Job Applicant Privacy Notice

Updated: March 31, 2022

Note: This Privacy Notice applies to the processing of Personal Information of job applicants of Klaviyo, Inc. and its affiliates and subsidiaries

A. GENERAL PROVISIONS

1. GENERAL INFORMATION – OUR APPROACH TO PRIVACY

1.2 Please ensure that you have read and understood this Job Applicant Notice. If you have any questions about it, please contact hr@klaviyo.com.

1.3 Note that this Job Applicant Notice only applies for as long as you are not engaged by Klaviyo. Once we establish a work-relationship, you will receive a separate Employee Privacy Notice. Information we receive during an application process might also fall within the scope of the Employee Privacy Notice.

2. REGION-SPECIFIC DISCLOSURES

2.1 We may choose or be required by law to provide different or additional disclosures relating to the processing of Personal Information about residents of certain countries, regions or states. Please refer below for disclosures that may be applicable to you:

(a) If you are based in the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland, please refer to section B, Additional Europe-Specific Privacy Disclosures, for more information.

(b) If you are based in Australia, please refer to section C, Additional Australia-Specific Privacy Disclosures, for more information.

3. DATA CONTROLLER

3.1 Klaviyo is the data controller of your Personal Information, and references to “Klaviyo”, “we” or “us” in this Job Applicant Notice are reference to the Klaviyo entity to which you submit your application. As the controller of your Personal Information, Klaviyo is responsible for determining the purposes and means of data processing as described in this Job Applicant Notice. The table in Annex 1 sets out the Klaviyo entities to which this Job Applicant Notice applies.

4. PERSONAL INFORMATION WE COLLECT ABOUT YOU AND HOW WE USE IT

4.1 The table in Annex 2 sets out in detail the categories of Personal Information we may collect about you when you apply for a role at Klaviyo and how we use that information.

Personal Information we collect

4.2 We collect Personal Information that you provide to us when you submit your application to us or communicate with us in respect of your application. This Personal Information may include, for example, your name, address, phone number, emergency contacts, education and qualification details and previous employment history.

4.3 The types of Personal Information we collect will vary depending on the nature of the position and role you are applying for.

4.4 When we ask you to provide such information, we will inform you whether the information requested is optional/voluntary to our consideration of your application. If you decline to provide information which is not optional/voluntary, you may limit our options in response to your application.

4.5 We may also create and maintain internal records with Personal Information about you, such as interview notes and evaluations. We may also collect personal information about you from other parties, such as recruiters and referees.

4.6 If you visit our premises, we may collect health and safety screening information, such as symptoms and vaccination information. We collect this information to protect the health and safety of our personnel and other visitors to our premises, and to comply with our legal and regulatory obligations, including any reporting obligations we may have under applicable law.

Sensitive Information

4.7 We may process Personal Information about You that is sensitive in nature and is subject to special protection under applicable law (“Sensitive Information”). This information may include certain equal opportunities information. We may anonymize and aggregate this information and store it in such form that does not identify you. Annex 2 also sets out which Sensitive Information we collect. In many cases, we may request your consent before processing such Sensitive Information (please see Section 7 for further information on consent).

How we use it

4.8 We may use the Personal Information we collect about you to manage our relationship with you, such as opening and maintaining your applicant record, communicating with you, conducting identity checks, assessing your suitability or qualification for a role and improving our application process.

4.9 We may also use the information we collect to analyze our hiring habits to improve it and ensure diversity and also in other situations where such use is legally required.

Pre-employment vetting

4.10 If we decide to offer you employment or engage you as a consultant, we may also collect the results of any pre-employment screening checks against public or government databases before we make a formal offer to you.

4. 11 Depending on the nature of your role, such pre-employment screening information may include:

(a) Employment history and professional qualification verification. We may contact your professional and academic referees to confirm the employment, professional and academic information that you have provided to us. You should ensure that you have any referees’ consent to disclose information about you to us when you submit your application.

(b) Directorship searches, such as current and former directorships and any disqualifications from acting as a director;

(c) Adverse media searches, conducted using adverse key words relating to crime, terror, fraud or other illicit activities;

(d) Basic criminal records checks.

4.12 We use the above information to assess your suitability and eligibility for the role for which you have applied.

4.13 We will inform you if we obtain any information through pre-employment screening that could affect our decision to offer you employment or appointment as a consultant. We will give you the opportunity to respond to the information obtained and will take your response into account when deciding whether to proceed with your appointment.

5. HOW LONG WE KEEP YOUR PERSONAL INFORMATION

5.1 We will store your Personal Information for no longer than necessary for the purposes set out in Annex 2 and in accordance with our legal obligations and legitimate business interests.

5.2 If you become an employee, consultant or contractor of Klaviyo, or are engaged as temporary or agency staff by Klaviyo, the Personal Information we collect during the application process may be transferred to your personnel file and stored in accordance with our Employee Privacy Notice (we will give you a copy of this notice at the start of your employment or other engagement with Klaviyo).

5.3 Even if you are not hired or engaged as a result of your initial application, and with your consent as may be required by applicable law, we may keep your Personal Information for purposes of considering you for employment with other Klaviyo companies or for other positions with Klaviyo. Otherwise, if you do not wish to be considered for other roles at Klaviyo, we will keep your Personal Information subject to and in accordance with our records retention policy.

5.4 In all cases, we will only use data in a manner consistent with applicable law.

6. RECIPIENTS OF PERSONAL INFORMATION

6.1 We may share your Personal Information with the following (as required in accordance with the uses set out in the Annex 2):

(a) Other Klaviyo group companies: If You apply for a position with a Klaviyo subsidiary or affiliate, we may share your Personal Information with our parent company, Klaviyo, Inc. (Klaviyo U.S.) or another Klaviyo subsidiary or affiliate for:

• group-level compliance and associated risk management, including, for example, providing legal advice and in connection with potential or actual litigation or regulatory action;
• the decision to hire, and
• the provision of health and safety screenings.

(b) Service providers and advisors: we may share your Personal Information with third party service providers that provide services to us or on our behalf, which may include without limitation providing mailing, email, recruitment and pre-employment vetting services.

(c) Law enforcement, regulators, government bodies and other third parties for legal reasons: we may share your Personal Information with third parties as required by law or if we reasonably believe that such action is necessary to (i) comply with the law and the reasonable requests of law enforcement; (ii) detect investigate and respond to potential civil or criminal violations, such as breaches of agreements or laws, respectively; and/or (iii) otherwise exercise or protect the rights, property, or personal safety of Klaviyo, our team members or others.

7. CONSENT

7.1 We are not required to obtain your consent for most of the processing activities that we undertake in respect of your Personal Information:

7. 2 We may, however, need your consent for some uses of certain Personal Information. For instance, in certain circumstances, we may need your consent to use certain “sensitive” information, such as information about your health or ethnicity, in particular ways.

7.3 If we need your explicit consent, we will notify you of the Personal Information we intend to use and how we intend to use it before or at the time we ask for such consent.

7.4 You will never be obliged to consent. Where you have consented to our collection, disclosure or other use of your Personal Information, you may withdraw your consent at any time. If you wish to withdraw any consent that you have given us, please contact us at hr@klaviyo.com.

8. STORING AND TRANSFERRING YOUR PERSONAL INFORMATION

8.1 Security. We implement appropriate technical and organizational measures designed to protect your Personal Information against accidental or unlawful destruction, loss, change or damage. All Personal Information we collect will be stored securely.

8.2 International transfers of your Personal Information. Klaviyo is committed to protecting the privacy and confidentiality of your Personal Information when it is accessed by or transmitted to other Klaviyo entities or any other third party. However, you should be aware that not all of the countries to which Personal Information will be transferred provide the same level of data protection as the country where you are located.

9. YOUR RIGHTS IN RESPECT OF YOUR PERSONAL INFORMATION

9.1 In accordance with applicable privacy law, you may have the following rights in respect of your Personal Information that we hold:

(a) Right of access. You have the right to obtain certain information regarding the Personal Information we collect and process.

(b) Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete Personal Information we hold about You without undue delay.

(c) Right to erasure. You have the right, in some circumstances, to require us to erase your Personal Information if the continued processing of that Personal Information is not justified.

(d) Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your Personal Information if the continued processing of the Personal Information in this way is not justified.

(e) Right to object. You have the right, in some circumstances, to object to the processing of your Personal Information.

9.2 If You wish to exercise one of these rights, please contact us using the details below.

10. CHANGES TO THIS NOTICE
WE MAY UPDATE THIS JOB APPLICANT NOTICE FROM TIME TO TIME AND SO YOU SHOULD REVIEW THIS PAGE PERIODICALLY. IF AND WHEN WE MAKE MATERIAL CHANGES THIS JOB APPLICANT NOTICE, WE WILL UPDATE THE “LAST MODIFIED” DATE DISPLAYED AT THE END OF THE DOCUMENT. CHANGES TO THIS JOB APPLICANT NOTICE ARE EFFECTIVE WHEN THEY ARE PUBLISHED ON THIS PAGE.

11. CONTACTING US

11.1 Please contact hr@klaviyo.com if you have any questions, comments, concerns and requests regarding this Job Applicant Notice.

B. ADDITIONAL EUROPE-SPECIFIC PRIVACY DISCLOSURES

12. The following information may apply to you if you are located in the EEA, the UK or Switzerland.

12. 1 Additional Information on Controllership. If you apply for a position with a Klaviyo subsidiary or affiliate located in the EU, UK or Switzerland, We, together with Klaviyo, Inc., act as a joint controller (i.e., we jointly decide on the “why” (purpose) and “how” (means) of the processing) with respect to the Personal Information that is collected and shared with Klaviyo, Inc. as set out above under Section 6.1(a)(i) of this Job Applicant Notice. Note, however, that Klaviyo, Inc., will act as a data processor for us in connection with providing IT infrastructure.

12.2 Legal Basis. The table in Annex 2 lists the legal bases under the GDPR on which we base the processing of your Personal Information. Note that the legal bases set out in Annex 2 refers to the legal bases in the GDPR. Depending on the country in which you are employed, there may be country-specific legal bases that apply. If you would like to obtain information in this respect, please contact us at hr@klaviyo.com.

12.3 In relation to the Personal Information that is shared with others, the legal bases are the following:

(a) Klaviyo, Inc.: Taking steps prior to entering into a contract with you and our legitimate interests, namely the interests set out in Section 6.1(a).

(b) Service providers and advisors: The legal basis is the balancing of legitimate interests, namely our interest in managing our resources and pursuing our business as set out above and, in this context, evaluating your application. Note that service providers that act on our behalf will process your Personal Information only according to our instructions and will be bound by adequate data processing agreements. Advisors will often provide their advice more independently and thus qualify as data controller.

(c) Third parties at your request: The legal basis is consent according to the GDPR.

(d) Law enforcement, regulators and other third parties for legal reasons: The legal bases are legal obligation and a balancing of legitimate interests as specified above as well as compliance with legal obligations.

12.4 International Transfers of your Personal Information. With respect to international transfers of your Personal Information from locations in the EEA and the UK to jurisdictions that are not considered to provide an adequate level of data protection under EU law (such as the U.S.), we have implemented appropriate safeguards, such as standard contractual clauses approved by the European Commission, to secure the transfer of your Personal Information. In particular, we have implemented an intra-group data transfer agreement which includes the standard contractual clauses, to ensure an adequate level of protection when transferring data within the company group. If you would like to obtain further information on the transfer of your Personal Information to countries located outside the EEA and the UK which do not provide for an adequate level of protection, please contact us using the contact details provided above.

12.5 Data Subject Rights. In accordance with applicable privacy law, you may have the following rights in respect of your Personal Information that we hold:

(a) Right of access. You have the right to obtain:

(i) confirmation of whether, and where, we are processing your Personal Information;

(ii) information about the categories of Personal Information we are processing, the purposes for which we process your Personal Information and information as to how we determine applicable retention periods;

(iii) information about the categories of recipients with whom we may share your Personal Information; and

(iv) a copy of the Personal Information we hold about you.

(b) Right of portability. You have the right, in certain circumstances, to receive a copy of the Personal Information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your Personal Information to another person.

(c) Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete Personal Information we hold about you without undue delay.

(d) Right to erasure. You have the right, in some circumstances, to require us to erase your Personal Information without undue delay if the continued processing of that Personal Information is not justified.

(e) Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your Personal Information if the continued processing of the Personal Information in this way is not justified, such as where the accuracy of the Personal Information is contested by you.

(f) Right to object.

(i) YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME, TO PROCESSING OF PERSONAL INFORMATION CONCERNING YOU WHICH IS BASED ON OUR LEGITIMATE INTERESTS INCLUDING PROFILING (E.G., CREDIT RATING). WE SHALL NO LONGER PROCESS THE PERSONAL INFORMATION UNLESS WE DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE THE INTERESTS, RIGHTS AND FREEDOMS OF YOU, OR FOR THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS.

(ii) YOU HAVE THE RIGHT TO OBJECT TO AT ANY TIME TO PROCESSING OF PERSONAL INFORMATION CONCERNING YOU FOR PURPOSES OF DIRECT MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT TO THE PROCESSING FOR DIRECT MARKETING PURPOSES, YOUR PERSONAL INFORMATION WILL NO LONGER BE PROCESSED FOR SUCH PURPOSES.

(g) If you wish to exercise one of these rights, please contact hr@klaviyo.com.

(h) You also have the right to lodge a complaint to the supervisory authority in your country of residence. Further information about how to contact your local data protection authority is available at https://ec.europa.eu/newsroom/article29/items/612080. For the UK, please contact the Information Commissioner’s Office (ICO) at https://ico.org.uk/.

C. ADDITIONAL AUSTRALIA-SPECIFIC PRIVACY DISCLOSURES

13. The following information may apply to you if you are located in Australia.

13.1 Additional information on Sensitive Information: In Australia, ‘Sensitive Information’ under the Privacy Act 1988 (Cth) includes, but is not limited to, information about your ethnic origins, criminal record, political opinions, religion, sexual orientation and membership of a professional / trade association or a trade union. Sensitive Information also includes your health information and biometric information. Klaviyo will only ordinarily collect your Sensitive Information with your consent.

13.2 Additional information on pre-employment vetting: Depending on the nature of the position for which you are applying, we may conduct a criminal record check. This involves collecting your Personal Information from (or disclosing your Personal Information to) the police. We will only conduct a criminal record check with your consent.

13.3 Additional information on recipients of Personal Information: The locations where your Personal Information will be transferred for the purposes outlined above in section 6(and for the uses set out in Annex 2 below) include to Klaviyo, Inc. in the U.S and Klaviyo LTD in the U.K.

13. 4 Additional information on your rights:

(a) Rights of access and correction: Under the Australian Privacy Principles, you (as a job applicant or prospective consultant) have a right to request access to your Personal Information and to request the correction of your Personal Information. If you would like to exercise these rights, please contact hr@klaviyo.com.

(b) We will only decline an access or correction request in circumstances prescribed by the Privacy Act. If we do refuse your access or correction request, we will provide you with written reasons for our decision and, in the case of a request for correction, we will include a statement with your personal information about the requested correction (if you ask us to do so).

(c) Right to complain: Under the Australian Privacy Principles, you (as a job applicant or prospective consultant) have a right to make a privacy complaint. If you would like to make a privacy complaint, please contact hr@klaviyo.com.

(d) We will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. Your complaint will then be investigated. In most cases, we will investigate and respond to a complaint within a reasonable time, usually within 30 days of receipt of the complaint. If the matter is more complex or our investigation may take longer, we will let you know.

(e) If you are not satisfied with our response to your complaint, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted by telephone on 1300 363 992 or by using the contact details on the website www.oaic.gov.au.

(f) Please note that the following rights are not available under the Privacy Act and the Australian Privacy Principles: the right to erase, restrict, object (except for opting out of receiving marketing messages) and portability. p

Annex 1

KLAVIYO ENTITIES AND CONTACT

Annex 2

PERSONAL INFORMATION WE COLLECT