Plan Management Corp. Data Privacy Policy
Last reviewed April 1, 2024
Website Users
Paramount Financial Communications Inc., D/B/A Plan Management Corp. (“PMC”) collects and uses Personal Data provided to the PMC through the www.optiontrax.com and www.planmanagementcorp.com websites solely to directly contact individuals who express interest in receiving our services. PMC does not sell any Personal Data to any third parties. By providing PMC your Personal Data, you agree that PMC may contact you and may use, store, and process your Personal Data solely and exclusively for the purpose for which it was originally collected and may not use, store, process, and/or disclose your Personal Data for any other purpose. See PMC’s Privacy Policy below for more information about how PMC protects your privacy.
Software Platform Users
PMC collects and uses Personal Data provided to the PMC through the OptionTrax ® software platform solely to provide equity compensation plan and shareholder and securities transaction management and administration services purchased from PMC by client entities. By providing PMC your Personal Data directly, or via a client entity or authorized agent, you agree that PMC may contact you and may use, store, process, and disclose to third parties your Personal Data solely and exclusively for the purpose for which it was originally collected and may not use, store, process, and/or disclose your Personal Data for any other purpose. See PMC’s Privacy Policy below for more information about the services that PMC provides to client entities, and how PMC protects your privacy.
Data Protection Legislation
PMC complies with the EU Data Protection Law, the UK Extension to EU Data Protection Law, and California Consumer Privacy Act regarding the collection, use, and retention of Personal Data, and with regard to the EU/UK Data Protection Law, data transferred from the European Union or United Kingdom to the United States.
PMC is responsible for the processing of personal data it receives, under these data protection legislation frameworks, and subsequently transfers to a third party acting as an agent on its behalf.
EU-U.S. Data Privacy Framework (EU-U.S. DPF) and UK Extension
PMC complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. PMC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
PMC is responsible for the processing of personal data it receives, under the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. In addition to compliance with current Data Protection Legislation, PMC complies with the EU-U.S. DPF Principles for all onward transfers of personal data from the EU, and to the UK Extension to the EU-U.S. DPF Principles with regards to onward transfers of personal data from the UK, including the onward transfer liability provisions.
Definitions
“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) CCPA and any national data protection laws made under the CCPA, and (ii) EU/UK Data Protection Law, including the UK Extension to the EU-U.S. DPF;
“EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR“); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR“); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
“Personal Data” means any information that (i) is protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Legislation
Scope and Responsibility
This Privacy Policy applies to Personal Data transferred from European Union member countries, or the United Kingdom, to PMC’s operations in the U.S. and Personal Data transferred from California to PMC operations.
Some types of Personal Data may be subject to other privacy-related requirements and policies. For example:
- Personal Data regarding and/or received from a client is also subject to any specific agreement with, or notice to, the client, as well as additional applicable laws and professional standards.
All employees of PMC that have access in the U.S. to Personal Data covered by this Privacy Policy are responsible for conducting themselves in accordance with this Privacy Policy. Adherence by PMC to this Privacy Policy may be limited to the extent required to meet legal, regulatory, governmental, or national security obligations, but Personal Data covered by this Privacy Policy shall not be collected, used, or disclosed in a manner contrary to this policy without the prior written permission of PMC’s Chief Operating Officer.
PMC employees responsible for engaging third parties to which Personal Data covered by this Privacy Policy will be transferred are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Privacy Policy, including any applicable contractual assurances required by the CCPA or EU/UK Data Protection Law.
Collection
If you are an employee of a company that is a customer (client entity) of PMC, as part of our Software as a Service (SaaS) or other service offerings, we may collect the following Personal Data from your employer about you such as: First Name, Middle Initial, Last Name, Tax ID, Address, Office Phone, Cell Phone, Fax, Email address, Equity Plan Grants, Securities Holdings, Date of Birth, Hire Date, Retirement Eligibility Date, Annual Compensation, Transfer Agent Account Number, Financial Account Number, or Broker Account Number. PMC collects information submitted by client entities in order to facilitate the management and administration of equity compensation plans and shareholder and securities transactions. Not all of these fields are required and hence they may or may not be stored in our database.
Data Privacy Principles
Notice
The Personal Data PMC receives comes from use of our services and software platform by company administrators on behalf of employees and share plan participants of a client entity, and from use of our software platform by employees or share plan participants of a client entity. In some circumstances, Personal Data may be received from a third party agent authorized by the client entity to provide such data to PMC for the sole purpose of providing the requested services. PMC uses this Personal Data solely to directly contact individuals who express interest in receiving our services or to provide such services. PMC does not sell any Personal Data to any third parties.
PMC informs client entities providing their employees’, shareholders’ and share plan participants’ Personal Data of the purpose for which PMC collects and uses the Personal Data and the types of non-agent third parties to which PMC discloses or may disclose that Information. If the individual is providing his or her Personal Data directly, then PMC shall provide the individual with the choice and means for limiting the use and disclosure of their Personal Data for any purpose other than those necessary for the processing of services for which it was originally collected.
Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to PMC, or as soon as practicable thereafter, and in any event before PMC uses or discloses the Information for a purpose other than for which it was originally collected.
If in connection with providing its services, PMC receives Personal Data indirectly through an administrator employee or client entity authorized third party, and not the individual with respect to which the Personal Data is regarding, then the administrator employee or authorized third party agent has received the express or implied consent of the applicable employee with whose Personal Data is being provided.
Choice
If Personal Data covered by this Privacy Policy is to be used for a new purpose that is materially different from that for which the Personal Data was originally collected or subsequently authorized or is to be disclosed to a non-agent third party, PMC will provide individuals providing their Personal Data directly, and administrator employees, with an opportunity to choose whether to have their Personal Data so used or disclosed.
We will provide an individual opt-out or opt-in choice before we share their data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected subsequently authorized.
To limit the use and disclosure of your personal information, please submit a written request to [email protected]
By using PMC’s services and providing Personal Data to PMC through such use, individuals or administrators on behalf of those individuals, have opted to authorize PMC to use the Personal Data for the purpose it was intended but for no other purpose.
Onward Transfers
PMC may provide Personal Data to third parties performing services on PMC’s behalf for the benefit of such individuals whose Personal Data is being disclosed (agent third parties) provided that such third parties have agreed in writing with PMC that they will provide at least the same level of privacy protection as is required by the Principles. Such agent third parties may include the following:
- Web hosting service providers that host PMC software and servers,
- Financial brokers where the client entity or individual has a brokerage account and authorized PMC to share data for equity transaction execution,
- Client entity transfer agent/ share registrars providing share settlement and delivery services
- Client entity payroll/ HR system providers,
- Client entity accounting system or service providers,
- Data exchange service providers where the client entity has requested system integration and a data exchange service provider is used to format, configure, or exchange the data as requested
Other than as permitted in the prior paragraph, prior to disclosing Personal Data for any other purpose, PMC shall notify the individual or company administrator employee of such disclosure and allow the individual the choice (opt out) of such disclosure. PMC shall ensure that any third party for which Personal Data may be disclosed subscribes to the Data Protection Legislation or are subject to law providing the same level of privacy protection as is required by the Data Protection Legislation and agree in writing to provide an adequate level of privacy protection.
With respect to our agents, we will transfer only the Personal Data covered by this Privacy Policy needed for an agent to deliver to PMC the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the Data Protection Legislation; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with PMC’s obligations under the Data Privacy Legislation; and (iv) require the agent to notify PMC if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Legislation. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Legislation, we will take reasonable and appropriate steps to stop and remediate unauthorized processing.
PMC remains liable under the Data Privacy Legislation if an agent processes Personal Data covered by this Privacy Policy in a manner inconsistent with the Data Privacy Legislation, except where PMC is not responsible for the event giving rise to the damage.
Cookies and Related Technologies
This website uses cookies and related technologies. Cookies are small data files that are served by our platform and stored on your device. Our site uses cookies dropped by us solely for the purpose of operating and personalizing the platform. The types of data collected may include IP addresses, cookies identifiers, or website activity. This information is not used for any purpose other than providing the services requested by the client entity.
Data Security
PMC shall take reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. PMC has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. PMC cannot guarantee the security of Information on or transmitted via the Internet.
Data Integrity
PMC limits the collection of Personal Data covered by this Privacy Policy to information that is relevant for the purposes of processing. PMC does not process such Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual or company client administrator on behalf of the individual.
Access
PMC acknowledges the right of EU and UK individuals to access their personal data.
Access for Individuals who are employees or share plan participants of our Clients: PMC has no direct relationship with the individuals whose personal data it processes on behalf of our clients and we are acting in the role of data processor for that information. An individual who seeks access, or who wishes to correct, amend, or delete their personal data should contact the PMC Client Entity, who is the data controller.
Access for Individuals who Place Their Data Directly with PMC: Upon request PMC will provide you with information about whether we hold any of your Personal Data. You may access your Personal Data by logging in to your account, or by contacting your employer or administrator directly. You may correct or request deletion of your Personal Data by contacting your employer or administrator directly, or by contacting us at [email protected].
All requests for data access will be handled within a reasonable timeframe and may be limited where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Recourse, Enforcement, and Liability
With respect to personal data received or transferred pursuant to the EU-U.S. DPF or the UK Extension to the EU-U.S. DPF, PMC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. With respect to personal data received or transferred pursuant to the EU-U.S. DPF or the EU/UK Data Protection framework, in certain situations, PMC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the EU-U.S. Data Privacy Framework program Principles, PMC commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, United Kingdom individuals with DPF inquiries or complaints should first contact PMC at:
Plan Management Corp.
Attn: Elena Thomas, Chief Operating Officer
1001 Conshohocken State Road
Building 1 Suite 205
West Conshohocken, PA 19428
Telephone: (610) 359-5870
Fax: (610) 688-1323
PMC has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
Finally, as a last resort and under limited circumstances, if your DPF complaint cannot be resolved through the above channels, EU and UK individuals may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
PMC uses a self-assessment approach to assure compliance with this DPF and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles. If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using (an independent resource mechanism) as a third-party resolution provider as outlined above.
Amendments
This Privacy Policy may be amended from time to time consistent with the requirements of the Data Privacy Legislation. PMC will post any revised policy on this website. If we make any material changes, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.