Privacy Notice

Last Updated: December 21, 2022

Scope

This Technology Platform Customer Privacy Notice (the “Policy”) applies to our collection and use of the Personal Data and Sensitive Personal Data, if any, received by Kyriba, in electronic and paper format, from its Customers only. We limit our use of the Personal Data collected through our service to the purpose of providing the service for which you as Customer have engaged Kyriba.

You represent and warrant that you will only provide information and use the technology platform acting in your capacity as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit or other legal entity, and that your communications and transactions with Kyriba occur solely within the context of Kyriba providing the technology platform to the company, partnership, sole proprietorship, nonprofit or other legal entity that you represent.

This Policy does not apply to information that may be received via Kyriba’s website located at www.kyriba.com; Kyriba’s website is governed by a separate Privacy Policy, and we encourage you to read those policies carefully before using Kyriba’s website. Please note that the website is a United States-based website and is subject to United States law.

Kyriba is responsible for the processing of Personal Data that it receives, and, where applicable, that it subsequently transfers to a third party acting as an agent on its behalf.
When transferring data from the EU, UK, and Switzerland, Kyriba relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, Standard Contractual Clauses (including the UK addendum thereto), and the European Commission’s adequacy decisions about certain countries, as applicable.

If you are a resident of California, please see the section below titled “YOUR CALIFORNIA PRIVACY RIGHTS” for more information.

Definitions

“Customer(s)” means any individual or entity that legally purchases, installs, activates or subscribes to Kyriba’s products or services. Kyriba acts as a processor with respect to Personal Data collected through the technology platform or Kyriba Social. The Customer is the Data Controller. The Customer as Controller is also responsible for identifying the lawful basis for the processing of Personal Data submitted through the technology platform or Kyriba Social.

“Personal Data” means any information that (i) relates to an identified or identifiable natural person. Personal Data does not include information that is anonymized.

“Sensitive Personal Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

Notice

Kyriba provides notice of how your Personal Data is collected, used, and shared in this notice, to which you must agree before using the Kyriba products and services. Kyriba will also provide notice before Kyriba uses or discloses such Personal Data for a purpose other than that for which it was originally collected or discloses information to a non-agent third party, if Kyriba ever engages in such use or disclosure.

Your Choices Regarding Personal Data

You are never required to submit Personal Data to us, but you must do so if you want to use the products and services for certain purposes, including to process payments to individuals or to track financial transactions.

Choice

Kyriba will offer you the opportunity to opt-out if Kyriba decides (i) to disclose Customer Personal Data to a non-agent third party, or (ii) to use such Customer Personal Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Customer. You can exercise opt-out rights at any time by contacting us at [email protected] or writing to:

Kyriba Corp.
Office of the Chief Information Security Officer
4435 Eastgate Mall, Suite 200, San Diego, California 92121

There are circumstances in which Kyriba collects Personal Data about EU, UK,or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains such Personal Data as vendor for its Customers. In those circumstances, you as the Customer are responsible for providing the relevant individuals with a choice as to whether their Personal Data may be (i) disclosed to and by Kyriba to certain third parties, or (ii) used for a purpose that is incompatible with the purpose for which the information originally was collected or subsequently authorized by such individual.

Kyriba may disclose Personal Data gathered from its Customers without offering an opportunity to opt out (i) if it is required to do so by law, regulation or legal process (such as a court order or subpoena), (ii) in response to requests by government agencies, such as law enforcement authorities, or (iii) when Kyriba believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual illegal activity. Kyriba also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets, or merges with another entity. Should such a sale, transfer or merger occur, Kyriba will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with this Policy.

We disclose information (described herein) that we collect, in accordance with our legitimate interests and business purposes as stated in this Policy including as set forth in this section. We share information we collect with our affiliates, subsidiaries and service providers who perform activities on our behalf, such as hosting and technical support.

We do not disclose Personal Data about you to third parties for their independent use unless you expressly authorize Kyriba and direct Kyriba to do so.

Kyriba also discloses Personal Data when it is required or permitted to do so for any or all of the following reasons: (i) to comply with a subpoena, legal process, government request or any other legal obligation, (ii) to prevent, investigate, detect, or prosecute criminal offenses or attacks on the technical integrity of the technology platform or our network or systems, and/or (iii) to protect the rights, privacy, property, business, or safety of Kyriba, their partners and employees, the technology platform, or the public.

Onward Transfers (Transfers to Third Parties)

Kyriba may share Personal Data with Kyriba’s subsidiaries and affiliates to perform services directed by Customers. Please also note that Kyriba may also share Personal Data with service providers we have retained to perform services on our behalf. We require service providers to whom we disclose Personal Data and who are not subject to either the laws based on the European Union Data Protection Directive the UK General Data Protection Regulation, or the Swiss Federal Act on Data Protection, as applicable, to either (i) enter into the EU Standard Contractual Clauses, or (ii) be subject to another European Commission adequacy finding.

Access and Correction

Upon request, Kyriba will provide you with information about whether or not we hold any of your Personal Data. To the extent required by law, we provide you with (i) reasonable access to the Personal Data you provide to us, and (ii) the ability to review, correct and delete such Personal Data. If you believe that any of the Personal Data that you have submitted through Kyriba’s technology platform is no longer accurate, or you wish to make any updates or changes, or request deletion, you may do so by emailing us at [email protected]. Upon appropriate request we will update or amend your information, but we reserve the right to use any information previously obtained to verify your identity or take other actions that we believe are appropriate and lawful. We will endeavor to comply with your request as soon as reasonably practicable.

We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are impractical, or for which access is not otherwise required by local law. Please note we may need to retain certain information for record keeping purposes, and there may also be residual information that will remain within our archival databases and other records.

Security

The security of your Personal Data is important to us. We implement appropriate technical and organizational measures designed to protect the Personal Data submitted to us, both during transmission and once it is received. If you have any questions about the security of your Personal Data, you can contact us at  [email protected].

Data Integrity

Kyriba takes reasonable steps designed to ensure that Customer Personal Data collected by Kyriba is (i) relevant for the purposes for which it is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. We depend on our Customers to update or correct their Personal Data whenever necessary. Kyriba will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Please note that in circumstances in which Kyriba maintains Personal Data about EU, UK, or Swiss residents on behalf of one of its Customers, we do not take any responsibility for the integrity of the Personal Data.

Enforcement & Oversight

Kyriba will conduct compliance audits, as needed, of its relevant privacy practices to verify adherence to this Policy. Any employee that Kyriba determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, and should any process or procedure be found not to be in accordance with this Policy, Kyriba will, if commercially reasonable, amend as needed.

In circumstances in which Kyriba maintains Personal Data about EU, UK or Swiss consumers with whom Kyriba does not have a direct relationship because we obtained or maintain such consumer’s Personal Data as an agent for our Customer(s), consumers are directed to submit any complaints concerning the processing of their Personal Data to the relevant Customer, in accordance with the Customer’s dispute resolution process. Kyriba will participate in this process as required and at the request of the Customer. If the issue cannot be resolved through the Customer’s internal dispute resolution mechanism, the consumer may submit the complaint to the relevant data protection authority in the EEA, UK or Switzerland.

Kyriba has established procedures for periodically verifying implementation of and compliance with the applicable data protection laws. Customers residing in the EEA, UK or Switzerland should direct any questions or concerns regarding the use or disclosure of Personal Data to [email protected]. Customers may also file a complaint with our Office of the Chief Information Security Officer in connection with Kyriba’s processing of their Personal Data; letters should be sent to 4435 Eastgate Mall, Suite 200, San Diego, California 92121. Kyriba will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data by reference to the principles contained in this Policy.

Clients or Employees of Customers

Kyriba collects information under the direction of our Customers, and has no direct relationship with the individuals whose Personal Data we process. If you are a client or employee of one of our Customers and would no longer like to be contacted by one of our Customers that use our service, please contact the Customer that you interact with directly. We may transfer Personal Data (e.g., name, email, address, telephone, government-issued identification) to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers.

If you would like to gain access, seek correction, amendment or deletion of inaccurate information you should direct your query to Kyriba’s Customer (the data controller). If requested to remove data we will respond within a reasonable timeframe. We will retain the Personal Data we process on behalf of our Customers for as long as needed to provide services to our Customer. Kyriba will retain this Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Limitations on Application of the Policy

Adherence by Kyriba to this Policy may be limited (a) to the extent required or permitted by law or legal process, such as to respond to or investigate a legal or ethical obligation or request or pursuant to court orders, subpoenas, interrogatories or similar directive carrying the force of law, including any matters related to national security or public interest; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

Additional Information for California Residents

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively “CCPA”), California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies.

What Personal Information We Collect

The following identifies the categories of Personal Information we collect (and have collected in the prior 12 months), as enumerated by the CCPA.

  • Identifiers, such as your name, address, country of origin, email address, and phone number.
  • Internet or Other Electric Network Activity Information, such as device operating system, browser type, and IP address. For more information, please see our Cookie Policy.
  • Financial Information, such as bank account information and financial institution name.
  • Sensitive Personal Information, such as account login, passport numbers, and other government issued identification, may be provided by you to us. The uploading of any identification is not required for the use of our platform. Our processing of sensitive personal information is limited to what is reasonable and proportionate to provide our services.

For more information about the Personal Information we collect and how we use or disclose it please refer to the sections above.

How Long We Retain Personal Information

We store your Personal Information for as long as needed, or permitted, based on the reason why we obtained it (consistent with applicable law). When deciding how long to keep your Personal Information, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period of time before we can delete them) or whether we have taken any legal positions that require data retention (e.g., issued any legal holds or otherwise need to preserve data).
Rather than delete your Personal Information, we may also deidentify it in accordance with the CCPA, by removing identifying details. If we deidentify any Personal Information, we will not attempt to reidentify it.

Your California Privacy Rights

If you are a California resident, you may have the following rights under the CCPA with respect to your Personal Information.

  • Right to Know/Access. You have the right to request (subject to certain exemptions):
    • The categories of Personal Information we collected about you;
    • The sources from which we have collected that Personal Information;
    • Our business or commercial purpose for collecting, selling, or sharing that Personal Information;
    • The categories of third parties to whom we have disclosed that Personal Information; and
    • A copy of the specific pieces of Personal Information we have collected.
  • Right to Correct. You have the right to request that we correct inaccuracies in your Personal Information.
  • Right to Delete. Subject to certain exceptions, you have the right to request deletion of Personal Information that we have collected from you. Please note, Kyriba is not obligated to delete Personal Information that is necessary to provide services that you request or required to comply with applicable laws.
  • Right to Opt-Out. Under the CCPA, California residents may have the right to opt-out of the “sale,” or “sharing,” of Personal Information. California CCPA defines a “sale” as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross-context behavioral advertising. We do not disclose personal information to third parties in exchange for monetary compensation. We do not “sell” or “share” (as defined by the CCPA).
  • Right to Limit Use and Disclosure. Subject to certain conditions and exceptions, you may have the right to limit the use and disclosure of “sensitive personal information,” as defined under the CPRA. However, we do not engage in activities triggering this right.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.

How To Exercise Your Privacy Rights

To exercise any of these rights, California residents may submit a request through our online form available at info.kyriba.com/ca-consumer-privacy-act-opt-out, call our toll free number at 844-845-7161, or email us at [email protected].

In the request, please include “California Privacy Rights Request” in the first line of the description and specify which right you are seeking to exercise. Kyriba will need to confirm your identity before fulfilling the request, so please provide us with your name, street address, city, state, and ZIP code. We may require additional information from you to help us verify your identity and process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf. We may also ask you directly to verify that you have authorized your authorized agent to act on your behalf.

How to Contact Us

Please address any questions or concerns regarding our Policy or our practices concerning Personal Data by:
Contacting us via email at [email protected] or writing to:

Kyriba Corp.
Office of the Chief Information Security Officer
4435 Eastgate Mall, Suite 200
San Diego, California 92121

Amendment

We may update this Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.