Privacy Policy

Effective Date: June 1, 2025
Last Updated: June 1, 2025

Introduction

Pick & Roll II Inc.. ("Workstreet," "we," "us," or "our") is committed to protecting the privacy and security of personal information. This Privacy Policy describes how we collect, use, disclose, and protect personal information in connection with our professional trust services for SaaS businesses, including security and compliance consulting, audit management, risk assessments, and related services.

Data Privacy Framework Compliance

Workstreet adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. Workstreet has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Information We Collect

Personal Information from Clients and Prospects

• Contact Information: Name, email address, phone number, job title, company name
• Professional Information: Role responsibilities, security certification details, compliance requirements
• Communication Records: Email correspondence, meeting notes, support requests
• Account Information: Login credentials, user preferences, service usage data

Personal Information from Client Personnel

When providing services to our clients, we may process personal information about their employees and users, including:

• Identity Information: Names, email addresses, employee IDs
• Access Information: System access logs, authentication records, privilege assignments
• Training Records: Security awareness training completion, certification status
• Incident Information: Security incident reports involving personnel

Technical Information

• Website Usage: IP addresses, browser information, pages visited, time stamps
• Service Data: Information processed through our compliance management tools and platforms
• Security Data: Vulnerability scan results, penetration test findings, security assessments

How We Use Personal Information

We use personal information for the following purposes:

Service Delivery

• Providing security and compliance consulting services
• Managing SOC 2, ISO 27001, HIPAA, HITRUST, and other compliance frameworks
• Conducting risk assessments and security reviews
• Managing third-party audits and certifications
• Delivering training and awareness programs

Business Operations

• Communicating with clients and prospects about our services
• Processing payments and managing accounts
• Improving our services and developing new offerings
• Maintaining and securing our systems and infrastructure

Legal and Compliance

• Complying with applicable laws and regulations
• Responding to legal requests and government inquiries
• Protecting our rights and interests
• Investigating security incidents and potential violations

Information Sharing and Disclosure

Service Providers

We may share personal information with trusted service providers who assist us in delivering our services, including:

• Cloud infrastructure providers
• Software platforms (including our partnership with Vanta)
• Payment processors
• Professional service providers

All service providers are contractually required to protect personal information and use it only for the specified purposes.

Client Authorization

When providing services to clients, we may share personal information as directed by our clients and as necessary to deliver contracted services, including:

• Coordinating with third-party auditors for certification processes
• Sharing compliance documentation with client stakeholders
• Providing security assessment results to authorized personnel

Legal Requirements

We may disclose personal information when required by law, regulation, or legal process, or when we believe disclosure is necessary to:

• Comply with legal obligations
• Protect the rights, property, or safety of Workstreet, our clients, or others
• Investigate fraud or security incidents
• Respond to government requests

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction, subject to appropriate confidentiality protections.

Individual Rights and Choices

Access and Correction

Individuals have the right to:

• Access their personal information that we process
• Request correction of inaccurate or incomplete information
• Obtain a copy of their personal information in a structured format

Limitation of Use

Individuals may request that we limit the use of their personal information for specific purposes, subject to legal and contractual obligations.

Deletion

Individuals may request deletion of their personal information, subject to:

• Legal retention requirements
• Ongoing contractual obligations
• Legitimate business interests

Objection and Withdrawal

Individuals may object to certain uses of their personal information and withdraw consent where processing is based on consent.

To exercise these rights, please contact us using the information provided in the "Contact Information" section below.

Data Security

We implement comprehensive security measures to protect personal information, including:

Technical Safeguards

• Encryption of data in transit and at rest
• Multi-factor authentication for system access
• Regular security assessments and penetration testing
• Intrusion detection and monitoring systems

Administrative Safeguards

• Security awareness training for all personnel
• Background checks for employees with access to personal information
• Incident response procedures
• Regular review and update of security policies

Physical Safeguards

• Secure data centers with restricted access
• Environmental controls and monitoring
• Secure disposal of physical media

Data Retention

We retain personal information for as long as necessary to:

• Fulfill the purposes outlined in this Privacy Policy
• Comply with legal obligations and regulatory requirements
• Resolve disputes and enforce agreements
• Maintain business records and continuity

Specific retention periods vary based on the type of information and applicable legal requirements. Upon expiration of retention periods, we securely delete or anonymize personal information.

International Data Transfers

As a U.S.-based company providing services globally, we may transfer personal information internationally. We ensure adequate protection for such transfers through:

• Data Privacy Framework certification
• Standard contractual clauses
• Adequacy decisions by relevant authorities
• Other appropriate safeguards as required by law

Third-Party Links and Services

Our website and services may contain links to third-party websites and integrate with third-party services. This Privacy Policy does not apply to such third parties. We encourage individuals to review the privacy policies of any third-party services they use.

Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly.

Dispute Resolution

Independent Recourse Mechanism

Workstreet has committed to refer unresolved privacy complaints under the Data Privacy Framework Principles to [Independent Dispute Resolution Provider], an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit [Dispute Resolution Provider Website] for more information and to file a complaint. This service is provided free of charge to you.

Binding Arbitration

For complaints not resolved through other mechanisms, individuals may invoke binding arbitration through the Data Privacy Framework arbitration process under certain conditions.

Federal Trade Commission

Workstreet is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or applicable laws. We will post the updated policy on our website and indicate the effective date of changes. For material changes, we may provide additional notice as appropriate.

Contact Information

For questions about this Privacy Policy, to exercise your rights, or to submit a privacy complaint, please contact us:

Workstreet, Inc.
Privacy Officer
Email: privacy@workstreet.com
Address: 2261 Market Street STE 22218. San Francisco, CA 94114
Phone: 303-351-2640

For Data Privacy Framework-related inquiries, you may also contact our designated privacy contact at: privacy@workstreet.com

This Privacy Policy is designed to comply with the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework.

‍