SugarCRM respects your privacy. This Privacy Policy explains how SugarCRM collects and uses personal information collected from you, through (i) our publicly available websites, (ii) SugarCRM products, including Sugar, Sugar mobile, SugarCRM Hint and other add-on applications and other related services (together the “Services”), (iii) third parties, and (iv) interactions you have with our employees or affiliates.

I. General Information

Websites

This Privacy Policy covers the information practices of our websites, including how SugarCRM collects, uses, shares and secures the personal information you provide.

Personal data is any data about an identified or identifiable natural person, or any information that in combination with other non-personal information can reasonably be used to identify a natural person.

SugarCRM’s websites may contain links to other websites and applications over which SugarCRM does not have control. Such links do not constitute an endorsement by SugarCRM and SugarCRM does not control the content or privacy policies or practices of such sites. Any access to and use of such linked websites is governed by the privacy policies of those third parties’ websites.

SugarExchange (https://sugarexchange.sugarcrm.com/) is an online marketplace for applications that are complementary to our Services. This Privacy Policy does not apply to use of third party applications made available on SugarExchange.

Controller

The data controller of www.sugarcrm.com and any subpages thereto (e.g. https://support.sugarcrm.com) is SugarCRM Inc., a Delaware corporation located at 10050 N. Wolfe Rd. SW2-130, Cupertino, CA 95014, USA. If you have any questions on this Policy or any of our data processing practices, please contact dataprivacy@sugarcrm.com or SugarCRM Inc., 10050 N. Wolfe Rd. SW2-130, Cupertino, CA 95014, USA, c/o General Counsel. Our EU representative per article 27 GDPR is SugarCRM UK Ltd., Highlands House, Basingstoke Road, Spencers Wood, Reading Berkshire, England, RG7 1NT.

Personal data we collect

The type of information we collect from you depends upon the type of interactions you have with our websites and Services, including the context of your interactions with SugarCRM, the choices you make (including privacy settings) as well as the Services you use.

You may choose to give us personal information directly in a variety of situations, such as if you request to receive information or a service from SugarCRM, if you apply for a job via our job application portal, or if you do business with us as a supplier or partner.

We may also collect information relating to your use of our websites and our Services through the use of various technologies. For example, when you visit our websites, we may log certain information that your browser sends, such as your IP address, browser type and language, access time, and referring web site addresses. We may collect information about the pages you view within our websites and other actions you take while visiting us. In addition, some of our Services include technologies that allow us to collect certain information about product use.

We may also collect information that pertains to you indirectly through other sources, such as vendors. When we do so, we ask the vendors to confirm that the information was legally acquired and that we have the right to obtain it from them and use it.

Further details can be found in Section II.

How we use your personal data

We collect and use your data principally for the following purposes:

  • Provide you with the information you have requested;
  • Process, fulfill and follow up on transactions and requests for products, services, support, and information;
  • Contact you with information about SugarCRM;
  • Communicate, interact and build our relationship with you for purposes such as marketing and product support;
  • Verify your authority to enter and use our Services;
  • Engage in market research and analysis;
  • Measure, analyze and improve our products and services, the effectiveness and user experience of our websites, and our advertising and marketing;
  • Consider an employment application;
  • Comply with legal requirements; and
  • Deter, detect, and prevent fraud and other prohibited or illegal activities.

We may link or combine information we collect from multiple sources to provide better service to you and to improve our Services. Further details on our use and the legal basis can be found in Section II.

Why you are required to provide personal data

In general, your provision of any personal data or granting of consent to a processing activity is entirely voluntary. However, there are certain circumstances in which SugarCRM cannot take action without processing certain personal data, for example to process your orders, or to assist you with use of our Services, or to provide access to a web offering or newsletter. In these cases, it will not be possible for SugarCRM to provide what you request without the relevant personal information. In some circumstances, SugarCRM may need to terminate your ability to use the Services without access to your personal data. SugarCRM intends to notify you of whether such communication or data sharing is deemed mandatory and the impact of not sharing.

Sharing of your personal data

SugarCRM is a global organisation with business processes, management structures and technical systems that cross borders. As such, we may share data about you with other SugarCRM entities and transfer it to countries in the world where we do business in connection with the uses identified in this Privacy Policy. Our procedures are designed to provide a globally consistent level of protection for personal information by all SugarCRM entities.

In some cases we use suppliers located in various countries to collect, use, analyse, and otherwise process information on our behalf. We may also use subcontractors which provide services to us in connection with providing our Services to you. We put in place contractual safeguards for the protection of your personal data with such suppliers, including obligations for processing in line with applicable legal requirements.

We may also disclose your personal information to other business partners. Unless otherwise specified in this Privacy Policy, we will only do so with your consent. We do not in any event sell or lease any of your personal information.

Where you post information to our wikis, forums, blogs, message boards, chat rooms, websites or other social networking environments, your information will be shared with audiences within those platforms.

We may share your personal data based on a good faith belief that such disclosure is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the safety of any person. We may use your personal data as evidence in litigation in which we are involved, to protect the rights or safety of any person or entity, to respond to a judicial process or valid government inquiry or as otherwise required by law.

Where we process personal data

If you choose to provide us with information, including personal data, you understand that we are storing this and/or transferring it to SugarCRM’s locations and systems in the United States or to the locations and systems of SugarCRM’s affiliates or service providers around the world. SugarCRM complies with applicable law when transferring your personal information outside of the country there the information is collected. For data originating from a European Union member state, SugarCRM uses a variety of data transfer mechanisms (including standard contractual clauses) for this purpose.

SugarCRM has also certified under the EU- U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. The EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield address the collection, protection, storage, transfer, use and other processing of data transferred from the European Economic Area and Switzerland to the United States. To learn more about SugarCRM’s certification, please visit the Privacy Shield website https://www.privacyshield.gov/participant?id=a2zt0000000TNjnAAG and refer to our Privacy Shield Notice.

How long we retain your personal data

The duration of processing of your personal data depends on the legal basis for the processing.

SugarCRM’s policy is to retain personal data no longer than (a) is necessary to fulfil the purposes for which the personal data is processed, (b) if processing is based on consent, until you withdraw your consent, or (c) if processing is based on a legitimate interest of SugarCRM, until you object to such processing.

However, we will store personal data for a longer period where (a) we are required by law to retain your personal data or (b) your personal data is required for SugarCRM to assert or defend against legal claims. In this event, we will retain your personal data until the end of the relevant retention period or until the claims in question have been settled. If you require more details with respect to the retention periods, please contact us at dataprivacy@sugarcrm.com.

Your rights as a data subject

You can contact us directly (as set forth below) to update your personal data.

Access, correction, deletion of personal data: You can request at any time the personal data SugarCRM holds about you and the correction or deletion of such personal data. SugarCRM can only delete your personal data if there is no statutory obligation or prevailing right of SugarCRM to retain it. In addition, if you request deletion of your personal data you will not be able to continue to use any SugarCRM Services that require the use of your personal data.

Request personal data in a portable format: If SugarCRM uses your personal data based on your consent or to perform a contract with you, you may further request from SugarCRM a copy of the personal data in a portable format that you have provided to SugarCRM and where processing is carried out by automated means.

Restriction of processing and right to object: You can also request that SugarCRM restrict (without deleting) further processing of your personal data: (i) if you state that your personal data is incorrect, for as long as we need to verify the accuracy of the personal data, (ii) if there is no legal basis for SugarCRM to process your personal data and you demand that SugarCRM restricts your personal data from further processing instead of deleting it, (iii) if SugarCRM no longer needs your personal data but you as data subject claim that you require SugarCRM to retain such data in order to establish, exercise or defend a legal claim, or (iv) where SugarCRM processes your personal data on the basis of its legitimate interest as further detailed in Section II and you object to the processing of your personal data for as long as it is required to review whether SugarCRM has a prevailing interest or legal obligation to process your personal data.

Please send any such requests to dataprivacy@sugarcrm.com.

Right to lodge a complaint

If you believe that SugarCRM is not processing your personal data in accordance with the requirements set out herein or applicable data protection laws, you can at any time lodge a complaint with the relevant supervisory authority.

Use of this website by children

SugarCRM recognizes the privacy interests of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. SugarCRM’s websites are not intended for children under the age of 16 and SugarCRM does not target our websites to children under 16. Also, SugarCRM’s policy is to not knowingly collect personal data from children under the age of 16.

Details on Processing and Legal Basis for Processing

a. Where SugarCRM uses your personal data based on law

SugarCRM is permitted to process your personal data under applicable data protection law as follows:

Providing the requested information or services. If you request information on our Services, order our Services or become our business partner, we typically ask you to provide your personal contact information such as name, business email address, business telephone number, company name and address, job title, role and, if payment is to be made to SugarCRM, financial and billing information, such as billing name and address, tax identification number, credit card information, bank details or other payment information. We use the personal data only to process your order or to provide the requested Service. Specifically, this includes: taking the necessary steps prior to entering into a contract, confirming your opening of an account, responding to your inquiries, processing or providing customer feedback and support, providing you with billing or shipping information, sending you (i) notice of payments, (ii) information about changes to our Services, (iii) other related notices and (iv) disclosures as required by law.

If you participate in tutorials and trainings or use learning tools provided by Sugar University, we may also ask you about your professional qualifications, relevant experience and education. Sugar University may also track your learning progress in order to make this information available to you.

Ensuring compliance. SugarCRM and its Services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, SugarCRM is required to take measures to prevent entities, organizations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SugarCRM’s websites or other delivery channels controlled by SugarCRM. SugarCRM’s compliance may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SugarCRM’s Services in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match.

General Business Relationship Communications. SugarCRM communicates on a regular basis by email with users of our Services. For resolving partner, customer or user complaints or enquire into suspicious transactions we may also communicate by phone.

Generally, users cannot opt out of these communications, which are not marketing-related but required for the relevant business relationship. With regard to marketing-related communication by phone or e-mail, SugarCRM will (i) if legally required, only provide you with such communications after you have opted in, and (ii) provide you the opportunity to opt out if you do not want to receive further marketing-related types of communication from us. You can opt out of these at any time at Preference Center.

b. Where SugarCRM uses your Personal Data based on SugarCRM’s legitimate interest

In addition to the use cases under applicable law, the use cases below constitute a legitimate interest of SugarCRM to process or use your personal data. If you do not agree with this approach, you may object to SugarCRM’s processing or use of your personal data as set out below under the ‘right to object” heading.

Questionnaires and surveys. SugarCRM may invite you to participate in questionnaires and surveys. These questionnaires and surveys are generally designed in a way that they can be answered without any personal data. If you nonetheless enter personal data in a questionnaire or survey, SugarCRM may use such personal data to improve its Services.

Usage Data. In the course of providing our Services to you, we may collect, use, process and store usage data such as number of sessions, users, number of sessions, number of users, page views, number of page views per sessions, average session duration, bounce rate, percentage of new sessions, language of user, country, city, new versus returning users, browser type, operating system, internet service provider, IP address, screen resolution size, Service used, Service version number and mobile device brand. The usage data is collected and processed in order to create and compile anonymized, aggregated datasets and/or statistics about the Services for the following purposes: (a) to maintain and improve the performance and integrity of our Services, (b) to understand which Services are most commonly deployed and preferred by customers and how customers interact with our Services, (c) to identify the types of Services that may require additional maintenance or support, and (d) to comply with regulatory, legislative and/or contractual requirements. Please note that such aggregated datasets and statistics will not enable you or any living individual to be identified. For more details on the usage data collected please refer to our Cookie Policy.

Critical Control Software. Our relationship management product (ie Sugar) also includes critical control software that regularly transmits certain usage data (including potential personal data such as IP address, number of records accessed, operating system, PHP version utilized on company server, time zone, number of subscription users) to us and, if applicable, an authorized partner, to verify compliance with contract terms and to improve the Services. For more details on the usage data collected please refer to our Cookie Policy.

Relationship Intelligence Products. In the course of providing relationship intelligence products (which includes SugarCRM Hint) to you, we may collect supplemental usage data. Supplemental usage data includes without limitation IP address, company identifier, browser type, browser language and locale, operating system, device type, date and time of request, user id, and the person or company name being looked up by the relationship intelligence product. The supplemental usage data may be used for the following purposes: (a) provide you with better service, more detailed and higher quality returned data, support service troubleshooting and performance improvement, and (b) understand usage patterns and frequency. Supplemental usage data will not be shared with third parties except for lookup parameters which may be provided to third party content providers in order for the content providers to provide the enriched data response and which they may retain for optimizing their services. Any lookup data will be handled by us as a data processor on behalf of our customers.

Product and company news/request feedback. If we have an existing business with you, SugarCRM may inform you about our products or services (including webinars, seminars or events) which are similar or relate to such products and services you have already purchased or used from SugarCRM. Furthermore, where you have attended a webinar, seminar or event of SugarCRM or purchased products or services from SugarCRM, SugarCRM may contact you for feedback regarding the improvement of the relevant webinar, seminar, event, product or service.

Personal data transferred in an acquisition. If we are acquired by or merged with another entity, if all or part of our assets are acquired, or in response to a bankruptcy proceeding, we may transfer your information to the acquiring entity for purposes that are similar to those for which it was originally acquired.

Data received from SugarCRM entities. Our global entities may enter business contact details of prospects (such as name, company, title, company address, e-mail and phone number) which have expressed an interest in receiving information about SugarCRM and our Services into SugarCRM’s customer relation management system.

Data received from third parties. Our business partners may register leads with us in which they provide business contact details of prospects (such as name, company, title, company address, e-mail and phone number) which have expressed an interest in receiving information about SugarCRM and our Services. We may also use such personal data to assist our business partners in responding to your request.

We also may receive personal data from third parties such as marketing or advertising companies organizers of events that provide us with such information as a part of their relationship with us. Such data could include contact details (such as name, company, title, company address, e-mail and phone number) and we use that information for evaluating a potential business relationship with you or for combining the information with personal data that we may have already collected about you.

Right to object. You may object to SugarCRM using your personal data for the purposes set forth in this subsection b at any time by sending your request to dataprivacy@sugarcrm.com. If you do so, SugarCRM will cease using your personal data for such purposes and remove it from its systems unless SugarCRM is permitted to use such personal data for another purpose set out in this Privacy Policy or SugarCRM determines and demonstrates a compelling legitimate interest to continue processing your personal data.

c. Where SugarCRM uses your personal data based on your consent

In addition to the use cases under applicable law and legitimate interests set forth above, SugarCRM may use your personal data after you have granted your consent in the following use cases.

News about SugarCRM’s Products and Services. Where you have granted your consent, we may use your name, email address, telephone number, job title and basic information about your employer (name, address, and industry) in order to keep you up-to-date on the latest product announcements, software updates, software upgrades, special offers, and other information about SugarCRM’s Services and events (including marketing-related newsletters).

Events. If you register for a SugarCRM event, seminar, or webinar, we may share basic participant information (typically your name, company, title, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas with your consent. We may also ask you to consent to sharing your participant information with sponsors of that event.

In addition, we may also ask for information about special dietary requirements or other health/impairment information in connection with the registration for and provision of access to an event or seminar. Any such information is voluntary. We may not be able to take any respective precautions if you choose not to provide such information.

Employment application. If you apply for a job (eg via our website), we may require you to submit additional personal information as well as a resume or curriculum vitae and other information. We encourage you to limit the personal data to the information necessary to enable us to evaluate your suitability for the position you are applying for.

Forums and social media. You have the option to participate in blogs, forums and social media networks which may be offered by SugarCRM or linked to our websites. If you choose to participate, you are required to register and create a user profile. User profiles provide the option to display personal information about you to other users, including but not limited to your name, photo, social media accounts, postal address, email address, telephone number, personal interests, skills, and basic information about your company. All of the information that you post will be available to all visitors to our websites. SugarCRM is not responsible for the personal information you choose to submit in these forums. You are not permitted to provide any personal information about other data subjects in those forums and blogs, and we also encourage you to limit any personal information about yourself to a minimum.

Revocation of a consent granted hereunder.

You may at any time object to, opt out and withdraw a consent granted hereunder by e-mailing dataprivacy@sugarcrm.com. If you would like to unsubscribe from our newsletters, click here and follow the directions.

In case of withdrawal, SugarCRM will cease processing the relevant personal data which was based on consent unless we have legal justification to reject the withdrawal. In case SugarCRM is required to retain your personal data for legal reasons, your personal data will be restricted from further processing and retained for the term required by law. Please note that any withdrawal has no effect on past processing of personal data up to the point in time of your withdrawal. Furthermore, if use of our Services requires your consent and you have withdrawn your consent, SugarCRM will no longer be able to provide the Services to you.

III. Cookies

If you use our websites, we may use various website navigation information including tracking technologies such as cookies and web beacons to collect and store information from you. Website navigation information includes: standard information from your Web browser (such as browser type and browser language), language choices, time zone, your Internet Protocol (IP) address, actions you take on our websites, URL and page metadata, installation data (such as the operating system type and application version), system crash information, system activity and hardware settings. We may also automatically collect and store certain information in activity logs such as: details of how you use our websites, your search queries, and your IP address.

For more details please see our “Cookie Policy” at https://www.sugarcrm.com/legal/cookie-policy.

IV. Changes to Privacy Policy

We reserve the right to change, modify, add or remove portions of this Privacy Policy from time to time and in our sole discretion. Our policy is to alert you that changes have been made by indicating on the Privacy Policy the date it was last updated.