Onetrust Privacy Policy

From Websites or Events: We may collect any Personal Information that you choose to send to us or provide to us, for example, on our “Request a Demo” (or similar) online form or if you register for a OneTrust webinar. If you contact us through the Websites, we will keep a record of our correspondence.

From the Services: We receive and store information you provide directly to us. For example, when setting up new users, we collect Personal Information, such as name and e-mail address, to provide them with the Services. The types of information we may collect directly from our customers and their users include: names, usernames, email addresses, postal addresses, phone numbers, job titles, transactional information (including Services purchased), as well as any other contact or other information they choose to provide us or upload to our systems in connection with the Services.

When you use the Websites: When you visit the Websites, we collect certain information related to your device, such as your device’s IP address, referring website, what pages your device visited, and the time that your device visited our Website.

When you use the Services:

• Usage information – we keep track of user activity in relation to the types of Services our customers and their users use, the configuration of their computers, and performance metrics related to their use of the Services.
• Log information – we log information about our customers and their users when you use one of the Services including Internet Protocol (“IP”) address.
• Information collected by cookies and other similar technologies – we use various technologies to collect information which may include saving cookies to users’ computers.
• Customer Feedback – While using the Services, you may be asked to provide feedback (e.g. in the software directly or after receiving help from our support team). Providing this feedback is entirely optional.

For further information, please read the section below headed “Cookies and other Tracking Technologies”.

We will use the information we collect via our Websites:

• To administer our Website, our events and for internal operations, including troubleshooting, data analysis, testing, statistical and survey purposes;
• To improve our Website to ensure that content is presented in the most effective manner for you and for your computer;
• For trend monitoring, marketing and advertising;
• For purposes made clear to you at the time you submit your information – for example, to fulfill your request for a demo, to provide you with access to one of our webinar’s or whitepaper’s or to provide you with information you have requested about our Services; and
• As part of our efforts to keep our Website secure.

Our use of your Personal Information may be based on our legitimate interest to ensure network and information security, and for our direct marketing purposes, or you consenting to it (e.g. when you request a demo).

We may use the information we collect from our customers and their users in connection with the Services we provide for a range of reasons, including to:

• Set up a user account,
• Provide, operate and maintain the Services;
• Process and complete transactions, and send related information, including transaction confirmations and invoices;
• Manage our customers’ use of the Services, respond to enquiries and comments and provide customer service and support;
• Send customers technical alerts, updates, security notifications, and administrative communications;
• Investigate and prevent fraudulent activities, unauthorized access to the Services, and other illegal activities; and
• For any other purposes about which we notify customers and users.

We use your Personal Information in this context based on the contract that we have in place with you or our legitimate interest for security purposes (e.g. the prevention and investigation of fraudulent activities). Personal Information will be deleted based on the terms of the contract. You can exercise your rights regarding your personal information by filling out this Web Form.

We may share your information with third party vendors, consultants and other service providers who we employ to perform tasks on our behalf. These companies include (for example) our payment processing providers, website analytics companies (e.g., Google Analytics), product feedback or help desk software providers (e.g. Salesforce), CRM service providers (e.g., Salesforce), email service providers (e.g., Sendgrid) and others.
If OneTrust receives your Personal Information in the United States and subsequently transfers that information to a third party agent or service provider for processing, OneTrust remains responsible for ensuring that such third party agent or service provider processes your Personal Information to the standard required by the applicable privacy laws, including the GDPR (see the sections below headed “Additional Information for Users in the European Economic Area (“EEA”) or in the United Kingdom (“UK”)” and “International Data Transfers”).

When you attend an event or webinar organized by OneTrust (such as PrivacyConnect) we ask your preferences on sharing your contact details with the event sponsor. Based on your choice, we may share your contact details (such as your name, email address, company name and phone number) with the event sponsor. If you’d like to opt-out of sharing of your details with sponsors, you can always do so either at the time of registration, or by submitting a request.

We may choose to buy or sell assets, and may share and/or transfer customer information in connection with the evaluation of and entry into such transactions. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information could be one of the assets transferred to or acquired by a third party.

We may also share your personal data with our parent companies, subsidiaries and/or affiliates for purposes consistent with this Privacy Notice.
Protection of OneTrust and Others: We reserve the right to access, read, preserve, and disclose any information as necessary to comply with law or court order; enforce or apply our agreements with you and other agreements; or protect the rights, property, or safety of OneTrust, our employees, our users, or others.

Under certain circumstances, we may be required to disclose your Personal Information in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

OneTrust LLC’s Integrated Management System (IMS) is ISO/IEC 27001:2013 and ISO/IEC 27701:2019 certified as reflected in the certificates found here and here, respectively. The audit established the overall operational effectiveness of sample of control areas comprising OneTrust’s IMS.

OneTrust LLC and OneTrust Technology Limited have been audited and received a SOC 2 report addressing the security, confidentiality and availability of OneTrust’s services.
Unfortunately, no company or service can guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. Among other practices, your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

On some of our Websites, we also may utilize Google Analytics, a web analysis service provided by Google, to better understand your use of the Website and Services. Google Analytics collects information such as how often users visit the Websites, what pages they visit and what other sites they used prior to visiting. Google uses the data collected to track and examine the use of the Websites, to prepare reports on its activities and share them with other Google services. Google may use the data collected on the Websites to contextualize and personalize the ads of its own advertising network. Google’s ability to use and share information collected by Google Analytics about your visits to the Websites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.
Google offers an opt-out mechanism for the web available here.
Please consult the applicable Website Cookie Notice for more information about the type of cookies and tracking technologies that we use on the Website and why, and how to accept and reject them.

You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our features.

You can accept or reject cookies for our Websites through our Cookie Preference Center, accessible by clicking the “cookie settings” button in the applicable Website Cookie Notice. You can also do so by adjusting your web browser controls. Please consult the Website Cookie Notice for more information about our use of cookies on the Website and how to accept and reject them.

You can opt-out of receiving certain promotional or marketing communications from us at any time, by using the unsubscribe link in the emails communications we send, or fill out this Web Form.

If you have any account for our Services, we will still send you non-promotional communications, like service related emails.

California residents have specific rights under the California Consumer Privacy Act (‘CCPA’). For more information and to exercise your rights, please see the section headed “The California Consumer Privacy Act” below.
If you are a resident of the European Economic Area or the United Kingdom, please see the section below headed “Additional Information for users in the European Economic Area and in the United Kingdom” for further information about your privacy rights.

OneTrust LLC may transfer Personal Information from the EEA or the UK to the United States, including Personal Information we receive from individuals residing in the EEA or the UK who visit our Websites and/or who may use of our Services or otherwise interact with us. Please note that for individuals located in the EEA or the UK, the term Personal Information used in this notice is equivalent to the term “personal data” under applicable European and UK data protection laws.
When OneTrust LLC engages in such transfers of personal information, it relies on i) Adequacy Decisions as adopted by European Commission on the basis of Article 45 of Regulation (EU) 2016/679 (GDPR), or ii) Standard Contractual Clauses issued by the European Commission. The European Commission has determined that the Standard Contractual Clauses provide sufficient safeguards to protect the personal data transferred outside the EU or EEA. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. OneTrust LLC also continually monitors the circumstances surrounding such transfers in order to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR.

Following the Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield Framework in Case C-311/18, OneTrust LLC will no longer rely on the EU-US Privacy Shield as a mechanism of international data transfer until further notice.
OneTrust LLC will however remain committed to maintaining its self-certification under the EU-US Privacy Shield Principles and respect its principles, as an additional measure of protection of its users’ privacy, until further notice.

Following the opinion of the Swiss Federal Data Protection and Information Commissioner (FDPIC) of 8 september 2020, OneTrust LLC will no longer rely on the Swiss-U.S. Privacy Shield as a mechanism of international data transfer until further notice.
OneTrust LLC will however remain committed to maintaining its self-certification under the Swiss Privacy Shield Principles and respect its principles, as an additional measure of protection of its users’ privacy, until further notice.

Please note that, despite the Court of Justice of the European Union’s invalidation of the EU-US Privacy Shield Framework as a mechanism for transfers of personal data between the EU and the U.S. in Case C-311/18, OneTrust LLC intends to maintain its self-certification under the EU-US Privacy Shield Framework and remains committed to complying with the Privacy Shield Principles. For more information one the U.S. Department of Commerce’s continued administration of the Privacy Shield program, please visit https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shield-Program-Update.

This section sets out the privacy principles we follow with respect to transfers of Personal Information from the EEA or the UK to the United States, including Personal Information we receive from individuals residing in the EEA or the UK who visit our Websites and/or who may use of our Services or otherwise interact with us.
Please note that for individuals located in the EEA or the UK, the term Personal Information used in this notice is equivalent to the term “personal data” under applicable European and UK data protection laws.
OneTrust LLC complies with the EU-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information from European Union member countries and the UK. OneTrust LLC has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability with respect to such personal information. If there is any conflict between the policies in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
To learn more about the Privacy Shield program, see the US Department of Commerce’s Privacy Shield website located at https://www.privacyshield.gov. To view our certification on the Privacy Shield list, please visit https://www.privacyshield.gov/list.
In compliance with the EU-U.S. Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your Personal Information. Individuals located within the EEA or the UK with inquiries or complaints regarding this Privacy Notice should first contact OneTrust at: Andrew Clearwater, VP of Privacy, [email protected].
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint. OneTrust LLC has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
Under certain limited circumstances, individuals in the EEA or the UK may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.
OneTrust LLC is subject to the jurisdiction of the U.S. Federal Trade Commission for purposes of Privacy Shield enforcement.
Please note that OneTrust LLC is required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Please note that despite the opinion of the Swiss Federal Data Protection and Information Commissioner (FDPIC) of 8 september 2020, OneTrust LLC intends to maintain its self-certification under the Swiss Privacy Shield Framework and remains committed to complying with its Principles. For more information one the U.S. Department of Commerce’s continued administration of the Swiss Privacy Shield program, please visit https://www.privacyshield.gov/article?id=Swiss-U-S-Privacy-Shield-FAQs

We comply with the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from Switzerland to the United States. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
In compliance with the Swiss-US Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information. Swiss individuals with inquiries or complaints regarding this Privacy Notice should first contact OneTrust at: Andrew Clearwater, VP of Privacy, [email protected].
OneTrust has further committed to refer unresolved privacy complaints under the Swiss-US Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint.
Under certain limited circumstances, individuals in Switzerland may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.

We collect identifiers (such as name, address, email, phone number, job title, and transactional information), commercial information (such as a record of the services purchased or demos requested), and Internet or other electronic network activity information (such as usage information, IP address, cookie information, and customer feedback).

We use identifiers to provide the services requested, such as to fulfill a request for a demo, provide access to a webinar, or provide you with information about our services.
We use identifiers and commercial information for general website administration, which includes record keeping, troubleshooting, data analysis, testing, and survey purposes.
We use identifiers, commercial information, and Internet or other electronic network activity for trend monitoring, marketing, and advertising, as well as to ensure website security.

We collect identifiers and commercial information directly from you.
We collect Internet or other electronic network activity from your usage of the OneTrust website and its services.

OneTrust shares personal information as necessary for certain “business purposes,” as defined by the CCPA (Cal. Civ. Code 1798.140(d)). This includes sharing identifiers, commercial information and internet or other electronic network activity with providers of payment processing, customer relationship management, consulting, email, product feedback and helpdesk services.
While OneTrust does not sell personal information in exchange for any monetary consideration, we do share personal information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). This includes sharing identifiers, commercial information and internet or other electronic network activity with advertising networks, website analytics companies, and event sponsors.

While OneTrust does not sell personal information in exchange for any monetary consideration, we do share personal information for other benefits that could be deemed a “sale,” as defined by the CCPA (Cal. Civ. Code 1798.140(t)(1)). We support the CCPA and wish to provide you with control over how your personal information is collected and shared.
You have the right to direct OneTrust to not sell your personal information. Click here to learn more and to exercise your right to opt-out.
With respect to cookies, you can always customize your settings at any time.
Please note that we may still use aggregated and de-identified personal information that does not identify you or any individual; we may also retain information as needed in order to comply with legal obligations, enforce agreements, and resolve disputes.

You have the right to request disclosure about what categories of personal information OneTrust has sold or disclosed for a business purpose about you and the categories of third parties to whom the personal information was sold or disclosed. Additionally, you have the right to request disclosure of specific pieces of information. Below is a full list of the information that you can include in your request.

• The categories of personal information that OneTrust has collected about you
• The categories of sources from which OneTrust collected the personal information
• The business or commercial purpose for collecting or selling the personal information
• The categories of third parties with whom OneTrust shares personal information
• The specific pieces of personal information OneTrust has collected about you
• The categories of personal information that OneTrust disclosed about you for a business purpose
• The categories of personal information that OneTrust has sold about you, as well as the categories of third parties to whom OneTrust sold the information

If you would like to exercise your right to request disclosure, please fill out this request form. Our privacy team will examine your request and respond to you as quickly as possible.

You have the right to request that OneTrust delete any personal information about your that OneTrust has collected from you. Please note that there are exceptions where OneTrust does not have to fulfill a request to delete information, such as when the deletion of information would create problems with the completion of a transaction or compliance with a legal obligation.
If you would like to exercise your right to delete, please fill out this request form. Our privacy team will examine your request and respond to you as quickly as possible.

OneTrust will not discriminate against you (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of the rights afforded to you.

In compliance with the CCPA, we commit to resolve complaints about your privacy and our collection or use of your Personal Information. California residents with inquiries or complaints regarding this Privacy Notice should first contact OneTrust at:

Andrew Clearwater
VP of Privacy
[email protected]