Privacy Policy

XRM Solutions Privacy Policy


This XRM Solutions Privacy Policy (“Privacy Policy”) provides a framework of understanding about the personal data that is collected by XRM Solutions Inc.’s (“XSI’s”) Vendor Management System, XRM System (“XRM”). XRM is a cloud-based software used to support sourcing and administration of contingent labor. This Privacy Policy explains how XSI, a division of Acro Service Corp. (also known as Acro Service Corporation), a Michigan corporation, as a “Data Controller” and “Data Processor” processes information that is submitted to XRM by authorized users. Those users are employees or agents of a using client (“Client”), a recruiting organization (“Vendor”) or a Managed Service Provider (“MSP”). This Privacy Policy further helps govern XSI’s Privacy Program (“Privacy Program”). XSI and Acro Service Corp. are collectively referred to as XSI in this Privacy Policy.

This Privacy Policy applies to all authorized users of XRM and is in keeping with all of XSI’s existing contractual agreements and license grants and does not comprise a modification of said agreements and grants.

This Privacy Policy describes the types of personal data or personal information we collect, how we use the information, how we process and protect the information we collect, for how long we store it, with whom we share it, to whom we transfer it, the rights that individuals can exercise regarding our use of their personal data, and what information shall not be uploaded to XRM for user safety. We also describe how you can contact us about our privacy practices and exercise your rights. In general, our privacy practices conform with local law and regulation, including where applicable the provisions of the European Union’s General Data Protection Regulation (“GDPR”), as amended from time to time. Accordingly, our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements.

Information We Collect

We collect personal information about you in XRM. We may collect the following types of personal information (as permitted under local law):

  • Contact information (such as name, postal address, email address and telephone number).
  • Username and password when you register on XRM.
  • Other information you may provide to us, such as in surveys.
  • Information automatically collected when visiting our website, which may include cookies, third party tracking technologies and server logs.

In addition, we may collect information you provide to us about other individuals, such as information related to emergency contacts. You may choose to give us personal data online to allow us to communicate with you or provide services to you.

Please rest assured that XSI shall only collect personal information that you knowingly and willingly provide. It is the intent of this site to use personal information and confidential entity information only for the purpose for which it was requested, and any additional uses specifically provided on this site. XSI may have the occasion to collect non-personal anonymous demographic information, as well as the type of browser you are using, IP address, type of operating system, as that information will assist us in providing and maintaining superior quality service.

How We Use the Information We Collect

As the Data Controller and/or Data Processor, XSI collects and uses the data gathered for the following purposes (as permitted under local law):

  • Creating and managing online accounts
  • Processing work orders and tests
  • Managing our business partner, client and vendor relationships
  • Where permitted under law and consistent with this Privacy Notice, to send alerts and other communications
  • Responding to individuals' inquiries
  • Operating, evaluating and improving our business (including developing, enhancing, analyzing and improving our services; managing our communications; performing data analytics; performing accounting, auditing and other internal functions)
  • Complying with and enforcing applicable legal requirements, relevant industry standards, contractual obligations and our policies

All processing will be carried out based on adequate legal grounds which may fall into a number of categories, including:

  • consent or explicit consent from the data subject, where required by applicable law
  • to ensure that we comply with a statutory or contractual requirement (e.g., processing your personal data to ensure that your wages and taxes are paid correctly); or it is essential and necessary for the legitimate interest of the Data Controller and/or Data Processor, (e.g., allowing access to a website in order to provide the services offered)

We also may use the information in other ways for which we provide specific notice at or prior to the time of collection.

Use of Automated Data Collection Methods

When you visit XRM, we may collect certain information by automated means, such as cookies, web beacons and web server logs. The information we may collect in this manner includes IP address, unique device identifier, browser characteristics, device characteristics, operating system, language preferences, referring URLs, information on actions taken on XRM, dates and times of visits to XRM, geographic information and other usage statistics.

A "cookie" is a file that websites send to a visitor's computer or other Internet-connected device to uniquely identify the visitor's browser or to store information or settings in the browser.

A "web beacon" also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and is used to transmit information collected through cookies back to a web server.

Through these automated collection methods, we may obtain "click-stream data," which is a log of the links and other content on which a visitor clicks while browsing a website.

XRM uses these types of cookies:

Technical Cookies

Technical cookies are those used exclusively with a view to "carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary to the provider of an information society service that has been explicitly requested by the contracting party or user to provide the said service."

How We Collect Information by Automated Means

As you click through XRM, a record of the action may be collected and stored. We link certain data elements we have collected through automated means, such as your browser information, with other information we have obtained about you to let us know, for example, whether you have opened an email we sent to you. Your browser may tell you how to be notified when you receive certain types of cookies or how to restrict or disable certain types of cookies. Your browser will allow you to block cookies, however, you may not be able to use all of the features of XRM without cookies.

To the extent required by applicable law, we will obtain your consent before collecting information using cookies or similar automated means.

How We Use Information Collected through Automated Means

We use information collected through cookies, web beacons, pixels, web server logs and other automated means for purposes, such as:

  • Customizing our users' use of XRM
  • Delivering content tailored to our users' interests and the manner in which our users use XRM; and Managing XRM and other aspects of our business.

Third-Party Cookies

We also use third-party analytics services on XRM, such as those of Google Analytics and Adobe Omniture. The analytics providers that administer these services use technologies such as cookies, web server logs and web beacons to help us analyze your use of XRM. The information collected through these means (including IP address) may be disclosed to these analytics providers and other relevant third parties who use the information, for example, to evaluate use of the Sites. To learn more about these analytics services and how to opt out, please visit the following sites and any sites contained in the country-specific addenda:

Legitimate Interest

The Data Controller and/or Data Processor may process personal data for certain legitimate business purposes, which includes some or all of the following:

  • To enhance, modify, personalize or otherwise improve our services/communications for the benefit of our clients, candidates and associates
  • To identify and prevent fraud
  • To enhance security of our network and information systems
  • To better understand how people interact with XRM
  • To provide postal communications to you
  • To determine the effectiveness of promotional campaigns and advertising

Whenever we process data for these purposes, we will ensure that we keep your rights in high regard and take account of these rights. You have the right to object to such processing and may do so by contacting us as described below. Please bear in mind that if you exercise your right to object, this may affect our ability to carry out and deliver services to you for your benefit.

How We Process and Protect Personal Information

We process the personal data we collect, also by automated means, for the purposes defined above and for a specific period of time, which complies with our internal retention policy, in order to ensure that the personal data are not kept longer than necessary.

We maintain administrative, technical and physical safeguards designed to protect the personal data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. In order to ensure adequate security and confidentiality of the personal data, we may apply the following security measures as appropriate:

  • Encryption of data in transit and at rest
  • Strong user authentication controls
  • Hardened network infrastructure
  • Network monitoring solutions

How Long We Store Data We Collect

We store in our systems the personal data we collect in a way that allows the identification of the data subjects for no longer than it is necessary in light of the purposes for which the data was collected, or for which that data is further processed.

The necessity to retain the personal data collected is based on

  • In order to offer services established with the user
  • The legitimate interest of the Data Controller and/or Data Processor, as described in the purposes above
  • The existence of specific legal obligations that make the processing and related storage necessary for a specific period of time

Information Storage and Security

XSI uses industry best practices for Information Storage and Security. These include the following types of controls

Physical Controls

XRM System is hosted by an industry leading cloud hosting services provider having certification under FedRamp, SOC2, SSAE-16 and other standards. Their sites have all the required physical controls to protect data storage used to store XRM information

Technical Controls

XSI incorporates industry standard technical protocols for (i) User authentication and access controls, (ii) Traffic profiling, (iii) Monitoring and reporting and (iv) Encryption of data at rest and in transit.

Administration Controls

XSI includes administrative controls within its Information Storage Policy, Planning, and Procedures such as (i) identification and protection of business critical and PII data, (ii) incorporation into other IT policies, (iii) data retention and protection and (iv) data destruction and sanitization

Information We Share

We do not disclose personal data that we collect about you, except as described in this Privacy Notice or in separate notices provided in connection with particular activities. We may share personal data with vendors who perform services on our behalf based on our instructions. We do not authorize these vendors to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements. We also may share your personal data (i) with our subsidiaries and affiliates; (ii) if you are a job candidate, with clients who may have job opportunities available or interest in placing our job candidates; and (iii) with others with whom we work, such as job placement consultants and subcontractors, to find you a job.

In addition, we may disclose personal data about you (i) if we are required to do so by law or legal process; (ii) to law enforcement authorities or other government officials based on a lawful disclosure request; and (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity. We also reserve the right to transfer personal data we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution or liquidation).

Data Transfers

We also may transfer the personal data we collect about you to countries outside of the country in which the information originally was collected. Those countries may not have the same data protection laws as the country in which you initially provided the personal data. When we transfer your information to other countries, we will protect that data as described in this Privacy Notice and such transfers will be in compliance with applicable law.

The countries to which we may transfer the personal data we collect about you may be:

  • Within the European Union
  • Outside the European Union

When we transfer personal data collected from within the European Union to countries or international organizations that are based outside the European Union the transfer takes place on the basis of:

  • An adequacy decision by the European Commission
  • In the absence of an adequacy decision, other legally permitted grounds: (i) a legally binding and enforceable instrument between public authorities or bodies; (ii) binding corporate rules; or (iii) standard data protection clauses (formerly called the Model Clauses) promulgated by the European Commission.

What We Do Not Collect And You Shall Not Upload To XRM

  • Non-public government identification numbers or financial account numbers associated with individuals (e.g., Social Security numbers, driver’s license numbers, credit card numbers or bank account numbers)
  • Medical records or health care claim information associated with individuals, including claims for payment and reimbursement for any type of medical care for an individual and vaccine status
  • Information regulated under the International Traffic in Arms Regulations
  • Without specific permission from XSI, technical data restricted under US law for export purposes
  • Data designated as “Sensitive” or “Classified” or similar categories requiring extra protection under regulations or laws

XRM was not designed as a secure repository for such information. Emerging threats and various laws and regulations make XRM unsuitable for said information. Any uploading of such information is done at your sole risk and violates this Privacy Policy. By using XRM, you agree to hold XSI harmless for any and all claims based on the uploading of any of the above information.

XRM was not designed for use by minors. If you are below 16, you may not register with or use XRM. XRM does not knowingly gather the Personal Data of minors under the age of 13. If you are a parent or guardian and believe that XRM has gathered information about a minor please contact the XRM Privacy Officer at the address below.

Notice to all End Users

The Privacy Policies of your organization may differ from this policy. XSI is not responsible for the privacy and security protocols of your organization if they affect your control over your XRM account. Please contact your organization administrator in this case.

Your Rights as a Data Subject

When authorized by applicable law, a data subject may exercise certain specific rights, such as:

  • Right of access: A data subject may access his or her personal data in order to verify that his or her personal data is processed in accordance with law
  • Right to rectification: A data subject may request the rectification of any inaccurate or incomplete data held about him or her, in order to protect the accuracy of such information and to adapt it to the data processing.
  • Right to erasure: A data subject may request that the Data Controller and/or Data Processor erases information about him or her and no longer processes that data.
  • Right to restriction of processing: A data subject may request that the Data Controller and/or Data Processor restricts the processing of his or her data.
  • Right to data portability: A data subject may request data portability, meaning that the data subject can receive the originally provided personal data in a structured and commonly used format or that the data subject can request the transfer of the data to another Data Controller and/or Data Processor.
  • Right to object: A data subject who provides a Data Controller and/or Data Processor with personal data may object, at any time, to the data processing on a number of grounds as set out under GDPR without needing to justify his or her decision.
  • Right not to be subject of automated individual decision-making: A data subject may request not to be subject to a decision based solely on automated processing, including profiling, if such profiling produces a legal effect concerning the data subject or similarly significantly affects him or her.
  • Right to lodge a complaint with a supervisory authority: Every data subject has the right to lodge a complaint with an applicable supervisory authority; in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR.

Whenever data processing is based on consent as described in Article 7 of the GDPR, the data subject may withdraw his or her consent at any time.

If you require more information about the processing of your personal data, please refer to the How to Contact Us section below.

Notice To California Residents

Subject to certain limitations, California residents may ask us to provide them with (i) a list of certain categories of personal information that we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, and (ii) the identity of those third parties. To make this request, California residents may contact us as specified in the "How to Contact Us" section below.

Updates to Our Privacy Notice

This Privacy Notice (including any addenda) may be updated periodically to reflect changes in our privacy practices and legal updates. For significant changes, we will notify you by posting a prominent notice on XRM indicating at the top of each notice when it was most recently updated.

How To Contact Us

If you have any questions or comments about this Privacy Notice, or if you would like to exercise your rights, please write to:

XRM Privacy Officer
c/o Acro Service Corporation
Attn: General Counsel
39209 W. Six Mile Road, #250
Livonia, Michigan 48152