting your PCI to Stripe to allow you to make purchases through Host Work.

Food and Beverage Purchase History—the food and beverages order and the cost

When you purchase food or beverages from a third-party vendor through Host Work, we will collect information relating to such purchases to customize our services for you, including providing recommendations. We rely on your express consent to collect this information for these purposes.

Marketplace Orders and Registrations—information collected by our vendors

When you purchase food or beverages through the Marketplace or register for events or classes, we may facilitate the collection of information by our vendors through the app. These vendors are the controllers of this information, and we encourage you to read our vendors’ privacy notices to understand how they will use and store your information.

Service Requests—any information you voluntarily provide

When you submit a service request through the app, we may use any information you provide in order to fulfill your request. We have a legitimate business interest to use this information for these purposes.

Your Contact Information provided by a Third-Party—name, business or personal (non-business) email addresses

For any person who visits a Host Work workplace, other than a registered Host Work user, a third party (i.e. a Host Work user) may provide us with your name and business or personal email address. We use this information to allow you access to our workplace. We have a legitimate business interest in collecting this information for these purposes.

Other Uses:


We may also use the personal information we obtain about you for the following purposes:

  • Creating and managing any accounts you may have with us and responding to your inquiries;
  • Operating, evaluating and improving our business (including developing new products and services; managing our communications; determining the effectiveness of and optimizing our services; analyzing our products and services; and facilitating the functionality of the Host Work app)
  • Preparing and furnishing aggregated data reports to your employer containing anonymized or pseudonymized information
  • Enforcing our Terms and Conditions or other legal rights.

If you object to us using information in other ways you may communicate your objection to us as specified below under “Your Privacy Rights.”

Third Parties with Whom We Share Your Personal Information

Service Providers:

 

We may share your personal information with companies acting as our authorized agents in providing our services, including the following categories of service provider:

  • infrastructure and IT service providers, including cloud service providers
  • external auditors and advisors
  • cookie analytics providers
  • online advertisers
  • providers of website testing / analytics services

Each service provider must agree to implement and maintain reasonable security procedures and practices appropriate to the nature of your information in order to protect your personal information from unauthorized access, destruction, use, modification or disclosure. Because we operate globally, we may transfer your information to countries or jurisdictions that do not provide the same level of data protection as the country in which you are based. If we make such a transfer, we will, or our vendors will, as applicable, provide for the proper safeguards required by applicable law to ensure that your information is protected. More information on International Data Transfers of your personal information is below.

Where we share your personal information for our legitimate interests you can object to this disclosure. Please be aware that when you object to disclosure of your personal information for CBRE’s legitimate interests it may affect the services we provide to you. More information on Your Privacy Rights is below.

Legally Affiliated Entities:

 

In the event that CBRE is merged, or in the event of a transfer of our assets, Site or operations, CBRE may disclose or transfer your personal information in connection with such transaction. In the event of such a transfer, CBRE will notify you via email or by posting a prominent notice on our Site for 30 days of any such change in ownership of CBRE resulting in a change of control of your personal information. We may also share your personal information with CBRE affiliates in order to provide or offer services to you.

Legally Compelled Disclosure:

We will also disclose your personal information when required to do so by law, for example, in response to a court order or a subpoena or other legal obligation, in response to lawful requests by public authorities, including to meet national security or law enforcement agency's requirements, or in special cases when we have reason to believe that disclosing your personal information is necessary to identify, contact or bring legal action against someone who may be causing injury to or interference with (whether intentionally or unintentionally) our rights or property.

International Data Transfers

Processing in the US and Elsewhere:

 

CBRE is a global business. We may transfer the personal information we collect about you to recipients, and your personal information may be stored and processed, in countries other than the country in which the information was originally collected, including the United States and elsewhere that may have less stringent data protection laws than the country in which you initially provided the information.

When we transfer your information to countries other than the country in which the information was originally collected, we will protect your information as described in this Notice or as otherwise disclosed to you at the time the data is collected (e.g. via program specific privacy notice) and will comply with all applicable data protection laws in making such transfers.

If you are located in a non-US jurisdiction, the transfer of personal information is necessary to provide you with the requested information and/or to perform any requested service. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.

With respect to transfers originating from the European Economic Area to the United States and other non-EEA jurisdictions:

  • CBRE US affiliates are EU-US and Swiss-US Privacy Shield certified, and
  • CBRE has executed EU Standard Contractual Clauses with respect to personal information collected in the European Economic Area and transferred to CBRE in the United States and elsewhere.

Where required by applicable law, you may ask for further information on the safeguards that we have put in place to safeguard the transfer of your data to outside of the EEA by contacting us as indicated below.

Privacy Shield Certification:

 

CBRE complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding personal information that is collected by CBRE affiliates or corporate customers located in the European Economic Area and/or United Kingdom and/or Switzerland and transferred to CBRE, Inc. and its wholly owned US-based affiliates, which include CBRE Global Investors LLC, CBRE GWS Puerto Rico Inc., CBRE Clarion Securities LLC, CBRE Security Services, Inc., CBRE Heery Inc., CBRE HMF, Inc., CBRE Multifamily Capital, Inc., CBRE Capital Markets, Inc., and Trammell Crow Company LLC, and CBRE Technical Services, LLC in the United States (“CBRE US”). This Notice supplements the data protection notices that Clients and Client contacts may have received. CBRE has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. CBRE is subject to investigatory enforcement powers of the Federal Trade Commission as it relates to conformation with Privacy Shield requirements.

Independent Recourse of Privacy Shield Complaints

 

In compliance with the EU-US and Swiss-US Privacy Shield Principles, CBRE commits to resolve complaints about our collection or use of your personal information. EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact CBRE at: [email protected].

CBRE has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit www.jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by JAMS. For additional information on binding arbitration, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Security


CBRE endeavors to protect the security of your personal information and your choices for its intended use. We use Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology to protect the transmission of your personal information. We store your personal information on a secure server, and use procedures designed to protect the personal information we collect from unauthorized access, destruction, use, modification or disclosure.

Although we will take (and require our third-party providers to take) commercially reasonable security precautions regarding your personal information collected from and stored on the Site, due to the open nature of the Internet, we cannot guarantee that any of your personal information stored on our servers, or transmitted to or from a user, will be free from unauthorized access, and we disclaim any liability for any theft or loss of, unauthorized access or damage to, or interception of any data or communications. By using Host Work, you acknowledge that you understand and agree to assume these risks.

How Long We Keep Your Personal Information


We will only retain the personal information we collect about you for as long as necessary for the purpose for which that information was collected, and to the extent permitted by applicable laws. We take steps to ensure that when we no longer need to use your personal information, we remove it from our systems and records and/or take steps to anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).

 

Your Privacy Rights

Requesting Access to Your Personal Information and Other Rights:

 

You may also have rights under applicable law to request to review, access, correct, delete, port or object to our processing of your personal information, and lodge a complaint with a supervisory authority. If so, you may do so by making a request on CBRE’s data subject rights portal or submitting your request to [email protected]

Independent Recourse for Privacy Shield Complaints:

 

Information about independent recourse for Privacy Shield complaints can be found above.

Our Privacy Policy


For more information on CBRE, Inc.’s privacy practices, consult our Privacy Policy.

Changes to this Notice


We are a rapidly evolving, global business. We will continue to assess this Notice against new technologies and services, business practices as well as our clients’ needs, and make changes to this Policy from time to time as required. If we make any material changes to this Notice, we will update the Notice here. If the changes are significant, we will provide notice through the app and/or via email notification.

Contact Us


You are always free to contact us if you have questions or concerns regarding this Notice. You may contact us by emailing [email protected] or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy.

Visitors in Europe, the Middle East or Africa:

 

If you are located in Europe, the Middle East or Africa, you may also e-mail us at [email protected] or write to us at St. Martins Court, 10 Paternoster Row, London EC4M 7HP, United Kingdom, Attention: EMEA Director, Data Privacy.

Visitors in Asia or the Pacific:

 

If you are located in Asia or the Pacific, you may also e-mail us at [email protected] or write to us at 40/F GT Tower International, 6813 Ayala Ave. cor H.V. Dela Costa Street, Salcedo Village, Makati City, Philippines 1227, Attention: APAC Senior Manager, Data Privacy.


HOST WORK—CALIFORNIA CONSUMER PRIVACY NOTICE


Effective Date: January 1, 2020
Last Reviewed on: December 27, 2019

This California Personal Information Privacy Notice (“Notice”) supplements the Host Work Privacy Notice. This Notice applies solely to consumers who use Host Work who reside in the State of California (“you”) and generally explains how CBRE collects and uses your Personal Information in the context of your use of the Host Work App and the Host Services. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws.

We reserve the right to update this Notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your Personal Information.

CONTENTS


1. HOW “PERSONAL INFORMATION” IS DEFINED IN THIS NOTICE


“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. “Personal information” does not include information publicly and lawfully made available in government records, deidentified or aggregate information about California consumers or households, and information excluded from the CCPA’s scope (for example, health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994).


2. PERSONAL INFORMATION WE COLLECT, PURPOSES OF USE AND SOURCES


In this section we set out what categories of Personal Information we collect about you, how we use it, and the sources of such Personal information. This section is to be read together with, and supplements, the information we provide in the Host Work Privacy Notice.

  1. General Information

For general notice on the categories of personal information we may collect and the business or commercial purposes for the use of such Personal Information, please refer to the following information in the Host Work Privacy Notice:

  • The Types of Information We Collect and How We Use It
  1. Your Right to Know About Personal Information Collected in the last 12 months

In the last 12 months, CBRE has collected the categories of Personal Information described in the table below. The categories included in the table have been defined in a way that we believe will be meaningful to you:

  • In the second column, we have provided reference to the corresponding category or categories of Personal Information specified in the CCPA. A description of such categories follows directly after this table.
  • In the third column, we set out the business or commercial purpose for use of such information.
  • In the fourth column, we set out the categories of sources from which such information was collected.
  • In the fifth column, we set out the categories of third parties with whom Personal Information is shared.

Categories of PI collected CCPA Category (See Below) Business or Commercial Purpose(s) Categories of Sources Categories of Third Parties with whom PI is Shared*
Employment Information—the name of your employer, your business email address, and your office location A, B, I
  • To verify your Employment Information provided by your employer to offer you Host Work.
  • To manage our relationship with you, including to contact you about Host Work services.
  • Individual
  • Individual's employer
  • Service Providers
  • Aggregated data back to your Employer.
  • Third-party vendors - When you purchase goods or services through the Marketplace or register for events or classes, we may share your name, office location, and email address with our third-party vendors to enable them to fulfill your order or give you access to an event or class.
Your Personal Contact Information—personal (non-business) email address A, B We use your contact information for your account and to provide you with the Host Work service. Individual Service Providers
As a guest to a Host Work location—Your Contact Information provided by a Third-Party—name, business or personal (non-business) email addresses A, B For any person who visits a Host Work workplace, other than a registered Host Work user, a third party (i.e. a Host Work user) may provide us with your name and business or personal email address. We use this information to allow you access to our workplace. Third party Service Providers
Device Information—Calendar information A, B, K We collect information your work calendar to determine your availability for meetings and to allow you to reserve space at your workplace. We also use room reservation information from your calendar to determine space usage at your workplace. Individual Service Providers
Device Information—unique ID, frequency of use, click tracking F We generate a unique customer ID for the mobile device on which you download the Host Work app. We collect information on how you use the app, such as how often you use it and which items you click on and combine it with this unique customer ID to enable us to generate anonymized analytics and reports. We do this to improve our app and better serve our customers. Individual
  • Service Providers
  • Aggregated data back to your Employer.
Device Location Data—Location tracking G When you are at your employer’s workplace where Host Work is enabled, we track your device location to connect you with coworkers who are at the same workplace, to enable wayfinding within your office, and to offer you other location-based services. We rely on your express consent to collect this information for these purposes. Individual Service Providers
Payment Card Information—name, payment card number, expiration date and security code A, B If you add your payment card information (PCI) into the Host Work app, we send that data to Stripe, our payment card vendor. We do not store your PCI. Your device will store your PCI and send your PCI to Stripe whenever you make a purchase through Host Work. We have a legitimate interest in collecting and transmitting your PCI to Stripe to allow you to make purchases through Host Work. Individual Stripe, our payment card vendor
Marketplace Order History—the goods or services ordered and the cost A, B, D, K When you purchase goods or services from a third-party vendor through Host Work, we will collect information relating to such purchases to customize our services for you, including providing recommendations. We rely on your express consent to collect this information for these purposes.
  • Individual
  • Third-party vendor
Service Providers

The 11 enumerated categories under the definition of “Personal Information” in the CCPA, some of which are referenced in the second column of the table above, are:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80 of the California Civil Code.

(C) Characteristics of protected classifications under California or federal law, including age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information (defined in the CCPA as an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information).

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any other type(s) of Personal Information as defined by the CCPA to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.


3. DISCLOSURE OF YOUR PERSONAL INFORMATION


  1. General Information

For general information on the categories of third parties with whom we share your Personal Information, please refer to the following information in the Host Work Privacy Notice:

  • Third Parties With Whom We Share Your Personal Information
  1. Your Right to Know About Personal Information Shared in the last 12 months

In the last twelve (12) months, in the course of operating our business, CBRE has disclosed all of the categories of Personal Information identified in column 1 of the table above to the following categories of third parties for a business purpose.

  • Our affiliates.
  • Service providers, such as:
    • infrastructure and IT service providers, including cloud service providers
    • external auditors and advisors
    • cookie analytics providers
    • online advertisers
    • providers of website testing / analytics services
  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you, including in government filings.

We do share aggregated, de-identified data with your Employer to report general statistical information about engagement with the Host Work App.

When you order goods or services through the Marketplace, we facilitate the collection of your name, office location, and email address by our third-party vendors to enable them to fulfill your order or give you access to an event or class, subject to a Marketplace Vendor Agreement. Please contact the Marketplace Vendor directly if you have any questions regarding the handling of your Personal Information by a Marketplace Vendor.

4. SALE OF YOUR PERSONAL INFORMATION


  1. Your Right to Know About the Sale of Your Personal Information

California law requires that we provide you with information about certain disclosures of Personal Information to third parties, where the disclosure involves monetary or other consideration. California treats these disclosures as “sales” of information, even if no money changes hands. In the twelve (12) months preceding January 1, 2020, we “sold” certain categories of Personal Information to third parties for a business or commercial purpose, as described in the chart below. As of January 1, 2020, we do not engage in the sale of Personal Information.

  1. Categories of Personal Information Sold

  2. Categories of PI collected CCPA Category (See Above) Categories of Third Parties to whom such PI categories are sold
    Contact information & Your Professional Information A, B
    • Sponsors & Business Partners
    Event Attendance Information A, B, D
    • Sponsors & Business Partners
    Cookie data A, F, K
    • Advertising Networks

5. RIGHT TO KNOW, ACCESS, AND TO DELETE YOUR PERSONAL INFORMATION


As a consumer residing in the state of the State of California, you have the right to request that: (i) CBRE discloses the categories of Personal Information that we collected, the categories of the sources of such Personal Information, the business or commercial purposes for collecting such Personal Information, the categories of third parties to whom we disclosed such Personal Information, and/or, if we sold or disclosed your Personal Information, the categories of Personal Information that each category of recipient purchased or obtained, and/or (i) that we provide you with copies of such Personal Information. You may make two such (2) requests in any 12-month period.

Subject to certain exceptions, you may also request that we delete any Personal Information about you that we may hold. We may have grounds to deny your deletion request as provided for in the CCPA.

Upon receipt of your request to know, for access, or for deletion, we will need to reasonably verify that you are the person about whom we collected Personal Information. We may do so by asking for additional information (“Verifiable Information”) to compare against the information we hold about you, or if you have an account with us, by asking you to log in to that account. We will only use Verifiable Information to verify your identity or authority to make the request. We may also ask you to provide additional detail or clarify your request to allow us to properly understand, evaluate and respond to it.

Types of Verifiable Information we may ask for depend on the context of your relationship with CBRE, but may include:

  • Name of a CBRE employee with whom you interacted,
  • Date or other details of a transaction you had with CBRE,
  • Email address, phone number, or other contact information we may have on file for you.

6. HOW TO EXERCISE YOUR RIGHTS


You may exercise your rights to know, access, delete or opt out by completing the form in our Data Subject Rights Portal or by calling us at +1 (866) 428 4722. We will ask for your name, email address, and your relationship to us in order to begin processing your request.

You may authorize someone to submit a rights request on your behalf. You may do this by providing that person with power of attorney pursuant to the California Probate Code. Alternatively, you may provide that person with signed, written permission to submit requests on your behalf, but we will still require you to verify your identity with us directly by one of the methods listed above. In either case, we will also require that person to verify their personal identity via one of the above methods, or, in the case of a business entity, by response to communications directed at a well-known internet domain associated with that business or to contacts provided in that entity’s official filings with the California Secretary of State.

7. NON-DISCRIMINATION FOR EXERCISING RIGHTS


We are prohibited from discriminating against you because you exercised any of your rights to know, access, delete or opt-out of the sale of your Personal Information.

8. DISCLOSURES FOR THIRD PARTIES’ DIRECT MARKETING


Under California’s Shine the Light Act, users of our Website who are California residents may request certain information regarding our disclosure of their Personal Information to third parties (if any), if such information is used for such third parties’ direct marketing purposes. (See Section 4 above). To make such a request, please send an email [email protected] or write us at: CBRE, Inc., 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy.