Employee Privacy Notice
How we handle personal information for employees and placed workers.
Who This Notice Applies To
This Employee Privacy Notice (the “Notice”) applies to two populations of individuals whose personal information VertiSource HR, LLC (“VertiSource HR,” “we,” “our”) processes in an employment context:
- Internal VertiSource HR employees and independent contractors, the individuals directly employed or engaged by VertiSource HR.
- Worksite employees of our PEO and ASO clients, individuals employed by client companies whose payroll, benefits, and HR administration is delivered by VertiSource HR under a Professional Employer Organization (PEO) co-employment arrangement or an Administrative Services Only (ASO) services arrangement.
Where this Notice conflicts with the VertiSource HR Privacy Policy on employment-related matters, this Notice controls.
Applicants for employment with VertiSource HR are covered by the separate Applicant Privacy Notice.
Categories of Personal Information Collected
VertiSource HR collects the following categories of personal information in the employment context. Categories marked with ♦ are Sensitive Personal Information under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
| Category | Examples | Why we collect it |
|---|---|---|
| Identifiers | Full name, employee ID, work email, personal email, work and home phone, home address, date of birth, emergency contact | Employment recordkeeping, payroll, benefits enrollment, emergency contact |
| Government ID ♦ | Social Security Number, driver’s license, state ID, passport, I-9 work-authorization documents | Tax reporting (W-2/1099), employment eligibility verification, state new-hire reporting |
| Financial information ♦ | Bank routing and account numbers, pay-card details | Direct deposit of wages, HSA/FSA funding |
| Compensation | Wage rate, salary, overtime, commissions, bonuses, deductions, PTO accrual, pay history | Payroll administration, tax withholding, wage-and-hour compliance |
| Tax withholding | W-4, state withholding elections, wage garnishments, child-support orders | Tax compliance, court-ordered obligations |
| Benefits & insurance | Plan elections, dependent information, beneficiary designations, premium contributions | Benefits administration, ACA reporting, COBRA |
| Health information ♦ | Disability status, FMLA/ADA leave records, workers’ compensation claims, vaccination status where legally required | Leave administration, accommodations, WC claims, OSHA recordkeeping |
| Employment records | Resume, references, performance reviews, disciplinary records, training completions, job title changes | HR recordkeeping, career management, OSHA/regulatory training |
| Time & attendance | Clock-in/clock-out data, timesheets, schedules, PTO usage | Payroll, FLSA compliance, scheduling |
| Biometric data ♦ | Fingerprint, palm-vein, or facial template only if your employer has activated a biometric time-clock integration and you have signed a written consent | Time-clock authentication. See the Biometric Information Policy. |
| Demographic (voluntary) | Race, ethnicity, sex, veteran status, disability status (voluntary self-ID for EEO-1/VETS/OFCCP) | Federal EEO-1 reporting, affirmative-action administration |
| Union membership ♦ | Union affiliation, dues deduction details | Collective-bargaining-agreement administration (dues remittance only) |
| Communications | Work email content, HR support tickets, benefits-enrollment counseling calls | Supervision, legitimate business operations, compliance records |
| Device & system access | Login credentials, IP address, access logs for HRIS and email systems | Security, fraud prevention, compliance with acceptable-use policies |
| Geolocation ♦ | Office location, remote-work state, and (where mobile clock-in is enabled by the client) GPS coordinates accurate to the clock-in event. Where precise geolocation is collected, it is treated as Sensitive Personal Information under CCPA §1798.140(ae) and is subject to the "limit use of SPI" right. | Multi-state payroll-tax assignment, FLSA remote-work compliance, geofencing for mobile clock-in |
Inferences: VertiSource HR does not draw commercial inferences about employees for profiling, marketing, or automated decision-making that produces legal or similarly significant effects. See Section 6.
How We Use This Information
We use employment-related personal information only as needed to operate the employment relationship. Specifically:
- Payroll administration, calculating wages, withholding taxes, remitting garnishments, processing direct deposit, generating W-2s and 1099s.
- Benefits administration, enrollment, premium payment, life events, COBRA, ACA reporting, HSA/FSA, 401(k).
- HR advisory and compliance, handbook policy, employee relations, disciplinary recordkeeping, EEO-1 reporting, multi-state employment-law compliance.
- Workers’ compensation, claim intake, medical coordination, return-to-work programs, experience-modifier tracking.
- Time & attendance, hour tracking, meal-period compliance, FLSA overtime calculation, PTO accrual.
- Training & development, assigning required training (harassment prevention, safety, role-specific), tracking completions.
- Safety, OSHA 300/301/300A recordkeeping, incident investigation, near-miss reporting.
- Legal compliance, IRS filings, DOL reporting, state employment-agency responses, court-ordered garnishments, subpoenas, audits.
- Security and fraud prevention, system access logging, insider-threat monitoring, payroll-fraud detection.
Electronic monitoring notice. VertiSource HR and worksite-employer clients may monitor and log the use of employer-provided systems, including email, internet access, employer devices, and HRIS activity, for security, compliance, and legitimate business purposes. Employees in New York, Connecticut, Delaware, and other states with electronic-monitoring notice requirements are provided this notice and, where required by law, are asked to acknowledge it at or before hire. Monitoring is limited to employer-provided systems and lawful business purposes; we do not monitor employees' personal devices or personal accounts.
We do not use personal information collected in the employment context for third-party marketing. We do not sell or share personal information of employees for cross-contextual behavioral advertising.
Co-Employment (PEO) Model, How Roles Split
Under a PEO co-employment arrangement, both VertiSource HR and the worksite-employer client are considered employers of the worksite employee for specific purposes:
- VertiSource HR is responsible for payroll administration, tax withholding and remittance, benefits administration, workers’ compensation coverage, and applicable employment-law compliance under our shared responsibility.
- The worksite-employer client retains operational control of the worksite, including hiring, firing, day-to-day supervision, work assignments, performance management, and workplace discipline.
Under an ASO arrangement, the worksite-employer client is the sole employer and VertiSource HR acts solely as a service provider / data processor.
In both models, most personal information we process about worksite employees is collected initially by the worksite-employer client and transmitted to VertiSource HR to deliver contracted services. Worksite employees with questions about data held by VertiSource HR should direct those questions first to their worksite-employer’s HR representative.
Recipients of Personal Information
We disclose employment-related personal information to the following categories of recipients, in each case under contractual or legal obligations appropriate to the data and purpose:
- The worksite-employer client (for worksite-employee data);
- Benefits carriers, third-party administrators, and plan trustees (for benefits-enrollment data);
- Workers’ compensation insurers and claims administrators (for WC claims data);
- Retirement plan recordkeepers and trustees (for 401(k), ROTH, HSA data);
- Payroll-tax and garnishment processors;
- Federal, state, and local tax and regulatory authorities (IRS, DOL, state DORs, OSHA, immigration agencies);
- Cloud infrastructure and SaaS service providers under written DPAs (HRIS platform partner identified by name in our main Privacy Policy §7.3);
- Background-check and screening vendors for onboarding (as permitted under FCRA);
- Professional advisors (legal counsel, auditors) under confidentiality;
- Parties to a court order, subpoena, or other compulsory legal process.
A current list of primary subprocessors is available to clients on written request to privacy@vertisourcehr.com.
Automated Decision-Making & Profiling
VertiSource HR does not use automated decision-making (including profiling) to make employment decisions that produce legal or similarly significant effects, such as hiring, firing, promotion, discipline, compensation changes, or benefits eligibility decisions, without meaningful human involvement. Rule-based computations (tax withholding, PTO accrual, benefits-eligibility flagging based on employment start date) are not profiling for these purposes because they apply deterministic rules rather than evaluating personal characteristics. Our use of automated tools in the employment context is aligned with the EEOC’s May 2023 technical assistance document Assessing Adverse Impact in Software, Algorithms, and Artificial Intelligence Used in Employment Selection Procedures Under Title VII. See Section 13 of the Privacy Policy for our full AI/ADMT statement.
Retention
Employment-related personal information is retained for the periods required by federal and state employment-recordkeeping law, including but not limited to:
- Payroll and wage records: minimum four (4) years post-tax year per IRS Publication 583; FLSA requires three (3) years; we apply the longer of any applicable rule and typically retain payroll records for seven (7) years as an internal standard;
- Benefits and ERISA records: six (6) years from filing date;
- I-9 and employment eligibility: three (3) years from hire or one (1) year after separation, whichever is later;
- Employment records (offer letters, disciplinary records, performance docs): minimum three (3) years post-separation, longer where state law requires;
- Workers’ compensation claims: five (5) years minimum, longer if claim remains open;
- OSHA 300/301/300A: five (5) years;
- Benefit-plan documents: as required by ERISA Section 107 and DOL regulations.
After retention, records are securely destroyed or de-identified.
Your Rights
8.1 California Employees (CCPA/CPRA)
California residents employed by VertiSource HR or by our PEO/ASO clients have the same CCPA/CPRA rights as other California consumers, effective January 1, 2023, following expiration of the HR data carve-out. These rights are: know, delete, correct, portability, opt-out of sale/share, limit use of SPI, non-discrimination, and appeal. See Section 9.2 of the Privacy Policy for full detail and exercise methods. California employees may submit requests by the same four methods (email, toll-free phone, online form, mail).
8.2 Employees in Other States
California is currently the only state whose comprehensive consumer-privacy law extends consumer-privacy rights to individuals acting in an employment context. The comprehensive privacy laws of Utah, Virginia, Colorado, Connecticut, Texas, and the other enacted states exempt personal data processed within an employment context, so those statutes generally do not give employees separate consumer-privacy rights in their capacity as employees. Regardless of state law, VertiSource HR will consider reasonable access and correction requests from any employee; submit them as described in Section 8.3. Employees also retain all rights provided by applicable federal and state employment laws, including any right to inspect their personnel file where state law provides one.
8.3 Routing of Requests
We recommend employees direct most personal-data requests first to their direct HR representative, this is usually the fastest path, and many requests (for example, correcting a name or address) are resolved at the worksite-employer level. Escalations and requests that cannot be resolved that way should be submitted to privacy@vertisourcehr.com with “Employee Privacy Request” in the subject line.
8.4 Limits on Deletion
Some deletion requests cannot be honored because VertiSource HR is legally required to retain certain employment records (for example, payroll records under the IRS seven-year rule). We will explain the specific retention obligation in writing when we cannot fulfill a deletion request.
8.5 No Retaliation
We do not retaliate against any employee for exercising a privacy right under this Notice or applicable law. Retaliation includes termination, demotion, denial of benefits, denial of promotion, wage reduction, or other adverse employment actions taken because of the employee’s exercise of a privacy right.
Security
VertiSource HR maintains administrative, technical, and physical safeguards to protect personal information of employees. See Section 7 of the Privacy Policy. Employees are expected to follow our acceptable-use, password, and data-handling policies as a condition of continued access to VertiSource HR systems.
Changes to This Notice
We may update this Notice from time to time. The “Last Updated” date at the top reflects the most recent change. Material changes will be communicated via company email (for VSHR internal employees) or through the worksite-employer client’s HR communication channel (for worksite employees). Prior versions are available on written request.
Contact
VertiSource HR, LLC
Attn: Privacy Officer
6985 Union Park Center, Suite 100
Cottonwood Heights, UT 84047
Email: privacy@vertisourcehr.com
Phone: 855-565-8747