Privacy Policy

Customer and Website Visitors Privacy Policy

INTRODUCTION

Hexcel respects individuals’ privacy and is committed to providing transparency regarding its privacy practices. 

This privacy policy (“Policy”) explains how Hexcel Corporation and its affiliates and subsidiaries (each described as “Hexcel”, “we,” “us,” and “ours”) collect, use, disclose, and otherwise process Personal Data about:

  • our customers, prospective customers and partners, or representatives of our customers, prospective customers and partners (“Customers”);
  • our current or prospective suppliers, or representatives of our suppliers and prospective suppliers (“Suppliers”);
  • individuals who access our websites (“Website Visitors”);
  • anyone who communicates or otherwise engages with us about our products and services (“Contacts”); and
  • dependents of or emergency contacts for our workforce or site visitors

(“you” or “your”), as well as the rights that you have with regard to such personal data.

This Policy does not apply to the Personal Data Hexcel collects and processes related to our employees, job applicants and job candidates or to any information that is exempt under applicable privacy and data protection laws. 

Hexcel websites are not designed for, or directed at, children under the age of 13 and we do not knowingly collect personal data from individuals in this age group. If you believe we have inadvertently collected personal data about a child, please contact us and we will take steps to delete this data.

This Policy may change from time to time so please check this page occasionally to ensure that you are familiar with any changes. For more information please see the section CHANGES TO THIS POLICY below.

If you are a California resident, please review the CCPA SUPPLEMENT at the end of this Policy for important information about our privacy practices and your rights under California privacy laws.

This policy was last updated in December 2023.

WHO WE ARE

The Hexcel group of companies is made up of numerous individual companies across the globe. For the purposes of this Policy, the primary controller of your personal data will be:

  • If you are a Hexcel customer, or a representative/employee of a Hexcel customer or supplier: the Hexcel company with which your company has contracted;
  • If you are a website visitor, Hexcel Corporation; and
  • If you are a dependent or emergency contact of a workforce member or a site visitor, the entity employing your relative or friend.

Please see the Global Locations page on our website for the address and contact details of each relevant controller. For data protection queries, please see CONTACT US below.

HOW WE COLLECT YOUR PERSONAL INFORMATION

We collect personal data about you in a number of ways:

  • Directly: when you provide information to us, whether in person, in writing, on the phone or via our website;
  • Automatically: when you access our website, we may use cookies, log files, pixel tags and other similar technologies to automatically collect information about your device and your use of our site (with your consent where required by applicable law);
  • Other Hexcel Companies: your contact details, job title, employer and information about any pre-existing relationship with Hexcel may be received from other Group companies (a list of which can be obtained HERE), and will be used as set out in this Policy;
  • Third parties outside of the Hexcel Group: such as your employer (if you are a representative of a customer or supplier); social media providers (LinkedIn – whose privacy policy is available at https://www.linkedin.com/legal/privacy-policy), or other third party platforms and companies. These third-party platforms and companies control the personal data they collect and share about you. For information about how they may use and disclose your personal data, including any data you make public, please consult their respective privacy policies. We may also receive certain personal data from our suppliers, our clients, or from third parties about prospective customers that may be interested in our Services, such as lead prospect information. We may also engage with third parties to enhance or update our customer information.
WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT?

If you are a Customer, or (in relation to sales and support) a representative of a Supplier, we process your personal data for a number of purposes including as set out in the table below:

Sales & Support
To support our clients with sales, support and other inquiries

Typical activity:
  • To correspond and communicate with you in connection with the products and services we (or if you are a Supplier, you) offer
  • To train and monitor our staff and to identify ways of improving their call handling and your customer service experience
  • To process, record or answer queries in relation to a purchase or payment
  • To notify you about changes to our products

Typical personal data processed & how this is obtained:
  • When you communicate or correspond with us, we collect and maintain a record of your name, role, company name, contact details, your communication and our responses, including a transcript of each communication and any information you may provide to us.
  • If you request support, we will maintain support tickets which may include product details or any other details relevant to such a request.
  • If you call us, we may maintain logs and records of those calls.
  • We also retain records of all transactions, but this information will usually relate to your company rather than yourself (e.g. corporate account/credit card details).

Marketing
To promote our business, our brand and our products and services

Typical activity:
  • If you work for a corporate business, to contact you by email or by telephone with marketing information about our products and services and upcoming events
  • We may use your personal data to tailor or personalize the marketing communications you receive to make them relevant to you

Typical personal data processed & how this is obtained:
  • If you fill out a contact us form, sign up for our mailing lists, or otherwise request information from us, we collect and maintain details of your requests (along with details of your name, company and contact details).
  • You can choose to stop receiving our marketing at any time by responding to our emails indicating that you no longer want to receive emails. Please note that you may still receive necessary messages from us, for example, to send you messages about ongoing support requests, or respond to specific queries from you.

Research & Analytics
To identify and respond to changing market conditions and our customers’ needs

Typical activity:
  • For market research and analytics in order to improve the products and services that we and our group companies deliver

Typical personal data processed & how this is obtained:
  • If you complete a survey, we will collect your name, contact details and any responses you provide.
  • When navigating our Website, we may (with your consent where necessary) collect information about your interactions with our website.

Planning & Managing Events

Typical activity:
  • To plan and manage events we host or sponsor, including registration, attendance, connecting you with other event attendees, and contacting you about events for which you have shown an interest

Typical personal data processed & how this is obtained:
  • When you register to attend, attend and participate in our events and business meetings, webinars, or our Corporate Social Responsibility Programs (CSR), we collect your name, role, contact details and other data related to your registration for, and participation in, an event we host.
  • If we record an event, we will make you aware of this in advance.

Safety & Security

Typical activity:
  • To protect your safety during your visits to our offices or factory sites

Typical personal data processed & how this is obtained:
  • When you visit our premises we may collect certain information about you, such as your name, company and reason for visit; we may also automatically collect certain information regarding location, date and time of your visit (for example when you use a guest access card at our security gates) and your behavior onsite (for example when you access a public area where there is CCTV monitoring).

General Business Obligations

Typical activity:
  • To allow us to operate the administrative and technical aspects of our business efficiently and effectively and in compliance with applicable law, including:
    • to enable us to make payments to contractors who provide products and services to us
    • for the prevention of fraud and other criminal activities
    • to verify the accuracy of information we hold about you
    • for network and information security purposes in order for us to take steps to protect your information against loss or damage, theft or unauthorized access
    • to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request)
    • for the purposes of a corporate restructure or reorganization or sale of our business or assets
    • for efficiency, accuracy or other improvements of our databases and systems (e.g. by combining systems or consolidating records we or our group companies hold about you)
    • to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings
    • for general administration including managing your queries, complaints, or claims, to send service messages and to provide you with important information about our business

Typical personal data processed & how this is obtained:
  • The personal data we collect and use for these purposes, and how we collect it, will depend upon the specific use case: please contact us if you need more detailed information. Examples include:
    • if you are a sole trader, you may provide us with your bank account details so that we can make payments to you
    • we may process any personal data we have collected as necessary to prevent fraud or other criminal activities, to enforce our contractual or legal rights, or to comply with our legal obligations
    • we may automatically collect information about the use of our systems for network and information security purposes


We may also on occasion need to process your personal data for other purposes, including for example where we have a legitimate business interest in doing so in relation to the possible or actual sale or restructuring of the business (including negotiations thereto); to establish, defend or exercise legal claims in an employment tribunal or court of law; or where we are required to do so by applicable law.

If you are a dependent or emergency contact of a workforce member or site visitor, we process your personal data for a number of purposes including as set out in the table below:

To Contact You in an Emergency

Typical activity:
  • To get in touch in an emergency affecting your friend/relative

Typical personal data processed & how this is obtained:
  • Name and contact details: this information is provided by the relevant workforce member / visitor for whom you are listed as an emergency contact

Administration of Benefits

Typical activity:
  • To keep records of, and facilitate any relevant payments to, dependents of members of our workforce (for example, in relation to pensions or life insurance policies)

Typical personal data processed & how this is obtained:
  • Name and contact details; relationship to workforce member. This information is provided by the relevant workforce member for whom you are listed as a dependent.
  • Social Security number, formal identification documents, driver’s license number, passport number, tax ID and other government identifiers to identify you


CHINA

Where our processing is subject to the Chinese data protection laws, some types of personal data (e.g. information contained in a formal identification document or social security or other unique reference relating to you e.g. passport or driving license) may constitute sensitive personal data under the laws. Providing us with your sensitive personal data increases the risk that you may suffer harm to your personal safety or dignity or your reputation, or loss or damage to your property if your sensitive personal data is accessed, used, or divulged without authorization while it is in our custody. We will take enhanced security measures designed to protect your sensitive personal data. But please understand that no security measures can be entirely flawless, and we cannot guarantee that your sensitive personal data will never be accessed or used without authorization.

If you are a Website Visitor, we collect information directly from you when you complete a ‘contact us’ form, or subscribe to our newsletter. In these cases, you will be treated as a prospective or actual Customer. Please see the previous section on our use of Customer data. When you navigate through and interact with our website, we and our third-party providers may, with your consent where appropriate, automatically collect and record information about your browsing activities using cookies, pixel tags, log files and other similar technologies (referred to below as “Cookies”). We process your personal data for a number of purposes including as set out in the table below:

Necessary Functionality and Website & Information Security

Activities:
  • To help ensure that our website functions properly, to provide core services and features (including allowing you to sign up for events), and to monitor, and take actions to promote, the security of our website(s) and any information processed by such website(s)

Personal data processed & how this is obtained:
  • The Cookies we use to provide this functionality are strictly necessary, and so are set automatically when you visit our website. They may record information about:
    • your computer and internet connection, including your IP address, operating system and browser type
    • your visit to our website, including traffic data, location data, logs and other communication data and the resources that you access and use on the website

Website Analytics

Activities:
  • To assess how visitors use our sites, so that we can improve them

Personal data processed & how this is obtained:
  • If you have agreed to us setting Cookies, we use them to automatically record information about:
    • Visits to our website, including traffic data, location data, logs and other communication data and the resources that you access and use on the website
    • Information about your computer and internet connection, including your IP address, operating system and browser type


COOKIES

A cookie is a small file placed on the hard drive of your computer when you access our website, although we also use the term “Cookie” to refer to pixel tags, log files and other similar technologies. As noted previously, the Cookies we use may collect information about your equipment, browsing actions, and patterns, including for example:

  • Details of your visits to our website, including traffic data, location data, logs and other communication data and the resources that you access and use on the website;
  • Information about your computer and internet connection, including your IP address, operating system and browser type.

We use the following Cookies on our website:

Cloudflare
  • Cookie ID: _cf_bm
  • Cookie type & domain: 1st Party
  • Purpose & description: Strictly Necessary: To read and filter requests from bots for security purposes
  • Data sharing: N/A

Google Analytics
  • Cookie ID: Google Analytics cookies we use include: _utmb, _utmz, _gat, _ga, _utmc, _gid, _gid_utmt, _utma
  • Cookie type & domain: 1st Party; Hexcel.com
  • Purpose & description: Website Analytics: To allow us to track visitor behavior and measure site performance
  • Data sharing:
    • Data shared with Google includes the URL of the page you are visiting, your general location
    • Please see here for more information about how Google uses information from our site – these purposes include to deliver, maintain and improve their own services. Their Privacy Policy is available here.


Duration

The length of time for which cookies are stored on your browser varies depending on the specific cookie. “Session” cookies only last for your online session (i.e. until you close your browser); others will stay on your browser for a reasonable time afterward. Unless indicated above, the cookies set on our website will usually last for between 1 day and 6 months from the last visit to our site.

Some of the information collected by cookies is personal data to which the rest of this privacy notice applies. Please see the section on WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT? for information about what personal data we collect and how this information is used, and the section on YOUR PRIVACY CHOICES AND RIGHTS for your rights in relation to such data.

Cookie Settings

When you first visit our website, we will ask you whether you want to accept cookies. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Some of our services may not work properly if you disable cookies.

You can review and manage your cookie preferences for our websites and opt out of certain cookies, including targeting cookies and tags on our websites, either by editing your browser options as explained above or by reviewing and changing your preferences for most cookies on our website (including to opt out of all but ‘required’ cookies) by adjusting your preferences through our cookie preferences manager made available on our websites.

Please note that cookie preferences are browser and device specific, which means that you need to set the preference for each browser and device you use to access our websites; in addition, if you delete or block cookies, you may need to reapply these preferences.

Do-Not-Track Signals. Please note that our websites do not recognize or respond to any signal which your browser might transmit through the so-called "Do Not Track" feature your browser might have. However, you can set your preferences for cookies on our websites as discussed above.

LAWFUL BASIS FOR PROCESSING

Where required by applicable data protection laws, we will only process your personal data where we have a lawful basis to do so (including, where appropriate, where we have obtained your consent). Please see Appendix 1 for details of the lawful basis relied on for different processing activities and different jurisdictions.

HOW WE DISCLOSE YOUR PERSONAL DATA

Group Companies

We may share your information with other companies within the Hexcel group of companies. When a Hexcel group company receives your personal data, they will act as an independent controller of that data, and may use your personal data in accordance with this Policy. Please see our Global Locations page for the details of those of our group companies with whom we may share your personal data.

Please contact us at dataprivacy@hexcel.com for more information about the specific types of personal data shared with them and the purposes of sharing.

Our Suppliers and Service Providers

We may disclose your personal data to our third-party service providers, agents, subcontractors, vendors, business partners, marketing, advertising and analytics providers, third party platform services and other organizations (as listed below) for the purposes of providing services to us or directly to you on our behalf. These recipients include:

  • Accountancy services
  • Banks, payment processors and financial services providers
  • Cloud storage providers
  • Financial auditing services
  • Government tax administration offices
  • Website Analytics Provider (Google Analytics)
  • Insurance brokers – for claims
  • Insurance services – for claims
  • IT support service providers
  • Legal advisers
  • On-site security access control services
  • Taxi service providers
  • Travel & accommodation providers, including expense reporting

These recipients will usually be located in the same jurisdiction or region as the Hexcel Group company they support, with the exception of IT services (including Website Analytics provider, IT support service providers and Cloud Services providers) which are provided on a global basis.

If you are based in the European Union (EU) or the United Kingdom (UK) we will endeavor to only share your personal data with suppliers and service providers based in the European Economic Area (EEA). The only exceptions to this are when we arrange travel/accommodation for you outside of the EEA and we may use Cloud Storage Providers which are based outside of the EEA.

If you are based in China, we will endeavour to only share your personal data with suppliers and service providers based in China. The only exceptions to this are when you visit our website your data may be shared with our IT services (including Website Analytics provider, IT support service providers and Cloud Services providers).

For more information on how we transfer personal data outside of the EEA or China, please see the section INTERNATIONAL TRANSFERS OF PERSONAL DATA below.

Other Ways We May Share Your Personal Data

We may disclose your personal data to a third party:

  • as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or re-organization;
  • if we’re under a duty to disclose or share it in order to comply with any legal obligation, for security purposes and to protect rights, such as for example to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers.

Where the recipients have independent purposes and means of processing your personal data, you may contact us at dataprivacy@hexcel.com for more information about the identities and contact information of the recipients, the specific types of personal data shared and the purposes of sharing. We will share with you the relevant information unless the disclosure is prohibited or restricted by applicable law.

INTERNATIONAL TRANSFERS OF PERSONAL DATA

Hexcel is a global group of companies.

Accordingly, we may transfer your personal data to, or access it in, jurisdictions other than the jurisdiction in which you are located (including the United States and other jurisdictions where we, our affiliates and service providers have operations), including to jurisdictions that do not include equivalent levels of data protection as the country you are based in.  

When we transfer personal data, we will take organizational, contractual, and technical measures designed to safeguard your personal data to the levels required by local laws, including through appropriate written data processing terms and/or data transfer agreements and/or other legally acceptable mechanisms according to applicable local laws.

TRANSFERRING INFORMATION OUTSIDE OF THE EEA

If you are in the European Economic Area or the United Kingdom (collectively referred to herein as “EEA”) and we transfer your personal data to a jurisdiction located outside of the EEA, which may not have similar data protection laws to the EEA and may not be recognized by the European Commission and/or the U.K. Government (or other relevant regulatory body) as providing an adequate level of data protection, we will take steps to ensure that appropriate security and other safeguards are in place to ensure that your privacy rights continue to be protected as outlined in this policy.

These safeguards include imposing contractual obligations, such as the European Commission approved standard contractual clauses (available here) and the U.K. Addendum thereto (available here), on the recipient of your personal data.

Please contact us at dataprivacy@hexcel.com for more information about the protections that we put in place and to obtain a copy of the relevant documents.

TRANSFERRING INFORMATION OUTSIDE OF CHINA

We may transfer your personal data outside of China when your information is shared with any of our group companies located in a country outside of China or if any of our servers or those of our third-party service providers are from time to time located in a country outside of China. Please see the section on HOW WE DISCLOSE YOUR PERSONAL DATA above for more information about recipients.

You may contact us at dataprivacy@hexcel.com for more information about the identities and contact information of these overseas recipients, the specific types of personal data shared, the purposes of sharing and the mechanisms via which you may raise requests to these overseas recipients.

If we transfer your information outside of China in this way, we will take steps to ensure that appropriate security and other safeguards are in place to ensure that your privacy rights continue to be protected as outlined in this policy. These safeguards may include entering standard contractual clauses formulated by the Chinese data regulator with the overseas recipients, conducting necessary security assessments or any other compliance actions as required by the Chinese data protection laws. We will provide you with a supplementary notice if necessary.

SECURITY

We have in place a variety of technical and organisational security measures designed to protect your personal data and prevent unauthorised access to, use or disclosure of it.

HOW LONG WE KEEP YOUR PERSONAL DATA

We retain personal data only for as long as necessary to fulfil the purposes for which we collected it, reflected in our internal document retention schedule, unless a longer retention period is required or permitted by law. For example:

  • Customer data will be kept for the duration of our relationship with you plus 7 years;
  • Cookie data will be anonymised or deleted within 6 months of collection.

Generally, the retention period is determined by a number of factors, including the purpose for which we use that information and our obligations under applicable laws.

YOUR PRIVACY CHOICES AND RIGHTS

Your local data protection laws may confer rights on you in relation to your personal data. The rights available to you may vary depending on our reason for processing your personal data and the country/region you are based in.

Depending on the data protection law that applies, and subject to the conditions and limitations of such law, you may have one or more of the following rights with respect to your personal data:

  • Accessing Your Personal Data. You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.

  • Correcting and Updating Your Personal Data. The accuracy of your information is important to us. If the personal data we hold on you is inaccurate or incomplete, you are entitled to request that we make corrections.

  • Withdrawing Your Consent. Where you have previously provided your consent and that is our legal basis for processing your personal data, you may withdraw your consent at any time. Please note that if you do withdraw your consent, our use of your personal data before you withdrew your consent remains lawful.

  • Objecting to Our Use of Your Personal Data and Purely Automated Decisions Made About You. Where we rely on our legitimate business interests as the legal basis for processing your personal data for any purpose(s), as set forth under the Section WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT?, you may object to us using your personal data for these purposes. Except for the purposes for which we are sure we can continue to process your Personal Data, we will temporarily stop processing your Personal Data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your data. Where personal data are processed for direct marketing purposes, you have the right to object at any time to such processing (including profiling to the extent that it is related to such marketing). If you make such objection, we will no longer process your personal data for direct marketing purposes. You may also contest a decision made about you based purely using automated processing by contacting us. However, we do not currently engage in any such automated decision-making.

  • Erasing Your Personal Data or Restricting its Processing. In certain circumstances, you may ask for your personal data to be removed from our systems. Unless there is a lawful reason which allows us to use your personal data for longer (for example, if we need to retain your personal data to complete a transaction or provide you with a service), we will make reasonable efforts to comply with your request. You may also ask us to restrict processing your personal data where you believe it is unlawful for us to continue processing, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only process your personal data while its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

  • Transferring Your Personal Data in a Structured Data File. If we rely on your consent as the legal basis for processing your personal data or need to process it in connection with your contract, as set out under the section WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT?, or if your request is otherwise supported by the applicable data protection laws, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.

  • Right Against Discrimination. You have the right not to be discriminated against for exercising any of the rights granted to you under any applicable law in relation to your personal data. Hexcel will not deny you goods or services or charge you different prices or rates if you decide to exercise your rights.

Please be aware that these rights are not absolute, and the way we process your Personal Data, the legal basis on which we rely to process it (where a legal basis is required under applicable privacy and data protection law) and the country/region you are based in may affect the extent to which these rights apply.

If you are a California resident, please see the CCPA SUPPLEMENT at the end of this Policy for additional information about your rights under California privacy laws. 

How to Exercise Your Rights

To exercise any of your data protection and privacy rights, please email your request to us at Dataprivacy@hexcel.com. Hexcel may require you to verify your identity before responding to your request. We may ask you to provide us with additional information to verify your identity.

When you make a request, you should also provide us with enough information regarding your request so that we are able to action it. We will respond to you within the timeframe required by applicable law (in the EU or U.K., this is usually one month).

You can have a third party submit a request on your behalf. The third party must provide us with evidence that it has your valid authorisation (such as a signed permission from you) and verify your identity. We may also need to verify the identity of the third party.

How to Make a Complaint

Although you have the right to complain to the applicable data protection authority (in the country where you work or live or where your legal rights have been infringed), we encourage you to contact us first at Dataprivacy@hexcel.com before making any complaint and we will seek to resolve any issues or concerns you may have.

CHANGES TO THIS POLICY

We may review this Policy from time to time and any changes will be posted on the page.

If we make any changes that materially affect our practices with regard to the personal data we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our website or, where appropriate, notifying you by email. Where it is required by applicable data protection laws, we will obtain your consent to the changes.

We recommend you regularly review this Policy and check for changes.

__________________________________________

APPENDIX: LAWFUL BASIS FOR PROCESSING 

CHINA

If you are located in the People’s Republic of China (for the purpose of this policy only, excluding Hong Kong, Macau and Taiwan) (“China”) or if our processing of your personal data is otherwise regulated by the Chinese data protection laws, then we rely on your consent as the legal basis for the relevant purpose(s).

EU and UK

If you are located in a Member State of the EEA, or in the United Kingdom (UK), or if our processing of your personal data is otherwise regulated by EEA and/or UK data protection laws, the lawful basis for each processing activity is set out in the following table.


Processing Activity | EU/UK Lawful Basis for Processing, Including Legitimate Interests (where applicable)
CUSTOMERS
Sales & Support
  • Our legitimate interests in supporting our customers with sales, support and other inquiries, and in communicating with our Suppliers regarding the products and services they offer.
Marketing
  • Our legitimate interest in promoting our business, our brand and our products and services.
Research & Analytics
  • Our legitimate interest in identifying and responding to changing market conditions and our customers’ needs.
Planning & Managing Events
  • Our legitimate interest in promoting our business, our brand and our products and services.
Safety & Security
  • Our legal obligations to protect, and to the extent that our activities go beyond the strict requirements of applicable law, our legitimate interest in ensuring, the safety of all individuals attending our offices or factory sites.
  • Exceptionally, your, or another individual’s vital interests.
Compliance with Legal & Regulatory Obligations
  • Our legal obligation to comply with applicable law.
  • To the extent that our activities go beyond those strictly required by law, our legitimate interest in complying with our legal and regulatory obligations effectively and efficiently.
General Business Obligations
  • To comply with our legal obligations.
  • To the extent that processing goes beyond the requirements of applicable law, our legitimate interests in operating the administrative and technical aspects of our business efficiently and effectively and in compliance with applicable law and regulation.
DEPENDENTS and EMERGENCY CONTACTS
To Contact You in an Emergency
  • Our legitimate interest, and that of the relevant member of our workforce, in contacting you in the event of a serious incident affecting your friend/relative.
Administration of Benefits
  • Our, and our workforce’s, legitimate interest in facilitating the administration of benefits by our third-party benefits providers.
WEBSITE VISITORS
Website & Information Security
  • Our legitimate interest in ensuring the security of our website(s) and all information processed by such website(s).
Website Analytics
  • Our legitimate interest in assessing how website visitors use our sites, so that we can improve them.


CCPA SUPPLEMENT

In this section, we provide additional information to California residents about the categories of personal data we collect about you and your privacy rights under applicable California privacy laws, including the California Consumer Privacy Act and its supplementing regulations (collectively the “CCPA”). This section does not address or apply to our collection and processing of data that is exempt from CCPA (including publicly available information lawfully made available by state or federal government records or other personal data that is exempt under the CCPA), or information about our employees, personnel, applicants and candidates.

Categories of Personal Information under the CCPA. Our collection, use and disclosure of personal data varies based upon our relationship and interactions with you. In the table below, we describe the categories of personal data we may collect, and have in the prior twelve (12) months collected, about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose.

Categories of Personal Information Collected | Categories of Third-Party Disclosures
Identifiers
Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier; Social Security number, driver’s license number, passport number, tax ID and other government identifiers; email address, phone number, address and other contact information; IP address and other online identifiers
  • Service providers 
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Data analytics providers
  • Internet service providers
  • Operating systems and platforms
  • Others as required by law or consented by you
Categories of Personal Information Listed in Cal. Civ. Code § 1798.80(e)
Includes personal data, such as name, account name, user ID, contact information, account number, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services
  • Service providers 
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Others as required by law or consented by you
Internet and Electronic Network Activity Information
Including, but not limited to, browsing history, clickstream data, search history, and information regarding interactions with an internet website, application, or advertisement, including other usage data related to your use of any of our Services or other online services
  • Service providers 
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Others as required by law or consented by you
Geolocation Data
Location information about a particular individual or device
  • Service providers 
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Data analytics providers
  • Internet service providers
  • Operating systems and platforms
  • Others as required by law or consented by you
Audio, Visual and Other Electronic Data (“Sensory Data”)
Includes audio, electronic, visual, thermal, olfactory, or similar information, such as thermal screenings and CCTV footage (e.g., collected from visitors to our premises), photographs and images (e.g., that you provide us) and call recordings (e.g., of customer support calls)
  • Service providers
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Advertising networks
  • Data analytics providers
  • Social networks
  • Internet service providers
  • Operating systems and platforms
  • Others as required by law or consented by you
Professional and Employment-Related Information
Includes professional and employment-related information such as business contact information and professional memberships
  • Service providers
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Others as required by law or consented by you
Profiles and Inferences
Including inferences drawn from any of the information identified above to create a profile reflecting a consumer’s preferences, characteristics, behavior or attitudes
  • Service providers
  • Business partners, advisors and agents
  • Regulators, government entities and law enforcement
  • Hexcel group companies
  • Advertising networks
  • Data analytics providers
  • Social networks
  • Internet service providers
  • Operating systems and platforms
  • Others as required by law or consented by you


Sales and Sharing of Personal Information. Under the CCPA, ‘sales’ and ‘sharing’ are broadly defined and include disclosing or making available personal data to third parties, in exchange for money or some other benefit or for purposes of cross-context behavioral advertising.  As broadly defined by the CCPA, we may sell/share identifiers, internet and electronic network activity information and inferences to/with advertising networks and third-party ad companies, data analytics providers and social networks in order to analyze use of our services, optimize and develop our products and services, improve and measure our ad campaigns, and reach users with more relevant ads and content. However, we do not knowingly sell or share sensitive personal data, nor personal data about California residents who are younger than 16.

Sources of Personal Information. As stated in the Policy above, in general, we collect the categories of personal data identified in the table above directly from you, automatically and in certain cases from the following categories of third-party sources:

  • Hexcel Group Companies
  • Business customers, vendors, and suppliers
  • Third-party platforms, sites and services, including social networks
  • Data analytics providers
  • Ad networks
  • Internet service providers
  • Operating systems and platforms
  • Government entities
  • Third-party and publicly available data sources

Purposes for Collecting and Disclosing. As described in more detail in the section WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT?, in general, we collect and otherwise process the personal data set forth in the table above for the following business or commercial purposes:

  • Services and support
  • Communications
  • Research and analytics
  • Customization and personalization
  • Marketing and advertising
  • Planning and managing events
  • Legal proceedings and obligations
  • Account administration
  • Security and protection of rights
  • General business and operational support

Notwithstanding the above, we only use and disclose sensitive personal data as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, (vi) to our service providers who perform services on our behalf, and (vii) for purposes other than inferring characteristics about you.  We do not use or disclose your sensitive personal data other than as authorized pursuant to section 7027 of the CCPA regulations (Cal. Code. Regs., tit. 11, § 7027 (2022)).

Retention. We retain personal data only for as long as necessary to accomplish the purpose for which the information was collected, unless a longer retention period is required or permitted by law. Generally, the retention period is determined by a number of factors, including the purpose for which we use that information and our obligations under applicable laws.

California Residents’ Rights. In general, California residents have the following rights with respect to their personal data:

  • To know/access: to know what personal data we have collected about them, including the categories of personal data, the categories of sources from which the personal data is collected, the business or commercial purpose for collecting, selling, or sharing personal data, the categories of third parties to whom we disclose personal data, and the specific pieces of personal data we have collected about them.
  • Correction: to request correction of inaccurate personal data.
  • Deletion: to request deletion of their personal data, subject to certain exceptions.
  • Opt out of sales and sharing: to opt-out of our sale and sharing of their personal data.
  • Right to limit use of sensitive personal data: The right to limit the use or disclosure of sensitive personal data to those uses authorized by the CCPA.  However, as noted, we do not use or disclose your sensitive personal data beyond the CCPA’s authorized purposes.
  • Right to non-discrimination: to not be subject to discriminatory treatment for exercising their rights under the CCPA.

Submitting Requests to Know, Correct and Delete. California residents may submit requests to know, correct and delete their personal data by emailing us at Dataprivacy@hexcel.com. You can also submit a privacy request online at Webform or by phoning our San Ramon office at (800) 688-7734.

When you submit a request to know or delete, we will need to verify your identity before processing your request, which may require us to request additional personal data from you. In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems, or as permitted by law. Authorized agents may initiate a request on behalf of another individual by contacting us at Dataprivacy@hexcel.com; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verifies their identity and the authority of the authorized agent.

Requests to Opt Out of Sales and Sharing. California residents may submit a request to opt out of sales and sharing by us via email at Dataprivacy@hexcel.com.  You may also review and manage your cookie preferences for our website as set forth in the COOKIES Section above.

Rights Under California's Shine-the-Light Law. If you are a California resident and you still believe your information has been shared or you have general questions about how your information may have been shared, you may contact us by requesting a list of the third parties to which we have disclosed personal data about you for their own direct marketing purposes. You may make one request per year. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by emailing us at Dataprivacy@hexcel.com.

Contact Us. For more information about our privacy practices, you may contact us via email at Dataprivacy@hexcel.com.