iHerb: Employee Privacy Notice

Effective Date: January 1, 2023

iHerb Holdings, LLC and its subsidiaries, affiliates, and related entities, including, but not limited to iHerb, LLC and iHerb Netherlands B.V. (collectively, “iHerb” or “we”), respect your concerns about privacy and are committed to protecting the privacy and security of your personal information. This Privacy Notice describes the types of personal information we collect from you as an employee or job applicant, how we secure and use your personal information,, with whom we may share it, and the choices and rights available to you regarding our use of the information. The Privacy Notice also describes the measures we take to safeguard the personal information, how long we retain it and how you can contact us about our privacy practices and to exercise your rights. The entity that is mainly responsible for this information (i.e., the data controller) is the iHerb subsidiary that employs you or for which you apply for a job.

For the purposes of this notice:

”employee” refers to all employees, directors, officers and Board members of iHerb. It also refers to consultants, independent contractors, contingent workers, and interns engaged by iHerb, even though they are not otherwise employees.
“job applicant” refers to individuals who have submitted information to iHerb (e.g. resume or job application) in order to apply to be an iHerb employee.

This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this Privacy Notice should be construed to interfere with iHerb’s ability to process employee data for purposes of complying with our legal obligations or investigating alleged misconduct or violations of company policy or law, subject to compliance with local law. To the extent that this Privacy Notice conflicts with local law, local law controls.

Also, this Privacy Notice does not cover your use of iHerb Services as a consumer. To learn more about privacy for iHerb consumers, please read our iHerb Privacy Policy.

Information We Obtain

The types of personal information we obtain from job applicants and employees during the recruitment, onboarding and personal information update processes, may include:

Identification information, such as name, gender, photograph, date of birth, employee identification number;
Contact information, such as email and postal address, phone number for you and your reference, beneficiary, dependent, and emergency contact details);
Employment information, such as job title/position, office location, hire dates, employment contracts, performance and disciplinary records, grievance procedures, sickness/holiday records, wage and benefit information, compensation history, performance information, insurance enrollment information;
Educational and professional background, such as your resume or CV, prior employment details, performance-related information (e.g., evaluations and training), talent management information (e.g., education details, certifications, professional associations, skills, and awards and other achievements), historical compensation details, and references;
National identifiers, such as national ID/passport, immigration status and documentation, visas, social security numbers (US only), national insurance numbers;
Spouse, beneficiary and dependents information, marital status;
Financial information, such as banking details, tax information, payroll information, withholding, salary, benefits, expenses, company allowances, stock and equity grants;
IT information, including information required to provide access to iHerb’s IT systems and networks such as IP addresses, log files, login information, software/hardware inventories;
Health information, such as information about short- or long-term disabilities or illnesses that you might share with your HRBP or manager, particularly in relation to any leave of absence you may need to take;
Biometric information, such as fingerprints, facial recognition information, voice collected (if any) through time and attendance equipment or security systems, such as security badge scans, and any on-premise video monitoring of iHerb-sensitive facilities and locations for which further notice is provided;
Pre-employment screening and background check information, including criminal records data (for vetting purposes, where permissible and in accordance with applicable law);
Any other information you choose to share with us (e.g., cover letter, photograph, articles, hobbies, social preferences, future career interests, comments, etc.).

We may obtain this information directly from you, when you apply for a job with iHerb on our careers site and/or when you are hired and throughout your employment with iHerb. We also may obtain the above information from third parties, such as recruiters who submit it to us on your behalf, from your social media profile on LinkedIn or other similar services, or when we perform background checks that are necessary for the role to be performed by the employee. In most circumstances, we will get your permission before we collect personal information about you from a third party.

The information we request as part of the job application process is necessary to enter into a possible employment contract. Failure to provide this information may prevent us from evaluating or otherwise processing your application.

We may also collect certain demographic data that qualifies as sensitive personal information, such as race, ethnicity, sexual orientation, veteran status, and disability to help us understand the diversity of our workforce. This information, when collected, is generally done so on a voluntary consensual basis, and employee and job applicants are not required to provide this information, unless it is necessary for us to collect such information to comply with our legal obligations. If you are a U.S. resident, we also may ask for certain demographic information, such as your gender, ethnic background, veteran status and disability status. Providing this information is optional and is not required to apply for a job with iHerb. This personal information will not be considered in evaluating applicants’ qualifications for employment with iHerb.

If you are an employee, we process personal information about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and managing your interactions with workplace facilities/information systems.

If you are a former employee, we process personal information about you primarily for legal compliance.

We will use your personal information only for the purposes for which it was collected, unless we reasonably need it for another compatible purpose and there is a legal basis for further processing. For example, relying upon our legitimate interest in recruiting candidates for roles at iHerb, we may process the personal information you provided while researching job openings. However, once you apply for and are successful in obtaining a role, we may process your personal information for the purpose of entering into an employment relationship with you.

If we ask you to provide any other personal information not described above that is necessary for the execution and performance of employment contract or the management of human resources in accordance with company policies, then the personal information we will ask you to provide, and the reason why we ask you to provide it, will be made clear to you at the point we collect it.

How We Use the Information About You

We use the information we obtain to manage our employment or contractual relationship with you, along with other business purposes. Such uses include:

evaluating and assessing your application and otherwise managing career opportunities with iHerb, including the verification of references and qualifications and, where permitted by law, administering background checks;
administering payroll and benefits as well as processing employee work-related claims (e.g. worker compensation, insurance claims, etc.) and leave of absence requests;
establishing training and/or development requirements;
reviewing work performance and determining performance requirements;
disciplinary actions or termination;
establishing emergency contacts and responding to emergencies;
complying with laws and regulations (e.g. labor and employment laws, health and safety, tax, anti-discrimination laws), under judicial authorization, or to exercise or defend legal rights;
compiling internal directores, such as employee directories;
to detect fraud or other types of wrongdoing;
IT security and administration;
to protect the life and safety of employees and others; and
for other legitimate purposes reasonably required for day-to-day operations, such as accounting, financial reporting, staff augmentation and business planning.

We also use your information if we have a legitimate interest to do so, including staffing open positions at iHerb. For example, if your application for employment is not accepted, we may keep your information so we can inform you of future job openings at iHerb. You can always opt-out from the communication concerning future job openings by clicking on the unsubscribe link within the email you receive from us or by contacting us as indicated below.

We may also use such information to conduct internal analyses to understand job applicants who apply; to improve our recruitment process, including our diversity and equal opportunities efforts; and to comply with our legal obligations (e.g. health, safety, and anti-discrimination laws). We may also combine the information we collect or remove pieces of information to limit or prevent identification of any particular individual and use such information for internal research and operational purposes.

When we process sensitive information about you, we will ensure that one or more of the lawful bases for processing sensitive information applies, for example, processing necessary to satisfy our obligation in relation to employment law, processing related to data you have made public (e.g., if you tell us that you are ill), and processing which is necessary for the purpose of establishing, making, or defending legal claims. If you have questions about the nature of our processing or the lawful bases for which we do so, please contact us using the contact details provided below.

To the extent that we use processes that involve automated decision making or profiling when processing your personal information, we take steps to ensure that any automated decision-making or profiling practices are fair and not discriminatory.

We may also use your personal information for other lawful purposes which we will tell you about, and provided that we get your consent to that use, if required by law to do so.

Information We Obtain by Automated Means

We obtain certain information by automated means when you visit our careers site, such as cookies, web beacons, server logs and other technologies. The information we obtain in this manner may include your device IP address, domain name, identifiers associated with your devices, device and operating system type and characteristics, web browser characteristics, language preferences, clickstream data, your interactions with our careers site (such as the web pages you visit, links you click and features you use), the pages that led or referred you to our careers site, dates and times of access to the site, and other information about your use of the site.

These technologies help us: (1) remember your information so you will not have to re-enter it; (2) track and understand how you use and interact with our careers site; (3) tailor the careers site around your preferences; (4) measure the usability of our careers site and the effectiveness of our communications; and (5) otherwise manage and enhance our careers site and help ensure it is working properly. To the extent required by applicable law, we will obtain your consent before placing cookies or similar technologies on your computer. For more information about cookies we use and to manage your cookie preferences, please click on the "Cookie Preferences" icon at the bottom of each page of our careers site. You can manage cookies through your web browser. Most browsers will tell you how to stop accepting new cookies, how to be notified when you receive a new cookie, and how to disable existing cookies. You can find out how to do this for your particular browser by clicking “help” on your browser’s menu or by visiting www.allaboutcookies.org. Please note, however, that without cookies you may not be able to take full advantage of all our careers site features.

Information Sharing

We may share your personal information with other iHerb subsidiaries, employees, contractors, consultants and service providers who require the data to assist iHerb to establish, manage or terminate your employment with iHerb and for the purposes described in this Privacy Notice. We also may share the personal information with our service providers who perform services on our behalf based on our instructions, including, but not limited to, employee benefit plan providers, payroll support services, employee travel management services, our service provider that operates the careers site on our behalf, and recruitment marketing agencies. We do not authorize our service providers to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements. We may be required to share personal information when we contact your previous or current employer, with your authorization, to verify your employment history or your references.

Some of these recipients may be located in countries other than the country in which the information originally was collected. Those countries may not have the same data protection laws as the country in which you initially provided the information.

If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland, your personal information will be transferred to iHerb and its service providers in the United States. U.S. laws have not been recognized by the European Commission as providing for an adequate level of data protection. When we transfer your information to recipients in other countries (such as the U.S.), we will protect that information as described in this Privacy Notice and will comply with applicable legal requirements providing adequate protection for the transfer of personal information to recipients in countries other than the one in which you provided the information, including by implementing appropriate safeguards based on the European Commission’s Standard Contractual Clauses. Subject to applicable law, you may obtain a copy of these safeguards by contacting us as indicated in the How to Contact Us section below.
If you are located in China, Japan, the Republic of Korea (South Korea) or anywhere else in the world, your personal information will be transferred to iHerb and its service providers in the United States. iHerb uses and requires its service providers to use appropriate privacy and security measures designed to protect your personal information and that, in such cases, the service providers have adopted and are handling your personal information to a standard that is not lower than your entitlement under your country’s data privacy, data protection and data security laws. Subject to applicable law, you may obtain a copy of these safeguards by contacting us as indicated in the How to Contact Us section below.

In addition, we may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order), (2) for the purposes of, or in connection with, any legal proceedings, or otherwise for the purposes of establishing, exercising or defending any legal rights, including, but not limited to, seeking legal advice from external lawyers and other advice from other professionals such as accountants, management consultants, etc.; (3) in response to a request by law enforcement authorities, (4) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity, (6) in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); or (7) otherwise with your consent. Note that where legal requirements limit the sharing of your personal information, iHerb will respect such requirements.

Retention of Personal Information

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes, and as documented in our data retention policy. To determine the appropriate retention period for personal information, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes we process your personal information for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal information in our data retention policy.

Under some circumstances we may aggregate and de-identify your personal information so that it can no longer be associated with you. We reserve the right to use such aggregated, anonymous and/or de-identified information for any legitimate business purpose without further notice to you or your consent, subject to applicable law. Once you are no longer an employee of the company, we will retain and securely destroy your personal information in accordance with our document retention policy and applicable laws and regulations.

How We Protect Personal Information

We maintain administrative, technical and physical safeguards designed to protect personal information we obtain against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

Your Rights and Choices

To the extent provided by applicable law, you may: (1) request access to the personal information we maintain about you; (2) request that we update, correct, amend, or erase your information; or (3) request the restriction of our use of your personal information, by contacting us as specified in the “How to Contact Us” section below.

EU/EEA & UK

If you are located in the EEA and the UK, you also may object to the use of your personal information in certain situations in which we use that information based on our legitimate interests, as described above. In addition, to the extent provided by applicable law, you may receive, in a structured, commonly used and machine-readable format, your personal information you have provided to us based on a contract. You have the right to have this information transmitted to another company, where it is technically feasible. To exercise these rights, please contact us as specified in the “How to Contact Us” section below. Depending on your location, you may have the right to file a complaint with a privacy regulator if you are not satisfied with our response.

California

If you are an employee, former employee or job applicant that resides in California, the California Privacy Rights Act (“CPRA”) applies to you and provides specific rights regarding your personal information under California law. This section applies to you and explains your rights under the CPRA and this Privacy Notice.

Please note that in the preceding twelve (12) months, we have not sold your personal information or shared such information for cross context behavioral advertising. We may disclose certain personal information, such as your first and last name, employee identification number, email address, bank account details, job title/position, and other similar contact data, financial information, and employment details with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of iHerb.

Only you or an authorized agent that you authorize to act on your behalf may make a verifiable request related to your personal information. Any verifiable request (including those to delete data) must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (such as by requiring you to provide a signed written authorization that the agent is authorized to make a request on your behalf) and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you; however, making a verifiable request does not require you to create an account with us.

You may request:

Notice of and access to certain information about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable request, we may disclose to you the categories of personal information we collected about you; the categories of sources for the personal information we collected about you; our business or commercial purpose for collecting that personal information; the categories of third parties with whom we disclosed that personal information; the specific pieces of personal information we collected about you (also called a data portability request); and if we disclosed your personal information for a business purpose, a list of disclosures identifying the personal information categories that each category of recipient obtained.
Correction of personal information about you that is inaccurate.
Deletion of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete or de-identify (and direct our service providers to delete or de-identify) your personal information from our records, unless an exception applies.

California residents who are employees, former employees, or job applicants may make requests regarding their personal information by submitting a request as described in the How To Contact Us section below. There may be circumstances in which we are required or permitted under applicable law not to address your request. We will not penalize you for exercising any of your rights where prohibited by law.

How To Contact Us

You can use the contact details below if you wish to exercise these rights or if you have any questions about this Privacy Notice:

iHerb, LLC

Attn: Legal Department

17400 Laguna Canyon Road, Suite 400

Irvine, CA 92618, United States

[email protected]

If you are in the EU, you can write us at:

iHerb Netherlands B.V.

Schiphol Boulevard 359, 1118 BJ

Amsterdam Schiphol, Netherlands

[email protected]

Alternatively, you may also raise any questions or concerns directly with your manager, a member of the HR team, or through the Legal/Privacy team.