Privacy Notice

Last modified December 3, 2020

OneLogin, Inc. (“OneLogin”, “We”, “Us”, or “Our”) is committed to protecting the privacy of your personal information while using our web site (developers.onelogin.com). OneLogin has established this Privacy Policy (“Policy”) to describe how we collect and use your personal data if and when you use our Web site as a “Visitor” or provide information to us in connection with your use of the Service as a “Subscriber”. It also describes your choices regarding use, access and correction of your personal information.

Who We Are

You may contact us under OneLogin Inc., 848 Battery Street, San Francisco, CA 94111.

Our EU representative is: OneLogin Ltd, 2 Sheraton Street, W1F 8BH London.

You may contact our Data Protection Officer at privacy@onelogin.com.

The Information We Process

  • Information you provide: When a Subscriber registers for the Service, we require a first and last name, company name, email, and phone number. After the initial registration, the Subscriber’s designated Client Administrator can share additional end user information with OneLogin in order to enable those end users to use the Service; however, OneLogin never directly collects any end user information, personal or otherwise, without the explicit direction of the Client Administrator. Subscribers are responsible for providing notice to end users concerning the information they collect and share with OneLogin as part of their use of the Service.

  • Cookies: When you visit the Web site or use the Service, we use session “cookies” – a piece of information stored on your computer – to allow the Web site or Service to uniquely identify your browser while you are logged in and to enable OneLogin to process your online transactions. Please see the “Use of Cookies” section for further information.

  • Clear Gifs: We also use third party advertising and tracking tools that employ a software technology called clear gifs (a.k.a. Web Beacons/Web Bugs), to help us better manage content on our site by informing us what content is effective. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the movements of the visitors to our Web site. In contrast to cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages and are about the size of the period at the end of this sentence. We tie the information gathered by clear gifs to our Visitors and Subscribers in order to optimize and enhance the Web site and Service experience. We use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing campaigns.
  • Log Files: As is true of most Web sites, we and our third party utility-tracking partners gather certain information automatically and store it in log files. This information includes Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data.
  • HTML5: We use Local Storage, such as HTML5, to store content information and preferences. Third Parties, with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity, use local storage objects (HTML5) to collect and store information. Various browsers may offer their own management tools for removing HTML5 Local Storage.
  • Analytics and Remarketing: OneLogin uses remarketing on the Web site with Google Analytics and services like AdRoll to advertise online. Third-party vendors, including Google, show our ads on sites across the Internet. OneLogin and third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on your past visits to our website. You may opt-out of Google Analytics for Display Advertising and customize Google Display Network ads using Google’s Ads Preferences Manager. If you wish to not have your information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here). Please note this does not opt you out of being served advertising. You will continue to receive generic ads.

If you do not provide the listed personal data to us, we may not be able to provide you with certain features of our Web site.

We use mobile analytics software to allow us to better understand the functionality of our Mobile Software on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. OneLogin collects PII in order to provide a high level of security by assessing the risk of the user authenticating from the correct user device.

Mobile: When you download and use our Services, we automatically collect information on the type of device you use, the frequent usage, application version, operating system version, the time it has been used, and the device identifier (or “UDID”).

How We Process Personal Data

OneLogin uses the personal data including your use of the Service to operate and make the Service available to you, for billing, identification and authentication, to contact you about your use of the Service, research purposes, and to generally improve the content, functionality, and security of the Web site and the Service. OneLogin will also use the collected personal information to send you periodic newsletters to inform you about OneLogin and our services.

The processing is based on our legitimate interests (Art. 6 (1)(f) of the GDPR).

We may use personal data provided as testimonials, which is always based on consent (Art. 6(1)(a) of the GDPR).

We do not use automated decision-making, including profiling.

Information Related to Data Collected through the Service

The use of information collected through our Service shall be limited to the purpose of providing the service for which the client has engaged OneLogin.

OneLogin collects information under the direction of its clients. If your personal information changes, or if you no longer desire to use the Service, you may correct, update, delete or deactivate it by making the change within the Service or by reaching out to OneLogin Customer Success via support.onelogin.com. We will respond to your request within a reasonable timeframe. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our clients.

OneLogin (the data processor) has no direct relationship with the end users that are part of a Service Subscription plan. An end user who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their request to their designated Client Administrator (the data controller). The Client Administrator can modify your account information at any time within the Service’s Account settings or by contacting our OneLogin Customer Success Team. If the Client Administrator requests that OneLogin remove the data, we will respond to their request within a reasonable timeframe.

We will retain end user information for as long as the Subscription is active, the Client Administrator requests the deletion of the same, or as needed to provide you with services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Sharing Information With Third Parties

OneLogin uses a third party intermediary to perform credit card processing when registering for the paid Subscription plans of the Service. This intermediary is not permitted to store, retain, or use your billing information except for the sole purpose of credit card processing on OneLogin’s behalf.

OneLogin may also transmit personal data to its third party vendors and hosting partners that provide the necessary hardware, software, networking, storage, and other technology and maintenance services required to operate and maintain the Web site and the Service. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our Clients. This may require that your personal data be transferred from your current location to the offices and servers of OneLogin and these authorized third parties.

Recipients of the Personal Data

We share personal data with the following categories of recipients:

  • Host providers,
  • Payment providers,
  • Email service providers,
  • Authentication providers,
  • User support providers,
  • Advertising providers.

For a list of our current subprocessors, follow this link: https://www.onelogin.com/data-subscribe.

We intend to transfer personal data to the following countries:

Third country | Legal safeguards
US | EU-U.S. Privacy Shield, Standard Contractual Clauses
Australia | Standard Contractual Clauses
Brazil | Standard Contractual Clauses
China | Standard Contractual Clauses
India | Standard Contractual Clauses
Japan | Standard Contractual Clauses
Philippines | Standard Contractual Clauses
Singapore | Standard Contractual Clauses
Taiwan | Standard Contractual Clauses

You may get a copy of the respective safeguards by requesting these from privacy@onelogin.com.

Sharing Your Information

Except as described in this Policy, OneLogin will not give, sell, rent, share or loan any personal information to any third party other than as outlined in this Policy.

  • Legal reasons: We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Legal requests must meet the following requirements before we will consider complying with them:
    • Must be in writing and legally issued by a relevant government entity, e.g., data belonging to a foreign entity or foreign citizen requires an order under the Foreign Intelligence Surveillance Act
    • Must be as narrowly defined as possible, e.g., limited to records specific to the individual or entity in question. In addition, we strive to be as transparent as possible and we will periodically publish the number of requests received and responded to annually per the current Department of Justice guidelines.
  • Business Transitions: If OneLogin is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our Web site of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal data.
  • Statistical analysis: OneLogin may provide summary or group statistics about our customers, sales, traffic patterns, and related Web site information to reputable third-party vendors, but these statistics will include no personal data.
  • Links to other sites: This Web site contains links to other sites that are not owned or controlled by OneLogin. Please review the privacy policy of such other sites to familiarize yourself with their practices. We encourage you to be aware when you leave our Web site and to read the privacy statements of each and every Web site that collects personal data. This Policy applies only to personal data processed by this Web site.
  • Social Media Widgets: Our Web site includes Social Media Features, such as the Facebook and Twitter buttons and Widgets, such as the Share this button or interactive mini-programs that run on our Web site. These Features may collect your IP address, which page you are visiting on our Web site, and may set a cookie to enable the Social Media Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our Web site.
  • Public Forums: Our Web site offers publicly accessible blogs or community forums. You should be aware that any personal data you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal data from our blog or community forum, contact us at privacy@onelogin.com.
    • Our blog functionality is also managed by a third party application that may require you to register to post a comment. You will need to contact or log in to the third party application if you want the personal information that was posted to the comments section removed. Your interaction with these features is governed by the privacy policy of the company providing it.
  • Testimonials: We post customer testimonials on our Web site which may contain personal data. We obtain a customer’s consent via email prior to posting the testimonial to post that customer’s name along with their testimonial. A customer may always withdraw such consent at privacy@onelogin.com, without affecting the lawfulness of the processing based on consent before its withdrawal.
  • Surveys: From time-to-time we may provide you the opportunity to participate in surveys and contests. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact information, such as email or phone number. We use this information to improve our Service and to send our customers updates on how we are improving the Service based on their feedback.

Protecting Your Information

OneLogin maintains reasonable security measures to protect your information from loss, destruction, misuse, unauthorized access or disclosure. These technologies help ensure that your data is safe, secure, and only available to you and to those you provided authorized access. When you enter sensitive information (such as your login information) on our Web site or connect to our Service, we encrypt the transmission of that information using Transport Layer Security (TLS). If you have any questions about security on our Web site, you may contact us at privacy@onelogin.com.

Use of Cookies

We use session “cookies” to allow the Web site or Service to uniquely identify your browser while you are logged in and to enable OneLogin to process your online transactions. We do not link the information we store in cookies to personal data you submit while using the Web site other than the email address you provided. Session cookies also help us verify your identity and are required in order to use the Service. OneLogin uses persistent cookies, which only OneLogin can read and use, to identify you as a valid user of a OneLogin Subscription plan and make it easier for you to log in to the Service. Analytical cookies and similar technologies are also used to allow OneLogin to recognize how visitors move around the Web site and the Service when they’re using it. We use this information to analyze trends, to troubleshoot the Web site and Service, to track end users’ movements while on the site and to gather demographic information about our user base as a whole. This helps us improve the overall user experience.

We use the following cookies on our Web site:

Cookie | Purpose | Expiry
AddThis | Content sharing | 1 year
AdRoll | Cookies users, tracks conversions | 1 year
AdRoll Pixel | Cookies users, tracks conversions | 2 years
AdWords Conversion | Tracks user conversions | 2 years
AdWords Remarketing | Cookies users, tracks conversions | 3 months + 1 year
App Nexus | Ads targeting | 12 years
Beeswax | Not used directly by us, but some of our vendors | 12 years
BidSwitch | Used by demandbase | 1 year
Bing Conversion Tag All Site | Tracks user conversions | 1 year
Bizable | Ads targeting | 1 year
Bizographics | Used by linkedin | 5 months
class button clicks | Just an event no cookies attached | No cookie
contactus4 - Contact Us | Just an event no cookies attached | No cookie
Demandbase | for dynamically customized content based on user’s company/department | 1 year - 10 years
demorequest3 - Demo Request | Just an event no cookies attached | No cookie
DoubleClick | Ads targeting | 2 years
DoubleClick Ad Exchange-Buyer | Ads targeting | 2 years
DoubleClick Bid Manager | Ads targeting | 2 years
Engagio Tag | b2b marketing/leads tracking | 2 years
Facebook Base Pixel | Cookies users, tracks conversions | 3 months - to unlimited
Facebook Connect | Tracks user conversions | 3 months - to unlimited
Facebook Custom Audience | Tracks user conversions | 3 months - to unlimited
Facebook Lead Event - Contact Page | Tracks user conversions | 3 months - to unlimited
Facebook Lead Event - Demo Request | Tracks user conversions | 3 months - to unlimited
Facebook Lead Event - Free Trial Request | Tracks user conversions | 3 months - to unlimited
Facebook Lead Event - Other Requests - PAUSED | Tracks user conversions | 3 months - to unlimited
Facebook Lead Event - SaaS Tsunami Kit | Tracks user conversions | 3 months - to unlimited
Facebook Pixel | Cookies users, tracks conversions | 3 months - to unlimited
freetrial2 - Free Trial | Just an event no cookies attached | No cookie
GA Audiences | No cookies | No cookie
Google Adwords Conversions | Cookies users, tracks conversions | No cookie
Google Adwords User Lists | Cookies users, tracks conversions | No cookie
Google Analytics | For website usage analysis | 1 year
Google Dynamic Remarketing | Ads targeting | 1 year
Google Tag Manager | No cookie, only used to load other trackers | No cookie
Hotjar | To analyse user’s behaviour on website | 1 Day to 2 years
Hotjar Tracking Code | Same as above | No cookie
IAM Kit LP | Just an event no cookies attached | No cookie
IAM Kit Re-Targeting | Just an event no cookies attached | No cookie
Kenshoo Tier 1 | ads conversion | No cookie
Kenshoo Tier 2 | ads conversion | No cookie
Kits IAM Conversion | Just an event no cookies attached | No cookie
LeadLander | Lead tracking | 1 year
LinkedIn Ads | LinkedIn ads tracking | 6 months - 2 years
LinkedIn Analytics | LinkedIn ads tracking | 6 months - 2 years
LinkedIn Marketing Solutions | LinkedIn ads tracking | 6 months - 2 years
LinkedIn Tag | LinkedIn ads tracking | 6 months - 2 years
LiveRamp | Used by demandbase | no cookie
LP_Demo_Phone_Chat | Just an event no cookies attached | no cookie
Marketo | Tracks user conversions | 2 years
Mixpanel | for signup analysis | 1 year
OpenX | ads targeting | 1 year
Optimizely | for a/b testing | 2 months - 10 years
Quantcast | Tracks user conversions | 2 months - 1 year
Quantcount | Tracks user conversions | 2 months - 1 year
Quora Retargeting | Quora ads | no cookie
Rubicon | Ads | 1 month - unlimited
Twitter Advertising | twitter ads | 2 years
Twitter Analytics | twitter ads | 2 years
Twitter Conversion Tracking | twitter ads conversion | 2 years
Yahoo Ad Exchange | yahoo ads | 1 day

You may set your browser to block all cookies, including cookies associated with our Service. Users who disable their browsers’ ability to accept cookies will be able to browse our Web site, but will not be able to access or take advantage of the Service.

You can also opt out of our newsletters and surveys and you may follow the unsubscribe/opt out instructions contained in each of those communications.

Retention Periods

We retain your personal data as long as it is necessary for the purposes stated above, if not stated otherwise in this Policy. We might process your personal data longer than stated above if it is necessary because of legal requirements or decisions made by authorities.

Your Rights

If you would like to exercise any of your rights, or receive more information about them, please contact us via the contact details set forth in the “Contact Us” section of this Policy. We promptly respond to all requests from individuals seeking to exercise their rights described below and pursuant to applicable data protection laws. Please note that some of the following rights may not be applicable to your situation:

Right of access: You have the right to gain access to information about the personal data that we process about you. Should you have any questions regarding the processing or want more insight into the personal data we process from you, you are always welcome to contact us and we will provide you with further information.

Right to rectification: You have the right to get your personal data updated or corrected. Upon your request to us, we will promptly (in no event more than 72 hours from your request) correct your information inaccurately stored by us and/or supplement incomplete personal data completed by including a supplementary statement provided by you.

Right to erasure/right to be forgotten: You have the right to request of us to permanently delete your personal information. You can make such a request if you for example believe that the personal data are no longer necessary in relation to the purpose for which the personal data were collected or otherwise processed.

Right to restrict the processing activities: You have the right to restrict our processing activities. If you choose to restrict our processing activities regarding certain personal data, note that you may not be able to use our Web site properly.

If you are unsatisfied with the way we treat your personal data, you may reach out to us at all times to discuss the issue. However, you always have the right to lodge a complaint to a supervisory authority.

Your California Privacy Rights

The California Consumer Privacy Act provides some California residents with the additional rights listed below. Please note that some of the following rights may not be applicable to your situation:

Right to know - You have a right to request information about our collection, use, and disclosure of your personal information over the prior 12 months. For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see “The Information We Process” section above.

Right to delete - You also have a right to request that we delete personal information, subject to certain exceptions. You may exercise your right to delete by contacting us via the contact details set forth in the “Contact Us” section of this Policy.

Right to opt-out of the sale of personal data - We do not sell the personal information we collect.

Right to non-discrimination for the exercise of your privacy rights - You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the CCPA.

Authorized agent - You may designate an authorized agent to make a request under the CCPA on your behalf by providing us with a copy of your power-of-attorney document granting that right.

Financial incentives - We do not provide any financial incentives tied to the collection, sale, or deletion of your Personal Data. To exercise any of your rights, or receive more information about them, please contact us via the contact details set forth in the “Contact Us” section of this Policy. We may need to verify your identity and place of residence before a request pursuant to this Policy can be fulfilled.

Notification of Changes to This Policy

OneLogin may update this Policy from time to time. You can review the most current version of this Privacy Policy at any time at developers.onelogin.com/privacy. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective.

Privacy Shield Frameworks

OneLogin participates in and has certified its compliance with both the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework (collectively, the “Frameworks”). We are committed to subjecting all personal data received from European Union (EU) member countries, United Kingdom, and Switzerland, in reliance on the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, respectively, to the Frameworks’ applicable Principles. To learn more about the Privacy Shield program, and view our certifications, visit the U.S. Department of Commerce’s Privacy Shield List, https://www.privacyshield.gov/list.

Under the Frameworks, OneLogin is responsible for the processing of personal data it receives and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield Principles for all onward transfers of personal data from the EU, United Kingdom (UK), and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Frameworks, OneLogin is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Privacy Shield Web site, https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Contact Us

If you have any questions regarding this Policy you may contact us at privacy@onelogin.com or via postal mail at:

OneLogin, Inc.
848 Battery Street
San Francisco, CA 94111