Privacy Statement for SAP Ariba

Protecting the individual's privacy on the Internet is crucial to the future of Internet-based business and the move toward a true Internet economy. We have created this Privacy Statement to demonstrate our firm commitment to the individual's right to data protection and privacy. This Privacy Statement outlines how we handle information that can be used to directly or indirectly identify an individual ("Personal Data").

Note: The SAP Ariba Privacy Statement for Cloud Services available at http://www.ariba.com/legal/privacy-policy describes SAP Ariba practices for processing personal data submitted to the SAP Ariba Cloud Services by customers.

A. General Information

When does this Privacy Statement apply? This Privacy Statement applies to Personal Data that you provide to SAP Ariba or which is derived from the Personal Data as outlined below. The use of any information that is gathered by cookies or other web tracking technologies is subject to the disclosures and options provided in this Privacy Statement.  This policy applies to the websites and services that reference it including www.ariba.com and the SAP Ariba customer support systems (SAP Ariba Connect and SAP Ariba Community services).

Data Controller. The data controller of www.ariba.com is Ariba Inc., 3420 Hillview Ave, Palo Alto, CA 94304, USA (“SAP Ariba”). The SAP Group’s data protection officer is Mathias Cellarius (privacy@sap.com).

What does SAP Ariba do with my Personal Data? SAP Ariba will process the Personal Data provided hereunder only as set out in this Privacy Statement. Further information can be found in Sections B. and C. below. Where the processing of your Personal Data is based on a statutory permission, you can find information on which Personal Data SAP Ariba is processing or using for which purposes in Section B below. Where consent for the processing of your Personal Data is required you can find further information in Section C. below. This information matches with the respective consent statements pertaining to individual processing operations in the Consent Resource Center.

Duration of processing of Personal Data. Where SAP Ariba is processing and using your Personal Data as permitted by law (see B. below) or under your consent (see C. below), SAP Ariba will store your Personal Data (i) only for as long as is required to fulfil the purposes set out below or (ii) until you object to SAP Ariba’s use of your Personal Data (where SAP Ariba has a legitimate interest in using your Personal Data), or (iii) until you withdraw your consent (where you consented to SAP Ariba using your Personal Data). However, where SAP Ariba is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for SAP Ariba to assert or defend against legal claims, SAP Ariba will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. 

Why am I required to provide Personal Data? As a general principle, your granting of any consent and your provision of any Personal Data hereunder is entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide Personal Data. However, there are circumstances in which SAP Ariba cannot take action without certain Personal Data, for example because this Personal Data is required to process your orders, provide you with direct support assistance or provide you with access to a web offering or newsletter. In these cases, it will unfortunately not be possible for SAP Ariba to provide you with what you request without the relevant Personal Data.

Where will my Personal Data be processed? As part of a global group of companies, SAP Ariba has affiliates and third-party service providers within as well as outside of the European Economic Area (the “EEA”). As a consequence, whenever SAP Ariba is using or otherwise processing your Personal Data for the purposes set out in this Privacy Statement, SAP Ariba may transfer your Personal Data to countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA. You may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such Standard Contractual Clauses by sending a request to privacy@sap.com.

Data subjects’ rights. You can request from SAP Ariba at any time information about which Personal Data SAP Ariba processes about you and the correction or deletion of such Personal Data. Please note, however, that SAP Ariba can delete your Personal Data only if there is no statutory obligation or prevailing right of SAP Ariba to retain it. Kindly note that if you request that SAP Ariba delete your Personal Data, you will not be able to continue to use any SAP Ariba service that requires SAP Ariba’s use of your Personal Data.

If SAP Ariba uses your Personal Data based on your consent or to perform a contract with you, you may further request from SAP Ariba a copy of the Personal Data that you have provided to SAP. In this case, please contact the email address below and specify the information or processing activities to which your request relates and whether the Personal Data is to be sent to you or another recipient. SAP Ariba will carefully consider your request and discuss with you how it can best fulfill it.

Furthermore, you can request from SAP Ariba that SAP Ariba restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data SAP Ariba has about you is incorrect (but only for as long as SAP Ariba requires to check the accuracy of the relevant Personal Data), (ii) there is no legal basis for SAP Ariba processing your Personal Data and you demand that SAP Ariba restricts your Personal Data from further processing, (iii) SAP Ariba no longer requires your Personal Data but you claim that you require SAP Ariba to retain such data in order to claim or exercise legal rights or to defend against third party claims or (iv) in case you object to the processing of your Personal Data by SAP Ariba (based on SAP Ariba’s legitimate interest as further set out in B. below) for as long as it is required to review as to whether SAP Ariba has a prevailing interest or legal obligation in processing your Personal Data.

Please post such requests at https://support.ariba.com/privacy-request.

Right to lodge a complaint. If you believe that SAP Ariba is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country in which you live or with the data protection authority of the country or state in which SAP Ariba has its registered seat.

Use of this website by children. This website is not intended for anyone under the age of 16 years. If you are younger than 16, you may not register with or use this website.

Links to other websites. This website may contain links to foreign (meaning non-SAP Ariba Group companies) websites. SAP Ariba is not responsible for the privacy practices or the content of websites outside the SAP Ariba Group of companies. Therefore, we recommend that you carefully read the privacy statements of such foreign sites.

Automated Tools. In addition to the information you provide, SAP may also collect information during your visit to a SAP website through Automated Tools, which include Web beacons, cookies, embedded Web links, and other commonly used information-gathering tools. These tools collect certain standard information that your browser sends to our website such as your browser type and language, access times, and the address of the website from which you arrived at an SAP website. Using these tools, SAP Ariba can also track other information such as pages visited on the relevant SAP Ariba site and certain other aggregate data that is not related to a particular individual.

  1. Sitecore. Some websites which refer to this Privacy Statement use the Sitecore Experience Manager platform to personalize content on the website. It does this based on observed visitor behavior, such as how many clicks a visitor has on certain types of content, or how long a visitor has spent in certain sections of the site, or how many pages of a certain type a visitor has viewed. It also uses information (a profile ID) from Marketo to determine more granular personalizations. The data that goes into the profile is only stored in Marketo and does not exist in Sitecore. Users may prevent Sitecore’s personalization by opting out of cookies (see below).

  2. Demandbase. Some websites which refer to this Privacy Statement use tools from Demandbase for the following tasks:
    1. Forms. Used to provide data for forms. When someone’s IP resolves to a company IP address, a number of data points from Demandbase are inserted into the form and those fields are hidden automatically. Additionally, when a visitor enters their email address into a form, the domain name portion of the email address is sent to Demandbase as well, however when data is returned in this way, it is inserted into the form but the fields thus completed are not hidden. In both cases, this data includes Annual Revenue, Company Size, Company Name, Business Phone Number, Business Address. This data is entirely on the client (browser) until and unless the user submits a form, at which point this data along with any other data entered into the form is transmitted directly to our Marketing Automation platform.

    2. Analytics. Used to enrich web analytics. Every web request sends request data to Adobe Analytics (see below). Demandbase is used to enrich data with the same sort of data described under “Forms” above. As with Forms, only visitors whose IP address resolves to a corporate IP have any of this data transmitted to Adobe Analytics.

    3. Chat. Used to enrich and better target chat interactions. We use the LiveEngage platform from LivePerson. There are two parts to this, one currently in use (#1) and another is a project that is currently underway (#2).

      1. Reactive Chat. When a user clicks a control to open a chat session, and they have Demandbase data available, the company name and the company’s annual revenue amount are transmitted to the LiveEngage platform where chat representatives can better route that chat request.

      2. Proactive chat. By using the Demandbase data, we can proactively prompt users to engage in a chat session based on their corporate information.

    Demandbase Data is acquired via IP GeoLocation. IP addresses that resolve to corporate IPs in Demandbase’s company registry return a block of data about that company. IPs that do not resolve to a corporate IP address return only IP Geolocation data (IP country of origin, lat/long, etc) in which case, no acquired data is recorded or stored.

     

  3. Adobe Analytics. Some websites which refer to this Privacy Statement use Adobe Analytics. Adobe Analytics is using IP addresses to establish the approximate region where a user is coming from. Therefore, Adobe Analytics is collecting the full IP address of users in a first step and then anonymizes it in a second step. Only the anonymized IP address is used to determine the approximate location from where a user is accessing a certain website.

    Furthermore, if you are a registered user and logged on, SAP uses Adobe Analytics to track your user ID together with how you use the relevant website.

    You can opt-out of the use of Adobe Analytics by using this link: http://ariba.d1.sc.omtrdc.net/optout.html?optout=1&confirm_change=1

  4. Usage tracking for marketing purposes. Certain SAP websites may collect the way you are accessing and using such websites by other means in order to prepare pseudonymous usage profiles that are used to determine which content is the most appropriate to be displayed while you visit a certain website.

    In this case, SAP is capturing your usage behavior together with a unique identifier (that allows SAP to establish that there is a certain person active on its websites) but no information like your name that can be used to directly identify you. SAP will use the collected information only in order to display appropriate and relevant content on its websites. Each SAP website making use of such tracking mechanism will contain further information about the collected information as well as an opt-out choice.

  5. Cookies. Cookies are identifiers that can be sent from a site via your browser to be placed on your computer's hard drive. SAP uses cookies to deliver personalized content, to save you having to re-enter your password or complete registration forms repeatedly, to keep track of your shopping cart, and to tailor our information offerings to how you and others use the site.

You may refuse the use of cookies by selecting the appropriate settings in your browser. Kindly note that the settings in your browser regarding cookies are limited to the particular browser installed on a particular device and that, as a consequence, if you visit SAP Ariba’s websites with different browsers or different devices, you have to disable the cookies in the browsers of all relevant devices. Furthermore, please note that if you disable cookies you may not be able to use the full functionality of a website.

B. Where SAP Ariba uses my Personal Data based on the Law

In the following cases, SAP Ariba is permitted to process your Personal Data under the applicable data protection law.

Providing the requested goods or services. If you order goods or services from SAP, SAP Ariba will use the Personal Data that you, or a representative of your company, enters into the order or registration form (usually your name, email address, telephone number, company name and address, your job title and role and, if payment is to be made to SAP Ariba, credit card number or bank details) only to process your order or to provide the requested goods or service. This may include taking the necessary steps prior to entering into the contract, responding to your related inquiries, and providing you with shipping and billing information and to process or provide customer feedback and support. This may also include conversation data that you may trigger via the chat functionalities on SAP.com or other local SAP Ariba web presences, contact forms, emails, or telephone. In this Privacy Policy, “goods and services” includes (access to) SAP Ariba’s web services, offerings, contests, sweepstakes, other content, customer support services, non-marketing related newsletters, whitepapers, tutorials, trainings and events.

If you participate in tutorials or trainings provided by SAP, SAP Ariba may also track your learning progress in order to make this information available to you. Furthermore, we communicate on a regular basis by email with users who subscribe to our services, and we may also communicate by phone to resolve customer complaints or investigate suspicious transactions. We may use your email address to confirm your opening of an account, to send you notice of payments, to send you information about changes to our products and services, and to send notices and other disclosures as required by law. Generally, users cannot opt out of these communications, which are not marketing-related but merely required for the relevant business relationship. With regard to marketing-related types of communication (i.e. emails and phone calls), SAP Ariba will (i) where legally required only provide you with such information after you have opted in and (ii) provide you the opportunity to opt out if you do not want to receive further marketing-related types of communication from us. You can opt out of these at any time at https://my.ariba.com/UnsubscribePage.html.

If you are a contact for your company on the SAP Ariba customer support systems, SAP will use Your name, email address and telephone number (Personal Data) only for as long as it is required (plus, where applicable, statutory data retention periods) to provide You with access to the SAP Ariba customer support systems, provide support services to You and enable You to download content from the SAP Ariba customer support systems.

Ensuring compliance. SAP Ariba and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, SAP Ariba is required to take measures to prevent entities, organizations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP Ariba’s websites or other delivery channels controlled by SAP. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP Ariba’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match.

Furthermore, you acknowledge that any information required to track your choices regarding the processing or use of your Personal Data or receipt of marketing materials (that is to say, depending on the country in which the relevant SAP Ariba Group company operates, whether you have expressly consented to or opted out of receiving marketing materials) may be stored and exchanged between members of the SAP Ariba Group as required to ensure compliance.

SAP Ariba’s legitimate interest. Each of the use cases below constitutes a legitimate interest of SAP Ariba to process or use your Personal Data. If you do not agree with this approach, you may object against SAP Ariba’s processing or use of your Personal Data as set out below.

Questionnaires and surveys. SAP Ariba may invite you to participate in questionnaires and surveys. These questionnaires and surveys will be generally designed in a way that they can be answered without any Personal Data. If you nonetheless enter Personal Data in a questionnaire or survey, SAP Ariba may use such Personal Data to improve its products and services.

Creation of anonymized data sets. SAP Ariba may anonymize Personal Data provided under this Privacy Statement to create anonymized data sets, which will then be used to improve its and its affiliates’ products and services.

Recording of calls and chats for quality improvement purposes. In case of telephone calls or chat sessions, SAP Ariba may record such calls (after informing you accordingly during that call and before the recording starts) or chat sessions in order to improve the quality of SAP Ariba’s services.

In order to keep you up-to-date/request feedback. Within an existing business relationship between you and SAP Ariba, SAP Ariba may inform you, where permitted in accordance with local laws, about its products or services (including webinars, seminars or events) which are similar or relate to such products and services you have already purchased or used from SAP. Furthermore, where you have attended a webinar, seminar or event of SAP Ariba or purchased products or services from SAP Ariba, SAP Ariba may contact you for feedback regarding the improvement of the relevant webinar, seminar, event, product or service.

Right to object. You may object to SAP Ariba using Personal Data for the above purposes at any time by unsubscribing at https://my.ariba.com/UnsubscribePage.html. If you do so, SAP Ariba will cease using your Personal Data for the above purposes (that is to say, under a legitimate interest set out above) and remove it from its systems unless SAP Ariba is permitted to use such Personal Data for another purpose set out in this Privacy Statement or SAP Ariba determines and demonstrates a compelling legitimate interest to continue processing your Personal Data.

C. Where SAP Ariba uses my Personal Data based on my Consent

In the following cases SAP Ariba will only use your Personal Data as further detailed below after you have granted your prior consent into the relevant processing operations. Therefore, each piece of information about a processing operation with regard to Personal Data is linked to one consent statement in the Consent Resource Center. If you re-open this Privacy Statement after you have initially granted one or more consents, you will see not only the information related to the consents you have granted but the full privacy statement.

News about SAP Ariba’s Products and Services. Subject to a respective provision and your consent, SAP Ariba may use your name, email and postal address, telephone number, job title and basic information about your employer (name, address, and industry) as well as an interaction profile based on prior interactions with SAP Ariba (prior purchases, participation in webinars, seminars, or events or the use of (web) services) in order to keep you up to date on the latest product announcements, software updates, software upgrades, special offers, and other information about SAP Ariba’s software and services (including marketing-related newsletters) as well as events of SAP Ariba and in order to display relevant content on SAP Ariba’s websites. In connection with these marketing-related activities, SAP Ariba may provide a hashed user ID to third party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google) where this information is then matched against the social networks’ data or the web offerings’ own data bases in order to display to you more relevant information.

Creating user profiles. SAP Ariba offers you the option to use its web offerings including forums, blogs, and networks (such as the SAP Ariba Community) linked to this website that require you to register and create a user profile. User profiles provide the option to display personal information about you to other users, including but not limited to your name, photo, social media accounts, postal or email address, or both, telephone number, personal interests, skills, and basic information about your company.

These profiles may relate to a single web offering of SAP Ariba or, if created in the SAP Ariba Cloud Platform Identity Authentication Service, may also allow you to access other web offerings of SAP Ariba or of other entities of the SAP Ariba Group, or both (irrespective of any consent granted under the section “Forwarding your Personal Data to other SAP Ariba companies.” below). It is, however, always your choice which of these additional web offerings you use and your Personal Data is only forwarded to them once you initially access them. Kindly note that without your consent for SAP Ariba to create such user profiles SAP Ariba will not be in a position to offer such services to you where your consent is a statutory requirement for SAP Ariba to provide these services to you.

Within any web offering, beyond the mere provision of access your profile is used to personalize interaction with other users (for example, by way of messaging or follow functionality) and by SAP Ariba to foster the quality of communication and collaboration through such offerings and for SAP Ariba to provide gamification elements (gamification is the process of taking something that already exists, such as a website, an enterprise application, or an online community, and integrating game mechanics into it to motivate participation, engagement, and loyalty). To the greatest extent supported by the relevant web offering, you can use the functionality of the relevant web offering to determine which information you want to share.

Special categories of Personal Data. In connection with the registration for and provision of access to an event or seminar, SAP Ariba may ask for information about your health for the purpose of identifying and being considerate of individuals who have disabilities or special dietary requirements throughout the event. Any such use of information is based on the consent you grant hereunder.

Kindly note that if you do not provide any such information about disabilities or special dietary requirements, SAP Ariba will not be able to take any respective precautions.

Event profiling. If you register for an event, seminar, or webinar of SAP, SAP Ariba may share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas.

Forwarding your Personal Data to other SAP companies. SAP Ariba may transfer your Personal Data to other entities in the SAP Group. The current list of SAP Group entities can be found here https://www.sap.com/legal-entities (PDF). In such cases, these entities will then use the Personal Data for the same purposes and under the same conditions as outlined in this Section C. above.

Revocation of a consent granted hereunder. You may at any time withdraw a consent granted hereunder by unsubscribing at https://my.ariba.com/UnsubscribePage.html. In case of withdrawal, SAP Ariba will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP Ariba is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of personal data by SAP Ariba up to the point in time of your withdrawal. Furthermore, if your use of an SAP Ariba offering requires your prior consent, SAP Ariba will not be (any longer) able to provide the relevant service (or services, if you revoke the consent for SAP Ariba to use your profile under the SAP Ariba Cloud Platform Identity Authentication Service for multiple SAP Ariba offerings), offer or event to you after your revocation.

D. U.S.-Specific Provisions

Where SAP Ariba is subject to U.S. privacy requirements, the following also applies:

Do Not Track. Your browser may allow you to set a “Do not track” preference. Unless otherwise stated, our sites do not honor “Do not track” requests. However, you may elect not to accept cookies by changing the designated settings on your web browser or, where available, by way of the TrustArc Consent Manager if the relevant website contains a link to it. Cookies are small text files placed on your computer while visiting certain sites on the Internet used to identify your computer. Please note that if you do not accept cookies, you may not be able to use certain functions and features of our site. This site does not allow third parties to gather information about you over time and across sites.

Requirements to Protect Children's Privacy. We do not intend for our websites or online services to be used by anyone under the age of 13. If you are a parent or guardian and believe we may have collected information about a child, please contact us at privacy@sap.com.

E. Russia-Specific Provisions

The following applies to users who are resident in the Russian Federation:

The services hereunder are not intended for use by citizens of the Russian Federation who are resident in Russia. If you are a Russian citizen residing in Russia, you are hereby notified that any Personal Data that you input into the services will be solely at your own risk and responsibility, that you expressly agree that SAP Ariba may gather your Personal Data and will process this data in the United States and in other countries, and that you will not hold SAP Ariba accountable for any potential non-observance of legislation of the Russian Federation.

Revised and posted as of May 1, 2018