STO Building Group utilizes NAVEX Global (formerly EthicsPoint) to provide anyone, including employees and business partners, with the ability to confidentially report concerns, make suggestions, or simply ask questions by calling. Click to learn more.
The LiRo Group and STO Building Group Inc. are affiliates within the family of companies owned by Global Infrastructure Solutions Inc. (each, a “Company”), and each comprises a number of operating subsidiaries, a list of which can be found on each Company’s website at liro.comGo to http://www.liro.com and stobuildinggroup.comGo to http://www.stobuildinggroup.com, respectively. The Companies use a web- and phone-based reporting system for individuals to ask a question or raise a concern about workplace issues and/or violations or suspected violations of law or Company policy (“Reporting System”). Through use of the Reporting System, each Company will process personal information in accordance with this Privacy Notice (“Notice”). The Reporting System is operated by a third-party service provider, Convercent by OneTrust (“Convercent”).
The Reporting System is an additional mechanism for you to raise a concern or ask a question about workplace issues and/or violations or suspected violations of law or Company policy (collectively, a “Report”) and does not replace existing Company internal mechanisms for addressing workplace concerns. In certain countries, local law restricts the types of issues that can be reported through the Reporting System. If your Report pertains to a matter that, under local law, may not be addressed through the Reporting System, you will be informed of the restriction and encouraged to submit your Report to another Company resource, such as a member of management, the Human Resources Department, or the Compliance or Legal Department.
This Notice is intended to help you understand the types of personal information that may be gathered about you and others during the intake and any investigation of a Report made through the Reporting System, and how such information may be used, disclosed, transferred across borders, and otherwise processed in connection with the administration of the Reporting System.
This Notice applies only to personal information collected for purposes of administering the Reporting System, including personal information processed during any investigation and resolution of Reports. This Notice does not apply to any other type of personal information collection or website or page that the Companies may host, own, or operate. This Notice applies to all Reports made through the Reporting System, whether by web or phone.
To make a Report by web, you will need to review this Notice provided via hyperlink in the pop-up message. Once you have reviewed the notice, you will need to check the box stating, “You understand and acknowledge that,” and then click “GET STARTED WITH YOUR REPORT.” By checking the box and clicking “GET STARTED WITH YOUR REPORT,” you consent to the collection, use, disclosure, transfer across borders, and other processing of your personal information as described below.
To make a Report by phone, you will be prompted to acknowledge your consent to the collection, use, disclosure, transfer across borders, and other processing of your personal information as described in this Notice, the hyperlink for which will be provided to you on the phone.
Whether you make a Report by web or phone, once you agree, your consent will continue to apply to the collection, use, disclosure, cross-border transfer and other processing of your personal information through your use of the Reporting System, unless you revoke your consent by contacting us at email@example.comGo to mailto:firstname.lastname@example.org.
If you do not provide consent, you will not be able to use the Reporting System, and your Report may not be addressed or investigated unless submitted through other means to the applicable Company.
No Retaliation for Reports Made in Good Faith
Please be aware that the information you supply about yourself, others, or any aspect of a Company’s operations may result in decisions that affect others. Therefore, you should only provide information if you believe it to be true. You may not be retaliated against for any Report you make through the Reporting System in good faith, even if it later turns out to be factually incorrect. Please be aware, however, that recklessly or knowingly providing false or misleading information is not permitted. If you recklessly or knowingly make a false Report, provide false or misleading information, or otherwise act in bad faith through the Reporting System or in connection with any investigation of a Report made through the Reporting System, you may be subject to disciplinary action (if you are a Company employee) and/or other action or legal proceedings as determined by the applicable Company, in its sole discretion, up to and including termination of your employment—and if you are a Company employee, as permitted by applicable law and/or any applicable collective bargaining agreement.
Personal Information Collected
The following categories of personal information about you or others may be collected when you use the Reporting System or in the course of any investigation of a Report made through the Reporting System. Not all categories may be collected in the administration of every Report; any personal information collected will in large part depend on the information you provide when using the Reporting System.
Information about the alleged misconduct: a description of the alleged misconduct and the surrounding circumstances, including the date and location of the alleged misconduct;
Identifiers, for example, your name and contact details, and the name and other personal data of any persons you name in your Report;
Professional or Employment-Related Information, of you and/or of the persons you name in your Report, for example: location of work, seniority, training, employment start and ending dates, and job title;
Internet or Other Electronic Network Activity Information, for example: interactions with the Reporting System’s website; and
Sensory or Surveillance Data, for example: images or recordings you upload as part of the Report.
Information About Protected Classification
Unless you voluntarily provide information about protected classification in your Report, such information will not otherwise be collected. For purposes of this Notice, protected classification includes information related to gender, health, race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, sexual orientation, genetic information or biometric information, or veteran status.
Categories of Sources of Personal Information
Any personal information collected comes from the following categories of sources; not all categories apply to the administration of every Report:
You, when you provide information in connection with your use of the Reporting System;
Third parties (for example, witnesses with respect to the allegations raised in your Report (which may include a spouse or dependent), or HR personnel in connection with investigation into a Report);
Vendors and service providers (for example, Convercent, the third-party service provider that operates the Reporting System);
Surveillance/recording technologies installed by the Companies (for example, voicemail and audio recording technologies, with consent to the extent required by law); and
Government or administrative agencies (for example, law enforcement or public health authorities).
How Personal Information May Be Used
Any personal information collected may be used for purposes of administering the Reporting System and investigating and resolving Reports, including:
Administration of the Reporting System;
Administration of Company policies and procedures;
Investigation of suspected misconduct, illegal activity, violation of Company policies, or non-performance of duties;
Communication among Company employees and third-party service providers (including by email, instant messaging, and other electronic means) in furtherance of the purposes described in this section;
Managing the security and integrity of Company information and electronic resources related to the administration of the Reporting System and investigation into Reports;
Protecting the health and safety of employees, visitors, customers, and the public, including, but not limited to, responding to emergencies, and protecting the safety and security of Company facilities;
Protecting Company rights or property, including, but not limited to, detecting and prevent fraud or other types of wrongdoing, managing litigation involving a Company, and other legal disputes and inquiries, crisis management, dispute resolution, reporting suspected criminal conduct to law enforcement, and cooperating in investigations;
Short-term transient use of personal information; and
Exercising the Companies’ rights under applicable law, and supporting any claim, defense, or declaration involving a Company in a case or before a jurisdictional and/or administrative authority, arbitration, or mediation panel.
Applicable Company employees involved in the administration of the Reporting System and/or any investigation of a Report will have access to your personal information on a need-to-know basis.
Lawful Basis for Processing
When the law that applies to a Company requires a lawful ground for processing personal information, this processing is based on the following legal grounds:
Your Consent: Your use of the Reporting System is voluntary. Where permitted or required by applicable law, the applicable Company will rely on your consent to the processing of your personal information as described in this Notice.
Legal Compliance/Exercise Rights: Your personal information will be processed as required to comply with a Company’s legal obligations and for the Company to exercise its rights, such as to defend against a legal claim.
A Company’s Legitimate Interests: Where other legal grounds do not apply, your personal information will be processed as necessary for a Company to pursue its legitimate interests in investigating misconduct and suspected misconduct, illegal activity, violation of Company policy, or non-performance of duties.
How Personal Information May Be Disclosed
Each Company generally maintains personal information related to the Reporting System as confidential. However, there are limited circumstances when a Company may disclose the personal information collected about you to third parties, most notably:
Service providers: With third-party service providers. For example, the Companies have engaged Convercent, a third-party service provider, to host the Reporting System. Service providers will be permitted to use your personal information only for the purpose(s) for which it was disclosed to them and in accordance with the Companies’ instructions. Service providers generally will be located only in Canada, Ireland, the United Kingdom (“UK”), and/or the United States (“U.S.”).
Corporate Affiliates: With affiliated companies, such as grandparent, parent, and/or subsidiary corporations, when needed to investigate, resolve, and remedy violations or suspected violations of law or Company policy.
Required By Law: When required by law, such as when a Company responds to subpoenas, court orders, legal process, or a discovery request in civil litigation.
Legal Violations: If a Company believes that your actions violate applicable law or threaten the rights, property, or safety of the Company, its employees, or others.
The Companies will not sell, lease, or license your personal information to any third party. The Companies will make such disclosures only as permitted by applicable data protection laws.
Retention of Your Personal Information
Each Company will retain the personal information collected in conjunction with administration of the Reporting System, including, without limitation, for as long as needed or permitted to investigate and resolve Reports that are submitted through the Reporting System. The criteria used to determine such retention periods include:
the length of time during which a Company may have a legitimate need to reference your personal information, such as to administer a Report;
Whether a Company has a legal obligation under a law to which it is subject (for example, certain laws may require us to keep the Report for certain period of time); and
Whether retention is advisable considering a Company’s legal position (such as in regard to applicable statutes of limitations, litigation, litigation holds, or regulatory investigations).
International Transfer of Personal Information
If you submit a Report from outside of the U.S., the personal information that you submit will be transferred to, and stored on, Company servers located in the U.S., and on servers maintained by Convercent in the U.S., Ireland, and/or the Netherlands. For Reports submitted from outside the U.S., authorized employees of STO Building Group Inc. in the U.S. may have access to your personal information. These employees may use and disclose your personal information only for administration of the Reporting System, including investigation and resolution of Reports, and must handle that information in accordance with this Notice and applicable data protection laws and guidance. The laws of the countries identified above may provide a different level of protection for your personal information than what is required in the country where you reside.
If you reside in the European Union (“EU”) or the UK, steps have been taken to ensure an adequate level of protection for your transferred personal information through Standard Contractual Clauses (the “SCCs”) to which STO Building Group Inc. and its entities in Ireland and the UK are parties. You may obtain a copy of the SCCs by submitting a request to email@example.comGo to mailto:firstname.lastname@example.org. If you reside in other countries with restrictions on cross-border data transfers, the Companies rely on your consent for the transfer of your personal information outside your country of residence.
Security of Personal Information
Each Company has implemented a security program to keep information that is transmitted to its systems protected from unauthorized access. Personal information transmitted to a Company’s systems is protected by firewalls, stored on encrypted drives, and protected by Microsoft Active Directory secure access. After a Company has received your information, access to it is limited to employees with a need to know.
While each Company strives to protect your personal information, it cannot guarantee the security of any information that you submit through the Reporting System, and you do so at your own risk. The Companies urge you to keep your password and any other log-in credentials in a safe place, as you share responsibility for maintaining the confidentiality of the information that you submit through the Reporting System. It is a good practice to sign off and exit your browser when you have finished visiting the Reporting System.
How to Access, Correct, or Delete Personal Information in Your Account
This section applies only to personal information collected from individuals who reside in the state of California in the United States (“California residents”) through the Reporting System or in any other way related to the investigation and resolution of Reports.
California Notice at Collection
The Companies collect the categories of personal information identified in the “Personal Information Collected” section, above, for the purposes identified in the “How Personal Information May Be Used” section, above, and retains personal information for the period described in the “Retention of Personal Information” section, above. It does not, and will not, sell your personal information or disclose it to third parties for cross-context behavioral advertising. The Companies also do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
Additional Information Regarding Disclosures of Personal Information
The California Privacy Rights Act (“CPRA”) requires the Companies to provide you with the following information about disclosures of your personal information to third parties for “business purposes,” as that term is defined in the CPRA:
Service providers: a Company may disclose to service providers any of the categories of personal information it collects for the business purpose of performing services on the Company’s behalf and, in particular, for the specific purposes described in the “How Personal Information May Be Used” section, above.
Auditors, lawyers, consultants, and accountants engaged by a Company: a Company may disclose the categories of personal information listed in the “Personal Information Collected” section, above, to these services providers or contractors for the business purpose of auditing compliance with policies and applicable laws, in addition to performing services on the Company’s behalf.
Affiliated companies: a Company may disclose any of the categories of personal information listed in the “Personal Information Collected” section, above, to other companies within the Global Infrastructure Solutions Inc. family of companies for the business purposes of (a) auditing compliance with policies and applicable laws, (b) helping to ensure security and integrity, (c) debugging, (d) short-term transient use, (e) internal research, and (f) activities to maintain or improve the quality or safety of a service or device.
No Sales or Sharing
The Companies do not sell or “share” (disclose for cross-context behavioral advertising) your personal information in connection with the Reporting System. In addition, the Companies have no actual knowledge that they sell or share the personal information of individuals of any age in connection with the administration of the Reporting System, including the personal information of children under 16.
Your California Privacy Rights
Subject to applicable exceptions, California residents have the following rights under the CPRA:
Right to Know: You have the right to submit a verifiable request for specific pieces of your personal information obtained from you and for information about a Company’s collection, use, and disclosure of categories of your personal information.
Right to Delete: You have the right to submit a verifiable request to delete personal information that a Company has collected from or about you.
Right to Correct: You have the right to submit a verifiable request to correct inaccurate personal information about you maintained by a Company, taking into account the nature of the personal information and the purposes of processing the personal information.
The Companies will not unlawfully discriminate against you for exercising your privacy rights under the CPRA.
How to Exercise Your California Privacy Rights
Each Company will respond to requests to know, delete, and correct personal information in accordance with applicable law if it can verify the identity of the requestor. You can exercise these rights in the following ways:
If you submit a request through the Reporting System, the applicable Company will use the authentication mechanisms in the account to verify your identity. Otherwise, the applicable Company matches personal information that you provide it against personal information it maintains in its files. The more risk entailed by the request (e.g., a request for specific pieces of personal information), the more items of personal information the applicable Company may request to verify your identity. If the applicable Company cannot verify your identity to a sufficient level of certainty to respond securely to your request, it will let you know promptly and explain why it cannot verify your identity.
You may designate an authorized agent to exercise your right to know, correct, or delete your personal information. If an authorized agent submits a request to know, correct, or delete on your behalf, the authorized agent must submit with the request a document signed by you that authorizes them to submit the request on your behalf. In addition, the applicable Company may ask you to follow the process described above for verifying your identity. You can obtain an “Authorized Agent Designation” form by contacting email@example.comGo to mailto:firstname.lastname@example.org.
Note on Deidentified Information
At times, the Companies converts personal information into deidentified information using reasonable measures to ensure that the deidentified information cannot be associated with the individual (“Deidentified Information”). The Companies maintain Deidentified Information in a deidentified form and do not attempt to reidentify it, except that they may attempt to reidentify the information solely for the purpose of determining whether their deidentification processes ensure that the information cannot be associated with the individual.
European Economic Area and the UK
This section applies only to individuals who reside in the European Economic Area or the UK and Reports made to STO Building Group Inc. and its affiliates, including the data controller’s identified below (“STO Building Group”).
The data controller of your personal information is:
Structure Tone Limited (Warrington House 1st floor, Mount Street Crescent, Dublin 2, Ireland D02 R256) for Reports that originate in the European Economic Area; or
Structure Tone Limited (77 Gracechurch Street 1st floor, London, England EC3V 0AS) for Reports that originate in the UK.
No Automated Decision-Making
STO Building Group does not make any decisions concerning the Reporting System solely by automated means.
Your Rights With Respect to Your Personal Information:
To the extent provided by applicable law and subject to any relevant exceptions, you have the right to:
request access to your personal information, i.e., to ask STO Building Group to provide you with copies of your personal information;
More on the right to access: The right to access your personal information includes your right to receive a copy of all, or a portion, of your personal information in STO Building Group’s possession as long as providing the personal information would not adversely affect the rights and freedoms of others.
request that STO Building Group update, correct, or delete (the “right to be forgotten”) your personal information, i.e., to rectify personal information that is incomplete or inaccurate or to erase your personal information;
withdraw your consent to the processing of your personal information, at any time, where you previously consented to the processing of your personal information.
More on the right to withdraw consent: You may use the contact information below to withdraw your consent. Any withdrawal shall not affect the lawfulness of processing based on your consent before its withdrawal, and STO Building Group will continue to retain the information that you provided it before you withdrew your consent for as long as allowed or required by applicable law.
request restriction of processing of your personal information in certain situations, such as while a dispute concerning the accuracy of personal information is being resolved;
request data portability;
More on the right to information portability: Subject to certain limitations, the right to data portability allows you to obtain from STO Building Group, or to ask the applicable Company to send to a third party, a copy of your personal information in electronic form that you provided to the applicable Company in connection with your interactions with it.
object to the processing of your personal information;
More on the right to object: You have the right to object to the processing of your personal information based solely on STO Building Group’s legitimate interests. If you do object in these circumstances, the processing of your personal information will be stopped unless there is an overriding, compelling reason to continue the processing or the processing is necessary to establish, pursue, or defend legal claims.
If you believe that your personal information has been processed in violation of applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority in the country where you reside, where you work, or where the alleged violation occurred.
The Companies may change this Notice from time to time in their sole discretion. If the Companies make a material change to this Notice, they will inform you by posting a notice hereGo to https://stobuildinggroup.com/compliance/helplineprivacynotice/. Those changes will go into effect on the effective date posted in the revised notice. The new Notice will apply to all current and past users of the Reporting System and to all information collected before the date of the change. The new Notice will replace any prior notices that are inconsistent. Please check periodically for changes to this Notice, and especially before you provide any personal information through the Reporting System. If a Company will materially change how it uses, discloses, or otherwise process your personal information, it will contact you before doing so and obtain your consent before using, disclosing, or otherwise processing your personal information other than as described in this Notice.