Effective February 25, 2019

Print Version

Please review this Privacy Policy (the “Policy”) to understand how we collect, use, and share your personal data, as well as your choices and rights with respect to that personal data.


This is the Policy of POINT380, LLC (“us,” “our,” or “we”). You can contact us at or +1.888.540.5300.


This Policy applies to our “Services” which include:

  • Our FlagstaffRPO™ sustainability intelligence platform, and other modules, SaaS applications, and other web-based software and services where we link to/post this Policy (collectively the “Platform”); and
  • Our corporate website, and other websites where we link to/post this Policy, including any subdomains or mobile versions (the “Corporate Site(s)”).


This Policy is incorporated into the Terms of Use governing your use of our Services. Any capitalized term not defined in this Policy will have the definition provided in our Terms of Use.
Your use of our Services indicates your acknowledgement of the practices described in this Policy.


We provide the Platform and process information relating to third parties that have entered into a subscription or services agreement with us (our “Clients”), and in relation to the Client’s authorized users of the Platform (“Authorized Users”).

This Policy reflects only how we process Personal Data through our Services. This Policy does not apply to information processed by other third parties, for example, when you visit a third-party website or interact with third-party Services unless we process information from those parties. Please review the relevant third party’s privacy policy for information regarding their privacy practices.


Personal Data We Collect

In order to provide our Services, we may collect and process information that relates to identified or identifiable individuals (“Personal Data”). We collect and process the following categories of Personal Data (note, specific Personal

Data elements are examples and may change):

  • Identity Data: Personal Data about you and your identity, such as your name, username, profile data, employer information, and other Personal Data you may provide on registration forms or as part of an account profile.
    Contact Data: Personal Data used to contact an individual, e.g. email address, physical address, or phone number.
  • Device/Network Data: Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, identifiers from cookies, session history and similar browsing metadata, and other data generated through applications and browsers, including via cookies and similar technologies.
  • User Content: Personal Data included in content provided by users of the Platform in any free-form or unstructured format, such as in a “contact us” box, free text field, in a file or document, or messages to us.

How We Collect Personal Data

We collect Personal Data from various sources based on the context in which the Personal Data will be processed:

  • Data we collect from you: We collect Personal Data from you directly, for example, when you input information into an online form, or contact us directly.
  • Data we receive from others: We receive Personal Data from third parties with whom we have a relationship in connection with a certain transaction, for example, we may receive certain Personal Data when a Client signs up for our Services and provides a list of Authorized Users.
  • Data collected automatically: We may collect certain Personal Data automatically. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use our Services, or when you open our marketing communications.

Ways we Process Personal Data

Platform Registration and Use

  • Data: Clients and Authorized Users may register and create an account (for themselves or on behalf of other Authorized Users) on our Platform. If you choose to register, we will process Identity Data and Contact Data in connection with the creation, operation, and maintenance of that account. We may also collect certain User Content from you, for example, in response to a request for data, information, questionnaire responses, file uploads, or similar matters.
  • Uses: We use Identity Data, Contact Data, and User Content as necessary to create, maintain, and provide you with important information about your account, and to otherwise provide the services and features Clients or Authorized Users request. Subject to Your Rights & Choices, and consistent with our business interests, we may process Identity Data and Contact Data in connection with Marketing Communications, Aggregate Analytics, Internal Processes and Service Improvement, and for the other lawful purposes described below.

Marketing Communications

  • Data: We may process Identity Data, Device/Network Data and Contact Data in connection with email marketing communications (such as emails or texts), which you might receive if you register for an account on our Platform, choose to receive marketing communications, or engage in a transaction allowing us to send you those marketing communications. We may also collect Device/Network Data when you open or interact with those marketing communications.
  • Uses: Subject to Your Rights & Choices, we use Identity Data and Contact Data as necessary to customize, deliver, and otherwise process marketing communications, and in order to tailor certain communications to individuals’ preferences and requests. Additionally, we may process Device/Network Data from devices receiving those marketing communications as part of our business interest in understanding whether our emails are opened or other aspects of engagement with such marketing communications.

Contact Us

  • Data: When you contact us though the Service we process on behalf of the Client certain Personal Data such as Identity Data, Device/Network Data, and any Personal Data contained within any User Content.
  • Uses: We use Identity Data, Contact Data, and User Content as necessary to communicate with you about the subject matter of your request and related matters. Subject to Your Rights & Choices, we may also use Identity Data and Contact Data in connection with Marketing Communications, if relevant to your request (such as when you request more information about our Services), and for Internal Processes and Service Improvement, and for other lawful purposes described below.

Cookies and Similar Tracking Technologies

  • Data: We, and certain third parties, may process Identity Data, Contact Data, and Device/Network Data when you interact with cookies and similar technologies on our Services. We may receive this data (or Aggregate Data derived from it) from third parties to the extent allowed by the applicable partner. Please note that the privacy policies of third parties may also apply to these technologies and the Personal Data collected through them.
  • Uses: Subject to Your Rights & Choices, we may use this information as follows:
    •  (i) for “essential” or “functional” purposes, such as to enable certain features of the Services, or keeping you logged in during your session;
    • (ii) for “analytics” and “personalization” purposes, consistent with our business interest in how the Services are used or perform, how users engage with and navigate through our Service, what sites users visit before visiting the Service, how often they visit the Service, and other similar information, as well as to greet users by name and modify the appearance of the Service to usage history, tailor the Service based on geographic location or Client, and understand characteristics of users in various technical and geographic contexts; and
    • (iii) for “retargeting” or similar advertising purposes on our Corporate Site, so that you can see advertisements from us on other websites. These technologies and the data they collect, may be used by advertisers to deliver ads that are more relevant to you based on content you have viewed, including content on our Corporate Sites. These tracking technologies may also help prevent you from seeing the same advertisements too many times, and help us understand whether you have interacted with or viewed ads we’ve delivered to you. This collection and ad targeting may take place both on our Corporate Sites, as well as and on third-party websites that participate in the ad network (e.g. any advertisements delivered by that ad network on a third-party website).

Note: Some of these technologies can be used to identify you across platforms, devices, sites, and services.

How we Process Data for Specific Purposes

Aggregate Analytics

Subject to Your Rights & Choices, we will collect and aggregate your Personal Data and information about your use of the Services in order to identify certain trends in how our Services are used and perform, the individuals who use our Services, and the products and services most relevant to users (“Aggregated Data”). Aggregated Data will not contain information from which you may be individually identified. We may use this information in order to create analytics that help us better identify patterns and trends among employees, and provide analytics to our Clients regarding our Services and their employees. Internal Processes and Service Improvement.

Subject to Your Rights & Choices

We may use any Personal Data we process through our Services as necessary in connection with our business interests in improving the design of our Services, to create a personalized user experience (such as greeting you by name, or associating Authorized Users with Clients and Platform versions), and for ensuring the security and stability of the Platform. For example, we may use Personal Data to understand what parts of our Services are most relevant to users, how users interact with various aspects of our Platform, how our Services perform or fail to perform, etc., or we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our Clients and Authorized Users.

Miscellaneous Processing

If we process Personal Data in connection with our Services in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Your Rights & Choices) unless otherwise stated when you provide it.
Note that we may, without your consent, also process your Personal Data on certain public interest grounds. For example, we may process Personal Data as necessary to fulfill our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest. Please see the Data Sharing section for more information about how we disclose Personal Data in extraordinary circumstances.

Data Sharing

Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the categories of recipients or in connection with specific business purposes, each described below.


We process data on behalf of Clients, and may share your Personal Data with Clients to the extent such information was provided to us for processing on the Client’s behalf, or in the event the Client has a legitimate business purpose for receiving the information. For example, Authorized Users’ account information (for example name and email) may be made available to the relevant Client when necessary to document Client use of the Platform, or as appropriate to ensure the security of Client accounts.

Business Purposes

In connection with our general business operations, product/service improvements, to enable certain features, and in connection with our other lawful business interests, we may share your Personal Data with service providers or subprocessors who provide certain services or process data on our behalf. For example, we may use cloud-based hosting providers to host our Services or disclose information as part of our own internal operations, such as security operations, internal research, etc.). When we disclose information for business purposes we may disclose Identity Data, Contact Data, Device/Network Data, and User Content.

Corporate Events

Your Personal Data may be processed in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.


In order to streamline certain business operations, share promotions and content we believe would be of interest to you, and develop products and services that better meet the interests and needs of our customers, we may share your Personal Data with any of our current or future, subsidiaries, parent companies, and other affiliates.

Legal Disclosures

In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use or Subscription Agreement, or in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

Data Sale

For purposes of the California Consumer Privacy Act, we do not sell your Personal Data.


Your Rights

To the extent required under applicable law, and subject to our rights or obligation to limit or deny access or disclosure, you may have the following rights in Personal Data (users in the EU may wish to review the “Additional Information for EU Users” below, in addition to the rights and choices listed in this section):

  • List of Data: You may receive a list of the specific Personal Data about you that we process.
    Rectification: You may correct any Personal Data that we hold about you.
  • Erasure: You may request that we delete your Personal Data from our systems.
  • Data Export: You may request that we send you a copy of your Personal Data in a common, portable format of our choice.
  • Regulator Contact: You have the right to contact or file a complaint with regulators or supervisory authorities about our processing of Personal Data. Your appropriate local data protection or consumer protection authority varies based on your location and jurisdiction.
  • California Rights: Residents of California (and others to the extent required by applicable law) may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year. You may also request that we provide you a copy of your Personal Data, direct us to stop selling or disclosing Personal Data for certain purposes (if we have done so), and receive information regarding: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties with whom we have disclosed your Personal Data, or sold, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.

You may exercise these rights by contacting us at the address below and submitting a request. We respond to only verifiable requests, and we may require that you provide additional Personal Data to exercise these rights, e.g. information necessary to verify your identity.

Note: We are able to fulfill rights requests regarding Personal Data that we control or process. We may not have access to or control over Personal Data controlled by third parties, including our Clients. Please contact the third party directly to exercise your rights in third party-controlled information.

Your Choices
You may have the following choices regarding the Personal Data we process, to the extent required under applicable law:

  • Consent: If you consent to processing, you may withdraw your consent at any time. You may be required to close your account in order to withdraw consent where your consent is necessary to perform essential aspects of our Services.
  • Direct Marketing: You have the choice to opt-out of or withdraw your consent to marketing communications. You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You may exercise your choice via the links in our communications or by contacting us re: direct marketing.
  • Cookies & Similar Tech: If you do not want information collected through the use of cookies and similar technologies, you can manage/deny cookies and certain similar technologies using your browser’s settings menu. You must opt out of the use of some third-party services directly via the third party. For example, to opt-out of Google’s analytic and marketing services, visit Google Ads Privacy Policy, or Google Analytics Opt-out. To learn more about how to opt out of Google’s use of cookies for advertising or retargeting, visit Google’s Ads Settings, here. You may also opt out of certain online advertising through industry association tools, such as the NAI Opt Out or AdChoices. Please note, at this time, our Services do not respond to your browser’s do-not-track request.
  • Other Processing: You may have the right under applicable law to object to our processing of your Personal Data for certain purposes, including without limitation, situations where we process in accordance with our business interests. You may do so by contacting us re: data rights requests. Note that we may not be required to cease processing based solely on your objection.


We implement and maintain reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and though we may enter contracts to help ensure security, we do control third parties’ security processes. We do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.


We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.


Our Services are neither directed at nor intended for use by minors under the age of majority in the relevant jurisdiction. Further, we do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it.


We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the EU’s Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law. Contact us for more information regarding the mechanisms we use to ensure adequate protection of data subject to EU Law.


POINT380, LLC is the data controller for Personal Data collected through the Service.

Legal bases for processing
The legal bases for our processing of your Personal Data are described below. If you have questions about the legal basis of how we process your Personal Data, contact us at:

Processing is necessary to perform the contract governing our provision of the Services to you or the Client, or to take steps that you request prior to such engagement. This may include processing that is in connection with operations that are necessary to provide the Services themselves:

  • Use:
    • Platform
    • Contact Us
    • Marketing Communications
  • Disclosure:
    • Clients

The following processing activities constitute our legitimate interests (also called our “business interests” in this Policy. We balance any potential impact on you when we process your Personal Data for our legitimate interests. You may object to this processing as permitted by law. For example, our legitimate interests include:

Direct marketing of our products and services to our Clients, Authorized Users, and other parties with whom we do business:

  • Use:
    • Marketing Communications
  • Disclosure:
    • Clients
    • Business Purposes
    • Corporate Events
    • Affiliates
    • Legal Disclosures

Determining the effectiveness of marketing campaigns; providing cost-effective services; personalizing content for individual Users:

  • Use:
    • Marketing Communications
    • Cookies & Similar Tracking Technologies
  • Disclosure:
    • Business Purposes
    • Affiliates

To create, provide, support, maintain, and improve the functionality and performance of our Services, and operate our business:

  • Use:
    • Platform
    • Internal Processes & Service Improvement
    • Cookies & Similar Tracking Technologies
    • Aggregate Analytics
  • Disclosure:
    • Business Purposes
    • Affiliates
    • Legal Disclosures

To secure our Platform and network, investigate suspicious activity or violations of our terms or policies; and to protect the safety of Personal Data, including to prevent exploitation or other harms to which users may be vulnerable:

  • Use:
    • Internal Processes & Service Improvement
  • Disclosure:
    • Clients
    • Business Purposes
    • Legal Disclosures

Processing is necessary to comply with our legal obligations, for example, tax laws, fraud reporting, etc:

  • Use:
    • Miscellaneous Processing
  • Disclosure:
    • Legal Disclosures

All personal data: Note, we may process and disclose Personal Data where it is in the vital interests of a data subject, to comply with a legal obligation to which we are subject, in the public interest, for research, or other appropriate legal ground which may apply under applicable law.


Rights of EU Users 

In addition to the applicable rights set forth above under Your Rights & Choices, users of our Service in the EU may have the following additional rights:

  • Right to Object: Where we process data on the basis of our legitimate interests, you can object to that processing to extent allowed by law. Note that we must only limit processing where our interests in processing do not override an individual’s interests, rights, and freedoms, or the processing is not for the establishment exercise, or defense of a legal claim.
  • Right to Restrict: You may have the right to restrict processing of your Personal Data where the accuracy of the Personal Data is contested, the processing is unlawful but you object to deleting the Personal Data, or we no longer require the Personal Data, but it is still required for the establishment, exercise, or defense of a legal claim, or while we assess an objection to processing.
  • Automated Processing: To the extent we process Personal Data using automated means (if any), or where otherwise required by law, you may opt-out of, or revoke your consent, to this processing or elect to have an individual review any of the results of processing.


We may change this Policy from time to time. Please visit this page regularly so that you are aware of our latest updates. Your use of the Services following notice of any changes indicates acceptance of any changes.


Feel free to contact us with questions or concerns using the appropriate address below.
General inquires:

Physical address: PO Box 1868, Boulder CO 80306

Toll-Free Phone: +1.888.540.5300