Data collected about you

When you interact with our websites, products, services, customer support channels, or job application process at Anaplan, we may ask you to provide some personal data. When we request this type of data, we will notify you as to why we are asking for data and how this data will be used.
 

• Contact data: The data we may collect includes your personal and/or business contact data, such as your first and last name, email address, phone number, mailing address, and data about the organization you represent, and other similar data and identifiers.
• Account data: We collect first and last name, username, and passwords when your Anaplan account is activated.
• Professional and employment data: We may collect your job title, professional certifications details, employment history, and similar data when you register for our events or courses, participate in user research, or apply for a job at Anaplan.
• Payment and billing data: We collect data necessary for processing payments and preventing fraud, including bank account details and other related billing data.
• Location data: We collect location data when you choose and opt-in to provide location-related data when interacting with our website.
• Demographic data: We may collect when you choose to provide some demographic data, such as your gender, diversity and inclusion, veteran, or disability details when you apply for a job at Anaplan.
• Video or voice data: When you interact with our customer support or participate in user research studies, we may collect video and/or audio recordings, and transcripts of those recordings. We may also collect your photo or video footage via CCTV cameras or other technologies when you visit our office or participate in our events and conferences.
• Other data: Examples of other data that we may collect from you include data you provide when you interact online or by phone with our customer support channels, or any additional data you chose to provide to us while interacting with our websites, products, and services.
   

Data collected automatically

We may collect data automatically from your device, such as through the website’s internet access logs and technology.

• Device data: We may collect data about your device, including internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
• Online activity data: we use cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to gather other data about our user-base. You can control the use of cookies at the individual browser level by updating your cookie preferences, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.
   

Data collected from third parties

• Data brokers: We may receive commercially available data such as name, mailing address, email address, job title, and other business contact details.
• Advertising providers: Our third-party providers may use technologies such as cookies to gather information about your activities on this and other sites to provide you with advertising based upon your browsing activities and interests if you have accepted the use of such cookies when first accesing our site.  You can change your cookies settings at the individual browser level by updating your cookie preferences, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.
• Analytics providers: We may receive non-personal data, such as aggregated or de-identified demographic/profile data, from third-party sources including selected partners and companies that specialize in providing enterprise data, analytics, and software as a service.
   

Data submitted through the Anaplan platform

While using Anaplan product and services, customers may load various types of data to our platform. Platform data is governed by the contractual agreements between Anaplan and customers. Anaplan will not disclose or distribute any such platform data except as provided in the contractual agreement between Anaplan and the customer or as may be required by law.

We use and process your data for the following business purposes:

• Provisioning and operating: We use your data to operate our websites and provision our products and services. The use of data collected through the platform is limited to the purpose of providing the service for which a customer engaged Anaplan.
• Marketing and advertising: We use your data to inform you about current and new products and services.
• Billing and payments: We use your data to invoice and process payments.
• General communication: We may use your data to respond appropriately to your comments, questions, requests, and inquiries.
• Product service communication: We may use your data to communicate with you directly for upcoming product releases, service updates, or if we detect suspicious activity on your account.
• Product support and improvement: We use your data to address or prevent service or technical problems and to respond to support issues. We may also use your data to improve the performance of our products, services, and support channels.
• Security: We use your data to provide online security for our websites, products, and services. We may also maintain additional security measures, such as CCTV, to safeguard our physical locations.
• Research and development: We use your data to innovate new and existing product features using research and development tools and incorporating data analysis activities.
• Mergers and acquisitions: If we take steps to enter into a reorganization, restructuring, merger, acquisition, or transfer of assets (“Business Transfer”), we may also use your personal data as reasonably necessary to give effect to that Business Transfer.
• Job applications: We may use your data to manage your job application process.
• Administering online education: We may use your data to manage your Anaplan online education account, to administer online courses, tests, and to issue certifications.
• Events and webinars: We may use your data to facilitate conferences, webinars, and other events.
• Compliance with law: Where required, we may use your data to comply with applicable laws, regulations, court orders, government, and law enforcement requests, to investigate security and privacy incidents, and to solve any customer disputes.
• Legal basis for processing: We process your personal data based on several different legal bases, as follows:
  • Based on necessity to perform contracts with you: When you access, use, or register for services, you form a contract with us based on the applicable terms of use or terms of service. We need to process your personal data to discharge our obligations in any such contract, fulfill your requests and orders, answer questions and requests from you, and provide tailored customer support.
  • Based on compliance with legal obligations: We may need to process your personal data to comply with relevant laws or regulatory requirements, and to respond to lawful requests, court orders, and legal processes.
  • Based on our legitimate interests: We process your personal data to send you invitations to relevant Anaplan products, services, and newsletters (unless you have opted out), understand which offerings may be relevant to you, and to improve our products, solutions, and business practices.
  • Based on your consent: In certain situations, we process your data based on your consent. When applicable, we will ask for your consent before we process your data. You have a right to withdraw your consent at any time.
• We may also use your personal data as instructed by you for other purposes, which we would describe to you when we collect the data.

• Anaplan entities: We may transfer your personal data to other Anaplan entities in the United States and internationally for the purposes outlined in this Statement.
• Service providers: We may disclose your data to affiliated and unaffiliated service providers such as our hosting, billing, collaboration, email service, analytics, advertising, customer service, event, or campaign management providers to help us with the activities described in this Statement. These companies are authorized to use your personal data only as necessary to provide these services to us or on our behalf.
• Trusted partners: We may partner with other companies that offer products or services related to ours or that host or sponsor-related events. We may disclose your data to these business partners if you express interest in such products, services, or events. If you provide your personal data to event sponsors at their booths or presentations, you should review their privacy policies to learn how they use personal data.
• Business transfers: If Anaplan is involved in a business transfer, you will be notified of any change in ownership or new uses of your personal data, as well as any choices you may have regarding your personal data.
• Compliance with law: We may also disclose your personal data as required by law or respond to valid legal requests.

Anaplan will not use or disclose your personal data in ways unrelated to those described above without first notifying you and offering you a choice as to whether we may use your personal data in a different manner.

In accordance with applicable laws, personal data covered by this Statement may be transferred to and processed outside of the country where you reside to Anaplan or its affiliates, subsidiaries, or service providers, including to the United States, Australia, Singapore, and other countries as we deem appropriate from time to time. These countries may not have equivalent privacy and data protection laws (and, in some cases, may not be as protective). We will protect your personal data in accordance with this Statement wherever it is processed. By submitting your personal data to Anaplan, you consent to such transfers and to the worldwide processing of your personal data.
 

Certain recipients (our service providers and/or Anaplan related entities) who process your personal data on our behalf may also transfer personal data outside the country in which you reside. Where such transfers occur, we will implement a transfer agreement to protect your personal data.
 

EU-U.S. transfer of personal data

When we transfer personal data out of the European Economic Area (“EEA”), Switzerland, and the UK to countries that do not benefit from an adequacy decision, as determined by the European Commission, we will rely on Standard Contractual Clauses approved by the European Commission and other contractual measures to ensure that adequate safeguards are in place with respect to the data. In addition to these measures, Anaplan complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) for transfers of personal data from the EEA, UK, and Switzerland.

Please note that we collect and process various types of personal data (e.g., business contact details, user account information, etc.) for the purposes described in this Privacy Statement. Individuals have the right to request access to, correction of, or deletion of their personal data. To submit a request regarding these rights, please use this form.
 

Data Privacy Framework

Anaplan Inc. (hereafter “Anaplan-U.S.”) has certified to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Anaplan-U.S. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF as well as from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Anaplan-U.S. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the DPF, if we use your personal data for a materially different purpose than originally disclosed, or if we share it with third parties not previously identified in this Privacy Statement, we will offer you the opportunity to opt out (or opt in if required for sensitive data) before such use or disclosure.
 

Anaplan-U.S. is responsible for the processing of personal data it receives, under the DPF, and subsequently transfers to a third party acting as an agent on its behalf. In the context of onward transfers, Anaplan-U.S. remains liable under the DPF Principles if its agent processes personal data in a manner inconsistent with the Principles, unless Anaplan-U.S. proves it is not responsible for the event giving rise to the damage. 
 

Anaplan-U.S. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Anaplan-U.S. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.   
 

If you have any questions, concerns, or complaints regarding our handling of personal data under the DPF, please contact us at privacy@anaplan.com. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Anaplan-U.S. commits to refer unresolved complaints concerning its handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to our TRUSTe, an alternative dispute resolution provider based in the United States (free of charge). If you have an unresolved DPF-related privacy or data concern that we have not addressed satisfactorily, please contact TRUSTe via this form.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.
 

APEC Privacy Certifications
 

Anaplan’s global privacy practices, described in this Privacy Statement, comply with the Asia Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules system (“CBPRs”) and Privacy Recognition for Processors (“PRP”). The APEC CBPR system and PRP provides a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found on the CBPRs site. Our certifications apply to our business processes across our global operations that process and transfer personal data to/from our affiliates around the world. To view our certifications, please see the CBPRs system Compliance Directory and the APEC PRP Compliance Directory.
 

If you have an unresolved privacy or data concern related to Anaplan’s APEC Certification that we have not addressed satisfactorily, please contact our U.S.- based third-party dispute resolution provider (free of charge).

Depending on your location and subject to applicable laws, you may have certain data protection rights. You may exercise your rights of access and request corrections, suppression, objection, portability, and deletion under applicable data protection laws in accordance with the process outlined below.
 

• When Anaplan is acting as a "data controller," you can exercise your rights under applicable data protection laws directly with Anaplan by submitting a request through a Data Subject Rights request form.
  
• When Anaplan is acting as a "data processor," and you wish to exercise your privacy rights, Anaplan will direct you to the data controller under the applicable data protection laws.

Subject to limited exceptions under applicable law, if you are a natural person residing in Virginia, Colorado, Connecticut or Utah acting only in an individual or household context (not for commercial or employment purposes), you may have the right to (i) request to access or obtain a copy of personal data we hold about you, (ii) request that we correct inaccurate personal data, and (iii) request that we delete certain personal data we have collected from you, subject to certain exceptions under the law.
 

We may deny certain requests, or fulfill a request only in part, based on our legal rights and obligations. We will not discriminate against you if you exercise any of these rights under applicable laws.
 

To exercise your rights, please submit a Data Subject Rights request or call +1 (833) 312-0166. For your protection, we may only process requests with respect to the personal data associated with the email address that you use to send us your request, and we may need to verify your identity before processing your request. We will respond to your request within the timelines prescribed by applicable law.
 

California residents

If you are a California resident, you can find information about how we use your personal data and about your privacy rights in the California Privacy Notice section of this Statement.
 

Automated decision-making

Anaplan processes personal data using both manual and automated methods of processing. Automated methods are often used to assist our manual methods in accordance with applicable laws. In situations where automated decision-making may produce legal effects or significantly affect an individual, Anaplan will provide the individual with an opportunity to inquire about the decision or request a manual review.  Manual review may be conducted by Anaplan employees or trusted third-party business partners working on Anaplan's behalf.
 

Platform Users' Rights

Subject to limited exceptions under applicable law, Anaplan acknowledges that you may have the right to access, update, correct, and delete your personal data.
 

Please be advised that if we act as data processor/service provider to process personal data, we do so on behalf of our customers under the terms of a service agreement or similar agreement, and the data you have requested therefore is under the control of that customer. Accordingly, an individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his or her question to the applicable customer. If the customer requests Anaplan to remove the personal data to comply with data protection regulations, Anaplan will assist the customer with such removal in accordance with customer’s instructions and subject to Anaplan’s ability to access the data as needed to respond to the request.

This Notice supplements information contained in Anaplan’s Privacy Statement and  applies solely to residents of the State of California (“consumers” or “you”). Anaplan adopts this Notice and Statement to comply with the California Consumer Privacy Act of 2018 and its regulations (“CCPA”) and the subsequent California Privacy Rights Act of 2020 “CPRA”. Any terms defined in the CCPA and/or CPRA have the same meaning when used in this Notice and Statement. This Notice and Statement does not reflect our collection, use, or disclosure of California residents’ personal information where an exception under the CCPA and/or CPRA applies.
 

Collection of personal information

Please see the “What personal information we collect and how we collect it” section earlier in this Statement to understand the sources from which we get personal information.
 

We listed below categories of personal information we collect about California residents and that we have collected in the preceding 12 months. These categories correspond with the following categories listed in the CCPA’s definition of personal information:
 

• Identifiers: First and last name, address/billing address, telephone number, email address, user name, and IP address.
  
• Personal information categories listed in the California Customer Records Act (Cal. Civ. Code § 1798.80(e)): First and last name, date of birth, address, telephone number, bank account number, and other financial information.
  
• Characteristics of protected classifications under California or federal law: Age, gender, diversity, and inclusion information.
  
• Audio, electronic, visual, thermal, olfactory, or similar information: Video and voice recordings.
  
• Internet or network information: Browser type, internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data, the approximate physical location associated with your IP address.
  
• Professional or employment information: Your job title and organizational affiliation, professional certification details, and employment history.
   

Sharing of personal information

Please see the “To whom do we disclose personal information” section earlier in this Statement to understand how we may disclose your personal information.

We only collect sensitive personal information, as the CCPA defines this term, if you voluntarily disclose it to us. Please see “How we use your personal information” above for information about the purposes for which we use your personal information. We do not “sell” or “share” (as the CCPA and/or CPRA defines these terms) personal information about you. We obtain your consent and direction before disclosing personal information to our partners.
 

Additional subject rights:
 

If you are a California resident, you have the following rights:
 

• Right to Know: You may request access to personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you. You may only exercise your right to know twice within a 12-month period.
  
• Right to Correct: You may request that we correct inaccurate Personal Information that we have collected about you.
  
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  
• Right to Opt-out: of the “sale” or “sharing” of your personal information. We did not sell or share your personal information in the preceding 12 months, including for cross-context behavioral advertising.
  
• Right to Limit: the use and disclosure of sensitive personal information. We do not use or disclose sensitive personal information for purposes other than those specified in Cal. Civil Code 1798.121(a)To exercise your California privacy rights, submit a request using one of the methods described below, and provide the information required.
  
• Non-Discrimination: You may not be discriminated against because you exercise any of your rights under the CCPA, in violation of California Civil Code § 1798.125. including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.
   

To exercise your California privacy rights, submit a request using one of the methods described below, and provide the information required.
 

To exercise any privacy rights, please submit a Data Subject Rights request or by calling +1 (833) 312-0166. For your protection, we may only process requests with respect to the personal information associated with the email address that you use to send us your request, and we may need to verify your identity before processing your request. We will respond to your requests within the timelines prescribed by applicable law.
 

When a business sells your personal information, you have a right to opt out of such a sale. Anaplan does not sell, and in the preceding 12 months did not sell, California residents’ personal information. Anaplan does not have actual knowledge that it sells the personal information of minors under 16 years of age.

Verification
 

Only you, or someone legally authorized to act on your behalf, may make a request related to your personal information. You may designate an authorized agent by taking the steps outlined under "Authorized Agent" further below. In your request or in response to us seeking additional information, you, or your authorized agent, must provide sufficient information to allow us to reasonably verify that you are, in fact, the person whose personal information was collected which will depend on your prior interactions with us and the sensitivity of the personal information being requested. We may ask you for information to verify your identity and, if you do not provide enough information for us to reasonably verify your identity, we will not be able to fulfil your request. We will only use the personal information you provide to us in a request for the purposes of verifying your identity and to fulfill your request.
 

Authorized Agent

You can designate an authorized agent to make a request under the CCPA on your behalf if:
 

• The authorized agent is a natural person, or a business entity registered with the Secretary of State of California and the agent provides proof that you gave the agent signed permission to submit the request.
  
• You directly confirm with Anaplan that you provided the authorized agent with permission to submit the request.
   

If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please ensure that the authorized agent sends an email to privacy@anaplan.com with the subject line “California request to know/delete” and including the attachment of both the user in question and the Authorized agent’s ID with a notarized letter verifying the relationship (e.g., parent or guardian), and including detailed information about the relevant data.
 

If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.

California Shine the Light

Residents of the State of California, under California Civil Code § 1798.83, have the right to request a list of all third parties to which the company has disclosed personal information during the preceding year for direct marketing purposes from companies conducting business in California. Alternatively, the law provides that if the company has a privacy policy that gives either an opt-out or opt-in choice for use of your personal information by third parties (such as advertisers) for marketing purposes, the company may instead provide you with information about how to exercise your disclosure choice options.
 

This comprehensive Statement from Anaplan provides you with details about how you may either opt-out or opt-in to the use of your personal information by third parties for direct marketing purposes.