Effective as of September 26, 2016, updated last on November 18, 2019

Scope of this Notice

SugarCRM Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, UK and Switzerland to the United States, respectively. SugarCRM Inc. has certified to the Department of Commerce that it adheres to the principles of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Principles”) with respect to personal data that it receives from its subsidiaries, customers, website visitors, and business partners in the European Economic Area (EEA) and UK.

Specifically, SugarCRM certifies compliance with the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

This Notice does not apply to SugarCRM (and its subsidiaries’) employee data.

Data processed (categories of data)

SugarCRM provides customer relationship management (CRM) and other (online) solutions and services that our customers use to manage their customer relationships. In providing these tools, SugarCRM processes data our customers input to our products and/or services or that they request us to process on their behalf (“Customer Data”). SugarCRM's customers decide what to enter. SugarCRM generally has no knowledge of the specific information being stored. Typically, the types of information include business-related information about our customers’ customers (e.g. names, business addresses, work phone numbers, work e-mail addresses etc.), sales prospects and leads, users of the solutions and services, customer contact information, submitted orders for our products and services, and customer billing information. SugarCRM also processes contact data such as name, e-mail address, postal address and telephone numbers which it receives from prospects, suppliers, vendors or other third parties. Additionally, SugarCRM processes analytics data to identify trends and gain anonymized insights in the aggregate on the foregoing types of data (“Other Personal Data”).


SugarCRM processes Customer Data pursuant to our subscription agreement as well as to perform customer support activities, such as fulfilling product orders, hosting services, providing technical support, evaluating the quality of our products and services, improving product offerings, and providing technical services to customers.  To fulfill our contractual obligations, SugarCRM may access Customer Data to provide services, to correct and address technical or service problems, to follow instructions of the customer who submitted the data, or in response to contractual requirements.

SugarCRM processes Other Personal Data  (1) to respond to requests of the data subject, (2) to communicate with data subjects about our products, services, and related issues  as permissible under applicable law, (3) for analytics purposes as described above, (4) for administrative purposes such as financial processing and management, fraud detection and prevention, and (5) to comply with our legal obligations, policies and procedures.

Third Parties who may receive personal data (Onward Transfer)

SugarCRM may engage third-party service providers to assist SugarCRM with its daily business operations. SugarCRM may also engage a limited number of third-party service providers to assist SugarCRM with providing its products/services to customers. These third-party providers may offer customer support, data storage services (data centers), assist with the transmission of data, or perform other technical operations. These third parties may access, process, or store personal data in the course of providing their services.

SugarCRM maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations. SugarCRM may be liable if the third parties fail to meet their obligations.

Compelled disclosure

SugarCRM may be compelled to disclose personal information in response to lawful requests by public authorities or to comply with national security or law enforcement requirements.

Data Integrity & Security

SugarCRM employs procedural and technological measures that are reasonably designed to help protect personal information from loss, unauthorized access, disclosure, alteration, or destruction.  For example, among other measures, we have implemented physical security measures at our premises (e.g., key cards) and we have established technical safeguards such as firewalls and security patches.  

Data access and correction, your choices for limiting use and disclosure

If you are an individual based in the EU, UK or in Switzerland and SugarCRM or our products or services holds your personal data, you may request access to your personal data. You also have the right to update, correct or delete your personal data. Also, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework require that participants offer data subjects a choice to opt out of uses and disclosures of their data that are materially different from the purposes for which that data was originally collected or subsequently authorized. SugarCRM is committed to respecting your rights.

SugarCRM personnel have limited ability to access data inputted by its customers in the SugarCRM products or services, and do not have any personal relationship with the individuals whose personal data it processes on behalf of its customers. If you wish to request access to, correct or delete, or to limit the use or disclosure of your personal data, please provide us the name of the SugarCRM customer who has submitted your data into the SugarCRM products or services. We will refer your request to that customer and will support our customer as needed in responding to your request.

Inquiries and complaints

We encourage you to direct any inquiries or complaints concerning our Privacy Shield compliance to SugarCRM Inc., attn. General Counsel, 10050 N. Wolfe Road, SW2-130, Cupertino, CA 95014, USA, or call us at (408) 454-6900, or email us at legal@sugarcrm.com. We will investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Notice. If you have a comment or concern that cannot be resolved with us directly within forty-five (45) days' time, or if our response does not address your concern, you may contact JAMS, an independent third party dispute resolution body based in the United States. JAMS has committed to respond to Privacy Shield complaints and to provide appropriate dispute resolution at no cost to you. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. If neither SugarCRM nor JAMS resolves your complaint, you may pursue binding arbitration through the Privacy Shield Panel.

U.S. Federal Trade Commission enforcement

SugarCRM’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.