Effective Date: March 15, 2021
If you are located in the European Union (“EU”), United Kingdom, Lichtenstein, Norway, or Iceland, you may have additional rights under the EU General Data Protection Regulation (the “GDPR”) with respect to your Personal Data. SailPoint processes Personal Data of our customers’ end users and employees in connection with our provision of services to these customers, making us the processor of Personal Data and those customers the controllers of the Personal Data. For more information about your potential rights under the GDPR, and to exercise such rights where applicable, please contact the controller party in the first instance.
EU-U.S. Privacy Shield: SailPoint remains committed to the Principles of the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU. These Principles are (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access and (7) recourse, enforcement and liability with respect to all Personal Data received from within the EU in reliance on the Privacy Shield. The Privacy Shield Principles require that we remain potentially liable if any third party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). SailPoint’s compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. For more information about the Privacy Shield Program, please visit www.privacyshield.gov.
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment which made the EU-U.S. Privacy Shield Framework no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Following the CJEU Decision, the Swiss Federal Data Protection and Information Commissioner also concluded that the Swiss-U.S. Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the United States. However, SailPoint continues to honor its commitments under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, along with reliance on alternative mechanisms to legitimize international personal data transfers from the European Union or Switzerland to the United States, such as by implementing standard contractual clauses and/or obtaining consent to such transfers.
- INFORMATION WE COLLECT
Personal Data is information that may be used to directly or indirectly identify you, such as your name, email address mailing address, and phone number.
Other Information is information that, by itself does not individually identify you, such as browser type, operating system, the webpages you viewed and how long you viewed them.
We may link together different types of Other Information or link Other Information to Personal Data. If linked information directly or indirectly identifies an individual person, SailPoint treats the linked information as Personal Data.
- HOW WE COLLECT INFORMATION
SailPoint collects information:
When you register for the Services: When you register for the Services, we collect your name, email address, phone number, primary address, zip code, country, and password.
When you use the Services: We may ask for contact information such as your name, address, telephone number, email address, contact preferences, employer/company, job title, country, and other information related to your interests in our Services. We collect this information so that we may: keep you informed about the SailPoint and provide you with information on our Services.
Through Server Logs: A server log is a list of the activities that a server performs. SailPoint’s servers automatically collect and store in server logs your search queries, Internet Protocol (IP) address, hardware settings, browser type, browser language, the date and time of your request and referral URL and certain cookies that identify your browser or SailPoint account.
From Your Computer, Tablet or Mobile Telephone: We collect information about your computer, tablet or mobile telephone (“Device”), such as model, operating system version, mobile network information, telephone number, internet service provider and similar identifiers. SailPoint may associate your Device information with your SailPoint account. We may collect and store information (including Personal Data) on your Device through browser web and web application data caches.
We may collect information from sensors that provide SailPoint with information on nearby devices, Bluetooth address, Wi-Fi access points and information made available by you or others that indicates the current or prior location of the user. We also may collect IP address and MAC address. How we collect this data depends on how you access the Services. Certain Services may collect this data even when you are not actively using the Services.
- DATA COLLECTION TECHNOLOGY
Data Collection Technology collects all sorts of information, such as how long you spend on various webpages in the Services, which webpages you view, your search queries, error and performance reports, as well as Device identifier or IP address, browser type, time zone and language settings and operating system.
Data Collection Technology deployed through the Services includes cookies and web beacons.
Web Beacons: A web beacon (also called a pixel tag or clear GIF) is computer code that communicates information from your device to a server. Some of SailPoint’s content and emails may contain embedded web beacons that allow a server to read certain types of information from your Device, allow us to count the number of people who have viewed content, to know when you opened an email message and the IP address of your Device. Web beacons help SailPoint develop statistical information to provide better and more personalized content.
Cookies: Cookies are small text files that are sent to or accessed from your web browser or your computer’s hard drive. A cookie typically contains the name of the domain (internet location) from which the cookie originated, the “lifetime” of the cookie (i.e., when it expires) and a randomly generated unique number or similar identifier. A cookie also may contain information about your computer, such as user settings, browsing history and activities conducted while using the Services.
The Services use the following cookies:
- Strictly necessary cookies, which are required for the operation of the Services. Without them, for example, you would not be able to register or log in for the Services that SailPoint offers.
- Analytical/performance cookies, which allow SailPoint to recognize and count the number of visitors, learn how visitors navigate the Services and improve the Services.
- Functionality cookies, which SailPoint uses to recognize you when you return to the Services.
- For more information on cookies, including how to control your cookie settings and preferences, visit http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm, https://ico.org.uk/for-the-public/online/cookies/, and http://allaboutcookies.org.
SailPoint also uses analytics services, such as Google Analytics, to collect Other Information. Generally analytics services do not identify individual users. Many analytics services allow you to opt out of data collection. For example, to learn more about Google Analytics practices and to opt out, visit www.google.com/settings/ads or by downloading the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
How SailPoint Uses Data Collection Technology: Some Data Collection Technology is deployed by SailPoint when you visit the Services. Other Data Collection Technology is deployed by third parties with which SailPoint partners to deliver the Services.
Data Collection Technology helps us improve your experience of the Services by, measuring the success of marketing campaigns, compiling statistics about use of the Services and helping us analyze technical and navigational information about the Services.
We also may use Data Collection Technology to collect information from the device that you use to access the Services, such as your operating system type, browser type, domain and other system settings, as well as the language your system uses and the country and time zone in which your computer or device is located.
Your Control of Cookies: Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you when a cookie is placed on your device. Although you are not required to accept cookies or mobile device identifiers, if you block or reject them, you may not have access to all features available through the Services.
Do Not Track: Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (“DNT”) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked. If a website that responds to a particular DNT signal receives the DNT signal, the browser can block that website from collecting certain information about the browser’s user. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including SailPoint, do not respond to DNT signals.
- HOW WE PROCESS PERSONAL DATA
SailPoint processes Personal Data:
- To set up and maintain your registration with the Services;
- To communicate with you;
- To deliver relevant content to you;
- To provide features through the Services;
- To prevent and investigate fraud and other misuses of the Services;
- To protect our rights and property;
- To operate, manage and improve the Services; and
- To ensure the technical functionality and security of the Services.
SailPoint processes Other Information:
- To administer and improve the Services and your experience on the Services;
- To analyze trends and gather broad aggregate demographic information;
- To statistically monitor how many people are using the Services or opening our emails;
- To develop, improve and protect the Services;
- For audience research;
- To audit and analyze the Services; and
- To ensure the technical functionality and security of the Services.
- HOW WE SHARE INFORMATION
We may share Personal Data collected via the Services with:
- Affiliates: We may share your Personal Data with present or future companies that, directly or indirectly, through one or more intermediaries, control, are controlled by, or are under common control with SailPoint (“Affiliates”) for use in a manner consistent with the purpose for which it was collected by us. Your information may also be transferred to one of our Affiliates in connection with any reorganization or consolidation with such Affiliates.
SailPoint may aggregate information collected though the Services and remove identifiers so that the information no longer identifies or can be used to identify an individual (“Anonymized Information”). SailPoint shares Anonymized Information with third parties (our sponsors) and does not limit third parties’ use of the Anonymized Information because it is no longer Personal Data.
Applicable law may require SailPoint to access, read, preserve, or disclose your Personal Data if: (i) reasonably necessary to comply with legal process (such as a court order, subpoena or search warrant) or other legal requirements; (ii) disclosure would mitigate SailPoint’s liability in an actual or threatened lawsuit; (iii) necessary to protect legal rights of SailPoint, users, customers, business partners or other interested parties; or (iv) necessary for the prevention or detection of crime (subject in each case to applicable law). For residents of the European Economic Area, SailPoint will disclose Personal Data only when permitted to do so under applicable European and EU Member States’ national data protection laws and regulations.
- YOUR CALIFORNIA PRIVACY RIGHTS
If you are a California resident whose Personal Data is covered by the California Consumer Privacy Act (the “CCPA”), you may have certain rights regarding Personal Data we may have collected about you, as described in this below.
Those rights include (a) the right to access specific pieces of Personal Data we have collected about you in the 12 months prior to receipt of a verified request, and (b) the right to know about the categories of Personal Data we collected about you, the categories of sources from which that information was collected, the purpose for collection, and/or the categories of Personal Data we have shared with third parties and the categories of those third parties, all within the 12 months preceding your verified request.
You may also have the right to request deletion of Personal Data we have collected about you that is covered by the CCPA, subject to various exceptions in the CCPA.
These rights to access, know about, or delete Personal Data do not apply to Personal Data we may have collected in the course of certain business-to-business transactions or in the human resources context, consistent with the CCPA.
We do not sell the Personal Data of California residents.
Submitting CCPA requests: You may submit a request for Personal Data consistent with this section by emailing us at firstname.lastname@example.org or 1-877-378-1220.
Depending on the nature of your request, we may ask you for information to verify your request and identity.
Please note that you may designate an agent to submit requests on your behalf. Any such agent will have to verify their identity and we will require separate verifiable confirmation from you that you have authorized the agent to act on your behalf.
We are a CCPA Service Provider: SailPoint primarily operates as a “service provider,” as that term is defined in the CCPA, for its customers. This means SailPoint primarily collects and/or processes Personal Data on behalf of its customers, for customers’ business purposes, pursuant to written agreements. As a service provider, we do not use, disclose or retain Personal Data collected in its capacity as a service provider other than is necessary to perform the services for its customers as described in their agreements.
If we receive a request to access, know about, or delete Personal Data we have collected in our capacity as a service provider, we will inform the requestor that we will not be responding because we are a service provider, and recommend you place your request directly to the business.
California Shine the Light Law. California Civil Code Section 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed personal information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an e-mail with “California Privacy Rights” in the subject line to the contact information listed below.
- CHILDREN’S PRIVACY
The Services are not directed to or intended for use by minors. Consistent with the requirements of applicable law, if we learn that we have received any information directly from a minor without his or her parent’s verified consent, we will use that information only to respond directly to that child (or his or her parent or legal guardian) to inform the minor that he or she cannot use the Services and subsequently will delete that information.
California Minors: While the Service is not intended for anyone under the age of 18, if you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: email@example.com. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the Content or information. Removal of your content or information from the Service does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.
- SECURITY OF PERSONAL DATA
SailPoint takes precautions intended to help protect information that we process but no system or electronic data transmission is completely secure. Any transmission of your Personal Data is at your own risk and we expect that you will use appropriate security measures to protect your Personal Data.
You are responsible for maintaining the security of your account credentials for the Services. SailPoint will treat access to the Services through your account credentials as authorized by you. Unauthorized access to password-protected or secure areas is prohibited and may lead to criminal prosecution. We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.
If we become aware of a breach that affects the security of your Personal Data, we will provide you with notice as required by applicable law. To the extent permitted by applicable law, SailPoint will provide any such notice that SailPoint must provide to you at your account’s email address. By using the Services, you agree to accept notice electronically.
We retain Personal Data in identifiable form only for as long as necessary to fulfill the purposes for which the Personal Data was provided to SailPoint or, if longer to comply with law legal obligations, to resolve disputes, to enforce agreements and similar essential purposes.
- YOUR CHOICES ABOUT YOUR PERSONAL DATA
The right to know what Personal Data we hold about you: If you would like to know the Personal Data that SailPoint maintains about you, please contact us in writing using the contact information below. If you are a registered user, you can review certain Personal Data that you provided to SailPoint by logging in to your account. If you are not a registered user, SailPoint may take reasonable steps to verify your identity before providing access to Personal Data.
The right to correct or delete Personal Data: The easiest way to correct or delete certain Personal Data that you have provided to the Services is to log in to your account and enter the necessary changes in your profile settings. If you have additional questions regarding the correction or deletion of the Personal Data we hold about you, please contact us using the contact information below. Please be reminded that we will review your request but may be restricted in our ability to change or delete your Personal Data. If the Services are made available to you by a corporate customer that is sponsoring your use of the Services, your eligibility to receive Incentives and Rewards from such parties, if any are offered, may be adversely affected by your election to remove Personal Data about you from the Services. You must contact the corporate customer directly for further information.
Data retention: We retain Personal Data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with the Services or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
For clarity, SailPoint may retain, without restriction, all Aggregate Information and user content that does not contain Personal Data.
Legal basis for processing Personal Data (EEA and Swiss visitors only): If you are a user or visitor from the European Economic Area or Switzerland, our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it.
However, we will normally collect Personal Data from you only (i) where we need the Personal Data to perform a contract with you, (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so.
If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us using the contact details provided below.
- HOW TO CONTACT US
SailPoint Technologies, Inc.
c/o Privacy Manager
11120 Four Points Dr., Suite 100
Austin, Texas 78726
You may also stop email messages and other promotional mailings by contacting us at the above address or email.
Our goal is to resolve all disputes through our internal processes. If you have a complaint regarding our collection, use, disclosure or retention of Personal Data originating from the European Economic Area or Switzerland that cannot be resolved through those processes, you may:
- submit the complaint to the relevant data protection authorities, EU Data Protection Authorities and Swiss Federal Data Protection and Information Commissioner (FDPIC) (“DPAs”); ]
- at no cost to you, resolve the complaint through JAMS using this link: https://www.jamsadr.com/eu-us-privacy-shield; or
SailPoint commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Other Policies and Agreements You May be Interested in Viewing:
SailPoint’s Standard Data Transfer Agreement