Privacy Policy.
How we handle your information.

1. Scope and Applicability

This Privacy Policy applies to:

• Visitors to evolveblue.com and any related subdomains.
• Candidates, contractors, and W2 employees who submit information through our website, applicant tracking system (ATS), or staffing process.
• Clients, procurement officers, and enterprise or government representatives who contact us or engage our services.
• Partners, vendors, and MSP/VMS program contacts.

This policy does not apply to information processed solely in the course of fulfilling a government contract where a separate Data Privacy Agreement (DPA) or System of Records Notice (SORN) governs.

2. Information We Collect

2.1 Information You Provide Directly

• Contact inquiries: Name, email address, phone number, company/agency name, title, and message content submitted via contact forms, email, or phone.
• Candidate / contractor profiles: Resume, work history, skills, education, certifications, availability, desired bill rate, references, LinkedIn URL, and government security clearance level (if voluntarily disclosed).
• W2 onboarding: Social Security Number (SSN), date of birth, address, banking/direct deposit details, I-9 employment eligibility documents, and background check consent — collected only after offer acceptance through our secure onboarding system.
• Business development: Procurement contact details, vendor registration information, and program-specific requirements shared by enterprise or government clients.

2.2 Information Collected Automatically

• IP address, browser type, operating system, referring URL, and pages visited.
• Device identifiers and general geographic location (city/region level).
• Session duration, click paths, and interaction events via analytics tools (e.g., Google Analytics 4 with IP anonymization enabled).
• Cookie and similar tracking technology data (see Section 10).

2.3 Information from Third Parties

• Professional profile data from LinkedIn or job boards when a candidate applies through those platforms.
• Background screening results from FCRA-compliant third-party background check providers (with your consent).
• Reference check information from professional contacts you provide.
• MSP/VMS platform data (e.g., Beeline, SAP Fieldglass, Ariba) when processing staffing requisitions on behalf of clients.

3. How We Use Your Information

We use personal information for the following purposes:

• Staffing and placement services: Matching candidates to appropriate contract roles, submitting profiles to client hiring managers, conducting interviews, and managing the placement lifecycle.
• W2 employment and payroll: Processing W2 engagements, administering payroll, complying with tax reporting obligations (IRS Form W-2), and managing employee benefits.
• Client service delivery: Responding to staffing requests, managing SOW/project engagements, and providing technology delivery services.
• Compliance and government contracting: Meeting FAR/DFARS requirements, SAM.gov registration maintenance, E-Verify obligations, security clearance processing, and audit support.
• Legal obligations: EEOC reporting, AAP/OFCCP compliance, Form I-9 retention, and responding to lawful government requests.
• Business operations: Improving our website, measuring service quality, communicating relevant company updates, and managing vendor/supplier relationships.
• Security: Detecting fraud, unauthorized access, and protecting the integrity of our systems and client data.

We do not sell personal information to third parties. We do not use personal information for automated profiling that produces legal or similarly significant effects without human review.

4. Legal Basis for Processing

Where applicable (including for individuals in California or under GDPR-aligned frameworks), we process personal information under one or more of the following lawful bases:

• Contract performance: Processing necessary to execute staffing agreements, employment contracts, or client service agreements.
• Legal obligation: Processing required by U.S. federal or state law (IRS, EEOC, E-Verify, OFCCP, FAR).
• Legitimate interests: Running our staffing and technology business, improving services, and communicating with prospects — balanced against individual rights.
• Consent: For background checks, marketing communications, and any processing not covered above. Consent is freely given and may be withdrawn at any time.

5. Information Sharing and Disclosure

We share personal information only as described below. We do not sell or rent personal data.

5.1 Client Hiring Managers

Candidate profiles (resume, skills, assessed qualifications) are submitted to enterprise or government clients for the specific role for which you applied or gave consent. Government clients may include federal agencies operating under FISMA and FedRAMP-compliant environments.

5.2 MSP/VMS Platforms

Where a client engagement runs through a Managed Service Provider (MSP) or Vendor Management System (VMS), required candidate and contractor data is transmitted through that platform pursuant to the applicable supplier agreement.

5.3 Service Providers (Data Processors)

We use vetted third-party service providers under written data processing agreements, including: payroll processors, ATS and HRIS platforms, background screening firms (FCRA-compliant), cloud hosting providers (U.S. data centers), and email/communications tools. These providers are contractually prohibited from using your data for their own purposes.

5.4 Legal and Regulatory Disclosure

We disclose information when required by law, court order, subpoena, or binding government request; to protect rights, safety, or property; or in connection with fraud investigation or government audits.

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the successor entity under equivalent privacy protections.

6. Data Retention

• Candidate profiles (not placed): 3 years from last activity, unless you request earlier deletion.
• Active contractor / W2 employee records: Duration of engagement plus 7 years (IRS / state tax record requirements).
• Form I-9 records: 3 years from hire date or 1 year after termination, whichever is later (8 U.S.C. § 1324a).
• Background check records: As required by FCRA; generally 5 years.
• Website analytics data: 26 months (anonymized/aggregated).
• Contact/inquiry records: 2 years.

Records tied to government contract performance may be retained for the period required under FAR 4.703 (generally 3–10 years post-contract).

7. Your Privacy Rights

7.1 California Residents (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect, use, disclose, and sell (we do not sell).
• Delete personal information we hold about you, subject to legal retention requirements.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising).
• Limit use of sensitive personal information.
• Non-discrimination for exercising any CCPA right.

To exercise these rights, email privacy@evolveblue.com or call +1 215-882-3133. We will verify your identity and respond within 45 days (extendable by 45 additional days with notice).

7.2 All U.S. Residents

Regardless of state, you may request access to, correction of, or deletion of your personal information by contacting us. We will honor requests to the extent permitted by applicable law and not inconsistent with legal retention obligations.

7.3 Job Applicant Rights (FCRA)

When a background check is conducted, you will receive a separate FCRA disclosure and written authorization form before the check is ordered. If adverse action is taken based on a background report, you will receive a pre-adverse action notice, a copy of the report, and a Summary of Rights under the FCRA.

8. Data Security

Evolve Blue implements administrative, technical, and physical safeguards commensurate with the sensitivity of the information we process, including:

• TLS 1.2+ encryption in transit for all web traffic and data transfers.
• AES-256 encryption at rest for sensitive records (SSN, banking data, I-9 documents).
• Role-based access controls and least-privilege principles for internal systems.
• Multi-factor authentication on all administrative and cloud systems.
• Annual security awareness training for all staff.
• Vendor security assessments and contractual data security obligations.
• Incident response procedures with client and regulatory notification protocols.

In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by applicable state breach notification laws (e.g., 73 P.S. § 2303 — Pennsylvania; Cal. Civ. Code § 1798.82 — California) and any applicable federal requirements.

9. Government Contracting and Federal Compliance

As a government IT staffing and services provider, Evolve Blue is subject to and complies with:

• FAR 52.224-1 / 52.224-2: Privacy Act notification and records management requirements.
• NIST SP 800-53 / 800-171: Applicable security and privacy controls for Controlled Unclassified Information (CUI) environments.
• E-Verify: Employment eligibility verification for all W2 hires on federal contracts.
• OFCCP / AAP: Affirmative Action Plan and equal employment opportunity data handling for federal subcontractors.
• SAM.gov: Vendor registration data maintained per GSA requirements.

Data processed under specific government contracts is governed by the relevant contract clauses, agency-specific privacy requirements, and any applicable Privacy Impact Assessment (PIA) or System of Records Notice (SORN).

10. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

• Strictly necessary: Required for website functionality (session management, security). Cannot be disabled.
• Analytics: Google Analytics 4 with IP anonymization to understand site usage patterns. No personal identifiers are passed to GA4.
• Functional: Remember preferences (e.g., language, region). Expire at session end or after 12 months.

We do not use advertising cookies, third-party retargeting pixels, or cross-site tracking. You can manage or disable non-essential cookies through your browser settings at any time.

11. Children's Privacy

Our website and services are directed to business professionals and are not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us information, contact us immediately at privacy@evolveblue.com.

12. Do Not Track

Our website does not currently respond to "Do Not Track" (DNT) signals from browsers. We do not conduct cross-site behavioral tracking regardless of DNT status.

13. Third-Party Links

Our website may contain links to third-party websites (e.g., LinkedIn, client portals, MSP/VMS platforms). This Privacy Policy does not apply to those sites. We encourage you to review the privacy policies of any third-party sites you visit.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in law, technology, or our business practices. Material changes will be posted on this page with an updated effective date. For significant changes affecting how we process sensitive information, we will provide additional notice (e.g., email to active contractors or clients).

15. Contact Us

For privacy inquiries, rights requests, or to report a concern: