Privacy Policy.
How we handle your information.

1. Scope and Applicability

This Privacy Policy applies to:

• Visitors to evolveblue.com and any related subdomains.
• Candidates, contractors, and W2 employees who submit information through our website, applicant tracking system (ATS), or staffing process.
• Clients, procurement officers, and enterprise or government representatives who contact us or engage our services.
• Partners, vendors, and MSP/VMS program contacts.

This policy does not apply to information processed solely to fulfill a government contract where a separate Data Privacy Agreement (DPA) or System of Records Notice (SORN) applies.

2. Information We Collect

2.1 Information You Provide Directly

• Contact inquiries: Name, email address, phone number, company/agency name, title, and message content submitted via contact forms, email, or phone.
• Candidate / contractor profiles: Resume, work history, skills, education, certifications, availability, desired bill rate, references, LinkedIn URL, and government security clearance level (if voluntarily disclosed).
• W2 onboarding: Social Security Number (SSN), date of birth, address, banking and direct deposit details, I-9 employment eligibility documents, and background check consent. We collect these only after offer acceptance through our secure onboarding system.
• Business development: Procurement contact details, vendor registration information, and program-specific requirements shared by enterprise or government clients.

2.2 Information Collected Automatically

• IP address, browser type, operating system, referring URL, and pages visited.
• Device identifiers and general geographic location (city/region level).
• Session duration, click paths, and interaction events via analytics tools (e.g., Google Analytics 4 with IP anonymization enabled).
• Cookie and similar tracking technology data (see Section 10).

2.3 Information from Third Parties

• Professional profile data from LinkedIn or job boards when a candidate applies through those platforms.
• Background screening results from FCRA-compliant third-party background check providers (with your consent).
• Reference check information from professional contacts you provide.
• MSP/VMS platform data (e.g., Beeline, SAP Fieldglass, Ariba) when processing staffing requisitions on behalf of clients.

3. How We Use Your Information

We use personal information for the following purposes:

• Staffing and placement: Matching candidates to contract roles, submitting profiles to client hiring managers, conducting interviews, and managing the placement process.
• W2 employment and payroll: Processing W2 engagements, running payroll, meeting tax reporting obligations (IRS Form W-2), and managing employee benefits.
• Client service delivery: Responding to staffing requests, managing SOW and project work, and providing technology delivery services.
• Compliance and government contracting: Meeting FAR/DFARS needs, maintaining SAM.gov registration, fulfilling E-Verify obligations, processing security clearances, and supporting audits.
• Legal obligations: EEOC reporting, AAP/OFCCP compliance, Form I-9 retention, and responding to lawful government requests.
• Business operations: Improving our website, measuring service quality, sharing relevant company updates, and managing vendor and supplier relationships.
• Security: Detecting fraud, blocking unauthorized access, and protecting our systems and client data.

We do not sell personal information to third parties. We do not use personal information for automated profiling that has legal or significant effects without human review.

4. Legal Basis for Processing

Where applicable — including for California residents and under GDPR-aligned frameworks — we process personal information on one or more of the following lawful bases:

• Contract performance: Processing needed to carry out staffing agreements, employment contracts, or client service agreements.
• Legal obligation: Processing required by U.S. federal or state law (IRS, EEOC, E-Verify, OFCCP, FAR).
• Legitimate interests: Running our staffing and technology business, improving services, and communicating with prospects — balanced against individual rights.
• Consent: For background checks, marketing, and any processing not covered above. Consent is freely given and can be withdrawn at any time.

5. Information Sharing and Disclosure

We share personal information only as described below. We do not sell or rent personal data.

5.1 Client Hiring Managers

Candidate profiles (resume, skills, assessed qualifications) are submitted to enterprise or government clients for the specific role for which you applied or gave consent. Government clients may include federal agencies operating under FISMA and FedRAMP-compliant environments.

5.2 MSP/VMS Platforms

Where a client engagement runs through a Managed Service Provider (MSP) or Vendor Management System (VMS), we transmit required candidate and contractor data through that platform under the applicable supplier agreement.

5.3 Service Providers (Data Processors)

We use vetted third-party service providers under written data processing agreements. These include payroll processors, ATS and HRIS platforms, FCRA-compliant background screening firms, U.S.-based cloud hosting providers, and email and communications tools. All providers are contractually barred from using your data for their own purposes.

5.4 Legal and Regulatory Disclosure

We share information when required by law, court order, subpoena, or binding government request. We may also share to protect rights, safety, or property, or to support fraud investigations or government audits.

5.5 Business Transfers

If we merge, are acquired, or sell assets, personal information may be transferred to the successor entity under equivalent privacy protections.

6. Data Retention

• Candidate profiles (not placed): 3 years from last activity, unless you request earlier deletion.
• Active contractor / W2 employee records: Duration of engagement plus 7 years (IRS / state tax record requirements).
• Form I-9 records: 3 years from hire date or 1 year after termination, whichever is later (8 U.S.C. § 1324a).
• Background check records: As required by FCRA; generally 5 years.
• Website analytics data: 26 months (anonymized/aggregated).
• Contact/inquiry records: 2 years.

Records tied to government contract performance are kept for the period required under FAR 4.703 — generally 3 to 10 years after the contract ends.

7. Your Privacy Rights

7.1 California Residents (CCPA / CPRA)

California residents have the right to:

• Know what personal information we collect, use, disclose, and sell (we do not sell).
• Delete personal information we hold about you, subject to legal retention requirements.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising).
• Limit use of sensitive personal information.
• Non-discrimination for exercising any CCPA right.

To use these rights, email privacy@evolveblue.com or call +1 215-882-3133. We will verify your identity and respond within 45 days. We may extend this by 45 additional days with notice.

7.2 All U.S. Residents

No matter what state you live in, you can ask us to access, correct, or delete your personal information. We will honor requests as far as the law allows and where no legal retention obligation applies.

7.3 Job Applicant Rights (FCRA)

Before we run a background check, you will receive a separate FCRA disclosure and a written authorization form. If we take adverse action based on a background report, we will send you a pre-adverse action notice, a copy of the report, and a Summary of Your Rights under the FCRA.

8. Data Security

Evolve Blue uses administrative, technical, and physical safeguards matched to the sensitivity of the information we handle, including:

• TLS 1.2+ encryption in transit for all web traffic and data transfers.
• AES-256 encryption at rest for sensitive records (SSN, banking data, I-9 documents).
• Role-based access controls and least-privilege principles for internal systems.
• Multi-factor authentication on all administrative and cloud systems.
• Annual security awareness training for all staff.
• Vendor security assessments and contractual data security obligations.
• Incident response procedures with client and regulatory notification protocols.

If a data breach affects your personal information, we will notify you and the relevant regulators as required by state breach notification laws (e.g., 73 P.S. § 2303 — Pennsylvania; Cal. Civ. Code § 1798.82 — California) and any applicable federal requirements.

9. Government Contracting and Federal Compliance

As a government IT staffing and services provider, Evolve Blue is subject to and complies with:

• FAR 52.224-1 / 52.224-2: Privacy Act notification and records management requirements.
• NIST SP 800-53 / 800-171: Applicable security and privacy controls for Controlled Unclassified Information (CUI) environments.
• E-Verify: Employment eligibility verification for all W2 hires on federal contracts.
• OFCCP / AAP: Affirmative Action Plan and equal employment opportunity data handling for federal subcontractors.
• SAM.gov: Vendor registration data maintained per GSA requirements.

Data processed under specific government contracts is governed by the relevant contract clauses, agency privacy requirements, and any applicable Privacy Impact Assessment (PIA) or System of Records Notice (SORN).

10. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

• Strictly necessary: Required for website functionality (session management, security). Cannot be disabled.
• Analytics: Google Analytics 4 with IP anonymization to understand site usage patterns. No personal identifiers are passed to GA4.
• Functional: Remember preferences (e.g., language, region). Expire at session end or after 12 months.

We do not use advertising cookies, third-party retargeting pixels, or cross-site tracking. You can manage or turn off non-essential cookies in your browser settings at any time.

11. Children's Privacy

Our website and services are for business professionals. They are not meant for anyone under 18. We do not knowingly collect personal information from minors. If you think a minor has given us information, contact us right away at privacy@evolveblue.com.

12. Do Not Track

Our website does not respond to "Do Not Track" (DNT) signals. We do not conduct cross-site behavioral tracking regardless of DNT status.

13. Third-Party Links

Our website may link to third-party sites such as LinkedIn, client portals, or MSP/VMS platforms. This Privacy Policy does not cover those sites. Please review the privacy policies of any third-party sites you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business. We will post material changes here with an updated effective date. For significant changes that affect how we handle sensitive information, we will give you additional notice — for example, an email to active contractors or clients.

15. Contact Us

For privacy inquiries, rights requests, or to report a concern: