Hexcel respects individuals’ privacy and is committed to providing transparency regarding its privacy practices.
This Policy does not apply to the Personal Data Hexcel collects and processes related to our employees, job applicants and job candidates or to any information that is exempt under applicable privacy and data protection laws.
Hexcel websites are not designed for, or directed at, children under the age of 13 and we do not knowingly collect personal data from individuals in this age group. If you believe we have inadvertently collected personal data about a child, please contact us and we will take steps to delete this data.
This Policy may change from time to time so please check this page occasionally to ensure that you are familiar with any changes. For more information please see the section CHANGES TO THIS POLICY below.
If you are a California resident, please review the CCPA SUPPLEMENT at the end of this Policy for important information about our privacy practices and your rights under California privacy laws.
This policy was last updated in December 2023.
The Hexcel group of companies is made up of numerous individual companies across the globe. For the purposes of this Policy, the primary controller of your personal data will be:
We collect personal data about you in a number of ways:
If you are a Customer, or (in relation to sales and support) a representative of a Supplier, we process your personal data for a number of purposes including as set out in the table below:
|TYPICAL PERSONAL DATA PROCESSED & HOW THIS IS OBTAINED
|Sales & Support
To support our clients with sales, support and other inquiries
To promote our business, our brand and our products and services
|Research & Analytics
To identify and respond to changing market conditions and our customers’ needs
|Planning & Managing Events
|Safety & Security
|General Business Obligations
We may also on occasion need to process your personal data for other purposes, including for example where we have a legitimate business interest in doing so in relation to the possible or actual sale or restructuring of the business (including negotiations thereto); to establish, defend or exercise legal claims in an employment tribunal or court of law; or where we are required to do so by applicable law.
If you are a dependent or emergency contact of a workforce member or site visitor, we process your personal data for an number of purposes including as set out in the table below:
|TYPICAL PERSONAL DATA PROCESSED & HOW THIS IS OBTAINED
|To Contact You in an Emergency
|Administration of Benefits
Where our processing is subject to the Chinese data protection laws, some types of personal data (e.g. information contained in a formal identiﬁcation document or social security or other unique reference relating to you e.g. passport or driving license) may constitute sensitive personal data under the laws. Providing us with your sensitive personal data increases the risk that you may suffer harm to your personal safety or dignity or your reputation, or loss or damage to your property if your sensitive personal data is accessed, used, or divulged without authorization while it is in our custody. We will take enhanced security measures designed to protect your sensitive personal data. But please understand that no security measures can be entirely flawless, and we cannot guarantee that your sensitive personal data will never be accessed or used without authorization.
If you are a Website Visitor, we collect information directly from you when you complete a ‘contact us’ form, or subscribe to our newsletter. In these cases, you will be treated as a prospective or actual Customer. Please see the previous section on our use of Customer data. When you navigate through and interact with our website, we and our third-party providers may, with your consent where appropriate, automatically collect and record information about your browsing activities using cookies, pixel tags, log files and other similar technologies (referred to below as “Cookies”). We process your personal data for a number of purposes including as set out in the table below:
|PERSONAL DATA PROCESSED & HOW THIS IS OBTAINED
|Necessary Functionality and Website & Information Security
A cookie is a small file placed on the hard drive of your computer when you access our website, although we also use the term “Cookie” to refer to pixel tags, log files and other similar technologies. As noted previously, the Cookies we use may collect information about your equipment, browsing actions, and patterns, including for example:
We use the following Cookies on our website:
|COOKIE TYPE & DOMAIN
|PURPOSE & DESCRIPTION
|Strictly Necessary: To read and filter requests from bots for security purposes
|Google Analytics cookies we use include:
_utmb, _utmz,_gat, _ga, _utmc, _gid, _gid_utmt, _utma
|Website Analytics: To allow us to track visitor behavior and measure site performance
The length of time for which cookies are stored on your browser varies depending on the specific cookie. “Session” cookies only last for your online session (i.e. until you close your browser); others will stay on your browser for a reasonable time afterward. Unless indicated above, the cookies set on our website will usually last for between 1 day and 6 months from the last visit to our site.
Some of the information collected by cookies is personal data to which the rest of this privacy notice applies. Please see the section on WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT? for information about what personal data we collect and how this information is used, and the section on YOUR PRIVACY CHOICES AND RIGHTS for your rights in relation to such data.
When you first visit our website, we will ask you whether you want to accept cookies. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Some of our services may not work properly if you disable cookies.
You can review and manage your cookie preferences for our websites and opt out of certain cookies, including targeting cookies and tags on our websites, either by editing your browser options as explained above or by reviewing and changing your preferences for most cookies on our website (including to opt out of all but ‘required’ cookies) by adjusting your preferences through our cookie preferences manager made available on our websites.
Please note that cookie preferences are browser and device specific, which means that you need to set the preference for each browser and device you use to access our websites; in addition, if you delete or block cookies, you may need to reapply these preferences.
Do-Not-Track Signals. Please note that our websites do not recognize or respond to any signal which your browser might transmit through the so-called "Do Not Track" feature your browser might have. However, you can set your preferences for cookies on our websites as discussed above.
LAWFUL BASIS FOR PROCESSING
Where required by applicable data protection laws, we will only process your personal data where we have a lawful basis to do so (including, where appropriate, where we have obtained your consent). Please see Appendix 1 for details of the lawful basis relied on for different processing activities and different jurisdictions.
HOW WE DISCLOSE YOUR PERSONAL DATA
We may share your information with other companies within the Hexcel group of companies. When a Hexcel group company receives your personal data, they will act as an independent controller of that data, and may use your personal data in accordance with this Policy. Please see our Global Locations page for the details of those of our group companies with whom we may share your personal data.
Please contact us at firstname.lastname@example.org for more information about the specific types of personal data shared with them and the purposes of sharing.
Our Suppliers and Service Providers
We may disclose your personal data to our third-party service providers, agents, subcontractors, vendors, business partners, marketing, advertising and analytics providers, third party platform services and other organizations (as listed below) for the purposes of providing services to us or directly to you on our behalf. These recipients include:
These recipients will usually be located in the same jurisdiction or region as the Hexcel Group company they support, with the exception of IT services (including Website Analytics provider, IT support service providers and Cloud Services providers) which are provided on a global basis.
If you are based in the European Union (EU) or the United Kingdom (UK) we will endeavor to only share your personal data with suppliers and service providers based in the European Economic Area (EEA). The only exceptions to this are when we arrange travel/ accommodation for you outside of the EEA and we may use Cloud Storage Providers which are based outside of the EEA.
If you are based in China, we will endeavour to only share your personal data with suppliers and service providers based in China. The only exceptions to this are when you visit our website your data may be shared with our IT services (including Website Analytics provider, IT support service providers and Cloud Services providers).
For more information on how we transfer personal data outside of the EEA or China, please see the section INTERNATIONAL TRANSFERS OF PERSONAL DATA below.
Other Ways We May Share Your Personal Data
We may disclose your personal data to a third party:
Where the recipients have independent purposes and means of processing your personal data, you may contact us at email@example.com for more information about the identities and contact information of the recipients, the specific types of personal data shared and the purposes of sharing. We will share with you the relevant information unless the disclosure is prohibited or restricted by applicable law.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
Hexcel is a global group of companies.
Accordingly, we may transfer your personal data to, or access it in, jurisdictions other than the jurisdiction in which you are located (including the United States and other jurisdictions where we, our affiliates and service providers have operations), including to jurisdictions that do not include equivalent levels of data protection as the country you are based in.
When we transfer personal data, we will take organizational, contractual, and technical measures designed to safeguard your personal data to the levels required by local laws, including through appropriate written data processing terms and/or data transfer agreements and/or other legally acceptable mechanisms according to applicable local laws.
TRANSFERRING INFORMATION OUTSIDE OF THE EEA
If you are in the European Economic Area or the United Kingdom (collectively referred to herein as “EEA”) and we transfer your personal data to a jurisdiction located outside of the EEA , which may not have similar data protection laws to the EEA and may not be recognized by the European Commission and/or the U.K. Government (or other relevant regulatory body) as providing an adequate level of data protection, we will take steps to ensure that appropriate security and other safeguards are in place to ensure that your privacy rights continue to be protected as outlined in this policy.
These safeguards include imposing contractual obligations, such as the European Commission approved standard contractual clauses (available here) and the U.K. Addendum thereto (available here), on the recipient of your personal data.
Please contact us at firstname.lastname@example.org for more information about the protections that we put in place and to obtain a copy of the relevant documents.
TRANSFERRING INFORMATION OUTSIDE OF CHINA
We may transfer your personal data outside of China when your information is shared with any of our group companies located in a country outside of China or if any of our servers or those of our third-party service providers are from time to time located in a country outside of China. Please see the section on HOW WE DISCLOSE YOUR PERSONAL DATA above for more information about recipients.
You may contact us at email@example.com for more information about the identities and contact information of these overseas recipients, the specific types of personal data shared, the purposes of sharing and the mechanisms via which you may raise requests to these overseas recipients.
If we transfer your information outside of China in this way, we will take steps to ensure that appropriate security and other safeguards are in place to ensure that your privacy rights continue to be protected as outlined in this policy. These safeguards may include entering standard contractual clauses formulated by the Chinese data regulator with the overseas recipients, conducting necessary security assessments or any other compliance actions as required by the Chinese data protection laws. We will provide you with a supplementary notice if necessary.
We have in place a variety of technical and organisational security measures designed to protect your personal data and prevent unauthorised access to, use or disclosure of it.
HOW LONG WE KEEP YOUR PERSONAL DATA
We retain personal data only for as long as necessary to fulfil the purposes for which we collected it, reﬂected in our internal document retention schedule, unless a longer retention period is required or permitted by law. For example:
Generally, the retention period is determined by a number of factors, including the purpose for which we use that information and our obligations under applicable laws.
Your local data protection laws may confer rights on you in relation to your personal data. The rights available to you may vary depending on our reason for processing your personal data and the country/ region you are based in.
Depending on the data protection law that applies, and subject to the conditions and limitations of such law, you may have one or more of the following rights with respect to your personal data:
Please be aware that these rights are not absolute, and the way we process your Personal Data, legal basis on which we rely to process it (where a legal basis is required under applicable privacy and data protection law) and the country/region you are based in may affect the extent to which these rights apply.
If you are a California resident, please see the CCPA SUPPLEMENT at the end of this Policy for additional information about your rights under California privacy laws.
How to Exercise Your Rights
To exercise any of your data protection and privacy rights, please email your request to us at Dataprivacy@hexcel.com Hexcel may require you to verify your identity before responding to your request. We may ask you to provide us with additional information to verify your identity.
When you make a request, you should also provide us with enough information regarding your request so that we are able to action it. We will respond to you within the timeframe required by applicable law (in the EU or U.K., this is usually one month).
You can have a third party submit a request on your behalf. The third party must provide us with evidence that it has your valid authorisation (such as a signed permission from you) and verify your identity. We may also need to verify the identity of the third party.
How to Make a Complaint
Although you have the right to complain to the applicable data protection authority (in the country where you work or live or where your legal rights have been infringed), we encourage you to contact us first at Dataprivacy@hexcel.com before making any complaint and we will seek to resolve any issues or concerns you may have.
We may review this Policy from time to time and any changes will be posted on the page.
If we make any changes that materially affect our practices with regard to the personal data, we have previously collected from you, we will endeavor to provide you with notice in advance of such change by highlighting the change on our website or, where appropriate, notify you by email. Where it is required by applicable data protection laws, we will obtain your consent to the changes.
We recommend you regularly review this Policy and check for changes.
If you are located in the People’s Republic of China (for the purpose of this policy only, excluding Hong Kong, Macau and Taiwan) (“China”) or if our processing of your personal data isotherwise regulated by the Chinese data protection laws, then we rely on your consent as the legal basis for the relevant purpose(s).
EU and UK
If you are located in a Member State of the EEA, or in the United Kingdom (UK), or if our processing of your personal data is otherwise regulated by EEA and/or UK data protection laws, the lawful basis for each processing activity is set out in the following table.
|EU/UK Lawful Basis for Processing
Including Legitimate Interests (where applicable)
|Sales & Support
|Research & Analytics
|Planning & Managing Events
|Safety & Security
|Compliance with Legal & Regulatory Obligations
|General Business Obligations
DEPENDENTS and EMERGENCY CONTACTS
|To Contact You in an Emergency
|Administration of Benefits
|Website & Information Security
In this section, we provide additional information to California residents about the categories of personal data we collect about you and your privacy rights under applicable California privacy laws, including the California Consumer Privacy Act and its supplementing regulations (collectively the “CCPA”). This section does not address or apply to our collection and processing of data that is exempt from CCPA (including publicly available information lawfully made available by state or federal government records or other personal data that is exempt under the CCPA), or information about our employees, personnel, applicants and candidates.
Categories of Personal Information under the CCPA. Our collection, use and disclosure of personal data varies based upon our relationship and interactions with you. In the table below, we describe that categories of personal data we may collect, and have in the prior twelve (12) months collected, about California residents, as well as the categories of third parties to whom we may disclose this information for a business or commercial purpose.
|Categories of Personal Information Collected
|Categories of Third-Party Disclosures
|Includes direct identifiers, such as name, alias, user ID, username, account number or unique personal identifier; Social Security number, driver’s license number, passport number, tax ID and other government identifiers; email address, phone number, address and other contact information; IP address and other online identifiers
|Categories of Personal Information Listed in Cal. Civ. Code § 1798.80(e)
|Includes personal data, such as name, account name, user ID, contact information, account number, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services
|Internet and Electronic Network Activity Information
|Including, but not limited to, browsing history, clickstream data, search history, and information regarding interactions with an internet website, application, or advertisement, including other usage data related to your use of any of our Services or other online services
|Location information about a particular individual or device
|Audio, Visual and Other Electronic Data (“Sensory Data”)
|Includes audio, electronic, visual, thermal, olfactory, or similar information, such as, thermal screenings and CCTV footage (e.g., collected from visitors to our premises), photographs and images (e.g., that you provide us) and call recordings (e.g., of customer support calls)
|Professional and Employment-Related Information
|Includes professional and employment-related information such as business contact information and professional memberships
|Profiles and Inferences
|Including inferences drawn from any of the information identified above to create a profile reflecting a consumer’s preferences, characteristics, behavior or attitudes
Sales and Sharing of Personal Information. Under the CCPA, ‘sales’ and ‘sharing’ are broadly defined and include disclosing or making available personal data to third parties, in exchange for money or some other benefit or for purposes of cross-context behavioral advertising. As broadly defined by the CCPA, we may sell/share identifiers, internet and electronic network activity information and inferences to/with advertising networks and third-party ad companies, data analytics providers and social networks in order to analyze use of our services, optimize and develop our products and services, improve and measure our ad campaigns, and reach users with more relevant ads and content. However, we do not knowingly sell or share sensitive personal data, nor personal data about California residents who are younger than 16.
Sources of Personal Information. As stated in the Policy above, in general, we collect the categories of personal data identified in the table above directly from you, automatically and in certain cases from the following categories of third-party sources:
Purposes for Collecting and Disclosing. As described in more detail in the section WHAT PERSONAL DATA DO WE COLLECT, AND HOW DO WE USE IT?, in general, we collect and otherwise process the personal data set forth in the table above for the following business or commercial purposes:
Notwithstanding the above, we only use and disclose sensitive personal data as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, (vi) to our service providers who perform services on our behalf, and (vii) for purposes other than inferring characteristics about you. We do not use or disclose your sensitive personal data other than as authorized pursuant to section 7027 of the CCPA regulations (Cal. Code. Regs., tit. 11, § 7027 (2022)).
Retention. We retain personal data only for as long as necessary to accomplish the purpose for which the information was collected, unless a longer retention period is required or permitted by law. Generally, the retention period is determined by a number of factors, including the purpose for which we use that information and our obligations under applicable laws.
California Residents’ Rights. In general, California residents have the following rights with respect to their personal data:
Submitting Requests to Know, Correct and Delete. California residents may submit requests to know, correct and delete their personal data by emailing us at Dataprivacy@hexcel.com. You can also submit a privacy request online at Webform or via phone at phone our San Ramon office at (800) 688-7734.
When you submit a request to know or delete, we will need to verify your identity before processing your request, which may require us to request additional personal data from you. In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems, or as permitted by law. Authorized agents may initiate a request on behalf of another individual by contacting us at Dataprivacy@hexcel.com; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verifies their identity and the authority of the authorized agent.
Requests to Opt Out of Sales and Sharing. California residents may submit a request to opt out of sales and sharing by us via email at Dataprivacy@hexcel.com. You may also review and manage your cookie preferences for our website as set forth in the COOKIES Section above.
Rights Under California's Shine-the-Light Law. If you are a California resident and you still believe your information has been shared or you have general questions about how your information may have been shared, you may contact us by requesting a list of the third parties to which we have disclosed personal data about you for their own direct marketing purposes. You may make one request per year. In your request, please attest to the fact that you are a California resident and provide a current California address for your response. You may request this information in writing by emailing us at Dataprivacy@hexcel.com.
Contact Us. For more information about our privacy practices, you may contact us via email at Dataprivacy@hexcel.com.