Last Updated: May 26, 2021
In July 2020, the European Court of Justice held that the EU-U.S. Privacy Shield Framework is no longer valid as a transfer mechanism for personal information from the European Union. Similarly, the Swiss Federal Data Protection and Information Commissioner invalidated the Swiss-U.S. Privacy Shield Framework in September 2020. The U.S. Department of Commerce continues to administer both Privacy Shield Frameworks and continues to hold participants to their obligations under the Privacy Shield Frameworks. Zuora, Inc., as a participant in the Privacy Shield Frameworks, will continue to comply with its commitments under the Privacy Shield Frameworks and its robust internal data protection policies as described more fully below. Please see our Privacy Statement for information on how we protect cross-border transfers of personal data in accordance with applicable legal requirements, including the Standard Contractual Clauses approved by the European Commission.
We, Zuora, Inc. and our affiliates (“Zuora”), subscribe to and comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union/European Economic Area (“EEA”), the United Kingdom and/or Switzerland, as applicable, to the United States. We certified to the Department of Commerce that we adhere to the Privacy Shield Principles (“Principles”) with respect to such data. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
This Notice does not apply to data that we collect from employees of our subsidiaries in the EEA, United Kingdom and Switzerland or to data that we collect from other jurisdictions; we cover such data in other, separate notices.
Types of personal data collected
As a data controller, we collect personal data from individual contacts of corporate customers, suppliers and other business partners in the EEA, United Kingdom and Switzerland (“Business Contacts”), as applicable. From our Business Contacts, we collect the following types of personal data: name, job title, company affiliation and contact information.
We also store and process personal data on behalf of our corporate customers. Our corporate customers use our software-as-a-service products to process personal data at their discretion, including data pertaining to their own subscribers. Our corporate customers provide information on how they process their subscribers’ data in their own, separate privacy notices. We support our corporate customers as a data processor but do not know or control their data processing practices. The remainder of this EU-U.S. and Swiss-U.S. Privacy Shield Notice explains how we process personal data that we control.
Commitment to comply with the Principles
We comply with the Principles in processing all personal data that we receive from companies or individuals in the EEA, the United Kingdom and/or Switzerland, as applicable. We also receive data in reliance on other compliance mechanisms, including data processing agreements based on the EU, United Kingdom and/or Swiss Standard Contractual Clauses.
Purposes of collection and use
We collect and use personal data of Business Contacts for purposes of providing products and services to our customers, communicating with corporate business partners about business matters, processing data on behalf of corporate customers, providing information on our services, and conducting related tasks for legitimate business purposes. With respect to marketing, data subjects in the EEA, the United Kingdom and Switzerland may opt out of receiving marketing communications from us or onward transfers of their data to other data controllers by following opt-out instructions that are contained in each marketing email or contacting email@example.com.
How to contact us
If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting firstname.lastname@example.org or by regular mail addressed to:
101 Redwood Shores Parkway
Redwood City, CA 94065
Types of third parties to which we disclose personal data and purposes
We share personal data of data subjects in the EEA, the United Kingdom and Switzerland with our subsidiaries, affiliates and contractors, who process personal data on behalf of Zuora. We also provide information to our channel partners, such as distributors and resellers, to fulfill product and information requests, and to provide customers and prospective customers with information about Zuora and its products and services. We also share EEA, United Kingdom and Switzerland data with other third parties for the purposes for which we receive the EEA, United Kingdom and Switzerland data (e.g., performance of contractual obligations and rights), and we may also disclose EEA, United Kingdom and Switzerland data where we are legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and we have a legitimate business interest in such disclosure. Data subjects in the EEA, the United Kingdom and Switzerland may opt out of disclosures to entities other than agents unless the disclosure is required by law or necessary under contracts by sending an email to email@example.com, but such an opt-out request may make it difficult or impossible for us to provide requested services. We try to minimize disclosures of personal data as reasonably practical because we are mindful of our responsibility and potential liability in cases of onward transfers to third parties.
Right to access
EEA and Switzerland Business Contacts have the right to access personal data about them. To access your personal data, contact firstname.lastname@example.org.
Choices and means
EEA and Switzerland Business Contacts may choose to change personal data, unsubscribe from e-mail lists, or cancel an account by contacting email@example.com. EEA and Switzerland Business Contacts may choose to unsubscribe from our marketing communications by following the instructions or unsubscribe mechanism in the e-mail message.
Independent dispute resolution body
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Investigatory and enforcement powers of the FTC
Zuora, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Under certain conditions, more fully described on the Privacy Shield website at www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Requirement to disclose
Zuora, Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.