Last Updated: March 14, 2025

This Rippling User Privacy Notice (this “Privacy Notice”) describes how People Center, Inc. d/b/a Rippling and its affiliates (collectively “Rippling”, “we”, “us”, and/or “our”) collects and processes your personal information for our own purposes when you interact with Rippling and our websites, services, content, and any related software, mobile applications, and other applications (collectively, “Services”).

When you access or use our Services, you acknowledge that you have read this Privacy Notice and understand its contents. Your use of our Services and any dispute over privacy is subject to this Privacy Notice.

In connection with the provision of specific Services, we may provide additional "just-in-time" disclosures or additional information about our data processing practices. These notices may supplement this Privacy Notice, clarify Rippling's privacy practices in the circumstances described, or may provide you with additional choices about how Rippling processes your personal information.

We recommend that you read this Privacy Notice in its entirety to ensure you are fully informed. However, in order to simplify the reading, we have included quick links to each section below:

1. What This Privacy Notice Covers
2. Personal Information We Collect
3. How We Use Your Personal Information
4. How We Disclose Your Personal Information
5. How Long We Keep Your Personal Information
6. International Transfers
7. Cookies
8. Security
9. Your Rights and Choices
10. Children's Personal Information
11. Changes to this Privacy Notice
12. How To Contact Us
13. Additional Information for California Residents

1. What This Privacy Notice Covers

This Privacy Notice applies to the personal information we collect and process when you:

• visit, interact with, or use (or apply to use) any Rippling Services or websites that link to this Privacy Notice;

• create or administer your Rippling account;

• receive communications from, or otherwise interact or communicate with us, including via email, phone, or mail, or using our branded social media pages;

• complete a questionnaire, promotional entry, a support ticket, or other information request forms;

• participate in an employee group health insurance program through your employer where your employer is using Rippling’s insurance broker Services; 

• engage in a contracting process with Rippling (e.g. as an employee of a prospective Rippling customer or service provider);

• register or take part in our marketing, learning, or training events; and

• offer or integrate your application, content, product, or services on or through Rippling Services such as Rippling’s App Shop, our Bill Pay program, or Contractor Hub.

This Privacy Notice does not apply to the following:

• Customer Personal Data. Customer Personal Data is any personal data that you or your organization submits to us for processing to enable us to provide the Rippling Services to our customers, such as when you provide your bank account information for payroll processing, or demographic information for benefits enrollment purposes. Customer Personal Data does not include the account information about you that you provide to us in connection with the creation or administration of your Rippling account. For more information on how Rippling handles Customer Personal Data, please see the Privacy at Rippling FAQs and our Data Processing Addendum.

• Rippling as an employer. Any personal information we collect or process in our capacity as a prospective, active, or former employer, co-employer, or employer of record.

• Third party data. Any products, services, websites or content that are offered by third parties through integrations with Rippling Services, which are governed by their own respective privacy policies.

Rippling also creates and uses de-identified data in some instances. De-identified data refers to data that can no longer reasonably be used to identify you. Where we maintain de-identified data, we make no attempt to re-identify it except for the purpose of determining whether our de-identification process satisfies the requirements of applicable laws.

2. Personal Information We Collect

The personal information we collect depends on the context of your interactions with Rippling and the choices you make, the Services and features you use, your location, and applicable laws, but can include the following:

Information You Provide To Us. We collect personal information you provide us when you interact with us, such as when you complete a form on our website to obtain additional information about our Services, or create a Rippling account. This information may vary depending on how you interact and what you choose to share with us, and includes:

• Account information, such as your email address, password, and any authentication and security credential information used to create and administer your Rippling account.

• Contact and professional information, such as your name, address, phone number, email address, company name, job title/level, department, and industry.

• Contract and payment information, such as your signature, credit card and bank account information, VAT numbers and other tax identifiers that you use to pay for Rippling Services.

• Identification information, such as government-issued identification documents and photos to comply with global anti-money laundering (“AML”) and know your customer (“KYC”) obligations.

• Communications information, such as your feedback on our Services and other communications with us (including when you interact with our customer service online and offline), any queries you raise (including when you fill out a form on our website), and chat, email, or call history. This includes information as to how you contact us, and the channel of communication that you use, as well as any information that you send to us.  

• Insurance benefits information. If your employer uses our insurance broker Services, we may collect your (and your dependents’) identification information, social security number, insurance policy and claim information, and any other information necessary to provide the broker Services to our Customer.

• Financial information, such as your bank routing and account information, bank statements and transaction history, and verification of bank account ownership to conduct KYC and other regulatory clearance and underwriting processes in connection with your organization’s application for certain Rippling Services, such as the Rippling Corporate Card, and for internal reporting purposes for certain Rippling Services.

• Audio and video recordings. If you attend a Rippling in-person or virtual event, answer a telephone call from Rippling, or otherwise join a telephone or video meeting with us, we may record some or all of that event or meeting (including audio and video content). For events, we may document the event in various ways, such as by taking photos, conducting interviews, or recording your participation in an interactive session. We will obtain your consent where required under applicable laws.

• Contractor or vendor information. If you are a Rippling partner such as a contractor or a vendor, we may additionally collect certain information such as your Tax Identification Number (“TIN”) or other tax documents, information contained in invoices you have issued to, or your contracts with, our mutual customers, and financial information (such as your bank account number).

• Advertising and marketing information, such as your interests based on your use of our Services and other websites and online services, your preferences in relation to receiving marketing materials from us, communication preferences, and your preferences for particular products or services.

Providing your personal information is optional. You are not under a legal duty to provide your personal information, but it may be necessary for certain Services, such as account registration. In such cases, if you do not provide your personal information, we may not be able to provide you with the requested Services.

Information We Collect Automatically. We automatically collect certain types of information when you interact with our Services, such as when you visit our website or log into your account. We use common information gathering tools, such as tools for collecting usage data, cookies, web beacons and similar tracking technologies to automatically collect information that may contain personal information from your computer or mobile device as you navigate our Services or interact with emails we have sent you. This information includes:

• Usage and interaction information. The full Uniform Resource Locators (URL) clickstream to, through, and from our website (including date and time) and Services, content you viewed or searched for, page response times, download errors, length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs).

• Log data and device information, such as IP address, information about your Internet service provider, computer and device information including device, application, or browser type and version, browser plug-in type and version, operating system, or time zone setting, authentication and security credential information, access dates and times, occurrences of technical errors, diagnostic reports, your settings preferences, backup information, API calls, and other logs.

• Inferred location information. We may look up your IP address to determine your general location.

• Location information. Certain Services may request permission to access your location. Where you grant this permission, we will collect information about your location using GPS, wireless, or Bluetooth technology. You can control access to precise location information through your mobile device settings.

• Other identifiers and information contained in cookies and similar tracking technologies as described in our Cookie Notice.

Information We Collect from Other Sources. Depending on how you use our Services, we may collect information about you from other sources, and combine this information with personal information that you provide. These sources include: 

• Your employer and their partners. We may receive information about you, such as insurance benefits information, from your employer and their service providers or authorized representatives to provide certain Rippling Services, such as our insurance broker Services.

• Other Rippling users. We may receive information about you, such as contact and professional information, from other users, such as our customers or partners who may refer you to Rippling via our referral programs, or provide vendor and contractor information through our Bill Pay or Contractor Hub Services.

• Third-party service providers and business partners. We may receive information about you from third parties we use to verify your identity, manage risk, and prevent fraud, such as your name, address, phone number, banking details, Social Security Number, and IP address. If your employer uses our broker Services, we may also collect and receive certain information, such as your insurance benefits and claims information, from insurers, and their appointed agents, where they are involved. If you, or your employer, uses any of our financial products, we may collect information about you and your use of the Services from our financial partners such as banks, card networks, payment processors, money transmitters, and other partners that provide or support delivery of financial services. 

• Public and third-party sources for marketing. We collect information about prospective users of our Services from publicly and commercially available services including aggregators and social media networks, as well as through third-party marketing initiatives, such as events where we are a sponsor. This information may include marketing and sales generation information such as your social profile (e.g. LinkedIn), name, email address, physical address, phone number, and professional information. 

3. How We Use Your Personal Information and Our Legal Bases For Processing It

Our purposes and legal bases for using personal information depend on the context of your interactions with Rippling and the choices you make, the Services and features you use, and your location, but can include those set out below, as permitted by applicable laws.

In jurisdictions where applicable law distinguishes between primary processing purposes and ancillary processing purposes, our advertising and marketing is considered an ancillary purpose, while all other processing purposes described in this section are primary purposes.

4. How We Disclose Your Personal Information

Maintaining your trust over your personal information is a vital part of our relationship with you, and we disclose your personal information only as described below.

• With others in your organization. If you are the administrator for your organization, we may disclose your information to other users in your organization in accordance with your account settings and preferences. If you are a user, we may disclose certain information, including information about your account settings and your use of the Services, to your organization and its administrator(s). 

• Transactions involving third parties. We make available to you services, software, and content provided by third parties for use on or through our Services. For example, your organization’s administrator may request integration with third-party applications via Rippling’s app shop. We disclose information related to those transactions to that third party.

• Service providers. We engage third party service providers and individuals to perform certain functions on our behalf. This includes cloud computing and storage services, IT services, payments processing, identity verification, event services, customer support, call recording, data analytics, and marketing services. These third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes.

• Business advisors. We may disclose your personal information with professional advisors acting as service providers, processors, or controllers - including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services.

• Insurance Services. If your employer uses our insurance broker Services, we may disclose your personal information with your employer and/or insurance carriers in the course of providing the Services. 

• Financial partners. We disclose your personal information to financial partners such as banks, card networks, and payment processors for a variety of reasons, including supporting their customer identification, risk, and compliance obligations, so they, or us, can determine eligibility for, and provide, Services. This information also enables these partners to deliver card, payment and transfer capabilities through our Services. 

• Services involving authorized representatives, vendors, and contractors. If you are an accountant, broker, or another authorized representative of a Rippling customer, we may disclose information relating to your access to and use of our Services to the relevant customer. If you are a vendor or contractor of a Rippling customer, we may disclose information relating to your access to and use of our Services, such as your status to use the Rippling Services, your TIN or other tax documents, your invoices, or information contained in invoices you have issued, and financial information (such as your bank account number), to our customers.

• Third-party advertising services. We provide information (such as your internet or other similar network activity, identifiers such as your name and email address, location information, and inferences about your interests) to third parties, including advertising networks that allows them to serve you with more useful and relevant Rippling ads and to measure their effectiveness. For more information about your choices relating to our advertising, see “Your Rights and Choices” section below.

• Protection of us and others. We may disclose your personal information if we believe disclosure is appropriate to comply with applicable laws, enforce or apply our terms or agreements (including to collect amounts owed to us), protect the rights, property, or safety of Rippling, or our employees, customers, users, and others or to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities. We may also disclose your personal information in connection with investigating and preventing fraud or security issues relating to our Services.

• Affiliates. We may disclose your personal information to our affiliates within the Rippling corporate group as well as companies we may acquire in the future when they become part of the Rippling corporate group in accordance with this Privacy Notice.

• Business transfers. If Rippling goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its businesses, services, or assets, your personal information may be among the assets transferred. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of personal information to an unaffiliated third party.

• With your consent. We may disclose personal information to third parties when we have your consent to do so.

For further information on the recipients of your personal information, please contact us at the address stated under the "How to Contact Us" section below.

5. How Long We Keep Your Personal Information

We keep your personal information for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice, or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements.

Because these needs can vary for different data types in the context of different Services, actual retention periods can vary significantly. We determine the appropriate retention period for personal information based on the amount, nature, and sensitivity of your personal information processed, the potential risk of harm from unauthorized use or disclosure of your personal information and whether we can achieve the purposes of the processing through other means, as well as applicable legal requirements (such as applicable statutes of limitation).

Our retention obligations may require us to retain your personal information after your relationship with us has ended. These retention obligations may also prohibit us in some cases from deleting personal information after you have asked us to delete your personal information. After expiry of the applicable retention periods, your personal information will be deleted, de-identified, anonymized, or otherwise irreversibly destroyed in accordance with applicable laws. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of that data.

For further information on applicable data retention periods, please contact us at the address stated under the "How to Contact Us" section below.

6. International Transfers

Personal information we collect may be stored and processed in your region, in the United States or in any other country where we or our affiliates or service providers maintain facilities. We maintain primary data centers in the United States. We take steps designed to ensure that the personal information we collect under this Privacy Notice is processed as described in this Privacy Notice and according to any applicable laws. As a result, your personal information may be subject to the laws of foreign jurisdictions, including laws that permit or require the disclosure of information to law enforcement or national security authorities upon request. When transferring personal information from a jurisdiction restricting such exports, we will adopt appropriate data transfer tools such as approved standard contractual clauses or your consent (based on applicable laws). 

For further information on the transfer tools we use, please contact us at the address stated under the “How to Contact Us” section below.

7. Cookies

We use cookies and similar technologies to enable our systems to recognize your browser or device, to provide our Services, and to improve your experience. For more information about cookies and how we use them, please read our Cookie Notice. This notice also describes how you may opt in or opt out of the use of personal information, such as browser cookies, for targeted or cross-contextual behavioral advertising, depending on your jurisdiction and in accordance with applicable laws.

8. Security

We design our systems with your security and privacy in mind.

• We maintain a wide variety of compliance programs that validate our security controls. Click here to learn more.

• We protect the security of your information during transmission to or from Rippling by using encryption protocols and software.

• We maintain technical, physical, and organizational safeguards in connection with the collection, storage, and disclosure of personal information. Our security procedures mean that we may request proof of identity before we disclose personal information to you.

However, no security measure or modality of data transmission over the Internet is 100% secure. Although we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. You are solely responsible for protecting your password, limiting access to your devices, and signing out of websites after your sessions.

If you have any questions about the security of our websites, please contact us at the address stated under the "How to Contact Us" section below.

9. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information. To exercise your rights, please contact us as described under the “How to Contact Us” section below, or as otherwise described in this Privacy Notice. Subject to applicable law, you may have the right to:

• ask whether we hold personal information about you, and request copies of such personal information and information about how it is processed;

• request information about our processing of your personal information, including information about third parties to whom we disclose personal information and why we process your personal information;

• request that personal information about you is corrected;

• request deletion of your personal information;

• request us to restrict the processing of your personal information where the processing is inappropriate;

• request that we inform any third parties to whom we’ve disclosed your personal information of your correction, deletion, or restriction requests;

• object to certain processing of your personal information;

• request portability of personal information that you have provided to us;

• if we have collected and processed your personal information with your consent, withdraw your consent. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. However, please note that the withdrawal of your consent may affect our ability to continue to provide you with Rippling Services because the continued use and disclosure of your personal information is necessary to make Rippling Services available to you; 

• opt out of our disclosure of personal information in exchange for valuable consideration, including where personal information is processed for online behavioral advertising or targeted advertising here;

• unsubscribe from receiving promotional emails or direct mail from us in the Rippling marketing preference center here and/or in the applicable link in the communication received.  You can opt out from receiving promotional calls or SMS by contacting us at privacy@rippling.com or, in the case of SMS, texting “STOP”. If you do not want to receive in-app notifications from us, you can adjust your notification settings in the app or device; 

• submit a complaint to a data protection authority about our collection and use of your personal information. A full list of European Economic Area (“EEA”) data protection authorities by country is here. The UK Information Commissioner’s Office can be contacted here. The Office of the Australian Information Commissioner can be contacted here. The Information Regulator of South Africa can be contacted using the relevant contact details available here.

10. Children's Personal Information

We do not provide our Services to children. We do not knowingly collect personal information from children under the age of 16 (or other minimum age of minors in your jurisdiction) without the consent of the child’s parent or guardian. If you are a parent or guardian and you learn that your children have provided us with personal information, please contact us at the address stated under the "How to Contact Us" section below.

11. Changes to this Privacy Notice

At Rippling, we build with velocity, which means we regularly ship new Services and improve our business. Those changes sometimes require us to collect new personal information or to use personal information in different ways, so we periodically update this Privacy Notice to reflect those changes. If we make material changes to the Privacy Notice, we will post a notice by appropriate means and seek your consent when required by applicable laws. Rippling reserves the right to update or modify this Privacy Notice at any time. Please review this page periodically, and especially before you provide any personal information to us. This Privacy Notice was last updated to be effective as of the “Last Updated” date indicated at the top.

12. How To Contact Us

If you have any questions about our Privacy Notice or privacy practices, or wish to contact our data protection officer in regions where we have appointed one, please contact us at privacy@rippling.com or by mail addressed to People Center Inc. d/b/a Rippling, 2443 Fillmore St #380-7361, San Francisco, CA 94115, stating the country in which you are located. 

Subject to applicable laws, you can also contact us if you wish to lodge a complaint about our privacy practices, or to appeal our actions with regards to your rights and choices.

If you are a resident of the EEA, Rippling Ireland Limited is the controller of your personal information as described in this Privacy Notice. If you are a resident of the UK, Rippling Payments UK Limited is the controller of your personal information as described in this Privacy Notice. If you are a resident of South Africa and/or your personal information is collected and processed within South Africa, Rippling South Africa (Pty) Ltd, located at 222 Smit Street, Braamfontein, Johannesburg, Gauteng, 2001, South Africa, is the controller and/or responsible party of your personal information as described in this Privacy Notice.

If you have any questions about the Customer Personal Data handled by your organization, please contact your organization’s administrator.

13. Additional Information for California Residents

Below are the additional disclosures for California residents that are required by the California Consumer Privacy Act and the California Privacy Rights Act (together, the "CCPA"), effective as of January 1, 2024. These disclosures supplement the rest of this Privacy Notice.

Categories of personal information we collect. The personal information that we have collected from consumers in the preceding twelve months, fall into the following categories established by the CCPA:

• identifiers, such as your name, email, address, phone numbers, or IP address;

• personal information as described in subdivision (e) of Section 1798.80 of the California Civil Code, such as a credit card number;

• characteristics of protected classifications under California or US federal law, such as age or gender, for example if we conduct user surveys or analysis or if you participate in an employee group health insurance program through your employer where your employer is using Rippling’s insurance broker Services;

• commercial information, such as purchase activity;

• internet or other electronic network activity information, including content interaction information, such as content downloads, streams, and playback details;

• geolocation data, such as the location of your device or computer determined from your IP address or mobile device’s GPS depending on your device settings;

• audio, visual, electronic or other similar information, including when you communicate with us by phone or otherwise;

• professional or employment-related information, for example data you may provide about your business; and

• inference data, such as information about your preferences; and

• sensitive personal information, such as government-issued identification documents to comply with global AML and KYC obligations.

For more information about our collection of these categories of personal information, please see the “Personal Information We Collect” section above.

Categories of personal information disclosed for a business purpose. The personal information that we disclosed about consumers for a business purpose in the preceding twelve months fall into the following categories established by the CCPA, depending on how you engage with us:

• identifiers, such as your name, email, address, phone numbers, or IP address;

• personal information as described in subdivision (e) of Section 1798.80 of the California Civil Code, such as a credit card number;

• characteristics of protected classifications under California or US federal law, such as age or gender, for example if we conduct user surveys or analysis or if you participate in an employee group health insurance program through your employer where your employer is using Rippling’s insurance broker Services;

• commercial information, such as purchase activity;

• internet or other electronic network activity information, including content interaction information, such as content downloads, streams, and playback details;

• geolocation data, such as the location of your device or computer determined from your IP address or mobile device’s GPS depending on your device settings;

• audio, visual, electronic or other similar information, including when you communicate with us by phone or otherwise;

• professional or employment-related information, for example data you may provide about your business; and

• inference data, such as information about your preferences; and

• sensitive personal information, such as government-issued identification documents to comply with global AML and KYC obligations.

For more information about our disclosures of these categories of personal information, please see the “How We Disclose Your Personal Information” section above.

Categories of personal information “sold” and “shared.” We use cookies and similar technologies to understand how well our online advertising works, and deliver more targeted online advertising and marketing campaigns. Over the past twelve months, we may have disclosed your internet or other similar network activity, identifiers and location information, and inferences about your interests to third parties, including, advertising networks, data analytics providers, social networks and advertising partners. The CCPA may consider our disclosures of this information to third parties as “sales” or “sharing” of personal information. Rippling does not have actual knowledge that it “sells” or “shares” the personal information of individuals under 16 years of age.

Sensitive personal information. The categories of data that Rippling collects and discloses for a business purpose include "sensitive personal information" as defined under the CCPA. Rippling does not use or disclose sensitive personal information for any purpose not expressly permitted by the CCPA.

Your Rights. Under CCPA, you may have rights to ask us to:

• provide descriptions of the personal information we hold about you;

• provide access to certain personal information we hold about you, in some cases in a portable format, if technically feasible;

• update or correct your personal information;

• delete certain personal information we hold about you; an

• opt out of our “sale” and “sharing” of your personal information, as those terms are defined in the CCPA. To exercise these rights, please visit Your Privacy Choices.

Verification and Authorized Agents. When you submit a rights request to us, we will take steps to verify your identity, including by validating your name and the email you use when interacting with us. You may also have the right to designate an authorized agent to help you exercise these consumer rights. To ensure the security of your Rippling account, we will generally ask you to verify your, or your authorized agent’s, request using the contact information you have already provided.

Exercising your rights. If you would like to exercise any of these rights, please contact us at privacy@rippling.com. You can also use the contact information we provided under the “How to Contact Us” section above.

If you have set global privacy settings using a recognized standard, then we recognize your choice to opt out of the “sale” and “sharing” of your personal information.

No discrimination. We will not discriminate against any consumer for exercising their rights under the CCPA.

Retention of Personal Information. For information on how long we retain your personal information, please see the “How Long We Keep Your Personal Information” section above.