Effective Date: February 22nd, 2021
Transfers to the United States
The Services are hosted and operated in the United States (“U.S.”) through SailPoint and its service providers. By using the Services, you acknowledge that Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to SailPoint in the U.S. and will be hosted on U.S. servers, and you authorize SailPoint to transfer, store and process your information to and in the U.S., and possibly other countries. You hereby consent to the transfer of your data to the U.S. as set forth herein, which consent may be withdrawn at any time.
If you are located in the European Union (“EU”), United Kingdom, Liechtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data. SailPoint processes Personal Data of our customers’ end users and employees in connection with our provision of services to these customers, making us the processor of Personal Data and those customers the controllers of the Personal Data. For more information about your potential rights under the GDPR, and to exercise such rights where applicable, please contact the controller party in the first instance.
EU-U.S. Privacy Shield
SailPoint remains committed to the Principles of the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU. These Principles are (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access and (7) recourse, enforcement and liability with respect to all Personal Data received from within the EU in reliance on the Privacy Shield. The Privacy Shield Principles require that we remain potentially liable if any third party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). SailPoint’s compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. For more information about the Privacy Shield Program, please visit www.privacyshield.gov.
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment which made the EU-U.S. Privacy Shield Framework no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Following the CJEU Decision, the Swiss Federal Data Protection and Information Commissioner also concluded that the Swiss-U.S. Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the United States. However, SailPoint continues to honor its commitments under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, along with reliance on alternative mechanisms to legitimize international personal data transfers from the European Union or Switzerland to the United States, such as by implementing standard contractual clauses and/or obtaining consent to such transfers.
Notice of What Information We Collect and How We Use It
What Information Do We Collect?
The information we gather enables us to provide, personalize, improve and continue to operate the Services. In connection with certain aspects of the Services, we may request, collect and/or display some of your Personal Data. We collect the following types of information from our users.
When you create an Account, you will provide information that could be Personal Data, such as your username, password and email address. Additionally, if you register for or access the Services using a Third Party Service (such as your Google Apps account login credentials), we may receive Personal Data that you have made available to share through such Third Party Service, which may include, without limitation, your user ID, email, name, and image. We may use your contact information to send you information about our Services. You may unsubscribe from some of these messages through your Account settings, although we reserve the right to continue contacting you when we believe it is necessary, such as for account recovery purposes.
The Services collect data about your computer usage (“Usage Data”) and also integrate with Third Party Services, including your browser and other software applications, that collect Usage Data. For example, browser plug-ins may record your IP address and browsing history, and APIs may record information about how you use our Services and various Third Party Services. This information may be Personal Data or may be linked to your Account or other Personal Data like your name. We use Usage Data for reasons such as to provide the Services to your employer, to generate Aggregate Information (as defined below), and to improve our Services.
Some features of the Services allow you to provide content to the Services, such as written comments. All content submitted by you to the Services may be retained by us indefinitely, even after you terminate your account. We may continue to disclose such content to third parties in a manner that does not reveal Personal Data.
IP Address Information and Other Information Collected Automatically:
- We automatically receive and record information from your web browser when you interact with the Services, including your IP address and cookie information. This information is used for fighting spam/malware and also to facilitate collection of data concerning your interaction with the Services (e.g., what links you have clicked on).
- Generally, the Services automatically collect usage information, such as the number and frequency of visitors to the Site. We may also use this data in aggregate form. This type of data enables us and third parties authorized by us to figure out how often individuals use parts of the Services so that we can analyze and improve them.
- We may collect some device-specific information if you access the Services using a mobile device. Device information may include but is not limited to unique device identifiers, network information, and hardware model, as well as information about how the device interacts with our Services.
We may receive a confirmation when you open an email from us. We use this confirmation to improve our customer service.
- Essential Cookies. Essential cookies are required for providing you features or services that you have requested. For example, certain cookies enable you to log into secure areas of our Site. Disabling these cookies may make certain features and services unavailable.
- Functionality Cookies. Functional cookies are used to record your choices and settings regarding our Services, maintain your preferences over time, and recognize you when you return to our Services. These cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Performance/Analytical Cookies. Performance/analytical cookies allow us to understand how visitors use our Site and Services such as by collecting information about the number of visitors to the Site, what pages visitors view on our Site, and how long visitors are viewing pages on the Site. Performance/analytical cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services’ content for those who engage with our advertising.
- Retargeting/Advertising Cookies. Retargeting/advertising cookies collect data about your online activity and identify your interests so that we can provide advertising that we believe is relevant to you.
- Most browsers automatically accept cookies but have an option for blocking or deleting cookies, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new cookie in a variety of ways. You can usually access these options through the “Settings” or similar menu in your browser. For more information about cookies, including how to see what cookies have been set and how to manage and delete cookies, visit http://www.aboutcookies.org/ or http://www.allaboutcookies.org/. Please note that if you block or delete cookies, some portions of the Services may not work properly. In some cases, cookies may enable us to aggregate certain information with other Personal Data we collect and hold about you.
- SailPoint may also use tracking technologies that record information such as Internet domain and host names; Internet protocol (IP) addresses; browser software and operating system types; clickstream patterns; and dates and times that any Site is accessed by visitors. SailPoint may also analyze information for trends and statistics, such as through the use of Google Analytics or other similar analytics services.
Services and their computers (“Aggregate Information”). Some of this information is derived from Personal Data and Usage Data, but as part of Aggregate Information it is not Personal Data and cannot be tied back to you, your Account or your web browser.
Legal basis for processing Personal Data (EEA and Swiss visitors only)
If you are a user or visitor from the European Economic Area or Switzerland, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it.
However, we will normally collect Personal Data from you only (i) where we need the Personal Data to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so.
If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us using the contact details provided below.
How, and With Whom, is My Information Shared?
The Services are designed to share your Usage Data with your employer. As a result, some of the information generated through the Services is shared with your employer.
Your Usage Data may be connected with your Personal Data and shared with your employer.
IP Address Information:
Information You Elect to Share:
We share Aggregate Information with our partners, service providers and other persons with whom we conduct business. We share this Aggregate Information so that our partners can understand how and how often people use our Services and their services or websites, which facilitates improving both their services and how our Services interface with them.
User Profile Information:
User profile information including your username and other information you enter may be displayed to other users to facilitate user interaction within the Services. Your account and profile information may also be shared with your employer.
Information Shared with Our Service Providers:
We employ and contract with people and other entities that perform certain tasks on our behalf (our “Service Providers”). We may need to share Personal Data with our Service Providers in order to provide products or services to you. Unless we tell you differently, our Service Providers do not have any right to use Personal Data or other information we share except in connection with their services to us. You hereby consent to our sharing of Personal Data with our Service Providers.
Information Disclosed Pursuant to Business Transfers:
In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. Moreover, if we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your Personal Data as set forth in this policy.
We may share your Personal Data with present or future companies that, directly or indirectly, through one or more intermediaries, control, are controlled by, or are under common control with SailPoint (“Affiliates”). Your information may also be transferred to one of our Affiliates in connection with any reorganization or consolidation with such Affiliates.
Information Disclosed for Our Protection and the Protection of Others:
Information We Share With Your Consent:
Except as set forth above, you will be notified when your Personal Data may be shared with third parties, and will be able to prevent the sharing of this information.
Is Information About Me Secure?
Your Account information will be protected by a password for your privacy and security. It is your responsibility to prevent unauthorized access to your Account and Personal Data by selecting and protecting your password appropriately and limiting access to your computer and browser by signing off after you have finished accessing your Account. If your password is compromised, you agree to notify us as promptly as is practicable.
We seek to protect Account information and take commercially reasonable steps to ensure that it is kept private; however, we cannot guarantee the security of any Account information. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.
We otherwise store all of our information, including your IP address information, using industry-standard techniques. We do not guarantee or warrant that such techniques will prevent unauthorized access to information about you that we store, Personal Data or otherwise.
What Information of Mine Can I Access?
You can access certain information associated with your Account by logging into the Services.
How Can I Delete My Account?
Should you ever wish to delete your Account, please contact your employer.
We retain Personal Data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with the Services or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
For clarity, SailPoint may retain, without restriction, all Aggregate Information and user content that does not contain Personal Data.
What Choices Do I Have Regarding My Information?
- You can request that your employer deletes your Account. If your employer deletes your Account, it would limit the use and disclosure of your Personal Data, and any association between your Account and information we store will no longer be accessible through your Account. However, given the nature of sharing on the Services, any activity on your Account prior to deletion will remain stored on our servers and will remain accessible.
- You can opt not to disclose certain information to us, but please note that certain information may be needed to take advantage of some of our features.
- You may manage the sharing of certain Personal Data when you register with us through a Third Party Service, such as by using your Google Apps account login credentials. Please refer to the privacy settings of the Third Party Service to determine how you may adjust our permissions and manage the interactivity between the Services and the Third Party Service.
- You can opt-out of certain cookies and tracking technologies by following the steps set forth in the section titled “IP Address Information and Other Information Collected Automatically” above.
- Your browser may offer you a “Do Not Track” or “DNT” option, which allows you to signal to operators of websites, and web applications, and services that you do not wish such operators to track certain of your online activities over time and across different websites. The Services do not support Do Not Track requests at this time, which means that we may collect information about your online activity both while you are using the Services and after you leave our properties. This is just our Do Not Track policy, and we can’t and don’t make any promises about how third parties react when you set this signal on your browser.
- If you wish to make a request to access, correct, update or delete your Personal Data, you can do so at any time by contacting us using the contact details provided below. If you are a California resident or a resident of the European Economic Area or Switzerland, see below for additional information.
- You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), please contact us using the contact details provided below.
If you are a resident of the European Economic Area or Switzerland, you can also:
- Object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request portability of your Personal Data. Again, you can exercise these rights by contacting us using the contact details provided below.
- Similarly, if we have collected and process your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
Your California Privacy Rights
If you are a California resident whose Personal Data is covered by the California Consumer Privacy Act (the “CCPA”), you may have certain rights regarding Personal Data we may have collected about you, as described in this section below.
Those rights include (a) the right to access specific pieces of Personal Data we have collected about you in the 12 months prior to receipt of a verified request, and (b) the right to know about the categories of Personal Data we collected about you, the categories of sources from which that information was collected, the purpose for collection, and/or the categories of Personal Data we have shared with third parties and the categories of those third parties, all within the 12 months preceding your verified request.
You may also have the right to request deletion of Personal Data we have collected about you that is covered by the CCPA, subject to various exceptions in the CCPA.
These rights to access, know about, or delete Personal Data do not apply to Personal Data we may have collected in the course of certain business-to-business transactions or in the human resources context, consistent with the CCPA.
We do not sell the Personal Data of California residents.
Submitting CCPA requests
You may submit a request for Personal Data consistent with this section by emailing us at [email protected] or 1-877-378-1220.
Depending on the nature of your request, we may ask you for information to verify your request and identity.
Please note that you may designate an agent to submit requests on your behalf. Any such agent will have to verify their identity and we will require separate verifiable confirmation from you that you have authorized the agent to act on your behalf.
We are a CCPA Service Provider
SailPoint primarily operates as a “service provider,” as that term is defined in the CCPA, for its customers. This means SailPoint primarily collects and/or processes Personal Data on behalf of its customers, for customers’ business purposes, pursuant to written agreements. As a service provider, we do not use, disclose or retain Personal Data collected in our capacity as a service provider other than as necessary to perform the services for our customers as described in their agreements.
If we receive a request to access, know about, or delete Personal Data we have collected in our capacity as a service provider, we will inform the requestor that we will not be responding because we are a service provider, and recommend that the requestor place the request directly with the business.
Shine the Light
Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request to the address set forth below under “Contact Information.”
Children’s Personal Data Policy
SailPoint does not knowingly solicit or sell any Personal Data from children under the age of 16. If SailPoint is made aware that SailPoint has collected Personal Data from a child under 16 years old in a manner that is inconsistent with the Children’s Online Privacy Protection Act of the United States, then SailPoint will delete this information as soon as practicable.
SailPoint Technologies, Inc.
c/o Privacy Manager
11120 Four Points Dr.
Austin, Texas 78726
You may also stop email messages and other promotional mailings by contacting us at the above address or email.
Our goal is to resolve all disputes through our internal processes. If you have a complaint regarding our collection, use, disclosure or retention of Personal Data originating from the European Economic Area or Switzerland that cannot be resolved through those processes, you may:
(1) submit the complaint to the relevant data protection authorities, EU Data Protection Authorities and Swiss Federal Data Protection and Information Commissioner (FDPIC) (“DPAs”);
(2) at no cost to you, resolve the complaint through JAMS using this link: https://www.jamsadr.com/eu-us-privacy-shield; or