Privacy Policy

  1. Background 

Last updated: November 2nd, 2023.

This notice tells you how we look after your personal data when you visit our websites at, or any of our sub-domains (collectively referred to as the “Website”), when you are involved in our externship program  (“Program”), where you are considering being involved in a Program, or where you are another type of business contact, such as a supplier or service provider to our business. 


This notice sets out what information we collect about you, what we use it for and who we share it with. It also explains your rights and what to do if you have any concerns about your personal data.

We may sometimes need to update this notice, to reflect any changes to the way the Program is provided or to comply with new business practices or legal requirements. You should check this Privacy Notice to see whether any changes have occurred.

  1. Who we are and other important information

We trade under the name “Extern”.  The legal entities that may hold and be responsible for the management of your personal data is Extern, Inc. (referred to as “Extern”, “we”, “us” or” our). 

Depending on where you are located, you may be subject to jurisdiction specific laws and regulations.  This privacy notice is intended to provide you with the information that we are required to provide you with, wherever you are located.  We will look after your personal data carefully wherever you are located, but you may not be able to exercise all of the rights set out below if you are resident in a jurisdiction where such rights do not exist.

  1. The information we collect about you

Personal data means any information which does (or could be used to) identify a living person. 

We have set out the types of personal data that we collect and where we receive it from below.

Type of Personal Data:

  • Identity Data – your first and last name, title and date of birth.  
  • Contact Data – your email address, telephone numbers, home address.
  • Location Data – your physical location, addresses and your device location if you log into our systems remotely.
  • Demographic information – your age, gender, and ethnicity
  • Academic information – details of your academic qualifications and achievements.
  • Career information – details of your employment history.
  • Feedback – information and responses you provide when completing surveys and questionnaires.
  • Photo, image, audio, and other content – images, videos, audio and other content that you may provide to us or that we may collect through our interactions with you.
  • Marketing and Communication Data - includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Technical Data - internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system, and platform on the devices you use to access our systems.
  • Usage Data - information about how you use our systems, including our website and any platform, API or software that we may provide you with access to, or integrate our systems with.

Please note that we do not collect any payment card data or similar data relating to your method of payment. You provide this data directly to [our payment process] who processes payments on our behalf. We only receive and process information about the timing and amount of your payment.

Sensitive information (also known as “special category” data) includes information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life or sexual orientation.  

  • We may use your sensitive information where this forms part of your demographic information, as set out above.
  • Other than as set out above we do not intend to collect or process sensitive information and we request that you do not provide sensitive information to us unless this is strictly necessary for us to perform our services.
  • Sensitive information will only be processed by us where we have your express consent to the processing.

  1. How and when your information is collected

We collect and process information about you and your interactions with us, for example:

  • when you inquire about, purchase, or request information about, the Program or any of our other services, call us, or otherwise visit our website and we provide you or your employer or legal representative with legal advice;
  • when you register to apply for an externship, or subscribe to our mailing list;
  • whenever you interact with us, including over the phone, through our online enquiry form, email, social media channels, or post, or leave a review of the services we have provides to you;
  • we may also collect personal information from third parties such as parties who have connected us to you by way of a referral; and
  • we may use publicly available sources or third-party vendors to allow us to maintain the accuracy of contact details we hold for you or provide missing information

  1. How we use your information

We are required to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organizations can rely on. 

The most relevant of the lawful bases to us are where we use your personal data to:

  • Contract: to fulfil our contract with you
  • Legitimate Interests: to pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy)
  • Legal Obligation: to comply with a legal obligation that we have
  • Consent: do something for which you have given your consent

The table below sets out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy notice.

Lawful Basis Purpose for using your personal data
Contract Where we have a contract with you (for example in connection with your application to a Program), as an individual, and the processing is carried out:
  • to perform our services in connection with the contract
  • to otherwise administer or perform our contract with you
  • to process your payment in connection with any contract we have with you
  • to send you updates about the Program or other aspects of the contract.
Legitimate Interests Where using your information is necessary to pursue our legitimate business interests to:
  • to provide our services to an organization with which you are connected in some manner (e.g. where your host company is taking part in a Program)
  • ensure the proper functioning of, improve and optimize our Website
  • to protect our business, our users and the public and to protect our/their rights and property
  • to defend ourselves against legal claims
  • to enforce our Terms of Service, including investigation of potential violations
  • to detect, prevent, or otherwise address fraud or security issues.
Where we use your information for our legitimate interests, we have assessed whether such use is necessary and that such use will not infringe on your other rights and freedoms.
Legal Obligation Where we are under a legal obligation to conduct the processing, including:
  • recording your preferences (e.g. marketing) to ensure that we comply with data protection laws.
  • where we send you information to comply with a legal obligation (e.g. where we send you information about your legal rights).
  • where we are required to file information with, or provide notifications to, public authorities.
Consent Where you have provided your consent to the use or sharing of your information, including:
  • where you have consented to our use of your image, video or other content in our marketing or promotional materials.
  • where you have consented to receive marketing material from us.


We may anonymize the personal data we collect (so it can no longer identify you) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what percentage of users responded to a specific survey). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.

Where we need to collect your personal data (for example, in order to fulfill a contract we have with you), failure to provide us with your personal data may mean that we are not able to provide you with the services. Where we do not have the information required about you to fulfill an order, we may have to cancel the service ordered. 

  1. When we send you marketing messages

We may send you marketing messages where you have consented, or where we are otherwise not legally prohibited from doing so.  

You can opt out of receiving marketing messages from us at any time.  Just let us know at  Opting out of marketing will not affect our processing of your personal data in relation to any contract you have with us and where we required to use your personal data to fulfil that contract or provide you with certain information. 

  1. Who we share your information with

We share (or may share) your personal data with:

  • Prospective Employers: The employers who take part in our Programs and with whom you are interested in obtaining an externship.
  • Publication on our Website or in other promotional materials: where you have provided us with images, videos or other content and have given your consent to publish this information in our promotional materials, we may use such information for all purposes for which you have consented.  You may withdraw your consent to this use of your information at any time.  Following any such withdrawal, we will not include your personal data in future promotions, however, it will not be possible to remove your personal data from past or current promotional material.
  • Our personnel: our employees (or other types of workers) who have contracts containing confidentiality and data protection obligations.
  • Our supply chain: other organizations that help us provide our Program and other services. We ensure these organizations only have access to the information required to provide the support we use them and have a contract with them that contains confidentiality and data protection obligations.
  • Regulatory authorities: such as federal or local governments, regulatory or self-regulatory authorities, or other administrative agencies, such as the IRS in the United States.
  • Fraud prevention:  we may exchange information with other companies and organizations for fraud protection and spam/malware prevention.
  • Our professional advisers: such as our accountants or legal advisors where we require specialist advice to help us conduct our business.
  • Any actual or potential buyer of our business.

If we were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response.

  1. Transfer of Personal Data overseas

We are based in the USA and therefore, by providing your personal data to us, you acknowledge that it will be transferred to and processed in the USA.

We may also disclose personal information across borders to employers who take part in our Programs, and to third parties so that they may perform services for us, on our behalf, or in the context of the provision of our services to you.

We may also disclose your personal information across borders to others outside our group of companies where:

  • we are required or authorized by law to do so;
  • you have expressly consented to the disclosure; or
  • we are otherwise permitted to disclose the information under any relevant privacy regulations.

  1. How we keep your information safe

We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:

  • access controls and user authentication (including multi-factor authentication);
  • internal IT and network security; 
  • regular testing and review of our security measures;
  • staff policies and training;
  • incident and breach reporting processes;
  • business continuity and disaster recovery processes;
  • All sensitive data is encrypted in storage and in transportation.

If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).  Where we act as the processor for the affected personal data, we notify the controller and support them with investigating and responding to the incident.

If you notice any unusual activity on the Website, please contact us at

  1. How long we keep your information

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for. 

To decide how long to keep personal data (also known as its retention period), we consider the volume, nature, and sensitivity of the personal data, the potential risk of harm to you if an incident were to happen, whether we require the personal data to achieve the purposes we have identified or whether we can achieve those purposes through other means (e.g. by using aggregated data instead), and any applicable legal requirements (e.g. minimum accounting records for HM Revenue & Customs).

We may keep Identity Data, Contact Data, information about payments received from you and certain other data (specifically, any exchanges between us by email or any other means) for up to seven years after the end of our contractual relationship with you. 

If you browse our website, we keep personal data collected through our analytics tools for only as long as necessary to fulfill the purposes we collected it for. 

If you have registered an interest in our Program or services, or you have subscribed to our mailing list, we keep your details until you ask us to stop contacting you.

  1. Your legal rights

You have specific legal rights in relation to your personal data, which may vary by jurisdiction. The following list sets out your legal rights if you are resident in the European Economic Area or in the UK.  We will do our best to comply with the below, even where we are not legally required to do so. If you wish to exercise any of the rights listed below, please contact

  • Access: You must be told if your personal data is being used and you can ask for a copy of your personal data as well as information about how we are using it to make sure we are abiding by the law.
  • Correction: You can ask us to correct your personal data if it is inaccurate or incomplete. We might need to verify the new information before we make any changes.
  • Deletion: You can ask us to delete or remove your personal data if there is no good reason for us to continue holding it or if you have asked us to stop using it (see below). If we think there is a good reason to keep the information you have asked us to delete (e.g. to comply with regulatory requirements), we will let you know and explain our decision.
  • Restriction: You can ask us to restrict how we use your personal data and temporarily limit the way we use it.
  • Objection: You can object to us using your personal data if you want us to stop using it. If we think there is a good reason for us to keep using the information, we will let you know and explain our decision.
  • Portability: You can ask us to send you or another organisation an electronic copy of your personal data.
  • Complaints: If you are unhappy with the way we collect and use your personal data, please contact us using the applicable contact details set out above.  We will do our best to resolve your concerns.  If we are unable to do so, you may be able to complain to a regulator, depending on your location, for example:

If you are resident in the United Kingdom you can complain to the UK Information Commissioner’s Office: 

If you are resident in Canada you can complain to the Office of the Privacy Commissioner of Canada: 

If you are resident in the European Economic Area you can complain to the Data Protection Commission in Ireland:

We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is manifestly unfounded or excessive. We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive. If this happens, we will always inform you in writing. 


Cookies will typically be placed on your computer or internet-enabled device whenever you visit us online. This allows the site to remember your computer or device and serve a number of purposes.

On our Website, a notification banner will appear allowing you to manage your consent to collect cookies (cookie banner).

  1. Different types of cookies

Session vs. persistent cookies: cookies have a limited lifespan. Cookies which only last a short time or end when you close your browser are called session cookies. Cookies which remain on your device for longer are called persistent cookies (these are the type of cookies allow websites to remember your details when you log back onto them).

First party vs third party cookies: cookies placed on your device by the website owner are called first party cookies. When the website owner uses other businesses’ technology to help them manage and monitor their website, the cookies added by the other business are called third party cookies.

Below is a summary of the categories of cookies collected on our websites:

  • Strictly necessary cookies: Strictly necessary cookies are essential in order to enable users to move around the website and use its features, such as accessing secure areas of the website. 
  • Performance cookies: Performance cookies are cookies used to gather data to enhance the performance of a website. 
  • Functionality cookies: Functionality cookies are used to remember customer selections that change the way the site behaves or looks. You may opt-out of these cookies, but it will impact your experience on the website, and you may need to repeat certain selections each time you visit. 
  • Analytical cookies:  Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate. 
  • Targeting cookies or advertising cookies: Targeting cookies are used to deliver content relevant to your interests They are also used to limit the number of times you see certain marketing materials, as well as help measure the effectiveness of those marketing materials. If you do not provide consent for targeting cookies, your computer or internet-enabled device will not be tracked for marketing-related activities.  

  1. What do we use cookies for?

We use cookies to:

  • to track how visitors use our Website;
  • to record whether you have seen specific messages we display on our Website;
  • to keep you signed into our Website;
  • where we post content and links to content, we use cookies to capture and analyse information such as number of views and shares.

  1. What Cookies do we use?

We can only use cookies with your permission (you will be prompted by a message when you first visit our Website, also known as a cookie banner, where you can choose to accept or decline our cookies). 

You can update your settings on our Website.

You can choose to decline cookies but if you turn off necessary cookies, some pages and functions on our Website may not work properly. You can also manage cookies through your browser settings or device settings (your user manual should contain additional information).

You can also delete cookies directly with the relevant third parties (for example, you can disable Google Analytics on their website).

If you have any questions about our cookies, or how we otherwise use your personal data, please visit our Privacy Policy for further details.