Salesforce Apps, Add-ins and Extensions Privacy Statement
Last updated July 2019
At salesforce.com, inc., trust is our #1 value. The Salesforce mobile app, add-in or browser extension (the “App”) that links to this Privacy Statement helps our customers to manage the Services we offer, as well as their businesses and customer relationships on the go.
A reference to “Salesforce,” “we,” “us” or the “Company” is a reference to salesforce.com, inc. We refer to the products and services that are ordered by our Customers and made available online by Salesforce, as described at https://help.salesforce.com, as the “Services.” The App and the Services exclude information obtained by Salesforce from publicly available sources or its third party content providers (“Content”) and any Web-based, mobile, offline or other software application functionality that interoperates with a Service that is provided by a Customer or a third party and/or listed on an online directory, catalog or marketplace of applications that interoperate with the App or Service (“Non-SFDC Application”). “Personal Data” means data that identifies or relates to an identifiable individual. “Customer” means the organization that subscribes to the Services and through whom you, the end user of such Services, are provided access to the App and Services.
This Privacy Statement describes how Salesforce processes Personal Data that it collects on its own behalf from or through the App. For the avoidance of doubt, Salesforce is the controller of this Personal Data, meaning that we determine how and why it is processed. Furthermore, this Privacy Statement applies solely to our processing of this Personal Data.
Note that Personal Data and other data submitted by or on behalf of a Customer to the Services through the App, excluding Content and Non-SFDC Applications, is considered by Salesforce to be “Customer Data.” As between the Customer and Salesforce, each Customer is the controller of its Customer Data and Salesforce does not process that Customer Data except as provided in our Master Subscription Agreement, including any applicable Order Forms, with the Customer. If you have questions or would like to exercise your legal rights regarding Customer Data, please contact the Customer responsible for such Customer Data. Additional information is available at the bottom of this Privacy Statement.
What data do we collect?
Personal Data collected directly from you
In connection with your download and use of the App, we may collect certain account information, such as your name, username, password, email address, physical address, phone number, date of birth, affiliated Customer and job title, and other information that you provide.
Other data collected from your device or browser
We may collect other data, including Personal Data, from your device or browser, such as, without limitation:
- Data about your device. We collect certain data about your device or browser automatically via log files, such as your Media Access Control (MAC) address, device ID, operating system name and version, browser type and device manufacturer and model. We may also collect your IP address. We use data about your device to ensure the App functions properly, diagnose server problems, and administer the App and the Services. We may derive your approximate location from your IP address.
- Cookies. When you are using a browser extension, we may place cookies on your browser, including session cookies, authentication cookies and security cookies. If you have chosen to identify yourself to us, we may place on your browser a cookie that allows us to uniquely identify you when you are logged in and to process your online transactions and requests. When these cookies are necessary for the operation of the browser extension, you cannot opt out of them.
- Usage data. We collect certain technical data related to your use of the App, such as the date and time your device accesses our servers, what data and files have been downloaded to the App on your device, and the parts of the App that were visited. We use this data to ensure the App functions properly and to improve the App and the Services.
- Analytics. We collect data through Google Analytics to better understand your use of the app. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/ and opt out by downloading the Google Analytics opt out browser add-on, available at https://tools.google.com/dlpage/gaoptout.
- Data collected from other sources. We may combine the foregoing types of data with data we already have or data provided by third parties, including third parties from whom we have purchased Personal Data.
- Data about other individuals. If you provide Personal Data about other individuals to us, then our Customers or you, and not Salesforce, are responsible for providing notice and obtaining consent as may be required by law.
Our Purposes for Processing Personal Data
We process Personal Data:
- Based on our legitimate interests or as necessary to perform our contract with you or your affiliated Customer, to administer, improve and provide to you the App and the Services. In particular, we may use Personal Data to analyze trends and usage, assess capacity requirements, identify Customer opportunities and conduct surveys, build models and train our algorithms to allow us to better serve you and other users and personalize content and features for you, and for research and development activities for new products and services;
- Based on our legitimate interests, to keep the App and the Services secure, including through identity management and security monitoring to detect, prevent and respond to suspicious activity, fraud, intellectual property infringement, misuse of the App or the Services, violations of our terms or law and for other similar purposes;
- Based on our legitimate interests or to comply with applicable law, to communicate with you, to provide notices regarding our policies, terms and conditions or to send you marketing communications or product recommendations.
How We May Share Your Personal Data
We may share your Personal Data:
- With your affiliated Customer, if we are providing this App to you pursuant to a Customer’s subscription to the Services;
- With our service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, customer support and data enrichment for the purposes and pursuant to the legal bases described above; and
- Within the Salesforce corporate group and with companies that we acquire in the future when they are made part of the Salesforce corporate group. A list of companies within the Salesforce corporate group is provided as an exhibit to our Annual Report, available here. When we share your Personal Data as described above, we take reasonable steps to ensure that recipients provide the same or equal protection of your Personal Data as Salesforce provides here.
Other Uses and Disclosures
On the basis of our legitimate interests or compliance with legal obligations, we may use or share your Personal Data as necessary or appropriate (a) to comply with applicable law, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including authorities outside your country of residence and to meet national security or law enforcement requirements; (d) to enforce our terms and conditions; (e) to protect our operations; (f) to protect the rights, privacy, safety or property of the Salesforce, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
We may also share your Personal Data with relevant third parties if we are involved in a corporate transaction, such as a merger, reorganization, dissolution or other fundamental corporate change, or if all or a portion of our business, assets or stock are acquired by a third party.
Your Rights Relating to Your Personal Data
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights may include:
- To access your Personal Data held by us;
- To rectify inaccurate Personal Data and, accounting for the purpose of processing the Personal Data, ensure it is complete;
- To delete your Personal Data;
- To restrict our processing of your Personal Data;
- To transfer your Personal Data to another controller;
- To object to any processing of your Personal Data carried out on the basis of our legitimate interests. Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects; and
- To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
To exercise your rights in connection with Personal Data processed by Salesforce on its own behalf, please contact us by using the information in the “Contacting us” section, below. To exercise your rights with respect to Customer Data processed by the Services on behalf of your affiliated Customer, please inquire with your affiliated Customer directly.
Some users may update their user settings, profiles, organization settings and event registrations by logging into the App on their device and editing their settings or profiles.
How We Secure Your Personal Data
International Transfer of Personal Data
Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates and third-parties which are based in other countries. The addresses of our offices where salesforce.com, inc. and its affiliates are located can be found here.
Therefore, your Personal Data may be processed outside your jurisdiction and in countries which (a) are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and (b) may not provide for the same level of data protection as your jurisdiction, such as the EEA. In this event, or if we transfer Personal Data to a third party that provides services to us, we will ensure that the recipient of your Personal Data offers an adequate level of protection, for instance by entering into the appropriate agreements and, if required, standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your prior consent to such international data transfers.
Changs To This Privacy Statement
To exercise your rights regarding your Personal Data, or if you have questions regarding this Privacy Statement or our privacy practices, please fill out this form or mail us at:
Salesforce Data Protection Officer (Salesforce Privacy Team)
Salesforce Tower, 415 Mission Street, 3rd Floor
San Francisco, CA 94105
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.
Personal Data and other data submitted by or on behalf of a Customer to the Services through the App, excluding Content and Non-SFDC Applications, is considered by Salesforce to be Customer Data. Salesforce does not process Customer Data except as provided in our Master Subscription Agreement, including any applicable Order Forms, with the Customer. We make our template Master Subscription Agreement, Data Processing Addendum and Trust & Compliance Documentation for Salesforce Inbox publicly available here, here and here. Our terms with the Salesforce Customer through whom you are provided access to the App and Services, however, may differ from these templates and a Customer may configure the App and the Services as provided to the Customer’s end users, affecting the data accessed or obtained by the App. Please contact the Salesforce Customer through whom you are provided access 5 to the App and the Services for more information about its practices and how Customer Data is processed. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in this Privacy Statement.
Where appropriate, your consent may be requested for the collection of Customer Data from your device to enable certain App features. This Customer Data may include, without limitation:
- Phone numbers, email addresses and other contact information from your device’s address book;
- Call or text histories or other telephony log information collected from your device’s telephone service or app[s), such as phone numbers, time, date and duration of calls, SMS routing information, and types of calls;
- Scheduling information collected from your device’s calendar app(s);
- Facial characteristics and other physical identifiers collected through your device’s camera(s);
- Voice recordings collected through your device’s microphone(s);
- Social media account data, including your account profile photo, collected from your device’s social media app(s); and
- Precise geolocation data collected from your device.
- If you connect your App to apps or services provided by other parties, such as Google, Microsoft, Dropbox and Box (each, a “Third Party Provider”), certain Customer Data may be collected from your device by Third Party Providers. This data may be collected automatically through the use of application programming interfaces such as the Google API Services or the Outlook Mail REST API, and may include:
- The contents, metadata and related information of emails, calendar events and stored files when you choose to sync your App with Third Party Provider’s email, calendar and cloud storage services;
- Phone numbers, email addresses and other contact information from your device’s address book, as well as data maintained by a Third Party Provider regarding your contacts, when you choose to sync your App with your device’s address book; and
- Customer Data that you send from the App or Services to a Third Party Provider, or data that you request from a Third Party Provider, automatically or otherwise. Note that, as a security precaution, if you choose to connect your App to apps or services provided by a Third Party Provider and you request data from that Third Party Provider, information that identifies you or your device may also be sent in order to authenticate the request.
Salesforce is not responsible for the data processing practices of Third Party Providers. We encourage you to review your Third Party Providers’ respective privacy notices before connecting your App.
Additional information about Salesforce’s privacy and data security practices with respect to Customer Data is available here.