On May 25, 2018, a new, wide-ranging data privacy law, called the General Data Protection Regulation (GDPR), takes effect in the European Union (EU). The GDPR expands privacy rights granted to EU individuals, and it places new obligations on companies, such as Apttus, that market to, process or store EU personal data.
Apttus is committed to its own compliance with the GDPR, as well as that of our customers. To this end, Apttus has created a Data Processing Addendum (DPA) for our customers’ review and signature.
1. Purpose, Scope, and Introduction
2. Information We Collect and How We Use It
Personal Information is any information relating to an identified or identifiable natural person, which may include IP addresses, information contained in cookies, and navigational data. We collect Personal Information to gather data to provide and improve our Services. Personal Information also includes sixteen supplemental principles: (1) sensitive data, (2) journalistic exceptions, (3) secondary liability, (4) performing due diligence and conducting audits, (5) the role of the data protection authorities, (6) self-certification, (7) verification, (8) access, (9) human resources data, (10) obligatory contracts for onward transfers, (11) dispute resolution and enforcement, (12) choice – timing of opt-out, (13) travel information, (14) pharmaceutical and medical products, (15) public record and publicly available information, and (16) access requests by public authorities.
The types of Personal Information we collect and our privacy practices depend on the nature of the relationship you have with Apttus and the requirements of applicable law. Apttus collects Personal Information regarding its current, prospective and former customers, its customer’s clients (“Customer Data”), and visitors (collectively “Individuals”). Apttus also collects Personal Information regarding current, temporary, permanent, prospective and former employees, directors, contractors, workers or retirees of Apttus and its subsidiaries worldwide (“Employees”).
We collect, process, and store the following types of Personal Information: (1) information you explicitly provide to us by completing a form on our website; (2) information we automatically collect when you visit our website; (3) information our customers provide about themselves to obtain Services; (4) information Employees provide to us for employment purposes; and (5) information that our customers provide about other individuals that is processed by the Service.
We use this information for our own internal purposes, which are more fully explained below. We may share your information with contractually-assigned Apttus partners and any other parties required of Apttus to comply with state and federal laws. We endeavor to collect or store information only relevant for the purposes of processing. Below are the legal bases and some of the ways we collect information and how we use it.
2.1. Information We Collect, Process, and Store
The data we collect from Individuals includes information that may be deemed Personal Information, such as contact information, user name, Internet Protocol address, government identification, photo or image, and credit card and other financial information related to payments for services, collected directly from you or from an Apttus customer. We may also collect other information that is not Personal Information, such as comments you provide through https://apttus.wpengine.com and our related sites (“the Websites”), demographic information you choose to provide (e.g., your business or company information), and answers to a security question and password.
2.2. How We Collect Personal Information
Our corporate values, ethical standards, policies and practices are committed to the protection of customer information. In general, our business practices limit employee access to confidential information and limit the use and disclosure of such information to authorized persons and processes.
Here are some of the ways that we may collect former, prospective, and current customers’ Personal Information:
- Information you provide directly to us. We may collect Personal Information from you through various channels, including Personal Information you explicitly provide to us when you use the Service or engage in certain activities, such as contacting us via the Websites, responding to surveys, attending business or marketing events, or requesting Services or information, we may ask you to provide some or all of the following types of information: .
- Communications with Us. We may collect Personal Information from you, such as your contact information, when you request information about our Services, register for our newsletter, request customer or technical support, or otherwise communicate with us.
- Automatic Data Collection. As you navigate the Websites, certain passive information may also be collected, including Internet Protocol addresses, cookies, navigational data, the name of the domain and host from which you access the Internet, the browser software you use and your operating system, the date and time you access our Websites, and the Internet address of the website from which you linked directly to our Websites.
- Research/Survey Solicitations. From time to time, Apttus may perform research (online and offline) via surveys. We may engage third parties to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected will be used for research and reporting purposes to help us better serve Individuals by learning more about their needs and the quality of the products and services we provide. The survey responses may be utilized to determine the effectiveness of our Websites, various types of communications, advertising campaigns and/or promotional activities. If an Individual participates in a survey, the information given will be used along with that of other study participants. We may share anonymous individual and aggregate data for research and analysis purposes.
- Information from Customers. When you provide Personal Information to an Apttus customer, we may collect certain types of Personal Information to provide Services to the Apttus customer.
2.3. Information from Other Sources
We may collect information about you from third-party sources to supplement information provided by you. This supplemental information allows us to verify information that you have provided to us and to enhance our ability to provide you information about our business, products and Services.
How Apttus Uses your Personal Information
Depending on how you interact with us, we and our Third-Party Service Providers may also use Personal Information in a variety of ways, including:
If you are a prospective, former, or current customer:
- Providing Information and Services You Requested. We may use the Personal Information about you to provide you information that you may request, e.g. information about a service we are offering. We may also use your Personal Information to deliver Services to you, and/or when you enroll to receive the Service. Such use may include: (a) generally managing your information and accounts; (b) responding to questions, comments and requests; (c) providing access to certain areas and features of the Apttus Websites; (d) permitting you to register for events or participate in webinars; and (e) improving the quality of Apttus services.
- Marketing Products and Services. Apttus may use the Personal Information about you to provide you with materials about offers, products and services offered by us, including new content or services on Apttus Websites. Apttus may provide you with these materials by phone, postal mail, facsimile or email, as permitted by applicable law. If you do not wish us to use your Personal Information for marketing purposes, we offer the option to decline these communications at no cost to you by following the instructions under “Choice/Modalities to Opt Out.”
- Information Submitted Via Websites. You agree that we are free to use the content of any communications or other information submitted by you via the Websites, including any narratives, images, ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or services. However, we do not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a site will be published or otherwise used with your name on it; or (c) we are required to do so by law.
- Sharing Content with Friends or Colleagues. Apttus’ Websites may offer various tools and functionality. For example, we may provide functionality on Websites that will allow you to forward or share certain content with a friend or colleague. Email addresses that you may provide for a friend or colleague will be used to send your friend or colleague the content or link you request but will not be collected or otherwise used by Apttus or any other third parties for any other purpose.
- Pseudonymous Data. Including as discussed below, Apttus may use and share your anonymized or aggregated information within the Apttus group of companies or with third parties for research, analytics and any other legally permissible purposes.
- IP Addresses. When you connect to the Internet, your computer has a unique identification code called an “IP address.” Depending on the way you access the Internet, you may have a different IP address each time you connect, or your IP address may be the same each time. We log the IP addresses of users who visit our website. We use your IP address for system administration purposes, such as to help diagnose problems with our server. In addition, we may use your IP address to help identify you and to gather broad demographic information about you and the rest of the users who visit our website.
If you are our customer’s client:
- Providing Information and Services to our Customers. To provide Services to our customers, we may use Personal Information our customers provide to us, including client name, occupation/title, and signatures (digitized or other electronic signature); the kinds of Apttus service(s) the client purchased, leased or returned, and was provided to the client; and business information, including postal address, phone number, fax number, e-mail address.
If you are an Employee:
- Apttus may collect Personal Information from Employees, their contact points in case of a medical emergency, and beneficiaries under any insurance policy (collectively “Human Resources Data”).
- The Human Resources Data we collect may include title, contact information, date of birth, government-issued identification and identification numbers, financial information related to credit checks, bank details for payroll, information that may be recorded on a CV or application form, language abilities, contact information of third parties in case of an emergency and beneficiaries under any insurance policy. We may also collect Sensitive Human Resources Data such as details of health and disability, including mental health, medical leave, and maternity, paternity, or compassionate leave.
- We acquire, hold, use and process Human Resources-related Personal Information for a variety of business purposes including:
- workflow management, assigning, managing and administering projects;
- Human Resources administration and communication;
- payroll and the provision of benefits;
- compensation, including bonuses and long-term incentive administration, stock plan administration, compensation analysis, including monitoring overtime and compliance with labor laws, and company recognition programs;
- job grading activities;
- performance and employee development management;
- organizational development and succession planning;
- benefits and personnel administration;
- absence management;
- helpdesk and IT support services;
- regulatory compliance;
- internal and/or external or governmental compliance investigations;
- internal or external audits;
- litigation evaluation, prosecution and defense;
- diversity and inclusion initiatives;
- restructuring and relocation;
- emergency contacts and services;
- Employee safety;
- compliance with statutory requirements;
- processing of Employee expenses and travel charges; and
- acquisitions, divestitures and integrations.
- We may be obligated to collect certain Personal Information to comply with regulatory requirements. We may also use your Personal Information for other purposes disclosed to you at the time you provide Personal Information or with your consent.
3. Cookies, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising
3.1. Cookies
“Cookies” are a feature of web browser software that allows web servers to recognize the computer used to access a website. They are small pieces of data that are stored by a user’s web browser on the user’s hard drive. Information gathered through cookies and web server logs may include information such as the date and time of visits, the pages viewed, time spent at the website, and the websites visited just before and just after our website. Cookies can remember what information a user accesses on one web page to simplify subsequent interactions with that website by the same user or to use the information to streamline the user’s transactions on related web pages.
You can delete cookie files from your own hard drive at any time by clicking on the Privacy or History tab typically found on the Settings or Options menu in your internet browser. Please note that deleting cookies may limit access to much of the content and many of the features available on Apttus Websites.
3.2. Pixel Tags/Web Beacons
Apttus may use “pixel tags” (or “web beacons”), which are small graphic files that allow us to monitor the use of our Websites. A pixel tag can collect information such as the Internet Protocol (“IP”) address of the computer that downloaded the page on which the tag appears; the URL of the page on which the pixel tag appears; the time the page containing the pixel tag was viewed; the browser type and language; the device type; geographic location; and the identification number of any cookie on the computer previously placed by that server. When corresponding with you via HTML-capable email, we or our Third-Party Service Providers may use “format sensing” technology, which allows pixel tags to let us know whether you received and opened our email.
3.3. Analytics Information
Apttus may use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on some of our Websites, and to develop website content. This analytics data is not tied to any Personal Information. For more information about Google Analytics, please visit https://www.google.com/policies/privacy/partners/.
You can opt out of Google’s collection and processing of data generated by your use of the Services by going to https://tools.google.com/dlpage/gaoptout.
3.4. Interest-Based Advertising
Through our Websites, Apttus may allow third-party advertising partners to set tracking tools (e.g., cookies) to collect anonymous, non-Personal Information regarding your activities (e.g., your IP address, page(s) visited, time of day). We may also share such de-identified information we have collected with third-party advertising partners. These advertising partners may use this information (and similar information collected from other websites) for purposes of delivering targeted advertisements to you when you visit non-Apttus related websites within their networks. This practice is commonly referred to as “interest-based advertising” or “online behavioral advertising.”
3.5. Mobile Devices
Our mobile applications (“Apps”) may require you to log in to Third-Party Platforms, such as Salesforce or Azure. In addition, Apttus may provide websites and online resources that are specifically designed to be compatible and used on mobile devices. Apttus will collect certain information that your mobile device sends when you use such websites or online resources, like a device identifier, user settings and the operating system of your device.
3.6. Anonymous and Aggregated Information
Apttus may use your Personal Information and other information about you to create anonymized and aggregated information, such as de-identified demographic information, de-identified location information, information about the computer or device from which you access the Apttus Website or other online services, or other analyses we create. Anonymized and aggregated information is used for a variety of functions, including the measurement of visitors’ interest in and use of various portions or features of the Websites. Anonymized or aggregated information is not Personal Information, and Apttus may use such information in a number of ways, including research, internal analysis, analytics and any other legally permissible purposes. We may share this information within Apttus and with third parties for our or their purposes in an anonymized or aggregated form that is designed to prevent anyone from identifying you.
Please note that if you are a client of one of our customers and would no longer like to be contacted by an Apttus customer that uses our Service, please contact the customer that you interact with directly. Please also note that while you have the right to access personal data that we store, Apttus has no direct relationship with the individuals whose Personal Information it processes on behalf of our customers. An individual who seeks to access, correct, amend, or delete data should direct their request to the Apttus customer.
4.1. General
Where you have consented to Apttus’ processing of your Personal Information, you may withdraw that consent at any time and opt out by following the instructions in this Section. Additionally, before we use Personal Information for any new purpose not originally authorized by you, we will provide information regarding the new purpose and give you the opportunity to opt out.
Before disclosing sensitive data to a third party or processing sensitive data for a purpose other than its original purpose or the purpose authorized by you, Apttus will endeavor to obtain your explicit consent (opt-in). If your consent is otherwise required by law or contract for us to process your Personal Information, Apttus will comply with the law or contract.
4.2. Website Communications
You have the opportunity to opt out of receiving further communications from us at the time you complete the registration form on our website. Alternatively, if you initially decide to receive information from us but at a later date wish to remove your information from our database, you can do so by visiting the unsubscribe page: https://solutions.apttus25.wpengine.com/subscription-center.html
We maintain telephone “do not call” lists and “do not mail” lists as mandated by law. We process requests to be placed on do not mail, do not phone and do not contact lists within 60 days after receipt, or such shorter time as may be required by law.
4.4. Human Resources Data
With regard to Personal Information that Apttus receives in connection with the employment relationship, Apttus will use such Personal Information only for employment-related purposes as more fully described above. If Apttus intends to use this Personal Information for any other purpose, we will provide you with an opportunity to opt-out of such uses.
4.5. “Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Apttus does not recognize or respond to browser-initiated DNT signals. For information about “do-not-track”, visit https://www.allaboutdnt.org.
You can opt out of the collection and use of your information for interest-based advertising by going to https://optout.aboutads.info or https://www.youronlinechoices.eu/ to limit collection through the Websites or by configuring the settings on your mobile device to limit ad tracking through the mobile applications.
Even if you opt out, we may still collect and use non-Personal Information regarding your activities on our Websites and/or information from the advertisements on Third-Party websites for non-interest-based advertising purposes, such as to determine the effectiveness of the advertisements.
5.2. Service Providers
Apttus may share Personal Information with our service providers that we have retained to perform services on our behalf including (i) provision of IT and related services; (ii) provision of information and services you have requested; (iii) payment processing; and (iv) customer service activities. Payment information will be used and shared only to effectuate your order and may be stored by a service provider for purposes of future orders.
Apttus has executed appropriate contracts with the service providers that prohibit them from using or sharing your personal information except as necessary to perform the contracted services on our behalf or to comply with applicable legal requirements.
5.3. Business Partners
Apttus may share Personal Information with our business partners and affiliates for our and our affiliates’ internal business purposes or to provide you with a product or service that you have requested. Apttus may also provide Personal Information to business partners with whom we may jointly offer products or services, or whose products or services we believe may be of interest to you. In such cases, our business partner’s name will appear, along with Apttus’. Apttus requires our affiliates and business partners to agree in writing to maintain the confidentiality and security of Personal Information they maintain on our behalf and not to use it for any purpose other than the purpose for which it was provided.
5.4. Information Disclosed for Our Protection and the Protection of Others
We may disclose information about you: (i) if we are required to do so by law, court order or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation; (iv) to enforce Apttus policies or contracts; (v) to collect amounts owed to Apttus; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if we, in good faith, believe that disclosure is otherwise necessary or advisable.
Sometimes, we may review server logs for security purposes, e.g., to detect unauthorized activity on the Websites. In such cases, server log data containing IP addresses and other information may be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.
5.6 Liability for Onward Transfers
As further described in Section 6.2 below, we comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. As a Privacy Shield organization, we have primary responsibility for the processing of Personal Information received under the Privacy Shield and subsequently transferred to a third party acting as an agent on its behalf. We shall remain liable under the Privacy Shield Principles (available here: https://www.privacyshield.gov/EU-US-Framework) if our agent processes such Personal Information in a manner inconsistent with such principles, unless we prove that we are not responsible for the event giving rise to the damage(s).
6.1 General
All Personal Information sent or collected via or by Apttus may be stored anywhere in the world, including but not limited to, in the United States, in the cloud, our servers, the servers of our affiliates or the servers of our service providers. Your Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to Apttus, you consent to the storage of your Personal Information in these locations.
In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at: [email protected].
We have further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If neither Apttus nor our dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel.
In addition, we commit to cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship. As a Privacy Shield organization, we are also subject to the investigatory and enforcement powers of the Federal Trade Commission.
Although Apttus makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which Apttus is unable to do so, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question or where it is commercially proprietary. If Apttus determines that access should be restricted in any particular instance, we will explain why and provide a contact point for any further inquiries. To protect your privacy, Apttus will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
The security of all Personal Information provided to Apttus is important to us, and Apttus takes reasonable steps designed to protect your Personal Information. Unfortunately, no data transmission over the Internet or storage of information can be guaranteed to be 100% secure. Thus, while Apttus strives to protect your Personal Information, we cannot ensure or warrant the security of any information you transmit to Apttus, and you do so at your own risk. You are responsible for maintaining the secrecy of your own passwords. If you have reason to believe that your passwords or Personal Information is no longer secure, please promptly notify us at [email protected].
You have the ability to correct or change any information which you have previously provided by contacting us. You may change this information at any time and as often as necessary.
11.1. GDPR (General Data Protection Regulation)
Apttus and the Services endeavor to be compliant with all applicable GDPR regulations. If you are a Customer, Apttus will, upon request, agree to execute a Data Processing Addendum describing the processing of Personal Information.
11.2. Information Regarding Children
Due to the nature of Apttus’ business, services and benefits are not marketed to minors. Apttus does not knowingly solicit or collect Personal Information from children under the age of 13 (and in certain jurisdictions under the age of 16). Apttus may, however, collect Personal Information about children who are beneficiaries of Employees in the context of Human Resources Data. If we learn that we have collected Personal Information from a child under the age of 13 (and in certain jurisdictions under the age of 16) outside of the Human Resources Data context, we will promptly delete that information.
Access to Specific Information and Data Portability Rights. You have the right to request that Apttus disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable request, we will disclose to you: (i) the categories of personal information we collected about you; (ii) the categories of sources for the personal information we collected about you; (iii) our business or commercial purpose for collecting or selling that personal information; (iv) the categories of third parties with whom we share that personal information, if any; (v) the specific pieces of personal information we collected about you (also called a data portability request); (vi) if we sold or disclosed your personal information for a business purpose, two separate lists disclosing: (a) sales, identifying the personal information categories that each category of recipient purchased; and (b) disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights. You have the right to request that Apttus delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to: (i) complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (iii) debug products to identify and repair errors that impair existing intended functionality; (iv) exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (v) comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.); (vi) engage in public or peer-reviewed research in accordance with Section 1798.11.35 (d)(6) of the CCPA; (vii) enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; (viii) comply with a legal obligation; or (ix) make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights. To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to [email protected] or call us at +1 (650) 445-7700.
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (iii) provide you a different level or quality of goods or services; or (iv) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
Contact Information: If you have any questions or comments about this notice, the ways in which Apttus collects and uses your information described in this section 11.3, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Email: [email protected]
1400 Fashion Island Blvd, Suite 100, San Mateo, CA 94404
Last Updated: January 1, 2020