Legal Notices and Privacy Statements

OneStream Software LLC has created these comprehensive legal notices in order to demonstrate our commitment to customer privacy.

 

Privacy Statements

View the OneStream Privacy Statement

View the OneStream Consolidated Privacy Statement

Note: This is the general Privacy Statement; the Privacy Shield Privacy Statement appears below.

When you or your representative or agent give us personal information of, or about, you, you consent (and/or your agent consents on your behalf) to the collection, storage, processing, sharing and other activities with respect to your information as provided for in this Privacy Statement. This Privacy Statement does not apply to human resources information with respect to OneStream’s own employees, which is covered by OneStream’s internal privacy policies and/or the Privacy Shield Privacy Statement discussed below.

When this Privacy Statement refers to “OneStream,” “we,” “us,” “our,” or similar terms, it means OneStream Software LLC, a Michigan, USA, limited liability company, or the specific division, subsidiary, or affiliate that collects, stores, uses, and/or shares personal information under a OneStream brand.

When this Privacy Statement refers to “you” or uses similar words, it means the subject of the personal information discussed in this Privacy Statement.

Other privacy statements may also apply to specific services for which you sign up, or to OneStream apps and/or resources that you use. Those privacy statements should be read together with this one. Other third-party services or applications that are used in connection with OneStream’s services might also have their own privacy statements. Those statements have separate terms and should be read independently from this Privacy Statement.

Note that OneStream has subscribed to the US-EU Privacy Shield program and that OneStream transfers certain personal data of citizens of European Economic Area member states (and, when applicable, Switzerland) to the United States in reliance on the Privacy Shield program. You can see the OneStream Privacy Shield Privacy Statement below and see OneStream’s certification at https://www.privacyshield.gov/list. If your personal data is covered by the Privacy Shield Privacy Statement, the Privacy Shield Privacy Statement will apply to that personal data.

What information does OneStream collect?

OneStream collects personal information like name, address, telephone number, other contact information, billing and payment information, information about business roles, and information about software and service support requirements and inquiries.

OneStream, or its Internet service provider (“ISP”), may collect log-file information, such as Internet protocol (“IP”) addresses, browser type, ISP, referring/exit pages, platform type, date/time stamp, and number of clicks.

If you provide personal information of a third party to OneStream (such as when you sign up a colleague to receive information from or about OneStream or when you provide information about a person to enable the person to have credentials or receive services), you represent and warrant to OneStream that you have all necessary authority to provide that information to OneStream and to grant to OneStream all rights in the information necessary for OneStream to do everything with that information that this Privacy Statement permits OneStream to do.

How does OneStream collect personal information?

OneStream collects some of the information directly from you when you provide it to OneStream, whether through OneStream’s website(s) or OneStream applications, at conferences or marketing events, and when you acquire goods and/or services from OneStream or its affiliates or suppliers.

OneStream collects information from other sources, as well, such as directories, membership lists, conference attendee information, people who acquire OneStream services for you or for your benefit, and third-party information providers.

How does OneStream use the information that it collects?

OneStream uses personal information in the following ways.

To provide goods and services to you and/or to your organization;

To analyze trends, administer websites, apps, and other resources;

To communicate with you, and

To provide offers by OneStream or third parties that might interest you.

If OneStream anonymizes the information (combines it with other information, redacts it, or otherwise makes it so that it no longer reasonably identifies you), OneStream can use the information for any purpose.

How does OneStream treat information of persons under the age of 18?

It is OneStream’s policy to refrain from knowingly collecting or maintaining personally identifiable information relating to any person under the age of 18. If you are under the age of 18, please do not supply any personal information to OneStream. If you are under the age of 18 and have already provided personal information to OneStream, please have your parent or guardian contact OneStream immediately using the information below so that OneStream can remove such information from its files. If you are the parent or guardian of a person under the age of 18 and you have reason to believe that that person’s personal information has been collected by OneStream, please contact OneStream immediately.

How does OneStream use online tracking methods?

OneStream uses cookies and other methods on its website(s) and/or other resources to provide offers that might interest you and to personalize the content that OneStream provides to you on OneStream’s website(s) and/or other resources. OneStream may also serve, provide, or designate the content of ads or other presentations on third-party websites, including on third-party websites or as part of third-party services. Some cookies or similar devices exist only during a particular session, and some are persistent over multiple sessions over time.

These methods can allow you to maintain your account log-in information and other information between visits, and they allow OneStream to measure and record activity.

OneStream may use advertising service providers to serve OneStream advertisements on other websites or resources that you visit or use. In serving OneStream advertisements, these companies may use cookies and other tracking devices to collect information about your visits to other websites and resources, like browser type, IP address, which page or content was visited, and time of day. OneStream uses this information to evaluate advertising, customize user experience, and focus marketing and other communications to you and users like you.

Third parties whose websites or other resources you use might also use cookies or other tracking methods. This Privacy Statement does not apply to third parties’ practices. You should obtain and read the privacy statements of those third parties to understand their practices with respect to cookies and other tracking devices.

You can set your web browser to reject cookies. Each browser is different, so you should check your browser’s “Help” menu to learn how to change your cookie preferences. If you reject or block cookies, OneStream’s website(s) might not function as intended.

Many web browsers have a “do not track” setting. That said, there is no widely-accepted standard (through the World Wide Web Consortium or otherwise) governing what should happen when a user selects “do not track” in his or her browser. If and when an industry consensus is reached about how to treat a “do not track” setting, OneStream will determine whether to follow that consensus approach. In the meantime, enabling “do not track” in your browser will not change what information is exchanged with your computer, or how that information is used.

You might be able to exercise choices regarding third-party cookies and/or tracking devices. You can obtain more information about those choices at https://www.networkadvertising.org/choices/ or https://www.aboutads.info/choices/.

With whom, and how, does OneStream share your information?

  • Anonymized information. If OneStream anonymizes information (i.e., combines it with other information, redacts it, or otherwise makes it so that it no longer reasonably identifies you), OneStream may share that information with anyone for any purpose.

  • Outsourcing providers. OneStream may provide your information to outsourcing providers to process and ship orders, provide technical support, provide training, or perform other functions in support of OneStream’s conduct of its business.

  • Successors. If OneStream sells or otherwise transfers (or investigates the potential sale or other transfer of) all or a part of its business, OneStream may transfer to, or share with, the actual or potential buyer or other transferee, the personal information associated with the potentially or actually transferred business. Such transfer would be for the purpose of facilitating due diligence and/or allowing the buyer or other transferee to operate the business.

  • General use. OneStream may share your information with others, (whether in return for compensation or otherwise) for joint marketing initiatives or to permit third parties to market goods or services to you.

  • To comply with legal requirements. OneStream may share your information if required by law enforcement, government agencies, courts, or others where OneStream believes that its cooperation with information requests is required by law.

  • International Transfer. OneStream may transfer your information to, and store and process your information in, jurisdictions other than the jurisdiction in which you live and/or work. Such other jurisdictions might have laws that treat your privacy differently from the jurisdiction in which you live and/or work. You consent to any such transfer, storage, and/or processing.

What about links and other information provided by others?

One or more OneStream websites or other resources might contain links to other websites or other resources that are not operated by OneStream. OneStream does not operate those websites or resources, and OneStream cannot control the information that the operators of such websites gather or what the operators of such websites do with the information. OneStream is not responsible for the activities of the operators of such other websites or resources.

How does OneStream secure and safeguard my information?

OneStream uses, and requires that its service providers use, commercially reasonable physical, technical, and other safeguards designed to prevent unauthorized access to, use of, or alteration of, your information.

Does OneStream supplement the information that I provide?

OneStream sometimes supplements the information that it receives from you with other information that OneStream receives from third-party sources, such as credit card issuers, directories, and/or information clearinghouses.

How may OneStream notify me in the case of a data breach?

For the purposes of any applicable law regarding notification of persons whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person, OneStream’s information security policy provides that any required notification may, where permitted by law, be made by the use of e-mail, telephone, fax, mail (including, but not limited to, a notice printed in an available area of a bill or statement) or posting a notice on a OneStream website or other electronic resource. The specific means used is up to OneStream, and OneStream will use its commercially reasonable judgment based on the circumstances. Where any notice is to be sent to a specific address or number (such as e-mail address, physical address, telephone number, etc.), OneStream will use the latest available address in its records. EXCEPT TO THE EXTENT PROHIBITED BY LAW, YOU AGREE TO THIS MEANS OF NOTIFICATION.

How can you correct your personal information?

If your personal information changes, if you have reason to believe that your personal information as OneStream maintains it is incorrect, or if you no longer desire service, you may contact OneStream using the contact information below and OneStream will accommodate all reasonable requests for such changes.

How does OneStream handle choice and opt-out?

Users who no longer wish to receive newsletters, digital notifications, or promotional materials or have their information provided to third parties may opt to not receive such communications or have information shared by contacting OneStream using the information below. Please be prepared to tell us the specific OneStream good or service with respect to which you wish to opt out. OneStream will comply with such requests as soon as is commercially practicable. Such compliance may involve batch processing and other processes that take 30 days or longer. If you opt not to receive such communications or allow OneStream to share your information and then give your personal information to OneStream again using a site or under other circumstances that permit us to use your information, OneStream will regard your opt-out as rescinded.

Note that opting out will not have any effect on information that OneStream has shared with third parties as permitted by this Privacy Statement.

To change your preference with regard to the way your information is treated, contact us using the contact information below.

What if I opt out and then do things that opt me back in?

If, after opting out, you do certain things that invite us to use your personal information again, OneStream will regard you as having opted back in. Examples include, but aren’t limited to, asking one of OneStream’s personnel (verbally or otherwise) to send you information, signing up for an event, or similar communications or transactions. As always, OneStream will abide by the provisions of this privacy statement with respect to your personal information that you provide to OneStream.

How quickly does OneStream respond to requests?

OneStream will use commercially reasonable efforts to timely make any changes you request. Many such changes are accomplished using batch processing (i.e. collecting a number of similar change requests and making all such changes at once), so the changes might not be immediately effective. If you require an immediate change to your personally identifiable information and are unable to make such a change using the available site resources, please contact us.

How does OneStream handle changes to this Privacy Statement?

If OneStream decides to change this privacy policy, OneStream will post the changes on one or more websites and/or other places that OneStream reasonably believes will give you notice of the change if you’re paying reasonable attention to the privacy provisions of OneStream’s website(s) and/or resources.

Except as stated below, OneStream will use information in accordance with the privacy statement, or version of the privacy statement, under which the information was collected.

If OneStream decides to use information about you in a manner different from that stated in the privacy statement in effect at the time of collection, OneStream will notify you by e-mail if, and to the extent that, you have provided your e-mail address. If you reply to such an e-mail within a reasonable time and request that OneStream not use your personally identifiable information in the proposed new manner, OneStream will honor your request, but OneStream reserves the right to suspend your access to all or part of the services offered through one or more sites if you do so.

If you do not reply to such an e-mail, or OneStream receives a reply of “undeliverable” or similar message from your last known e-mail address, in either case after a reasonable time, OneStream will use the information in the proposed new manner.

Please be sure to update your e-mail and other contact information from time to time so that you don’t miss any communication by OneStream of the kind contemplated by this section.

Are there exceptions to the other provisions of this Privacy Statement?

Notwithstanding anything else in this privacy statement to the contrary, OneStream may collect personally identifiable information and use such information in ways other than those described above if OneStream is required to do so by law or if OneStream deems it advisable in the course of assisting law enforcement activities or protecting OneStream’s sites, resources, or property. Without limiting the foregoing, OneStream reserves the right to use and disclose any information that you provide to us if OneStream deems it advisable in the prosecution or defense of any litigation involving your use of a good or service of OneStream.

Special Information for California Residents

Your California Privacy Rights: California privacy law requires us to provide California residents with specific disclosures about our privacy practices, including telling you about the information we share with other third parties for their marketing purposes. You may request this information by contacting us using the contact information below.

How do you contact OneStream?

If you (a) feel that OneStream is not abiding by this privacy policy or if you have questions regarding the policy, (b) wish to begin or end receipt of newsletters, digital notifications or promotional information, (c) wish to update your user information, or (d) wish to opt in or out of any other service offered through OneStream; please contact OneStream using the following information.

Privacy Office

OneStream Software, LLC

362 South Street

Rochester, Michigan 48307

Telephone: 248-650-1430

E-Mail: privacy@onestreamsoftware.com

__________________________________________________________

Privacy Shield Privacy Statement

Privacy Shield is a program administered by the United States Department of Commerce (the “Department”). This Privacy Shield Privacy Statement describes the Privacy Principles that are a part of the Privacy Shield program (the “Principles”) and tells you how we comply with those Principles.

When we say “we” or “our” or words like those, or “OneStream” we mean OneStream Software LLC, a Michigan USA limited liability company. OneStream Software LLC, together with its subsidiaries and affiliates in other countries, are the “OneStream Enterprise” and each of them is a “OneStream Enterprise Company.”

Scope

The “European Union,” or “EU,” consists of Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.  The “European Economic Area” or “EEA” consists of all of the EU member states, plus Iceland, Liechtenstein and Norway.

This Privacy Shield Privacy Statement covers personal data about data subjects who are citizens of any EEA member state. If, and when, Switzerland accepts the Privacy Shield as a means of transferring personal data of Swiss citizens and the Department acknowledges that fact in the Privacy Shield program, this Privacy Shield Privacy Statement will thereafter cover personal data about data subjects who are citizens of Switzerland.

In any case, this Privacy Shield Privacy Statement covers personal data about these data subjects where the personal data is transferred to, and processed in, the United States.

If a data subject gives his or her consent to the export of his/her personal data to the United States, and/or processing of his or her personal data in the United States, that consent governs such export and processing and this Privacy Shield Privacy Statement doesn’t apply to any export or processing within the scope of that consent.  To the extent that the data subject’s consent does not apply, this Privacy Shield Privacy Statement will apply.

Some Important Concepts

The Privacy Shield program and its Privacy Principles use certain terms that are defined by European law. Here are some of those terms.

“Personal data” means any information relating to an identified or identifiable natural person.

A “natural person” is a human being. The law sometimes treats corporations and other business entities as “persons,” so using the term “natural person” makes it clear that we’re talking about human beings.

A “data subject” is the identified or identifiable natural person to which the personal data relates.

An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

A “controller” of personal data is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

A “processor” of personal data is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

The Way We Refer to the Personal Data that We Collect

We collect, maintain, use, and share “Business Personal Data” and “Human Resources Personal Data.” Here’s what we mean by those terms.

“Business Personal Data” is personal data that enables identification of, authentication of, coordination of, and/or communication to, from, between, and/or among people who work for or with us, and/or for whom we provide goods or services. These people include, but aren’t limited to, employees, agents, contractors, customers, trainees, and suppliers, and others with or through whom we do business or might do business, or for whose direct or indirect benefit we do business, including, but not limited to, trainers and trainees, and those who give and/or receive technical support. Business Personal Data includes, but is not limited to, contact information, identification information, information about whereabouts, information about travel plans, information about goods and/or services to be provided by (or to) us, and directory information such as name, mobile and/or land telephone number, fax number, e-mail address, physical address, user ID, IP address, picture, language(s) spoken, title, organizational role, and systems or processes that such persons are authorized to utilize.

“Human Resource Personal Data” is human resources and benefit information used by one or more OneStream Enterprise Companies to evaluate, employ, retain, administer the employment and/or contractor relationship with, and/or receive or provide the services of, employees and/or direct or indirect contractors who are being considered to do, who do, or have done work for, or for the benefit of, one or more OneStream Enterprise Companies.

Other Important Concepts

Where we say that we “anonymize” personal data, that means that we combine it with other information, redact it, or otherwise make it so that it no longer reasonably identifies the data subject.

How We Comply with the Privacy Shield Privacy Principles

We think that the best way to tell you about how we comply with the Principles is to show you the Principles and tell you side-by-side how we comply with them. That way, you get to learn about the Principles and see how our practices line up at the same time.

What the Principles Require.

What we do.

1. NOTICE An organization must inform individuals about:

Its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List.

We participate in the Privacy Shield and this Privacy Shield Privacy Statement tells you that we participate and how we do it. You can see the Privacy Shield List, and find out more about the Privacy Shield program, at https://www.privacyshield.gov/list.

The types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles.

We collect Business Personal Data and Human Resources Personal Data, defined above. Each of the Company Co Enterprise Companies collects such data.

Its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield.

We commit to subject to the Principles all of the personal data received from the EU in reliance on the Privacy Shield.

The purposes for which it collects and uses personal information about them.

We collect personal data for the following reasons.

(a) So that data subjects can be contacted, and/or can contact each other, in order to do business.

(b) So that we can provide goods or services to data subjects and/or their organizations and/or receive goods or services from data subjects and/or their organizations.

(c) So that we can give to employees, agents, and/or contractors access to the systems and databases that they need to perform their work.

(d) So that each OneStream Enterprise Company can effectively manage human resources, provide opportunities for individuals, and generally make advice and analyses available regarding employer-employee and contractor relationships of OneStream Enterprise Companies and prospective, current, and past employees and/or contractors.

How to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints.

You can contact us using the information below in the section called “How to Contact Us.”

The type or identity of third parties to which it discloses personal information, and the purposes for which it does so.

(a) Anonymized information.  If we anonymize personal data, we may share that personal data with anyone for any purpose.

(b) Persons with whom we do business. We may provide personal data to others involved in the provision or receipt of goods and/or services so that we can cooperate in providing or receiving goods and/or services.

(c) Outsourcing providers. We may provide personal data to outsourcing providers who perform functions in support of our conduct of business. This might include data processing, storage, system administration, and similar functions.

(d) Successors. If we sell or otherwise transfer all or a part of our business, or are investigating the possibility of doing so, we may transfer to, or share with, the actual or potential buyer or other transferee, the personal data associated with the actually or potentially sold or transferred business.

(e) To comply with legal requirements. We may share your information if required by law enforcement, government agencies, courts, or others where we believe that our cooperation with information requests is required by law.

We provide personal information to others so that we can accomplish the purposes stated above.

The right of individuals to access their personal data.

You have the right to know what personal data we possess about you. You can access that personal data by contacting us using the information below in the section called “How to Contact Us.”

The choices and means the organization offers individuals for limiting the use and disclosure of their personal data.

You have choices about what personal data we retain and how we use it. See the answers in Principle 2: Choice.

The independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by [Data Protection Authorities, sometimes called] DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States.

For Business Personal Data, we use JAMS in the United States as our alternative dispute resolution provider. Such services are available in the United States. Information about JAMS is available at https://www.jamsadr.com/files/Uploads/Documents/Corporate-Fact-Sheet.pdf, and information about the JAMS EU-U.S. Privacy Shield Program is available at https://www.jamsadr.com/eu-us-privacy-shield.

In the case of Human Resources Personal Data,  we cooperate with the panels established by European Data Protection Authorities.

Being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body.

We are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (the “FTC”). You can learn more about the FTC’s role in enforcement of the Privacy Shield at https://www.commerce.gov/page/eu-us-privacy-shield.

The possibility, under certain conditions, for the individual to invoke binding arbitration.

Under certain circumstances, you can invoke binding arbitration. We use JAMS in the United States as our alternative dispute resolution provider. Such services are available in the United States.

The requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We will disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Its liability in cases of onward transfers to third parties.

If we transfer personal data to a third party and that transfer, or an act or omission by the third party, results in a violation of the Principles, we are liable for the transfer and/or the act or omission, even if it was the third party that committed the act or omission.

2. CHOICE

An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.

You have the right to choose (opt out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.

If you wish to opt out, all you need to do is contact us using the information in the section called “How to Contact Us.”

Applicable law allows certain exceptions to your ability to opt out, such as where we are parties to a contract that is still being performed, where law requires us to maintain information tow warranty claims, or otherwise. Where applicable law permits us to retain and continue to use such information and we do so, we will do so only to the extent permitted or required by law.

If you contact us to opt out, we will explain the options available and comply with your request as required by the Principles and applicable law.

By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent.

The above choice/opt-out doesn’t apply where the sharing of your personal data is with a third party who is acting as our agent (such as our service providers who perform services that help us to run our business). We won’t provide your personal data to a third party under these circumstances unless we have a contract in place with that third party that requires the third party to comply with the Principles.

For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.

We will obtain your affirmative express consent (opt in) if we collect sensitive information and that information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.

We also treat as sensitive any personal data received from a third party where the third party identifies and treats it as sensitive.

3. ACCOUNTABILITY FOR ONWARD TRANSFER

To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

When we transfer personal data to a third party acting as a controller, we comply with the Notice and Choice Principles in the ways stated above.

We also enter into contracts with third-party controllers that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the third-party controller will provide the same level of protection as the Principles and will notify us if the third party makes a determination that it can no longer meet this obligation. Those contracts provide that, when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Where we transfer personal data to a third party acting as an agent, (i) we transfer such data only for limited and specified purposes; (ii) we require (usually by contract) at least the same level of privacy protection as is required by the Principles; (iii) we take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization’s obligations under the Principles; (iv) we require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), we take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) we will provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the Department of Commerce upon request.

4. SECURITY

Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

We take reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data. We do this by adhering to internal policies and practices designed to meet these requirements.

5. DATA INTEGRITY AND PURPOSE LIMITATION

Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information.

We process personal data that we need in order to carry out our business. We only process personal information in a way that is compatible with the purposes for which we collected it or that were subsequently authorized by the data subject.

We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.

We adhere to the Principles for as long as we retain the personal data.

Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of the paragraph above. This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the [Privacy Shield] Framework. Organizations should take reasonable and appropriate measures in complying with this provision.

Except as otherwise permitted by the Principles, we destroy or anonymize personal data after it no longer serves a purpose of processing as contemplated above.

6. ACCESS

Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.

We give data subjects access to such personal data as we have that pertains to them and will help to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles. If you wish to contact us to access your information, you can do so using the information in the section called “How to Contact Us.”

We reserve the right to limit such access and related activity where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.

7. RECOURSE, ENFORCEMENT AND LIABILITY

Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include:

(i) Readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide;

For Business Personal Data, we use JAMS in the United States as our alternative dispute resolution provider. Such services are available in the United States. Information about JAMS is available at https://www.jamsadr.com/files/Uploads/Documents/Corporate-Fact-Sheet.pdf, and information about the JAMS EU-U.S. Privacy Shield Program is available at https://www.jamsadr.com/eu-us-privacy-shield.

In the case of Human Resources Personal Data, we cooperate with the panels established by European Data Protection Authorities.

(ii) Follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and

The corporate officer identified in our Privacy Shield certification (which you can see by looking us up at https://www.privacyshield.gov/list) is in charge of verifying that our attestations are true and that privacy practices have been implemented. That person has the necessary authority to carry out these functions. Additionally, our policies and procedures require our personnel to treat complaints and noncompliance as required by the Principles.

(iii) Obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

Our procedures, as contained in appropriate handbooks, job descriptions, policies, and notices announce our compliance with the Principles and provide for appropriate sanctions for noncompliance by our employees and agents.

Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints.

We will, and we will cause our independent recourse mechanisms to, promptly comply with any requests by any applicable government agency for information relating to the Privacy Shield and we will respond to complaints by EU Member State authorities as required by the Principles.

Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.

“Annex I” contains the terms under which Privacy Shield certifying organizations are obliged to arbitrate claims as required by the Recourse, Enforcement, and Liability Principles. Where an individual has invoked binding arbitration by delivering the required notice, we will arbitrate as required by the terms in Annex I. You can see Annex I for yourself if you like at https://ec.europa.eu/justice/data-protection/files/annexes_eu-us_privacy_shield_en.pdf.

In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

We take responsibility for our agents’ compliance with the Principles for all personal data that we receive under the Privacy Shield. We require our agents, by contract or otherwise, to comply with the Principles when processing such personal data. We will be and remain liable for such processing unless we prove that we are not responsible for the event giving rise to the damage.

When an organization becomes subject to an FTC or court order based on noncompliance, the organization shall make public any relevant Privacy Shield related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.

When we become subject to an FTC or court order based on noncompliance, we will make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.

How to Contact Us

You can contact us using the following information.

Privacy Office

OneStream Software LLC

362 South Street
Rochester, Michigan 48307-2240 USA
Phone: +1 248-650-1430
E-Mail: privacy@onestreamsoftware.com

Trademarks

Extensible Dimensionality, OneStream Software and OneStream XF are trademarks or registered trademarks of OneStream Software LLC. in the United States and other countries.

Oracle, UpStream Software and Hyperion are registered trademarks of Oracle Corporation in the United States and/or other countries. Microsoft, Microsoft Office, Windows, Excel, Word and PowerPoint are registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. SAP, Business Objects, and OutlookSoft are registered trademarks of SAP Corporation in the United States and/or other countries. IBM is a registered trademark of IBM Corporation in the United States and/or other countries.

Other names may be trademarks of their respective owners.

Privacy Policy

OneStream Software LLC. has created this privacy policy (“Policy”) in order to demonstrate our commitment to customer privacy. Privacy on the OneStream Software LLC. web site (the “Site”) is of great importance to us. Because we gather important information from our visitors and customers, we have established this Policy as a means to communicate our information gathering and dissemination practices. We reserve the right to change this Policy and will provide notification of the change at least thirty (30) business days prior to the change taking effect. To be effective, the change will include directions on how users may respond to the change.

Children’s Online Privacy Protection

Our services are not designed for or directed to children under the age of 13, and we will not intentionally collect or maintain information about anyone under the age of 13.

Additional Information

Questions regarding this policy or the practices of this Site should be directed to OneStream Software LLC.’s Security Administrator by e-mailing such questions to info@onestreamsoftware.com or by regular mail addressed to OneStream Software LLC., 362 South Street, Rochester, MI 48307-2240.

Collected Information

We require customers who register to use the services offered on our Site (collectively, the “Service”) to give us contact information, such as their name, company name, address, phone number, and e-mail address, and financial qualification and billing information, such as billing name and address, credit card number, and the number of users within the organization that will be using the Service. At the time you express interest in obtaining additional information, or when you register for the Service, we may also ask for additional personal information, such as title, department name, fax number, or additional company information, such as annual revenues, number of employees, or industry. Customers can opt out of providing this additional information by not entering it when asked. Customers can update or remove their personal information at any time by asking their organization’s system administrator to update their user profile by logging into the Website and editing their user information through the user details page. Customers can view their updated profile to confirm their edits have been made.

OneStream Software LLC. uses the information that we collect to set up the Service for individuals and their organizations. We may also use the information to contact customers to further discuss customer interest in our company, the Service that we provide, and to send information regarding our company, such as promotions and events. Customers are invited to receive an e-mail newsletter by providing an e-mail address. Customer e-mail addresses and any personal customer information will not be distributed or shared with third parties. Customers can opt out of being contacted by us, or receiving such information from us, at any time by sending an e-mail to info@onestreamsoftware.com. Separately, customers are also asked to provide an e-mail address when registering for the Service, in order to receive a username and password. We may also e-mail information regarding updates to the Service or company, and will send a Customer Newsletter. Again, e-mail addresses will not be distributed or shared and customers can opt out of receiving any communication by e-mailing info@onestreamsoftware.com at the time it is distributed, or at the time any customer registers for the Service.

We do not disclose to third parties any information provided. All financial and billing information that we collect through the Site is used solely to check the qualifications of prospective customers and to bill for the Service. Of course, customers are responsible for maintaining the confidentiality and security of their user registration and password.

OneStream Software LLC. may also collect certain information from visitors to and customers of the Site, such as Internet addresses. This information is logged to help diagnose technical problems, and to administer our Site in order to constantly improve the quality of the Service. We may also track and analyze non-identifying and aggregate usage and volume statistical information from our visitors and customers.

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and e-mail address. OneStream Software LLC. will automatically send the friend a one-time e-mail inviting them to visit the site. OneStream Software LLC. does not store this information.

The Site may contain links to other web sites. OneStream Software LLC. is not responsible for the privacy practices or the content of these other web sites. Customers and visitors will need to check the privacy policy of these other web sites to understand their policies. Customers and visitors who access a linked site may be disclosing their private information. It is the responsibility of the user to keep such information private and confidential.

Sensitive Information

We will not intentionally collect or maintain, and do not want you to provide, any information regarding your medical or health condition, race or ethnic origin, political opinions, religious or philosophical beliefs or other sensitive information.

Security

Our Site has security measures in place to help protect against the loss, misuse, and alteration of the Data under our control. When our Site is accessed using Microsoft Internet Explorer versions 6.0 or higher, Secure Socket Layer (SSL) technology protects information using both server authentication and data encryption to help ensure that Data is safe, secure, and available only to you. OneStream Software LLC. hosts the Site in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders. Finally, OneStream Software LLC. provides unique user names and passwords that must be entered each time a customer logs on. These safeguards help prevent unauthorized access, maintain data accuracy, and ensure the appropriate use of Data.

Opt-Out Policy

OneStream Software LLC. offers its visitors and customers a means to choose how we may use information provided. If, at any time after registering for information or ordering the Service, you change your mind about receiving information from us or about sharing your information with third parties, send us a request specifying your new choice. Simply send your request to info@onestreamsoftware.com.

Correcting & Updating Your Information

If customers need to update or change registration information, they may do so by editing the user or organization record. To update a User Profile, have your organization’s system administrator log on to OneStream Software LLC. and select Users to add or update information. To update Organization’s data, please e-mail info@onestreamsoftware.com. To update billing information, please e-mail info@onestreamsoftware.com or call 404-786-7932. To discontinue the Service and to have data returned, e-mail info@onestreamsoftware.com or call 404-786-7932. OneStream Software LLC. will respond to your correction or update request within at most 30 days from the date of your request.