SITECORE TRUST CENTER
Summary Privacy Notice
At Sitecore, we understand the value of data and the importance of protecting it. We want to be transparent about the information we collect, and how we process, store and share it, both online and offline.
- How your information is collected
- How we use that information and why
- Who we share your information with and why
- Your privacy rights
- How we keep your information secure
- How you can contact us with any questions
The changes we have made
- Your privacy rights – We have included new privacy rights that may be applicable in your jurisdiction, but we have also included more detail on how you can make informed choices and disable features.
- More detail on who we are – So you can understand who you are sharing your information with and why, we explain who Sitecore is and what our company uses data for.
- Privacy Shield certification – Sitecore is now Privacy Shield certified. We explain what this means and how you can view our certification status.
- Organizing it into the sections listed in the WHAT THIS PRIVACY STATEMENT COVERS section, so you can easily find information;
- Providing more examples to illustrate how we process data, based on our previous and current practices;
- Providing more examples on when we will share your data, based on our previous and current practices; and
- Defining and capitalizing frequently used terms for simplicity and brevity.
What we have not changed
- We do not rent or sell your data – We only share your data with third parties, such as vendors, service providers or partners, when we need to do so. These third parties will only have access to personal information if it is necessary for them to complete their service and will be contractually required to keep it secure.
Last updated: October 19, 2018
SITECORE AND YOU
WHAT THIS PRIVACY STATEMENT COVERS
- How we Process and Handle Data. This section gives general information on how we handle data, including information we receive from you.
- Sitecore Websites. This section describes the type of data collected from the Sitecore Sites.
- Marketing Activities. This section explains that from time to time, Sitecore will reach out to you in a variety of ways to tell you about products, services and other information we believe is relevant to you.
- Our Customer Relationships. This section describes the type of data collected through the services that we provide to our customers and users. In order to use certain services, including our product support services, as a representative of an organization which is a Sitecore customer you might need to have a user account and password.
- Processing Your Personal Data. This section details the lawful basis on which we process the information we collect.
- How We Keep Your Information Secure. This section details how Sitecore secures the data that it collects, processes and stores.
- Storage and Retention of Your Information. This section explains how Sitecore stores data and how long we will keep it.
- Cross-Border Transfers of Information and the Privacy Shield. Sitecore is a global company so this section explains how we transfer data that is shared internationally.
- What is Not Covered in This Policy. This section identifies the areas that are outside the scope of this Privacy Policy and are addressed in other Sitecore policies.
- Your Privacy Rights. This section outlines how you may exercise any rights you may have under the applicable law of your jurisdiction.
We collect and use information about our web site visitors and those that interact with our products and services in order to manage your relationship with Sitecore and to better serve you by personalizing your experience and how you connect with us.
SECTION 2. HOW WE PROCESS AND HANDLE DATA
The information we collect from you depends on the nature of your relationship with us or your interaction with Sitecore’s products, services, websites and marketing events and communications. The information we collect may include both Personal Data and Other Information, as detailed below.
Cookies and Similar Technologies
In some instances, we may combine Other Information with Personal Data, such as deriving geographical location from your IP address and combining website browsing data about your usage of the Sitecore services with your name. If we combine Other Information with Personal Data, we will treat the combined information as Personal Data.
You are not required to share the Personal Data that we request. However, if you choose not to share such information, in some cases we might not be able to provide you with the Sitecore services, allow you to access certain specialized features of the Sitecore services or be able to effectively respond to any queries you may have.
Sitecore will never collect more of your Personal Data than is necessary for the intended purpose of processing that information. Some of the uses of Personal Data listed in sections 2, 3 and 4 may not be mandatory and can be controlled by you.
Please see the YOUR PRIVACY RIGHTS section below to learn more about how you can control the information Sitecore processes about you.
SECTION 3: SITECORE WEBSITES
A. What information we collect through our Sites and how we collect it
a. Information you provide to us
We collect information about you through our websites, online forms, online chat and email, for example when you request a free trial or demo or contact us via our Sites.
When you communicate with Sitecore, we will store all communications we receive unless otherwise requested by you. If you are submitting information on behalf of another individual, you are responsible for obtaining appropriate consent, including consent to share and transfer any Personal Data across borders.
b. Information we collect automatically
Log data. As with most internet technology services, our servers automatically collect information when you access or use our Sites and record it in log files. This log may include IP address, usage data, browser type, the date and time the Sites were accessed, and language preferences cookies (if enabled).
Device Information. Sitecore collects data about devices accessing the Sites, which may include the type of device, device settings, application IDs, and unique identifiers. Whether we collect any or all of this information will depend on the type of device used and how it has been configured by you.
Location Information. We receive data from you and other third parties that helps us to track an approximate device location. We may use, for example, an IP address detected by your browser or device to determine device location. We may also collect information from devices in accordance with the consent process provided by your device.
Third Parties. We use and permit select third parties to use automatic data collection tools to collect information using website tracking technologies such as cookies, web beacons, embedded URLs, pixels, widgets, buttons or other similar technologies. These can be disabled by you.
B. How we use that data
We may use the information collected for the following purposes:
- To improve the operation of the Sites;
- To engage in research and development of the Sites and Sitecore’s product offerings;
- To conduct ordinary business operations such as sales, marketing, support, education and training;
- To engage in corporate reporting and management;
- To recruit employees for Sitecore;
- To conduct market research;
- To maintain a safe and trusted environment for Sitecore employees, customers, Site visitors and members of the public; and
- To conduct other similar uses pertaining to the Sitecore Sites.
- Sharing with third party service providers. We retain third party service providers to manage or support certain aspects of our business. These third party service providers may be located globally and may provide services to us such as website hosting, data analysis, advertising and marketing services, data hosting, live-chat and helpdesk services, providing information technology infrastructure, customer service, email delivery, credit card processing, auditing and other similar services. Our third party service providers are contractually bound to safeguard any Personal Data they receive from us and they are prohibited from using such Personal Data for any purpose other than to perform the services as instructed by Sitecore.
- Sharing with ad technology providers. We may provide information we collect to ad technology providers so that they may recognize your devices and deliver interest-based content to you. The information may include your name, postal address, email, device ID, or other identifier in encrypted form. The providers may process the information in hashed or anonymized form. These providers may collect additional information from you, such as your IP address and information about your browser or operating system; may combine information about you with information from other companies in data sharing cooperatives in which we participate; and may place or recognize their own unique cookie on your browser. These cookies may contain demographic or other data in an anonymized form.
Additionally, we allow direct advertisers and other third parties (such as select retail partners) to place cookies on our Sites to allow them to show you advertisements both on and off the Sitecore Sites. We may use remarketing tags (e.g., Google, DoubleClick, Twitter) to allow our partners to advertise products which you have browsed on our site. However, we do not share any information with these advertisers and third parties that will directly identify you. By clicking on those advertisements, you are communicating with those advertisers and other third parties directly (including the ad networks, ad-serving companies, and other service providers they may in turn use).
- Complying with law / protecting legal rights. We may be required to disclose your information to comply with applicable laws (including laws outside of your country of residence), regulations, court orders, government and law enforcement requests, including national security or other law enforcement requirements. Additionally, if we reasonably believe that it is necessary or appropriate, we reserve the right to use or disclose your information to allow us to pursue available claims or remedies and protect our legal rights, property or the safety of our employees, users or others, to the extent allowed by applicable law. This includes exchanging information with companies and organizations for the purposes of fraud detection.
Sitecore maintains control of the data provided to, or collected by or for, or processed in connection with certain marketing activities, such as email communications, webinars, conferences and events. We and our third party service providers may collect information in the following ways:
A. What data we collect through our marketing activities and how we collect it
a. Information you provide to us
In addition to information submitted to Sitecore through our Sites, for example when you register for a webinar, subscribe to our email newsletter or download content (such as Sitecore whitepapers), we may also collect information from you offline, such as when you attend our events in person or during phone calls with sales representatives.
b. Information we acquire from a third party
To enhance Sitecore’s ability to provide relevant marketing, offers, and services to you, we may receive information about you from third parties, such as public databases, partners, lead generation services, and social media platforms. We also collect information from other sources to help us correct or supplement our records such as customer enrichment services, improve the quality or personalization of our services to you and to verify your identification in instances of suspected fraud or identity theft. In each instance we will only accept information from third parties where those third parties can demonstrate they have received all necessary consents to share such information with us.
B. How we use that data
We may use information that is collected through our marketing activities in the same way we use information collected through our Sites, as well as for the following purposes:
- To verify your identity if required (for example, for payment of a ticket to a Sitecore event);
- To tailor marketing to your interests, or to recommend products and services that may be of interest to you;
- To contact you with business, marketing and sales communications that you have agreed to receive such as newsletters, announcements, and special offers, or to notify you of upcoming events;
- To update and improve Sitecore services and product offerings;
- To engage in corporate reporting and management;
- To conduct market research; and
- To conduct other similar uses pertaining to Sitecore’s Marketing Activities.
We may share information that is collected through our marketing activities in the same way we share information collected through our Sites, as well as for the following purposes:
- Communicating with you regarding a Sitecore Event. We or our partners may communicate with you about events hosted or co-sponsored by Sitecore or one or more of our partners. These communications may include information about the event's content, logistics, payment, updates, or requests for additional information related to your event registration. After the event, Sitecore may contact you about the event and our related products and services and may share information about your attendance with other third parties. Sitecore may also share your information with designated event sponsors or partners who may then send you communications related to your event attendance.
Please note that, during events, our partners or conference sponsors may directly request that you provide them with information about you at their conference booths or presentations. You should review their privacy policies to learn how they use information they collect. Each event may include additional privacy protection practices and terms unique to that event, included in attendee guidebooks, the event website or sponsorship agreements.
Sitecore provides direct training and technical support through our existing customer relationships, as well as educational and marketing services to certain partners and prospective customers through secure, password-protected portals. In these relationships, where the data is still controlled by you (the customer, partner, prospective customer), Sitecore is a processor. Sitecore collects, processes and stores information throughout these processes, as follows:
A. What data we collect and how we collect it
a. Information customers and certain users provide directly through password protected portals
We collect data as registration details from you when an account is set up. We will collect the data that you share with Sitecore in the product, as based on your organization’s configuration of the Sitecore product.
We also collect data through customer and product support portals when a helpdesk ticket is submitted. As part of the product support process, customers must consent to the processing and transfer by our support team of the data they submit, including any of the customer’s end user data they may submit in the support process.
b. Information collected automatically
We may automatically collect information through our services in the same way we automatically collect information through our Sites.
c. Anonymized, aggregated data
In addition to the information you provide to us and which we collect automatically, Sitecore also collects anonymous and aggregated information about how Sitecore’s services are used, to better design and operate our Sites. As part of our operations we might also anonymize or pseudonymize your information for regulatory compliance, market analysis and other Sitecore business purposes.
B. How we use that data
Sitecore collects and uses customer information as necessary for the adequate performance of the contract between you as a customer and Sitecore, and in accordance with any instructions received and the applicable contract terms. We use customer, partner and prospective customer information collected through our password-protected portals in a number of ways.
Using Account Generated Data. Sitecore will use account generated data in furtherance of our legitimate interests in operating the Sitecore Sites. We may use information that is collected through our customer relationships in the same way we use information collected through our Sites and Marketing Activities, as well as for the following purposes:
- To verify your identity if required (for example, for security reasons to gain access to an account);
- To prevent fraudulent activities, such as fraudulent purchases;
- To provide customer support services and problem solution support and to enhance your customer experience – we use the data (which can include communications with Sitecore employees through our Customer Success team) to investigate, respond to and resolve complaints and service issues;
- To monitor license compliance;
- To provide transaction support, including fulfilment of purchased licenses and to communicate with you about those requests;
- To provide notification of bug fixes and security patches;
- To personalize service offerings and advertise to you any products which may be relevant and of interest;
- To review and respond to queries or feedback that you may provide to us;
- To process credit card information using third party processors for purchased training / events;
- To monitor calls for training and support purposes; and
- To conduct other similar uses pertaining to our relationships with Sitecore’s customers.
We may share information that is collected through our customer relationships in the same way we share information collected through our Sites, as well as for the following purposes:
- Sharing with Sitecore partners. Sitecore regularly engages third party technology and implementation partners for joint sales or product promotions. Such activities will always reference the partners involved. We contract with our partners for these activities and our partners may have access to your Personal Information, and either Sitecore or our partners may use that information to provide you with sales or product promotion information, further subject to such partners’ own privacy policies.
Sitecore relies on the following reasons for processing Personal Data:
- Consent (where you have given consent)
We process certain Personal Data based on the consent you provided when you submitted your information. Where we rely on your consent, such as your consent to receive marketing communications, you have the right to withdraw or decline your consent at any time.
- Contract (where processing is necessary for the performance of a contract with you, i.e. to deliver the Sitecore product or services you or your organization have purchased).
When information is processed under contract, you are able to terminate the contract at any time and request that information be returned to you and/or deleted.
- Legitimate interests of Sitecore or any third parties.
Legitimate interests include enabling us to conduct internal business services, such as audits, mergers and acquisitions, reporting, and improving our products and services. Personal Data will only be processed on these grounds when doing so does not outweigh your rights.
Where we rely on legitimate interests, you have the right to object at any time.
- Compliance with laws (where we are required to process information to comply with applicable laws)
If we ask you to provide Personal Data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Data is mandatory or not (as well as the possible consequences if you do not provide your information).
At Sitecore, we understand the importance of information, and the need to keep Personal Data secure. We have implemented and maintain technical, administrative and physical security measures designed to protect your information from unauthorized access, disclosure, misuse, alteration, accidental loss or destruction.
We regularly review our security procedures to maintain the confidentiality, integrity, availability and resilience of all data both online and offline. These security procedures and measures vary based on the sensitivity of the information that we collect, process and store and the current state of technology but include firewalls, data encryption, physical access controls and information access authorization controls. Sitecore has implemented an incident response plan, with a company protocol we follow in the event of any data breach. We take steps to regularly monitor our systems for vulnerabilities and to ensure that we only share information with those who need to know it.
However, no website or internet transmission is completely secure. While we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur, and we cannot warrant the security of any information that you provide to us. You are responsible for securing and maintaining the privacy of any password(s) and account registration information used with Sitecore, and verifying that the information we maintain about you is accurate and current. We are not responsible for protecting any information that we share with a third party based on an account connection that you have authorized.
We require that our third party service providers and partners agree to keep the information we share with them confidential and to use the information only to perform their obligations in the agreements we have in place with them. Sitecore has implemented internal policies to ensure that such parties are required under contract to maintain privacy and security protections which are at least as consistent with our own policies and practices.
We maintain a list of our current sub-processors of Personal Data and keep the Sitecore Trust Center updated with security and related information.
SECTION 8. STORAGE AND RETENTION OF YOUR INFORMATION
Sitecore is a global company and your information is stored on regional servers depending on your location and the locations of the servers of the companies we hire to provide services to us based on contractual requirements.
SECTION 9. CROSS BORDER TRANSFERS OF INFORMATION AND THE PRIVACY SHIELD
Sitecore has entered into and executed an agreement for the international transfer of personal information within the Sitecore group of companies ("Intra-Company Agreement") which governs the processing of your Personal Information by Sitecore entities. The Intra-Company Agreement also incorporates the European Union Model Clauses requirements for transfers of your Personal Information.
SECTION 10. WHAT IS NOT COVERED IN THIS POLICY
Sitecore Partners who provide implementation and other solution services may also gather information and you should consult those other parties’ privacy policies as appropriate as they may be applicable to you. Please also note that in using our services, we may provide links to other websites to directly provide information relevant to your use of Sitecore products. We will provide notice of when we do this. Any interactions you have with these websites are beyond the control of Sitecore. The Site provides links to websites and access to content, products and services of third parties, including users, advertisers, partners and sponsors of the Site, and such third party websites, content, products or services are governed by the respective third party’s website terms and conditions of use.
SECTION 11. YOUR PRIVACY RIGHTS
We provide you the ability to exercise certain controls and choices regarding our collection, use and sharing of your information.
Please be aware that, if you do not allow us to collect your information from you, we may not be able to deliver certain products and services to you, and some of the Sitecore services may not be able to take account of your interests and preferences.
Your choices. In accordance with applicable law, you may be entitled to exercise your rights and choices as follows:
- Account settings. You may update your profile, your account and any related information at any time to ensure that information is up to date or delete inaccuracies by [link to KB article].
- Devices and browsers. Some of our mobile services use your device’s location information. You can adjust the setting of your mobile device at any time to control whether your device communicates this location information.
- Communications from Sitecore. We may use your information to communicate with you by email, including sending you transactional or marketing emails. Sitecore enables you to opt out of marketing communications. Some communications you may receive from us are not considered marketing emails, such as communications related to product download, sales transactions, software updates and other support-related information, patches and fixes, security alerts, events for which you have registered, disclosures to comply with legal requirements, and (where permitted by law) quality assurance surveys. Such transactional emails are not subject to general opt-out. Some additional communications you may receive from our partners may also not be subject to general opt-out, including product alerts, updates, and other notices related to partner status. You can tell us to stop sending you marketing emails by clicking the unsubscribe link included at the bottom of Sitecore’s marketing emails or updating your preferences here. If you have any issues unsubscribing, you may contact us directly through here.
Sitecore adheres to applicable data protection laws in Europe which, where they apply, provide you with the following rights:
- Data Access. You may request access to the Personal Data we hold about you and request that we edit or delete them.
- Data Portability. You are entitled to request copies of Personal Data that you have provided to us in a structured, commonly used and machine-readable format and/or request that this information be transmitted to another service provider (where technically feasible).
- Deletion. You may be able to have your Personal Data deleted or erased.
- Correcting inaccurate or incomplete information. We maintain a process to help you confirm that your personal details remain correct and up-to-date.
- Manage your Information. You may choose whether or not you wish to receive material from us or some of our partners. Please let us know by contacting us.
- Withdrawing consent. If the processing of your Personal Data is based on your consent, you may withdraw your consent at any time as to future processing.
- Objecting to or restricting use of Personal Data. You can ask us to stop using all or some of your Personal Data (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if your Personal Data is inaccurate or unlawfully held).
Under California Civil Code Section 1798.83, California residents are entitled to request certain information regarding our disclosure of Personal Data to third parties for their direct marketing purposes.
You may exercise your rights above by contacting us, and we will review your request in accordance with applicable laws.
Privacy relating to minors
As a company focused on serving the needs of businesses, Sitecore does not promote or market the Sitecore services to minors and we do not knowingly collect information from minors as defined by applicable law. If we discover we have received any Personal Data from a person under the age of 13 in violation of this Policy, we will take reasonable steps to delete that information as quickly as possible.
If you believe we have any information from or about anyone under the age of 13, please contact us.
SECTION 12. UPDATES AND HOW TO CONTACT US
UPDATES TO THIS PRIVACY STATEMENT
Written inquiries may be addressed to our Chief Legal Officer at:
Chief Legal Officer
101 California Street
San Francisco, CA 94111
Phone: +1 415 380 0600
Fax: +1 415 380 0730
For European residents, we have chosen the EU Data Protection Authorities (EU DPAs) to serve as an independent recourse mechanism for dispute resolution arising from collection, use, and retention of Personal Data transferred from EU member countries to the United States. In compliance with the Privacy Shield Principles, Sitecore commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield certification or privacy practices should first contact us using the contact details above. Sitecore has further committed to cooperating and complying with relevant authorities with regard to the transfer of data from the EU and Switzerland. If you feel that you have not received a timely or satisfactory response from us to your question or complaint, you may contact your local EU DPA here or, for Swiss individuals, the Swiss Federal Data Protection and Information Commissioner (FDPIC) here (at no cost to you) for more information or to file a complaint. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.