1. Data Controller & Contact
The data controller for personal information processed through the Services is Best Practice Institute, Inc., 5600 PGA Boulevard, Suite 204, Palm Beach Gardens, FL 33418, United States.
- Privacy requests: privacy@bestpracticeinstitute.org
- Data Protection Officer (EU/UK/CH): dpo@bestpracticeinstitute.org
- Security & incident reports: security@bestpracticeinstitute.org
- Phone: +1-800-718-4274
Where BPI processes personal information on behalf of an employer customer (for example, LOWI survey responses submitted by that employer's workforce, or job applications routed through a customer's ATS), BPI acts as a processor and the employer is the controller for that data. The employer's own privacy notice governs that processing; please contact your employer for those requests.
2. Information We Collect
2.1 Information you provide
- Identifiers and contact data: name, business email, phone, company, role, country, message content — when you submit a form, request a meeting, chat with our assistant, register for a webinar, claim a Top 100 profile, or apply for a job through our Services.
- Account credentials: hashed password or OAuth identifier (Google), display name, profile photo (optional).
- Survey responses: Love of Workplace Index™ (LOWI) responses, certification questionnaires, and feedback. These are typically submitted under an employer engagement and pseudonymized at the individual level for reporting.
- Application materials: resume, work history, screener answers, cover letters — when you apply to a job through the Services.
- Billing data: for paid Services, billing contact and the payment-card token returned by our processor (we do not store full card numbers).
2.2 Information collected automatically
- Device & usage data: IP address (truncated/hashed for analytics), user-agent, device type, browser, language, referring URL, pages viewed, time on page, click events, search terms used inside the chat assistant, error logs.
- Web Vitals & performance telemetry: page-load timing and error rates, used to operate and improve the Services.
- Local browser storage: we do not set cookies on this site. If you sign in, your session is kept in first-party browser localStorage so you stay logged in. See our Cookie & Tracking Technologies Notice for the full picture.
2.3 Information from third parties
- Publicly available information about companies featured in the Top 100 Most Loved Workplaces® research (press, SEC filings, LinkedIn company pages, official career sites).
- Authentication providers (e.g., Google) when you sign in via OAuth — limited to your name, email, and profile image.
- Employer customers who submit their workforce roster for a LOWI survey or certification engagement.
2.4 Sensitive personal information
BPI does not intentionally collect sensitive personal information (precise geolocation, government IDs, financial-account credentials, health, racial or ethnic origin, religious beliefs, sexual orientation, biometric identifiers, genetic data, union membership) through the consumer-facing Services. Where an employer engagement requires demographic data for diversity benchmarking, that data is submitted under a separate data-processing agreement controlled by the employer.
3. Why We Process Personal Information & Legal Bases (EU/UK)
| Purpose | Categories used | Legal basis (EU/UK) |
|---|---|---|
| Respond to inquiries; provide requested Services | Contact data, message content | Contract / pre-contract; legitimate interest |
| Operate accounts, certifications, surveys, employer portal | Identifiers, account data, survey responses | Contract; legitimate interest |
| Run the chat assistant and AI features | Chat input, technical metadata | Legitimate interest in providing the Service; consent where required |
| Send research updates, event invitations, newsletters | Email, role, interests | Consent (EU/UK/CH); legitimate interest with opt-out (US/CASL) |
| Process job applications submitted via our Services | Resume, screener answers, identifiers | Pre-contractual measure at your request; legitimate interest |
| Improve the Services, analytics, A/B testing | Aggregated/pseudonymized usage data | Legitimate interest |
| Security, fraud, abuse, and DDoS prevention | IP, device, log data | Legitimate interest; legal obligation |
| Comply with law; respond to lawful requests; defend claims | As required | Legal obligation; legitimate interest in establishing/defending claims |
4. How We Share Information
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We share personal data only in these limited circumstances:
- Service providers / processors acting under a written data-processing agreement that requires confidentiality and limits use to our instructions — see Section 9.
- Employer customers — for survey or certification engagements, aggregated results are shared with the sponsoring employer; individual responses are pseudonymized unless you explicitly choose to identify yourself.
- Press & editorial partners (e.g., The Economist, The Wall Street Journal) — published Top 100 list entries include only company-level facts already public or supplied by the employer for publication; no individual personal data is shared.
- Legal & safety — when required by law, subpoena, court order, or to protect the rights, property, or safety of BPI, our users, or others, or to investigate fraud and security incidents.
- Corporate transactions — in connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to standard confidentiality.
- With your consent — for any purpose disclosed to you at the time of collection.
5. Cookies & Tracking
We do not set cookies on this site and we do not run third-party analytics, advertising pixels, ad-network tags, session replay, fingerprinting, or cross-site trackers. The only browser storage we use is first-party localStorage — and only after you sign in — to keep your session active. Full details are in our Cookie & Tracking Technologies Notice. We honor the Global Privacy Control (GPC) signal as a valid opt-out under California, Colorado, and Connecticut law, even though we do not engage in "sale" or "sharing."
6. International Data Transfers
BPI is based in the United States and processes personal data in the U.S. and in the regions where our infrastructure providers operate. When we transfer personal data from the EEA, United Kingdom, Switzerland, Brazil, or other regions with cross-border transfer restrictions, we rely on:
- European Commission Standard Contractual Clauses (SCCs) (Module Two / Module Three, 2021/914) with U.K. International Data Transfer Addendum (IDTA) for UK transfers and the Swiss FDPIC addendum where applicable;
- Adequacy decisions where available (e.g., EU-U.S. Data Privacy Framework when relied upon by our subprocessors);
- Supplementary measures consistent with EDPB Recommendations 01/2020 (encryption in transit and at rest, access controls, transfer-impact assessments).
You may request a copy of the relevant transfer mechanism from dpo@bestpracticeinstitute.org.
7. Your Privacy Rights
7.1 Rights available to most users
- Access — a copy of the personal information we hold about you;
- Correction — fix inaccurate or incomplete information;
- Deletion / erasure — request removal of your information;
- Portability — receive your data in a structured, commonly-used, machine-readable format;
- Objection / restriction — to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent — where processing is based on consent, without affecting prior lawful processing;
- Lodge a complaint with your supervisory authority (EU/UK/CH) or attorney general (US states).
Send requests to privacy@bestpracticeinstitute.org. We will verify your identity (typically by matching an email of record) before responding. We respond within 30 days, extendable by an additional 30–60 days when the request is complex (with notice to you). You will not be discriminated against for exercising privacy rights.
7.2 California (CCPA / CPRA)
California residents have the right to (a) know the categories and specific pieces of personal information collected, the sources, business purposes, and categories of recipients; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of sale or sharing for cross-context behavioral advertising (we do neither); (e) limit use of sensitive personal information (we do not use any); and (f) be free from retaliation. To exercise rights, email privacy@bestpracticeinstitute.org or use the "Do Not Sell or Share My Personal Information" link in the footer (if present) — and/or enable Global Privacy Control in your browser, which we honor as a valid opt-out. An authorized agent may submit a request on your behalf with proof of authorization. California "Shine the Light" requests (Civ. Code § 1798.83): we do not disclose personal information to third parties for their own direct marketing.
Categories collected in the past 12 months: identifiers (name, email, IP), commercial information (services interest), internet/network activity (pages viewed), professional or employment-related information (role, company), and inferences (interest segments). Categories disclosed for a business purpose: identifiers and internet/network activity disclosed to hosting, email, analytics, and AI subprocessors listed in Section 9. Sources: directly from you, automatically from your device, from authentication providers, from employer customers, and from public sources. Retention: per Section 8.
7.3 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Indiana, Rhode Island, Kentucky, and other US state laws
Residents of states with comprehensive privacy laws have rights similar to those above (access, correction, deletion, portability, opt-out of sale/targeted advertising/profiling with legal or significant effects). We do not engage in targeted advertising, sale of personal data, or solely-automated decisions with legal or significant effects. Email privacy@bestpracticeinstitute.org to exercise rights. If we deny a request, you may appeal by replying to our denial email; we will respond to the appeal within 60 days.
7.4 EU / UK / Switzerland / EEA
In addition to the rights above, you have the right to lodge a complaint with your local supervisory authority. Your local authority's contact details are listed at edpb.europa.eu/about-edpb/about-edpb/members_en (EEA) or ico.org.uk (UK).
7.5 Quebec (Law 25), Brazil (LGPD), India (DPDPA), and other regions
We comply with Quebec Law 25 (including the right to data portability and the right not to be subject to automated decisions), Brazil's LGPD (you may contact our Brazilian-resident representative via dpo@bestpracticeinstitute.org for ANPD matters), and India's DPDPA 2023 (you may withdraw consent, request correction or erasure, and nominate another individual to exercise your rights in case of death or incapacity).
8. Retention Schedule
| Data | Retention |
|---|---|
| Contact and inquiry submissions | 3 years from last contact, then deleted |
| Account data | Life of account + 90 days |
| Chat assistant transcripts | 30 days at full fidelity; pseudonymized after |
| Marketing email lists | Until you unsubscribe; suppression list retained indefinitely to honor opt-out |
| LOWI survey responses (individual) | Pseudonymized at collection; deleted within 90 days of engagement close |
| Aggregated certification analytics | Retained indefinitely (no individual identifiers) |
| Job applications | Up to 2 years (or longer where required by law) after the application close date |
| Web logs / security telemetry | 90 days |
| Billing / tax records | 7 years (US tax-record retention requirements) |
9. Categories of Subprocessors
We engage the following categories of subprocessors. Each is bound by a written data-processing agreement and is permitted to process personal data only on our instructions. The current list of named subprocessors is available on request from dpo@bestpracticeinstitute.org.
- Cloud hosting & database (managed Postgres, edge functions, file storage)
- CDN, DNS & DDoS protection
- Transactional and marketing email infrastructure
- Web analytics (privacy-respecting, no cross-site advertising)
- Customer support & chat platforms
- AI inference providers (LLMs used by the chat assistant and content tools, configured to opt out of training on customer inputs where the provider supports it)
- Sales CRM (for B2B lead and customer records)
- Payment processing (PCI-DSS Level 1)
- Search Console / search analytics (Google Search Console for SEO operations)
10. Security
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, single-sign-on with multi-factor authentication for our team, row-level security on user-facing tables, audit logging, dependency scanning, vulnerability testing, vendor due diligence, and a documented incident-response plan. No method of internet transmission or storage is 100% secure; we will notify affected users and regulators of confirmed personal-data breaches in line with applicable law (GDPR/UK GDPR 72-hour rule, U.S. state breach statutes). Report a suspected vulnerability to security@bestpracticeinstitute.org.
11. Children's Privacy
The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16 (under 13 for COPPA purposes in the United States). If you believe a child has provided personal information, please contact privacy@bestpracticeinstitute.org and we will delete it promptly.
12. AI & Automated Decision-Making
The Services use machine-learning models to power the chat assistant, generate content summaries, and assist research workflows. These tools surface, summarize, or draft text and do not produce automated decisions with legal or similarly significant effects about you. Certification and Top 100 ranking decisions are reviewed by BPI's research team. Where you submit information to the chat assistant, that input is processed by our LLM subprocessors solely to generate your response; we contractually prohibit subprocessor use of those inputs to train their general-purpose models wherever the provider exposes that control.
13. "Do Not Track" & Global Privacy Control
Browsers do not have a uniform "Do Not Track" standard, so we do not respond to DNT headers. We do honor the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing under California, Colorado, and Connecticut law.
14. Changes to This Policy
We may update this Policy. The "Effective" and "Last updated" dates above always reflect the current version. Material changes will be communicated via the Services or by email. Continued use after the effective date constitutes acceptance.
15. Contact Us
Best Practice Institute, Inc.
5600 PGA Boulevard, Suite 204, Palm Beach Gardens, FL 33418, United States
Privacy: privacy@bestpracticeinstitute.org
Data Protection Officer: dpo@bestpracticeinstitute.org
Phone: +1-800-718-4274