SugarCRM Inc. Privacy Policy

SugarCRM respects your privacy. This Privacy Policy explains how SugarCRM collects and uses personal information collected from you, through (i) our publicly available websites, (ii) SugarCRM products 

I. General Information

Websites

This Privacy Policy covers the information practices of our websites, including how SugarCRM collects, uses, shares and secures the personal information you provide. 

As used in this Privacy Policy, “personal information” or “personal data” is any data about an identified or identifiable natural person, or any information that in combination with other non-personal information can reasonably be used to identify a natural person. 

SugarCRM’s websites may contain links to other websites and applications that SugarCRM does not control. Such links do not constitute an endorsement by SugarCRM and SugarCRM does not control the content or privacy policies or practices of such sites. Any access to and use of such linked websites is governed by the privacy policies of those third parties’ websites. 

SugarOutfitters (https://www.sugaroutfitters.com/) is an online marketplace for applications that are complementary to our Services. This Privacy Policy does not apply to the use of third-party applications made available on SugarOutfitters. 

Controller

The data controller of www.sugarcrm.com and any subpages thereto (e.g., https://support.sugarcrm.com) is SugarCRM Inc., a Delaware corporation, located at 548 Market Street, PMB 59423, San Francisco, CA 94104-5401, USA. If you have any questions on this Privacy Policy or any of our data processing practices, please contact dataprivacy@sugarcrm.com or SugarCRM Inc., 548 Market Street, PMB 59423, San Francisco, CA 94104-5401, USA, c/o General Counsel. 

Personal data we collect and process (categories of data)

The type of information we collect from you depends upon the type of interactions you have with our websites and Services, including the context of your interactions with SugarCRM, the choices you make (including privacy settings) as well as the Services you use. 

You may choose to give us personal information directly in a variety of situations, such as if you request to receive information or a service from SugarCRM, if you apply for a job via our job application portal, or if you do business with us as a supplier or partner. 

We may also collect information relating to your use of our websites and our Services using various technologies. For example, when you visit our websites, we may log certain information that your browser sends, such as your IP address, browser type and language, access time, and referring website addresses. We may collect information about the pages you view within our websites and other actions you take while visiting us. In addition, some of our Services include technologies that allow us to collect certain information about product use. 

We may also collect information that pertains to you indirectly through other sources, such as vendors. When we do so, we ask the vendors to confirm that the information was legally acquired and that we have the right to obtain it from them and use it. 

SugarCRM provides customer relationship management (CRM) and other solutions and services, online and on premise, that our customers use to manage their customer relationships. In providing these tools, SugarCRM processes data our customers input to our products and/or services or that they request us to process on their behalf (“Customer Data”). SugarCRM`s customers decide what to enter. SugarCRM generally has no knowledge of the specific information being stored. Typically, the types of information include business-related information about our customers’ customers (e.g., names, business addresses, work phone numbers, work email addresses, etc.), sales prospects and leads, users of the solutions and services, customer contact information, submitted orders for our products and services, and customer billing information. SugarCRM also processes contact data such as name, email address, postal address and telephone numbers which it receives from prospect, suppliers, vendors or other third parties. Additionally, SugarCRM processes analytics data to identify trends and gain anonymized insights in the aggregate on the foregoing types of data. 

Google API Services Usage Disclosure

Our use of your information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. 

Further details can be found in Section II. 

How we use your personal data (purposes)

We collect and use your data principally for the following purposes: 

• SugarCRM processes Customer Data pursuant to our subscription agreement as well as to perform customer support activities, such as fulfilling product orders, hosting services, providing technical support, evaluating the quality of our products and services, improving product offerings, and providing technical services to customers. 
• Sugar also processes personal data to: 
  • Provide you with the information you have requested;Process, fulfill and follow up on transactions and requests for products, services, support, and information; 
  • Contact you with information about SugarCRM; 
  • Communicate, interact and build our relationship with you for purposes such as marketing and product support; 
  • Verify your authority to enter and use our Services; 
  • Engage in market research and analysis; 
  • Measure, analyze and improve our products and services, the effectiveness and user experience of our products and services and websites, and our advertising and marketing; 
  • Consider an employment application; 
  • For administrative purposes such as financial processing and management, fraud detection and prevention; 
  • For other analytics purposes as described above; 
  • Comply with legal requirements, policies and procedures; and 
  • Deter, detect, and prevent fraud and other prohibited or illegal activities. 
  • We may link or combine information we collect from multiple sources to provide better service to you and to improve our Services. Further details on our use and the legal basis can be found in Section II. 

To market our products and services, we subscribe to lead generation services that provide us with email addresses to which we may send marketing emails. We require such providers to comply with applicable data privacy laws. 

See also, Details on Processing and Legal Basis for Processing, below, for more information about the types of data we collect and process. 

Why you are required to provide personal data

In general, your provision of any personal data or granting of consent to a processing activity is entirely voluntary. However, there are certain circumstances in which SugarCRM cannot act without processing certain personal data, for example to process your orders, or to assist you with use of our Services, or to provide access to a web offering or newsletter. In these cases, it will not be possible for SugarCRM to provide what you request without the relevant personal information. In some circumstances, SugarCRM may need to terminate your ability to use the Services without access to your personal data. SugarCRM intends to notify you of whether such communication or data sharing is deemed mandatory and the impact of not sharing. 

Sharing of your personal data

SugarCRM is a global organisation with business processes, management structures and technical systems that cross borders. As such, we may share data about you with other SugarCRM entities and transfer it to countries in the world where we do business in connection with the uses identified in this Privacy Policy. Our procedures are designed to provide a globally consistent level of protection for personal information by all SugarCRM entities. 

In some cases we use suppliers located in various countries to collect, use, analyse, and otherwise process information on our behalf. We may also use third party service providers including digital marketing service providers that conduct marketing activity on our behalf. We may also use subcontractors that provide services to us in connection with providing our Services to you. We put in place contractual safeguards for the protection of your personal data with such suppliers, third party service providers and subcontractors including obligations for processing in line with applicable legal requirements to ensure compliant processing. 

We may also disclose your personal information to other business partners. Unless otherwise specified in this Privacy Policy, we will only do so with your consent. We do not in any event sell or lease any of your personal information. 

Where you post information to our wikis, forums, blogs, message boards, chat rooms, websites or other social networking environments, your information will be shared with audiences within those platforms. 

We may share your personal data based on a good faith belief that such disclosure is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the safety of any person. We may use your personal data as evidence in litigation in which we are involved, to protect the rights or safety of any person or entity, to respond to a judicial process or valid government inquiry or as otherwise required by law. 

We do not sell your personal information. 

Where we process personal data

If you choose to provide us with information, including personal data, you understand that we are storing this and/or transferring it to SugarCRM’s locations and systems in the United States or to the locations and systems of SugarCRM’s affiliates or service providers around the world. SugarCRM complies with applicable law when transferring your personal information outside of the country there the information is collected.  

We transfer personal data from the European Economic Area, the United Kingdom, and Switzerland to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. When we engage in such transfers, we use a variety of legal mechanisms, including the Data Privacy Framework Program and contracts such as the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data.  

SugarCRM complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SugarCRM has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  SugarCRM has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. 

If third-party agents process personal data on our behalf in a manner inconsistent with the principles of the Data Privacy Framework we remain liable unless we prove we are not responsible for the event giving rise to the damage. The controlled U.S. subsidiaries of SugarCRM, as identified in our self-certification submission, also adhere to the Data Privacy Framework Principles.  

https://www.privacyshield.gov/ps/program-overview

Compelled disclosure

SugarCRM may be compelled to disclose personal information in response to lawful requests by public authorities or to comply with national security or law enforcement requirements. 

Data Integrity & Security

SugarCRM employs procedural and technological measures that are reasonably designed to help protect personal information from loss, unauthorized access, disclosure, alteration, or destruction.  For example, among other measures, we have implemented physical security measures at our premises (e.g., key cards) and we have established technical safeguards such as firewalls and security patches.   

How long we retain your personal data

The duration of processing of your personal data depends on the legal basis for the processing. 

SugarCRM’s policy is to retain personal data no longer than (a) is necessary to fulfil the purposes for which the personal data is processed, (b) if processing is based on consent, until you withdraw your consent, or (c) if processing is based on a legitimate interest of SugarCRM, until you object to such processing. 

However, we will store personal data for a longer period where (a) we are required by law to retain your personal data, or (b) your personal data is required for SugarCRM to assert or defend against legal claims. In this event, we will retain your personal data until the end of the relevant retention period or until the claims in question have been settled. If you require more details with respect to the retention periods, please contact us at dataprivacy@sugarcrm.com. 

Your rights as a data subject

You can contact us directly (as set forth below) to update your personal data.  

Access, correction, deletion of personal data; Your right to be forgotten: You can request at any time the personal data SugarCRM holds about you and the correction or deletion of such personal data. SugarCRM can only delete your personal data if there is no statutory obligation or prevailing right of SugarCRM to retain it. In addition, if you request deletion of your personal data you will not be able to continue to use any Services that require the use of your personal data. 

Personal data stored in the Services: SugarCRM personnel have limited ability to access data inputted by its customers in the SugarCRM products or services, and do not have any personal relationship with the individuals whose personal data it processes on behalf of its customers.  If you wish to request access to, correct or delete, or to limit the use or disclosure of your personal data please provide us the name of the SugarCRM customer who has submitted your data into the Services. We will refer your request to that customer and will support our customer as needed in responding to your request. 

Request personal data in a portable format: If SugarCRM uses your personal data based on your consent or to perform a contract with you, you may further request from SugarCRM a copy of the personal data in a portable format that you have provided to SugarCRM and where processing is carried out by automated means. 

Restriction of processing and right to object: You can also request that SugarCRM restrict (without deleting) further processing of your personal data: (i) if you state that your personal data is incorrect, for as long as we need to verify the accuracy of the personal data, (ii) if there is no legal basis for SugarCRM to process your personal data and you demand that SugarCRM restricts your personal data from further processing instead of deleting it, (iii) if SugarCRM no longer needs your personal data but you as data subject claim that you require SugarCRM to retain such data in order to establish, exercise or defend a legal claim, or (iv) where SugarCRM processes your personal data on the basis of its legitimate interest as further detailed in Section II and you object to the processing of your personal data for as long as it is required to review whether SugarCRM has a prevailing interest or legal obligation to process your personal data. 

Please send any such requests to dataprivacy@sugarcrm.com.  

Inquiries and Right to lodge a complaint

If you believe that SugarCRM is not processing your personal data in accordance with the requirements set out herein or applicable data protection laws, you can at any time lodge a complaint with the relevant supervisory authority. 

If you have a question or complaint related to participation by Sugar in EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), we encourage you to contact us via dataprivacy@sugarcrm.com or via mail SugarCRM Inc., attn. Privacy Team, 548 Market Street PMB 59423, San Francisco, CA 94104-5401, USA. We will investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Privacy Policy. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SugarCRM commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework for more information or to file a complaint.  The services of JAMS are provided at no cost to you. 

If neither SugarCRM nor JAMS resolves your complaint, you may pursue binding arbitration through the DPF Panel. 

U.S. Federal Trade Commission enforcement

mailto:dataprivacy@sugarcrm.com SugarCRM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). 

General Data Protection Regulation (GDPR) – European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), SugarCRM Inc. has appointed SugarCRM S.R.L. as its GDPR representative in the EU.

You can contact SugarCRM S.R.L. regarding matters pertaining to the GDPR by: 

• Sending an email to dataprivacy@sugarcrm.com 
• Writing to SugarCRM S.R.L.  at 12 Ştefan cel Mare Street, Office No. 7, Dolj county, Romania 

Use of this website by children

SugarCRM recognizes the privacy interests of children, and we encourage parents and guardians to take an active role in their children’s online activities and interests. SugarCRM’s websites are not intended for children under the age of 16 and SugarCRM does not target our websites to children under 16. Also, SugarCRM’s policy is to not knowingly collect personal data from children under the age of 16. 

II. Details on Processing and Legal Basis for Processing

a. Where SugarCRM uses your personal data based on law

SugarCRM is permitted to process your personal data under applicable data protection law as follows: 

Providing the requested information or services. If you request information on our Services, order our Services or become our business partner, we typically ask you to provide your personal contact information such as name, business email address, business telephone number, company name and address, job title, role and, if payment is to be made to SugarCRM, financial and billing information, such as billing name and address, tax identification number, credit card information, bank details or other payment information. We collect and use these types of personal data only to process your order or to provide the requested Service. Specifically, this includes taking the necessary steps prior to entering into a contract, confirming your opening of an account, responding to your inquiries, processing or providing customer feedback and support, providing you with billing or shipping information, sending you (i) notice of payments, (ii) information about changes to our Services, (iii) other related notices, and (iv) disclosures as required by law. 

If you participate in tutorials and trainings or use learning tools provided by Sugar University, we may also ask you about your professional qualifications, relevant experience and education. Sugar University may also track your learning progress in order to make this information available to you. 

Ensuring compliance. SugarCRM and its Services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, SugarCRM is required to take measures to prevent entities, organizations, and parties listed on government-issued sanctioned-party lists from accessing certain products and services, technologies, and services through SugarCRM’s websites or other delivery channels controlled by SugarCRM. SugarCRM’s compliance may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists, (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates their information, (iii) blocking of access to the Services in case of a potential match, and (iv) contacting a user to confirm their identity in case of a potential match. 

General Business Relationship Communications. SugarCRM communicates on a regular basis by email with users of our Services. For resolving partner, customer or user complaints or enquiring into suspicious transactions we may also communicate by phone. 

Generally, users cannot opt out of these communications, which are not marketing-related but required for the relevant business relationship. Regarding marketing-related communication by phone or email, SugarCRM will (i) if legally required, only provide you with such communications after you have opted in, and (ii) provide you the opportunity to opt out if you do not want to receive further marketing-related types of communication from us. You can opt out of these at any time at Preference Center. 

b. Where SugarCRM uses your personal data based on SugarCRM’s legitimate interest

In addition to the use cases under applicable law, the use cases below constitute a legitimate interest of SugarCRM to process or use your personal data. If you do not agree with this approach, you may object to SugarCRM’s processing or use of your personal data as set out below under the ‘right to object” heading. 

Questionnaires and surveys. SugarCRM may invite you to participate in questionnaires and surveys. These questionnaires and surveys are generally designed in a way that can be answered without any personal data. If you nonetheless enter personal data in a questionnaire or survey, SugarCRM may use such personal data to improve its Services or for such other purposes as are specified in the questionnaire or survey. 

Usage Data. In the course of providing the Services to you, we may collect, use, process and store usage data, such as number of sessions, users, number of sessions, number of users, page views, number of page views per sessions, average session duration, bounce rate, percentage of new sessions, language of user, country, city, new versus returning users, browser type, operating system, internet service provider, IP address, screen resolution size, Service used, Service version number and mobile device brand. The usage data is collected and processed in order to create and compile anonymized, aggregated datasets and/or statistics about the Services for the following purposes: (a) to maintain and improve the performance and integrity of the Services, (b) to understand which Services are most commonly deployed and preferred by customers and how customers interact with the Services, (c) to identify the types of Services that may require additional maintenance or support, and (d) to comply with regulatory, legislative and/or contractual requirements. Please note that such aggregated datasets and statistics will not enable you or any living individual to be identified. For more details on the usage data collected please refer to our Cookie Policy. 

Critical Control Software. Our relationship management products (i.e., Sugar Sell, Sugar Serve or Sugar Market) also includes critical control software that regularly transmits certain usage data (including potential personal data such as IP address, number of records accessed, operating system, PHP version utilized on company server, time zone, number of subscription users) to us and, if applicable, an authorized partner, to verify compliance with contract terms and to improve the Services. For more details on the usage data collected please refer to our Cookie Policy. 

Relationship Intelligence Products. While providing relationship intelligence products within the Services to provide you with better service, more detailed and higher quality returned data, support service troubleshooting and performance improvement, and (b) to understand usage patterns and frequency. Supplemental usage data will not be shared with third parties except for lookup parameters which may be provided to third party content providers for the content providers to provide the enriched data response and which they may retain for optimizing their services. Any lookup data will be handled by us as a data processor on behalf of our customers. 

Product and company news/request feedback. If we have an existing business relationship with you, SugarCRM may inform you about our products or services (including webinars, seminars or events) that are similar or relate to products and services you have already purchased or used from SugarCRM. Furthermore, where you have attended a SugarCRM webinar, seminar or event or purchased products or services from SugarCRM, SugarCRM may contact you for feedback regarding the improvement of the applicable webinar, seminar, event, product or service. 

Personal data transferred in an acquisition. If we are acquired by or merged with another entity, if all or part of our assets are acquired, or in response to a bankruptcy proceeding, we may transfer your information to the acquiring entity for purposes that are similar to those for which it was originally acquired. 

Data received from SugarCRM entities. Our global entities may enter business contact details of prospects (such as name, company, title, company address, email and phone number) which have expressed an interest in receiving information about SugarCRM and the Services into SugarCRM’s customer relation management system. 

Data received from third parties. Our business partners may register leads with us in which they provide business contact details of prospects (such as name, company, title, company address, email and phone number) that have expressed an interest in receiving information about SugarCRM and our Services. We may also use such personal data to assist our business partners in responding to your request. 

We also may receive personal data from third parties such as marketing or advertising companies’ organizers of events that provide us with such information as a part of their relationship with us. Such data could include contact details (such as name, company, title, company address, email and phone number) and we use that information for evaluating a potential business relationship with you or for combining the information with personal data that we may have already collected about you. 

We also may receive data from third parties such as data suppliers to enable us to deliver an enhanced experience to our customers and prospects. Such data could include contact details (such as name, company, title, company address, email and phone number) and we use that information to enhance our data records. 

Right to object. You may object to SugarCRM using your personal data for the purposes set forth in this subsection b at any time by sending your request to dataprivacy@sugarcrm.com. If you do so, SugarCRM will cease using your personal data for such purposes and remove it from its systems unless SugarCRM is permitted to use such personal data for another purpose set out in this Privacy Policy or SugarCRM determines and demonstrates a compelling legitimate interest to continue processing your personal data. 

c. Where SugarCRM uses your personal data based on your consent

In addition to the use cases under applicable law and legitimate interests set forth above, SugarCRM may use your personal data after you have granted your consent in the following use cases. 

News about SugarCRM’s Products and Services. Where you have granted your consent, we may use your name, email address, telephone number, job title and basic information about your employer (name, address, and industry) in order to keep you up-to-date on the latest product announcements, software updates, software upgrades, special offers, and other information about SugarCRM’s Services and events (including marketing-related newsletters). 

Events. If you register for a SugarCRM event, seminar, or webinar, we may share basic participant information (typically your name, company, title, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas with your consent. We may also ask you to consent to sharing your participant information with sponsors of that event. 

In addition, we may also ask for information about special dietary requirements or other health/impairment information in connection with the registration for and provision of access to an event or seminar. Any such information is voluntary. We may not be able to take any respective precautions if you choose not to provide such information. 

Employment application. If you apply for a job (e.g., via our website), we may require you to submit additional personal information as well as a resume or curriculum vitae and other information. We encourage you to limit the personal data to the information necessary to enable us to evaluate your suitability for the position you are applying for. 

Forums and social media. You have the option to participate in blogs, forums and social media networks offered by SugarCRM or linked to our websites. If you choose to participate, you are required to register and create a user profile. User profiles provide the option to display personal information about you to other users, including but not limited to your name, photo, social media accounts, postal address, email address, telephone number, personal interests, skills, and basic information about your company. All of the information you post will be available to all visitors to our websites. SugarCRM is not responsible for the personal information you choose to submit in these forums. You are not permitted to provide any personal information about other data subjects in those forums and blogs, and we also encourage you to limit any personal information about yourself to a minimum. 

Revocation of a consent granted hereunder. 

You may at any time object to, opt out, or withdraw a consent granted hereunder by emailing  dataprivacy@sugarcrm.com. If you would like to unsubscribe from our newsletters, click here and follow the directions. 

In case of withdrawal, SugarCRM will cease processing the relevant personal data which was based on consent unless we have legal justification to reject the withdrawal. In case SugarCRM is required to retain your personal data for legal reasons, your personal data will be restricted from further processing and retained for the term required by law. Please note that any withdrawal has no effect on past processing of personal data up to the point in time of your withdrawal. Furthermore, if your use of the Services requires your consent and you have withdrawn your consent, SugarCRM will no longer be able to provide the Services to you. 

III. Cookies 

If you use our websites, we may use various website navigation information including tracking technologies such as cookies and web beacons to collect and store information from you. Website navigation information includes standard information from your Web browser (such as browser type and browser language), language choices, time zone, your Internet Protocol (IP) address, actions you take on our websites, URL and page metadata, installation data (such as the operating system type and application version), system crash information, system activity and hardware settings. We may also automatically collect and store certain information in activity logs such as: details of how you use our websites, your search queries, and your IP address. 

For more details, please see our “Cookie Policy” at https://www.sugarcrm.com/legal/cookie-policy/. 

IV. California Residents

California residents should read our SugarCRM Privacy Policy for California Residents in conjunction with this Privacy Policy. The SugarCRM Privacy Policy for California Residents explains SugarCRM’s commitment to comply with California law and applies to personal information of California residents collected in connection with the Services. 

V. Changes to Privacy Policy

We reserve the right to change, modify, add or remove portions of this Privacy Policy from time to time and in our sole discretion. Our policy is to alert you that changes have been made by indicating on the Privacy Policy the date it was last updated. 

Effective 9/11/2023