CBRE, Inc., together with its subsidiaries (collectively, “CBRE”, “we”, “us” or “our”), recognize that when you use Host Work, you’re trusting us with your personal information. We understand this is a big responsibility and recognize the importance of respecting and giving you control over your privacy.
This Privacy Notice (“Notice
”) is meant to help you understand:
- what personal information we collect about you,
- how we use, disclose and safeguard your personal information,
- how you can update, manage, export, and delete your information,
- how you can use settings within your device to control your privacy, and
- how you can contact us about our privacy practices.
The Types of Information We Collect and How We Use It
The categories of personal information we collect and how we use such information is set out below.
Personal information we collect and how we use it:
Employment Information—the name of your employer, your business email address, and your office location
We collect your business email address when you register with Host Work and verify it with Employment Information provided by your employer to offer you Host Work and to manage our relationship with you, including to contact you about Host Work services. We have a legitimate business interest to use this information for these purposes.
When you purchase food or beverages through the Marketplace or register for events or classes, we may share your name, office location, and email address with our third-party vendors to enable them to fulfill your order or give you access to an event or class. We have a legitimate business purpose to use this information for these purposes.
Your Personal Contact Information—personal (non-business) email address
If you provide us with your personal email address, we will collect that information to provide you with Host Work. We have a legitimate business interest in collecting this information for these purposes.
Device Information—Calendar information
We collect information your work calendar to determine your availability for meetings and to allow you to reserve space at your workplace. We also use room reservation information from your calendar to determine space usage at your workplace. We have a legitimate business interest to collect this information for these purposes.
Device Information—unique ID, frequency of use, click tracking
We generate a unique customer ID for the mobile device on which you download the Host Work app. We collect information on how you use the app, such as how often you use it and which items you click on and combine it with this unique customer ID to enable us to generate anonymized analytics and reports. We do this to improve our app and better serve our customers. We have a legitimate business interest to collect this information for these purposes.
Device Location—Data Location tracking
When you are at your employer’s workplace where Host Work is enabled, we track your device location to connect you with coworkers who are at the same workplace, to enable wayfinding within your office, and to offer you other location-based services. We rely on your express consent to collect this information for these purposes. You may withdraw this consent at any time by adjusting your device settings to not permit the Host Work app to use your location.
Payment Card Information—name, payment card number, expiration date and security code
If you add add your payment card information (PCI) into the Host Work app, we send that data to Stripe, our payment card vendor. We do not store your PCI. Your device will store your PCI and send your PCI to Stripe whenever you make a purchase through Host Work. We have a legitimate interest in collecting and transmitting your PCI to Stripe to allow you to make purchases through Host Work.
Food and Beverage Purchase History—the food and beverages order and the cost
When you purchase food or beverages from a third-party vendor through Host Work, we will collect information relating to such purchases to customize our services for you, including providing recommendations. We rely on your express consent to collect this information for these purposes.
Marketplace Orders and Registrations—information collected by our vendors
When you purchase food or beverages through the Marketplace or register for events or classes, we may facilitate the collection of information by our vendors through the app. These vendors are the controllers of this information, and we encourage you to read our vendors’ privacy notices to understand how they will use and store your information.
Service Requests—any information you voluntarily provide
When you submit a service request through the app, we may use any information you provide in order to fulfill your request. We have a legitimate business interest to use this information for these purposes.
Your Contact Information provided by a Third-Party—name, business or personal (non-business) email addresses
For any person who visits a Host Work workplace, other than a registered Host Work user, a third party (i.e. a Host Work user) may provide us with your name and business or personal email address. We use this information to allow you access to our workplace. We have a legitimate business interest in collecting this information for these purposes.
We may also use the personal information we obtain about you for the following purposes:
- Creating and managing any accounts you may have with us and responding to your inquiries;
- Operating, evaluating and improving our business (including developing new products and services; managing our communications; determining the effectiveness of and optimizing our services; analyzing our products and services; and facilitating the functionality of the Host Work app)
- Preparing and furnishing aggregated data reports to your employer containing anonymized or pseudonymized information
- Enforcing our Terms and Conditions or other legal rights.
If you object to us using information in other ways you may communicate your objection to us as specified below under “Your Privacy Rights.”
Third Parties with Whom We Share Your Personal Information
We may share your personal information with companies acting as our authorized agents in providing our services, including the following categories of service provider:
- infrastructure and IT service providers, including cloud service providers
- external auditors and advisors
- cookie analytics providers
- online advertisers
- providers of website testing / analytics services
Each service provider must agree to implement and maintain reasonable security procedures and practices appropriate to the nature of your information in order to protect your personal information from unauthorized access, destruction, use, modification or disclosure. Because we operate globally, we may transfer your information to countries or jurisdictions that do not provide the same level of data protection as the country in which you are based. If we make such a transfer, we will, or our vendors will, as applicable, provide for the proper safeguards required by applicable law to ensure that your information is protected. More information on International Data Transfers of your personal information is below.
Where we share your personal information for our legitimate interests you can object to this disclosure. Please be aware that when you object to disclosure of your personal information for CBRE’s legitimate interests it may affect the services we provide to you. More information on Your Privacy Rights is below.
Legally Affiliated Entities:
In the event that CBRE is merged, or in the event of a transfer of our assets, Site or operations, CBRE may disclose or transfer your personal information in connection with such transaction. In the event of such a transfer, CBRE will notify you via email or by posting a prominent notice on our Site for 30 days of any such change in ownership of CBRE resulting in a change of control of your personal information. We may also share your personal information with CBRE affiliates in order to provide or offer services to you.
Legally Compelled Disclosure:
We will also disclose your personal information when required to do so by law, for example, in response to a court order or a subpoena or other legal obligation, in response to lawful requests by public authorities, including to meet national security or law enforcement agency's requirements, or in special cases when we have reason to believe that disclosing your personal information is necessary to identify, contact or bring legal action against someone who may be causing injury to or interference with (whether intentionally or unintentionally) our rights or property.
International Data Transfers
Processing in the US and Elsewhere:
CBRE is a global business. We may transfer the personal information we collect about you to recipients, and your personal information may be stored and processed, in countries other than the country in which the information was originally collected, including the United States and elsewhere that may have less stringent data protection laws than the country in which you initially provided the information.
When we transfer your information to countries other than the country in which the information was originally collected, we will protect your information as described in this Notice or as otherwise disclosed to you at the time the data is collected (e.g. via program specific privacy notice) and will comply with all applicable data protection laws in making such transfers.
If you are located in a non-US jurisdiction, the transfer of personal information is necessary to provide you with the requested information and/or to perform any requested service. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.
With respect to transfers originating from the European Economic Area to the United States and other non-EEA jurisdictions:
- CBRE US affiliates are EU-US and Swiss-US Privacy Shield certified, and
- CBRE has executed EU Standard Contractual Clauses with respect to personal information collected in the European Economic Area and transferred to CBRE in the United States and elsewhere.
Where required by applicable law, you may ask for further information on the safeguards that we have put in place to safeguard the transfer of your data to outside of the EEA by contacting us as indicated below.
Privacy Shield Certification:
CBRE complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding personal information that is collected by CBRE affiliates or corporate customers located in the European Economic Area and/or United Kingdom and/or Switzerland and transferred to CBRE, Inc. and its wholly owned US-based affiliates, which include CBRE Global Investors LLC, CBRE GWS Puerto Rico Inc., CBRE Clarion Securities LLC, CBRE Security Services, Inc., CBRE Heery Inc., CBRE HMF, Inc., CBRE Multifamily Capital, Inc., CBRE Capital Markets, Inc., and Trammell Crow Company LLC, and CBRE Technical Services, LLC in the United States (“CBRE US”). This Notice supplements the data protection notices that Clients and Client contacts may have received. CBRE has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. CBRE is subject to investigatory enforcement powers of the Federal Trade Commission as it relates to conformation with Privacy Shield requirements.
Independent Recourse of Privacy Shield Complaints
In compliance with the EU-US and Swiss-US Privacy Shield Principles, CBRE commits to resolve complaints about our collection or use of your personal information. EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact CBRE at: [email protected].
CBRE has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit www.jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by JAMS. For additional information on binding arbitration, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
CBRE endeavors to protect the security of your personal information and your choices for its intended use. We use Secure Sockets Layer/Transport Layer Security (SSL/TLS) technology to protect the transmission of your personal information. We store your personal information on a secure server, and use procedures designed to protect the personal information we collect from unauthorized access, destruction, use, modification or disclosure.
Although we will take (and require our third-party providers to take) commercially reasonable security precautions regarding your personal information collected from and stored on the Site, due to the open nature of the Internet, we cannot guarantee that any of your personal information stored on our servers, or transmitted to or from a user, will be free from unauthorized access, and we disclaim any liability for any theft or loss of, unauthorized access or damage to, or interception of any data or communications. By using Host Work, you acknowledge that you understand and agree to assume these risks.
How Long We Keep Your Personal Information
We will only retain the personal information we collect about you for as long as necessary for the purpose for which that information was collected, and to the extent permitted by applicable laws. We take steps to ensure that when we no longer need to use your personal information, we remove it from our systems and records and/or take steps to anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).
Your Privacy Rights
Requesting Access to Your Personal Information and Other Rights:
You may also have rights under applicable law to request to review, access, correct, delete, port or object to our processing of your personal information, and lodge a complaint with a supervisory authority. If so, you may do so by making a request on CBRE’s data subject rights portal or submitting your request to [email protected]
Independent Recourse for Privacy Shield Complaints:
Information about independent recourse for Privacy Shield complaints can be found above.
Changes to this Notice
We are a rapidly evolving, global business. We will continue to assess this Notice against new technologies and services, business practices as well as our clients’ needs, and make changes to this Policy from time to time as required. If we make any material changes to this Notice, we will update the Notice here. If the changes are significant, we will provide notice through the app and/or via email notification.
You are always free to contact us if you have questions or concerns regarding this Notice. You may contact us by emailing [email protected] or by writing to us at 321 North Clark Street, Suite 3400, Chicago, Illinois 60654, Attention: Global Director, Data Privacy.
Visitors in Europe, the Middle East or Africa:
If you are located in Europe, the Middle East or Africa, you may also e-mail us at [email protected] or write to us at St. Martins Court, 10 Paternoster Row, London EC4M 7HP, United Kingdom, Attention: EMEA Director, Data Privacy.
Visitors in Asia or the Pacific:
If you are located in Asia or the Pacific, you may also e-mail us at [email protected] or write to us at 40/F GT Tower International, 6813 Ayala Ave. cor H.V. Dela Costa Street, Salcedo Village, Makati City, Philippines 1227, Attention: APAC Senior Manager, Data Privacy.