EN globe icon
user icon
What can we help you find? Trust Global Privacy Program Exari Privacy Policy

Exari Privacy Policy

Revised: 05 March 2021

This Policy is effective as of March 5, 2021.

Welcome to the Exari Privacy Policy (“Privacy Policy”). We take the security of your information seriously and work hard to maintain secure services for your use.  Exari Group, Inc. and its affiliates (who are named at the end of this Policy) (collectively, “Exari,” “we,” or “us”), provide document creation, automation and management software and related services. This Privacy Policy is intended to better help you understand our practices regarding information collected, including through (i) our products and services, and (ii) any other digital properties that we own or control (collectively, the “Exari Services” or “Services”). This Privacy Policy describes how Exari collects, processes, shares and retains the personal information (or in the EU/Switzerland: “personal data”) you provide to us; how you can access and correct it; how to make a privacy complaint; and how we handle privacy complaints.

When you interact with the Exari Services, you consent to such collection, processing, sharing and retaining of information (including personal information/personal data) as described in this Privacy Policy and other applicable legal terms that govern your use of the Exari Services. If you do not consent to the terms of this Privacy Policy and the aforementioned legal terms, do not continue to interact with or use the Exari Services.

European Privacy Policy: Please also see our European Privacy Policy for further information on your rights under applicable privacy law.

Quick Links:

Information We May Collect

Use of Information

Sharing of Information

Cookies and Similar Technologies

Data Retention

Choices and Opt-Out

Cross-Device Tracking

Accessing and Correcting Your Personal Information

Third Party Sites

Security

Children

International Data Transfers

U.S. Privacy Including California Consumer Privacy Act

Questions, Complaints and Disputes

Privacy Policy Updates

Affiliates of Exari Group, Inc.

Due to the global nature of the Exari Services, our privacy practices may vary among the states, countries and regions in which we operate in order to comply with applicable legal requirements.

Privacy Shield Notice

Exari’s U.S. affiliates have certified compliance with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (collectively, the "Privacy Shield Framework") https://www.commerce.gov/tags/eu-us-privacy-shield regarding the collecting, processing, sharing and retaining of the Personal Data transferred from the European Union (“EU”), European Economic Area (“EEA”) and Switzerland to the United States. We certify that we adhere to the Privacy Shield Framework principles of notice, choice, onward transfer, security, data integrity, access, liability and enforcement (the “Privacy Shield Principles”) for Personal Data of users of the Exari Services in the countries participating in the Privacy Shield Framework. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  We are responsible for the processing of personal data we receive under the Privacy Shield Framework and subsequently transfer to a third-party agent and may be liable for onward transfers in violation of the Privacy Shield Principles. Our certification is available here https://www.privacyshield.gov/participant?id=a2zt0000000L0XcAAK. We may also process Personal Data relating to individuals in Europe via other compliance mechanisms, including use of the European Union Standard Contractual Clauses.

Exari’s Privacy Shield Privacy Statement is different from this general Privacy Policy. 
You can see our Privacy Shield Privacy Statement at: https://success.coupa.com/Trust/Data_Privacy/z_Exari_Privacy_Shield_Statement. If the Privacy Shield Privacy Statement applies to you and anything in this general Privacy Notice is different from the Privacy Shield Privacy Statement, the provision in the Privacy Shield Privacy Statement governs.
 

INFORMATION WE MAY COLLECT

The Exari Services gather certain information automatically, some of which may be considered personal information under applicable law.

We only collect personal information for the purposes of conducting our business, including in relation to the licensing and implementation of the Exari Services. We collect, process, share, and retain information from you and any devices you may use when you access our websites, use our Services, register for an account with us, provide us information on a web form, update or add information to your account, participate in community discussions, chats, or otherwise correspond with us. The specific information we collect depends upon your use of the Services and websites, and is described below:

Examples of the types of information we collect are:

  • Your name, date of birth and contact details, including phone number, email address and postal address
  • Your credit card, bank account and wire transfer details
  • Your passwords and/or personal identification codes (PINs)
  • Your testimonials, feedback and complaints
  • Fax number
  • Professional information, such as employer or organizational affiliation for a customer or partner
  • Screen name
  • Screen sharing views, at the request of customers, for support and quality assurance (“QA”) purposes
  • Any data in any files uploaded, emailed or otherwise provided by customers for support and QA
  • Operating system type and version, web server type and version, database type and version
  • Unique IDs such as a cookie placed on a computer or mobile device, or device IDs
  • IP address or MAC address, and information derived from an IP or MAC address, such as geographic location
  • Browsing activities, cookies and similar data, and platform or mobile application use data
  • Referring domain, destination domain and destination path
  • Geolocational data, including latitudinal and longitudinal data
  • User IDs and passwords for customers with accounts on the Exari Services
  • Information about the performance, security, software configuration and availability of our software on your servers and network
  • Website user statistics and website and viewing activity records
  • Communication preferences
  • Other similar information

We may collect your personal information in a number of ways, including in person, by telephone, by email or electronically when you contact us or visit our website to:

  • Registration, purchase and use of the Exari Services: Information such as name, email address, telephone number, company/organization, financial information, and other information, may be collected in connection with registration for, purchase of or use of the Exari Services (for example, to sign-up for and log into the Exari Services or executing a demo of our software on our website). Customers may update their information by logging into their account.  Information may also be collected to track license use.
  • Communications: Personal information such as name, email address, and other information, may be collected, when provided in any communications, whether via email, social media, telephone or otherwise.
  • Support: Personal information may be collected in connection with customer support, whether via screensharing, email, social media, telephone or otherwise.
  • Surveys and Research: We may collect personal information from anyone participating in research and surveys.
  • Information We Automatically Collect: We receive and store certain types of information whenever you interact with us or our Service. Our websites use “cookies,” tagging and other tracking technologies. This information includes computer and connection information such as statistics on your page views, traffic to and from our websites, referral URL, ad data, your IP address, and device identifiers; this information may also include your browsing history, transaction history, and your web log information.
  • Information from Social Media and Other Sites: When you interact with our websites or Services on a social media platform, we may collect the personal information that you make available to us on that page, including your account ID or username. If you choose to log in to your Exari account with or through a social networking service, Exari and that service may share certain information about you and your activities.
  • User Comments and Content:  If you post any comments or content on our websites, you should be aware that any personally identifiable information you choose to provide there may be read, collected, or used by third parties. We are not responsible for the information you choose to submit, and we cannot guarantee that third parties have not made copies of or will not use such information in any way.
  • Information from Other Sources: We may supplement the personal information we collect with information from third parties and add it to your account information. Information from third parties may include, but is not limited to, demographic information that is publicly available, additional contact information, group affiliations, occupational information, and educational background. We may also collect your personal information from third parties, including data available on the internet, and data purchased from third party sources. Where personal information is obtained from third party sources, the collection, use and disclosure of that personal information will be governed by the third party's privacy policy as well as by applicable privacy laws.

You do not have to agree to this privacy policy and can choose not to provide us with certain information, but then you might not be able to take advantage of many features of the websites and Exari may not be able to provide you with certain Services.

USE OF INFORMATION

Exari may use the information, including personal information, collected in connection with the Exari Services for the purpose of providing the Services to our customers, as well as for supporting our business functions, such as fraud prevention, marketing, analytics and legal functions, and other legitimate purposes. 

To the extent permitted by applicable law and, for customer data, as permitted by our customer agreements, we will use information collected in connection with our Services:

  • To deliver our products and services, including our consultancy services, hosting services and data capturing services.
  • To explore prospective sales leads.
  • To provide, maintain, and improve the websites for internal or other business purposes.
  • To fulfill customer requests, such as to create a Exari Services account or to provide, produce, and ship ordered products or requested services.
  • To communicate with our customers; to inform customers and users of products, programs, services, profiles or transactions with us, and changes to our policies or terms, as applicable.
  • To send offers, promotions, or other communications about our products and Services, including special or promotional events, including services, products, or events for which we collaborate or co-offer with a third party.
  • To send customers information regarding the Exari Services, including information about features and enhancements on or to our websites and issues specifically affecting Exari Services.
  • To respond to reviews, comments, or other feedback provided to us.
  • To support, optimize, improve and personalize our Services, websites, and advertising, including tracking and evaluating the use of the websites.
  • In the case of server logs, to help us statistically monitor how many people are using our site and for what purpose.
  • To send newsletters or other materials.
  • To protect the security and integrity of our Services, content, and our business.
  • For benchmarking, data analysis, audits, developing new products, enhancing the Exari Services, facilitating product, software and applications development, improving our services, conducting research, analysis, studies or surveys, identifying usage trends, as well as for other analytics purposes.
  • To perform statistical, demographic, and marketing analyses of users of the websites and their viewing patterns.
  • To meet our contractual requirements, to comply with applicable legal or regulatory requirements and our policies, and to protect against criminal activity, claims and other liabilities.
  • For any other lawful purpose for which the information is provided, including fulfilling requests for information.

Personal information under the control of users of the Exari Services. In some circumstances, we may access and use personal information that has been collected by a customer in the course of their use of our Services. This personal information remains under the control of the customer at all times. We will only use this information on a limited basis to fulfill our contractual obligations to the customer to:

  • diagnose and address software programs;
  • provide hosting services;
  • fulfill IT-related duties for technical maintenance and the backup of the hosting environment;
  • provide consulting services in relation to the installation and configuration of our software;
  • assist with the preparation and migration of data to our software;
  • develop product enhancements; and
  • provide data capturing services.

Aggregate Information. To the extent permitted by applicable law, we may use, process, transfer, and store any data about individuals and customers or partners in an anonymous (or pseudonymous) and aggregated manner. We may combine personal information with other information, collected online and offline, including information from third party sources. We may also use information in other ways with consent or as permitted by applicable law. By using the Exari Services, our customers agree that we are hereby licensed to collect, use, share and store anonymized (or pseudonymized) aggregated data collected through the Exari Services for benchmarking, analytics, A/B testing, metrics, research, reporting, machine learning and other business purposes.

Automated Decisions. To the extent permitted by applicable law, we may collect data in an automated manner and make automated decisions, including using machine learning algorithms, about individual users of the Exari Services in order to provide or optimize the Exari Services offered and/or delivered, for security or analytics purposes, and for any other lawful purpose.

SHARING OF INFORMATION

To the extent permitted by applicable law, Exari may share and disclose information, including personal information, as set forth below:

  • Customers. We may share information with our customers and their service providers and other platforms that may assist those customers.
  • Affiliates and Agents. We may share information with our affiliates or any business partners or agents acting on our behalf.
  • Service Providers. We may share information with our service providers (e.g. data storage and payroll service providers), agents, vendors and other third parties we use to support and advertise the Exari Services and our business. We share personal information with such third parties to the extent necessary to provide services to us, and pursuant to binding contractual obligations.
  • Advertising and Marketing. To the extent permitted by applicable law, we may share information with third parties for marketing, advertising, promotions, contests, or other similar purposes. If required by applicable law, we will share such data for advertising and marketing purposes only in an aggregate, anonymous, and de-identified manner.
  • Mergers, Acquisitions, Divestitures. We may share, disclose or transfer information to a buyer, investor, new affiliate, or other successor in the event Exari, or any affiliate, portion, group or business unit thereof, undergoes a business transition, such as a merger, acquisition, joint venture, consolidation, reorganization, divestiture, liquidation or dissolution (including bankruptcy), or a sale or other transfer of all or a portion of any assets of Exari or any affiliates or during steps in contemplation of such activities (e.g., negotiations and due diligence).
  • Law Enforcement and National Security. We may share information with legal, governmental, or judicial authorities, as instructed or required by those authorities or applicable laws, or to comply with any law or directive, judicial or administrative order, legal process or investigation, warrant, subpoena, government request, regulatory request, law enforcement or national security investigation, or as otherwise required or authorized by law.
  • Protection of Rights, Property or Safety.  We may also share information if, in our sole discretion, we believe disclosure is necessary or appropriate to protect the rights, property or safety of any person, or if we suspect fraud or other illegal activity.

Exari may also disclose personal information for other purposes or to other third parties when an individual has consented to, or requested, such disclosure, or where a customer has obtained permission from such individual, or where such disclosure is otherwise legally permitted for legitimate business purposes, and, for customer data, with such customer’s authorization or otherwise in accordance with Exari’ agreement with such customer.

COOKIES AND SIMILAR TECHNOLOGIES

We may use cookies and similar technologies to operate and improve the Exari Services, as well as to simplify our interaction with you. A "cookie" is a unique numeric code that we transfer to your computer so that we can keep track of your interests and/or preferences and recognize you as a return visitor to the Services. We may use cookies, log files, pixel tags, web bugs, web beacons, clear GIFs, Local Storage Objects (LSOs) such as HTML5 and Flash or other similar technologies to collect information about the ways you interact with and use the Exari Services, to support and enhance features and functionality, to monitor performance, to personalize content and experiences, for marketing and analytics, and for other lawful purposes.

We may use the following types of cookies and similar technologies:

  • Essential/strictly necessary cookies required for the operation of the Exari Services. They include, for example, cookies that enable you to log into secure areas.
  • Analytical/performance cookies that collect information about how you use the Exari Services. They allow us to recognize and count the number of visitors and to see how visitors move around our websites. This helps us to improve the way our websites work. [These cookies are sometimes placed by third party providers of web traffic analysis services.]
  • Functionality cookies that remember choices you make and recognize you when you return. This enables us to personalize our content, greet you by name and remember your preferences (for example, your choice of language or region) or allow the pre-population of certain resource request forms, making it easier for you to access Exari content.

Most internet browsers accept cookies by default. You can block cookies by activating the setting on your browser that allows you to reject all or some cookies.  The help and support area on your internet browser should have instructions on how to block or delete cookies. Some web browsers (including some mobile web browsers) provide settings that allow you to control or reject cookies or to alert you to when a cookie is placed on your computer, tablet or mobile device. Although you are not required to accept cookies, if you block or reject them, you may encounter limitations using the Exari website and accessing certain pages, specifically password-protected pages.

For more information, visit the help page for your web browser or see http://www.allaboutcookies.org or visit www.youronlinechoices.com which has further information about behavioral advertising and online privacy.

We may use third party analytics such as Google Analytics or similar analytics services. For information on how Google processes and collects your information regarding Google Analytics and how you can opt-out, please see https://tools.google.com/dlpage/gaoptout.

DATA RETENTION

To the extent permitted by applicable law, we may retain information for as long as the account of the customer for whom we collected the information is active, for at least six (6) months thereafter, or as long as is reasonably necessary to provide the Exari Services or as needed for other lawful purposes. We may retain cached or archived copies of information. We may retain anonymized or pseudonymized, aggregated data indefinitely, to the extent permitted under applicable law. We may be required to retain some data for a longer period of time because of various laws and regulations or because of contractual obligations. We also will retain information as long as reasonably necessary to comply with our legal obligations, resolve disputes and enforce our agreements. Once information is no longer needed for the purposes for which it was collected, we will take reasonable steps to de-identify and destroy it.

CHOICES AND OPT-OUT

To the extent required by applicable law, or in our discretion otherwise, we will allow customers and individuals to limit use of personal information. If at any time after providing us with your personal information such information changes or you change your mind about receiving information from us, you may request access to your data or that your data be changed.

You may elect not to identify yourself or you may use a pseudonym in your dealings with us, except where it is impracticable for us to deal with you on this basis (for example, we will need to identify you in order to provide most of our products and services).

We may use your personal information for direct marketing. This includes the use of personal information to:

  • invite you to a user conference; and
  • notify you about an existing or new product or service.

If you prefer not to receive these communications from us, you may ask us at any time to stop sending you direct marketing information or to stop being contacted by us. You can do this by emailing us at privacy.marketing@coupa.com.

CROSS-DEVICE TRACKING

When you use your mobile device to interact with us or use the Exari Services, we may receive information about your mobile device, including a unique identifier for your device. We and our service providers and third parties we collaborate with, including ad networks, may use cross-device/cross-context tracking. For example, you might use multiple browsers on a single device, or use various devices (such as desktops, smartphones, and tablets), which can result in your having multiple accounts or profiles across these various contexts and devices. Cross-device/cross-context technology may be used to connect these various accounts or profiles and the corresponding data from the different contexts and devices.

ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION

We will, upon your request, and subject to any exemptions under applicable privacy laws, provide access to the personal information that we hold about you. We will need to first identify you and understand the type(s) of information you wish to access. We will promptly deal with access requests. If we deny access to all or any part of the personal information that you request, we will notify you of our reasons in writing and explain how you can complain if you are not satisfied with our decision.

You can ask us to confirm whether we are processing your personal data, or to correct or update personal information we hold about you at any time. We will need to verify your identity. We will also independently take reasonable steps to correct personal information we hold if we are satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held. Please also see “Additional Rights” section below.

If you require access to, or wish to update your personal information, please contact us at gdpr@coupa.com.

THIRD PARTY SITES

The Exari Services may provide links to other websites or resources over which Exari does not have control (“External Web Sites”). Such links do not constitute an endorsement by Exari of those External Web Sites. You acknowledge that Exari is providing these links to you only as a convenience, and further agree that Exari is not responsible for the content of such External Web Sites. Your use of External Web Sites is subject to the terms of use and privacy policies located on the applicable External Web Site. We encourage you to be aware when leaving our Services and to read the privacy statements of External Web Sites that collect your personal information.

SECURITY

We hold your personal information in both electronic and hardcopy files. We use security techniques to protect your personal information that we hold from misuse interference and loss, and from unauthorised access, modification or disclosure. The techniques we use include firewalls, encryption and access control procedures. For example, when you use Exari software over the internet, the information exchange between you and the Exari software is encrypted using the Secure Sockets Layer (SSL) protocol.

To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of personal information, we employ procedural and technological measures that are reasonably designed to help safeguard the information we collect. All our employees are bound by non-disclosure agreements intended to prevent them from disclosing any personal information. Further, our employee guidelines state that our employees must abide by all state and federal laws and regulations in the performance of their employment duties. Our policies also limit access to personal information to only those employees, contractors, agents or representatives that require the information to perform their jobs or assist us with providing our products and services to you.

Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. Therefore, despite our efforts, we cannot guarantee its absolute security. We do not warrant or represent that personal information about you will be protected against, loss, misuse, or alteration by third parties.

If you use the Services, you are responsible for maintaining the confidentiality of your access information and password. You are responsible for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your password. We cannot secure any personal information that you release on your own, that you request us to release or that is released through another third party to whom you’ve given access.

Where required under applicable law or by contract, we will notify the appropriate parties or individuals of any loss, misuse or alteration of personal information so that such parties or individuals can take the appropriate actions for the due protection of their rights.  If such personal information is information of an Exari customer, we will notify such customer and coordinate with them regarding any required notices to particular individuals.

CHILDREN

We recognize the importance of protecting the privacy and safety of children. The Exari Services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from individuals under 18. Anyone under 18 should not use the Exari Services. If we learn we have collected or received personal information from an individual under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about an individual under 18, please contact us as set forth below.

INTERNATIONAL DATA TRANSFERS

The Exari Services may be provided using resources and servers located in various countries around the world, including the United States and other countries. We may also share your personal information with our related bodies corporate, some of which are located overseas, including in the USA, Norway, and the United Kingdom. Therefore, personal information about individuals or customers may be transferred, processed and stored outside the country where the Exari Services are used, including to countries outside the European Union (“EU”), European Economic Area (“EEA”) or Switzerland, where the level of data protection may not be deemed adequate by the European Commission. With respect to Europe, we comply with the EU-US Privacy Shield Framework as described in the section entitled European Privacy Policy, which supplements this policy, and may also use standard data protection clauses adopted by supervisory authorities and approved by the European Commission to safeguard transfers.

U.S. PRIVACY INCLUDING CALIFORNIA CONSUMER PRIVACY ACT

For purposes of this section only: (i) “Personal Information” means any information relating, directly or indirectly, to any identified or identifiable natural person or household, including but not limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household; (ii) “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means; (iii) “Applicable Law” means any U.S. privacy, security, breach notification, or other data protection laws applicable to Personal Information, including but not limited to the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq.

To the extent that Exari collects or Processes Personal Information in connection with performing functions on behalf of Customer and further to the extent applicable and required by Applicable Law, Exari agrees as follows:

  1. Exari shall use, disclose, or otherwise Process the Personal Information only to perform functions under the Exari Services terms or as otherwise required by law. Without limiting the generality of the foregoing, Exari agrees it shall not: (i) sell the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing functions under the Exari Services, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing functions; or (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Exari and Customer. Exari hereby certifies that it understands the restrictions set forth in this section and will comply with them.
  2. Exari shall reasonably assist Customer to comply with Applicable Law, including but not limited to providing reasonable assistance honoring individual rights requests as necessary for Customer to comply with Applicable Law. In the event Exari receives any requests relating to Personal Information directly from an individual in connection with the Agreement, Exari shall direct the individual to Customer, promptly notify Customer of the request, and reasonably assist Customer to respond to such request.

  3. Exari shall maintain reasonable security measures to protect Personal Information within Customer Data in accordance with the Exari Services terms.

QUESTIONS, COMPLAINTS, AND DISPUTES

If you have questions, concerns, or complaints about this Policy or our privacy practices, please contact our Privacy Officer by email at gdpr@coupa.com. . We will respond to your inquiries as soon as is practicable.

CLASS ACTION WAIVER. YOU AND WE AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR OUR INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.

PRIVACY POLICY UPDATES

Exari may update this Privacy Policy from time to time in our sole discretion to reflect changes to our information and privacy practices. Exari will post any updated Privacy Policy on its websites or in the Exari Services, or with any notice to individual users if required by applicable law. Continued use of the Exari Services after any such modifications constitutes acceptance to any such modified Privacy Policy. Exari encourages you to review this Privacy Policy regularly for any changes. The date of last revision is shown at the “Last Updated” legend at the top of this page.

AFFILIATES OF EXARI GROUP, INC

  • Exari Systems, Inc. (Boston, MA, USA)
  • Exari Solutions (Europe) Limited (Dundee, Scotland)
  • Exari Systems Pty Ltd (Melbourne, Australia)
  • Exari Norway AS (Oslo, Norway)
  • Coupa Software UK Limited, previously named Exari Limited (London, England)
 

EUROPEAN PRIVACY POLICY

The following European Privacy Policy applies if you are in the European Union, the European Economic Area and Switzerland.

Personal Data and Processing. For the purposes of the European Privacy Policy:

"Personal Data" means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of such natural person; and

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

EU-U.S. and Swiss-U.S. Privacy Shield Notice. Exari and its U.S. affiliates have certified compliance with the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield (collectively, the “Privacy Shield Framework”) https://www.commerce.gov/tags/eu-us-privacy-shield with respect to the Personal Data of users of the Exari Services in the European Union (“EU”), European Economic Area (“EEA”) and Switzerland that we receive and process through the Exari Services. We certify that we adhere to the Privacy Shield Framework principles of notice, choice, onward transfer, security, data integrity, access, liability and enforcement (the “Privacy Shield Principles”) for Personal Data of users of the Exari Services in the countries participating in the Privacy Shield Framework. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  We are responsible for the processing of personal data we receive under the Privacy Shield Framework and subsequently transfer to a third party agent and may be liable for onward transfers in violation of the Privacy Shield Principles. Our certification is available here  https://www.privacyshield.gov/participant?id=a2zt0000000L0XcAAK&status=Active. We may also process Personal Data relating to individuals in Europe via other compliance mechanisms, including use of the European Union Standard Contractual Clauses.

Purposes and Legal Basis for Processing Personal Data. Exari processes data for the purposes as set forth in our Privacy Policy, including to provide the Exari Services and as explained in the Use of Information and Sharing of Information sections. To fulfill these purposes, Exari may access data, including Personal Data, to provide the Exari Services, to correct and address technical, service or security problems, or in response to contractual requirements. Please see our Exari Privacy Policy Information We Collect and Data Retention sections for additional details on how we collect, use, disclose and share data, make automated decisions, and retain data, including Personal Data, about individual users or customers.

Our legal basis for the processing of Personal Data are: (i) consent or (ii) any other applicable legal basis, such as our legitimate interest in engaging in commerce, offering products and services of value to the customers of the Exari Services, preventing fraud, ensuring information and network security, direct marketing and advertising, and complying with industry practices.

Data Transfers: Where personal data is transferred from the EU or Switzerland to the US in the context of an employment relationship, we will cooperate in investigations by and comply with the advice of EU data protection agencies and the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Exari will not transfer personal information originating in the EU or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of privacy protection to your personal information as required by the Principles of the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. We will only transfer data to our agents, resellers or third party service providers (such as accountants, attorneys, consultants, and other service providers) who need the information in order to provide services to or perform activities on behalf of Exari, including in connection with the delivery of services or products, Exari’s management, administration, or legal responsibilities. We acknowledge our liability for such data transfers to third parties.

Additional Rights: Under European law, you may have one or more of the following additional rights:

Access. To request a copy of the Personal Data we have collected about you by contacting us.

Rectification & Erasure. To request that we rectify or delete any of the Personal Data about you that is incomplete, incorrect, unnecessary or outdated.

Restriction of Processing. To request restriction of Processing of Personal Data about you for certain reasons, such as, for example, if you consider Personal Data about you collected by us to be inaccurate or you have objected to the Processing and the existence of legitimate grounds for Processing is still under consideration.

Data Portability. To request and receive the Personal Data we have collected about you in a  commonly used and machine-readable form. 

Right to Withdraw Consent. If Personal Data about you is processed solely based on your consent and not for any other legitimate interest, to withdraw your consent at any time, without affecting the lawfulness of our Processing based on such consent before it was withdrawn, including processing related to existing contracts for our products and services.

Right to Lodge a Complaint with a DPA. If you believe our Processing of Personal Data about you is inconsistent with the applicable data protection laws, to lodge a complaint with your local supervisory data protection authority (“DPA”). 

To exercise any of the above listed rights, please contact us as set forth below and provide sufficient details so that we can respond appropriately. We will process any requests in accordance with applicable law and within a reasonable period of time. We may need to verify the identity of the individual submitting a request before we can address such request. If the request relates to data our customers collect and process through the Exari Services, we will refer the request to that customer and will support them in responding to the request.  For Exari customers, certain information may be reviewed, corrected and updated by logging into the Exari Services account and editing the profile information.

Questions and Complaints. Residents of a country participating in the Privacy Shield Framework may direct any questions or complaints concerning our Privacy Shield compliance to our Privacy Shield and Data Protection Contact. We will work with you to resolve your issue. 

In compliance with the Privacy Shield Principles, Exari commits to resolve complaints about our collection or use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Exari by email at gdpr@coupa.com.

Exari has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the American Arbitration Association or visit https://www.adr.org/Support, for more information or to file a complaint.  The services of the American Arbitration Association are provided at no cost to you.

Under certain conditions, more fully described at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Exari is under the jurisdiction as well as the investigatory and enforcement powers of the US Federal Trade Commission for purposes of the EU-US Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.

Compelled Disclosures. Exari may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.