Privacy Notice

Last Updated: January 12, 2022

Scope

This Technology Platform Customer Privacy Notice (the “Policy”) applies to our collection and use of the Personal Data and Sensitive Personal Data, if any, received by Kyriba, in electronic and paper format, from its Customers only. We limit our use of the Personal Data collected through our service to the purpose of providing the service for which you as Customer have engaged Kyriba.

You represent and warrant that you will only provide information and use the technology platform acting in your capacity as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit or other legal entity, and that your communications and transactions with Kyriba occur solely within the context of Kyriba providing the technology platform to the company, partnership, sole proprietorship, nonprofit or other legal entity that you represent.

This Policy does not apply to information that may be received via Kyriba’s website located at www.kyriba.com; Kyriba’s website is governed by a separate privacy policy, kyriba.com/company/privacy-notice , and we encourage you to read those policies carefully before using Kyriba’s website. Please note that the website is a United States-based website and is subject to United States law.

Kyriba is responsible for the processing of Personal Data that it receives, and, where applicable, that it subsequently transfers to a third party acting as an agent on its behalf.

To read more about how we treat information collected from the European Union (“EU”), United Kingdom (“UK”), and Switzerland, please read this Policy: Kyriba Technology Platform Customer Privacy Notice

When transferring data from the EU, UK, and Switzerland, Kyriba relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses, and the European Commission’s adequacy decisions about certain countries, as applicable.

Definition

“Customer(s)” means any individual or entity that legally purchases, installs, activates or subscribes to Kyriba’s products or services. Kyriba acts as a processor with respect to Personal Data collected through the technology platform or Kyriba Social. The Customer is the Data Controller. The Customer as Controller is also responsible for identifying the lawful basis for the processing of Personal Data submitted through the technology platform or Kyriba Social.

“Personal Data” means any information that (i) relates to an identified or identifiable natural person. Personal Data does not include information that is anonymized.

“Sensitive Personal Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

Notice

Kyriba provides notice of how your Personal Data is collected, used, and shared in this notice, to which you must agree before using the Kyriba products and services. Kyriba will also provide notice before Kyriba uses or discloses such Personal Data for a purpose other than that for which it was originally collected or discloses information to a non-agent third party, if Kyriba ever engages in such use or disclosure.

How We Collect, Use, and Disclose Your Information

We generally do not collect nor seek to collect Personal Data from our Customers. When such Personal Data is gathered, it is limited to information necessary to use Kyriba’s technology platform. Our technology platform does allow Customers to provide information via “custom fields,” so Customers may store Personal Data in our platform, but this is neither required nor encouraged. In those limited instances in which we do collect and use such Personal Data of Customers, such Customers can always contact Kyriba (as further specified below under “How to Contact Us”) regarding Kyriba’s use or disclosure of their Personal Data or to opt out.

When you use the Kyriba products and services, including Kyriba’s technology platform and Kyriba Social, we use any Personal Data that you voluntarily submit through the products and services in order to provide you with the ability to use Kyriba’s products and services, including Kyriba’s technology platform and Kyriba Social. You may choose to submit through the services a variety of Personal Data, including names, addresses, email addresses, phone numbers, birthdate, country of origin, financial account information, passport numbers and other government issued identification. We disclose such information with vendors only to the extent necessary for the service providers to assist us in providing the Kyriba products and services to you.

When you use Kyriba Social, we use your Personal Data to provide you with a knowledge base, a peer-to-peer interactive social forum, ideas portal, and online support. Customers can also use Kyriba Social to voluntarily promote their ideas for new Kyriba product and service enhancements, and to vote on the ideas of their peers. Customers can also share Personal Data on Kyriba Social to create and view support cases online, and to view support cases from others in their organization.

Personal Data that Customers choose to post on Kyriba Social will be accessible to other Customers. When you post Personal Data, comment, vote, collaborate, upload, or share ideas or content on or through Kyriba Social, please think carefully about what you are sharing with other Customers and potentially the public. You are solely responsible for any information, including Personal Data, that you include in uploaded information, content or other ideas on Kyriba Social. Do not submit any content where you do not own or have licenses to all underlying rights.

Your Choices Regarding Personal Data

You are never required to submit Personal Data to us, but you must do so if you want to use the products and services for certain purposes, including to process payments to individuals or to track financial transactions.

Choice

Kyriba will offer you the opportunity to opt-out if Kyriba decides (i) to disclose Customer Personal Data to a non-agent third party, or (ii) to use such Customer Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Customer. You can exercise opt-out rights at any time by contacting us at [email protected] or writing to:

Kyriba Corp.
Office of the Chief Information Security Officer
4435 Eastgate Mall, Suite 200, San Diego, California 92121

There are circumstances in which Kyriba collects Personal Data about EU, UK,or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains such Personal Data as vendor for its Customers. In those circumstances, you as the Customer are responsible for providing the relevant individuals with a choice as to whether their Personal Data may be (i) disclosed to and by Kyriba to certain third parties, or (ii) used for a purpose that is incompatible with the purpose for which the information originally was collected or subsequently authorized by such individual.

Kyriba may disclose Personal Data gathered from its Customers without offering an opportunity to opt out (i) if it is required to do so by law, regulation or legal process (such as a court order or subpoena), (ii) in response to requests by government agencies, such as law enforcement authorities, or (iii) when Kyriba believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual illegal activity. Kyriba also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets, or merges with another entity. Should such a sale, transfer or merger occur, Kyriba will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with this Policy.

We disclose information (described herein) that we collect, in accordance with our legitimate interests and business purposes as stated in this Policy including as set forth in this section. We share information we collect with our affiliates, subsidiaries and service providers who perform activities on our behalf, such as hosting and technical support.

We do not disclose Personal Data about you to third parties for their independent use unless you expressly authorize Kyriba and direct Kyriba to do so.

Kyriba also discloses Personal Data when it is required or permitted to do so for any or all of the following reasons: (i) to comply with a subpoena, legal process, government request or any other legal obligation, (ii) to prevent, investigate, detect, or prosecute criminal offenses or attacks on the technical integrity of the technology platform or our network or systems, and/or (iii) to protect the rights, privacy, property, business, or safety of Kyriba, their partners and employees, the technology platform, or the public.

Onward Transfers (Transfers to Third Parties)

Kyriba may share Personal Data with Kyriba’s subsidiaries and affiliates to perform services directed by Customers. Please also note that Kyriba may also share Personal Data with service providers we have retained to perform services on our behalf. We require service providers to whom we disclose Personal Data and who are not subject to either the laws based on the European Union Data Protection Directive the UK General Data Protection Regulation, or the Swiss Federal Act on Data Protection, as applicable, to either (i) enter into the EU Standard Contractual Clauses, or (ii) be subject to another European Commission adequacy finding.

Access and Correction

Upon request, Kyriba will provide you with information about whether or not we hold any of your Personal Data. To the extent required by law, we provide you with (i) reasonable access to the Personal Data you provide to us, and (ii) the ability to review, correct and delete such Personal Data. If you believe that any of the Personal Data that you have submitted through Kyriba’s technology platform is no longer accurate, or you wish to make any updates or changes, or request deletion, you may do so by emailing us at [email protected]. Upon appropriate request we will update or amend your information, but we reserve the right to use any information previously obtained to verify your identity or take other actions that we believe are appropriate and lawful. We will endeavor to comply with your request as soon as reasonably practicable.

We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are impractical, or for which access is not otherwise required by local law. Please note we may need to retain certain information for record keeping purposes, and there may also be residual information that will remain within our archival databases and other records.

Security

The security of your Personal Data is important to us. We implement appropriate technical and organizational measures designed to protect the Personal Data submitted to us, both during transmission and once it is received. If you have any questions about the security of your Personal Data, you can contact us at [email protected].

Data Integrity

Kyriba takes reasonable steps designed to ensure that Customer Personal Data collected by Kyriba is (i) relevant for the purposes for which it is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. We depend on our Customers to update or correct their Personal Data whenever necessary. Kyriba will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Please note that in circumstances in which Kyriba maintains Personal Data about EU, UK, or Swiss residents on behalf of one of its Customers, we do not take any responsibility for the integrity of the Personal Data.

Enforcement & Oversight

Kyriba will conduct compliance audits, as needed, of its relevant privacy practices to verify adherence to this Policy. Any employee that Kyriba determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, and should any process or procedure be found not to be in accordance with this Policy, Kyriba will, if commercially reasonable, amend as needed.

In circumstances in which Kyriba maintains Personal Data about EU, UK or Swiss consumers with whom Kyriba does not have a direct relationship because we obtained or maintain such consumer’s Personal Data as an agent for our Customer(s), consumers are directed to submit any complaints concerning the processing of their Personal Data to the relevant Customer, in accordance with the Customer’s dispute resolution process. Kyriba will participate in this process as required and at the request of the Customer. If the issue cannot be resolved through the Customer’s internal dispute resolution mechanism, the consumer may submit the complaint to the relevant data protection authority in the EEA, UK or Switzerland.

Kyriba has established procedures for periodically verifying implementation of and compliance with the applicable data protection laws. Customers residing in the EEA, UK or Switzerland should direct any questions or concerns regarding the use or disclosure of Personal Data to [email protected]. Customers may also file a complaint with our Office of the Chief Information Security Officer in connection with Kyriba’s processing of their Personal Data; letters should be sent to 4435 Eastgate Mall, Suite 200, San Diego, California 92121. Kyriba will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data by reference to the principles contained in this Policy.

Clients or Employees of Customers

Kyriba collects information under the direction of our Customers, and has no direct relationship with the individuals whose Personal Data we process. If you are a client or employee of one of our Customers and would no longer like to be contacted by one of our Customers that use our service, please contact the Customer that you interact with directly. We may transfer Personal Data (e.g., name, email, address, telephone, government-issued identification) to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers.

If you would like to gain access, seek correction, amendment or deletion of inaccurate information you should direct your query to Kyriba’s Customer (the data controller). If requested to remove data we will respond within a reasonable timeframe. We will retain the Personal Data we process on behalf of our Customers for as long as needed to provide services to our Customer. Kyriba will retain this Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Limitations on Application of the Policy

Adherence by Kyriba to this Policy may be limited (a) to the extent required or permitted by law or legal process, such as to respond to or investigate a legal or ethical obligation or request or pursuant to court orders, subpoenas, interrogatories or similar directive carrying the force of law, including any matters related to national security or public interest; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

How to Contact Us

Please address any questions or concerns regarding our Policy or our practices concerning Personal Data by:
Contacting us via email at [email protected] or writing to:

Kyriba Corp.
Office of the Chief Information Security Officer
4435 Eastgate Mall, Suite 200
San Diego, California 92121

Amendment

We may update this Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.