Last Updated: 11 January 2024
OneStream Software LLC (“OneStream”, “we” or “us”) provides Corporate Performance Management SaaS solutions and related services (the “Services”). This privacy policy covers the personal information that OneStream and its subsidiaries collect through their business relationships, via this website and through other sources that post a link to this policy.
This policy informs you about how we collect, use, disclose, and store personal information in our role as a controller of personal information when you:
This policy also serves as a notice at collection by including the mandatory information to be disclosed at or before collection of your personal information pursuant to California’s applicable privacy laws and South Africa’s Protection of Personal Information Act. Please refer to Section 1 “What information does OneStream collect,” Section 2 “How does OneStream use your personal information,” and Section 3 “Legal Grounds to Use your Personal Information.”
This policy does not cover the processing by OneStream of any of its customers’ and partners’ personal information resulting from their use of OneStream Services. Such processing for Service performance purposes is covered by the applicable Data Processing Terms, which cover customers’ and partners’ use of the OneStream Services where OneStream acts as a processor. OneStream’s Data Processing Terms are available at https://www.onestream.com/saas-terms-and-conditions/.
OneStream collects personal information you provide directly to us including:
OneStream, or its Internet service provider(s) (“ISP”), may also collect:
OneStream collects personal information indirectly from third parties including:
OneStream does not contemplate that we will collect or process any personal information that qualifies as sensitive data under applicable privacy laws.
OneStream uses personal information for the following purposes:
Where OneStream anonymizes or deidentifies the information so that it is no longer personal information, we may use it for additional purposes.
1. Providing Services
We use your personal information to provide Services to you in accordance with the Agreement that we have in place with you, or based on our legitimate interests, typically, either for billing, security, and contractual compliance purposes or business practice improvement.
2. Use of websites
Personal information used in connection with your use of our websites is based on our legitimate interest to improve such websites and tailor their content.
3. Communication and Marketing
Use of your personal information for marketing purposes, including attending events, is based on your consent or OneStream’s legitimate interest. You always have the right to opt out of any direct marketing by clicking the “Unsubscribe” link in any marketing message or by emailing [email protected].
OneStream may transfer your personal information within its group from the location where it was first collected pursuant to its Internal Data Transfer Agreement, which incorporates relevant Standard Contractual Clauses, or by other means approved by applicable law such as the EU-US Data Privacy Framework.
Information relating to individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”)
As a global service provider, OneStream may transfer personal information from the EEA or the UK to the United States and other countries, including personal information we receive from individuals residing in the EEA or the UK who visit our websites and/or who may use our Services or otherwise interact with us.
When OneStream engages in such transfers of personal information, it relies on:
– Adequacy Decisions, as adopted by:
o the European Commission (“EC”), based on Article 45 of Regulation (EU) 2016/679 (GDPR). For more information, and to access the full list of countries deemed adequate to date, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions
o the UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018. For more information, and to access the full list of countries deemed adequate to date, please visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/; or
– The European Commission’s Standard Contractual Clauses (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board. If you are a OneStream customer, to access our Data Processing Terms, please visit https://www.onestream.com/saas-terms-and-conditions/
Additionally, OneStream has carried out several transfer impact assessments (“TIA”) and regularly reviews the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK data protection laws.
We share and disclose information about you, including personal information, in the following limited circumstances:
Suppliers
We may share your personal information with third parties we employ to perform services on our behalf. These third parties include:
Business transfers
If we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal information may be one of the assets transferred to or acquired by the third party.
OneStream affiliates
We may also share your personal information within any OneStream affiliates for the purposes consistent with this privacy policy and based on our legitimate interests or contractual necessity.
Legal reasons
We reserve the right to access, read, preserve, and disclose any personal information as necessary to i) comply with a law or a court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the interest, rights, property, or safety of OneStream, our affiliates, our employees, our users, or others.
Under certain circumstances, we may be required to disclose your personal information in response to valid requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations. OneStream does not voluntarily or actively transfer or disclose our customers’ personal information to the government or law enforcement authorities and/or otherwise grant any authorities access to your personal information. In the event of a valid request, we will take reasonable steps to minimise the personal information to be disclosed.
OneStream does not and will not sell your personal information to any third parties nor disclose it for cross-context behavioral advertising.
We store your personal information for different time periods depending on the category of personal information and the nature of relationship that you have with us. We aim to keep your personal information as long as necessary to fulfil the purposes for which it was collected.
We use appropriate technical, organizational, and administrative security measures to protect any personal information we store against loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please see our Data Security Processes and Terms at https://www.onestream.com/saas-terms-and-conditions/. We require materially similar security measures from third parties that may receive your personal information.
You may have certain rights relating to your personal information, depending on the laws applicable in your jurisdiction. These rights may include, subject to any exceptions or limitations:
We do not knowingly collect or solicit personal information from anyone under the age of 18. If you are under 18, please do not visit our websites, do not attempt to register for any Services, nor send any personal information about yourself to us in any other way. If we learn that we have collected personal information from a person under age 18, we will delete that information promptly. If you believe that a person under 18 may have provided us their personal information, please contact us at [email protected].
OneStream complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. OneStream has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. OneStream has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-US DPF Principles, OneStream commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU/SWISS DPF Principles. European Union, UK and Swiss individuals with DPF inquiries or complaints should first contact [email protected]. We will investigate and attempt to resolve any complaints or disputes regarding processing of personal information within 30 days of receiving your privacy complaint.
Any unresolved privacy complaints under the EU/SWISS DPF Principles will be referred to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by JAMS. This service will be provided free of charge to you and can be accessed via the following link: https://www.jamsadr.com/DPF-Dispute-Resolution.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2. OneStream is subject to the jurisdiction of the US Federal Trade Commission for the purposes of DPF enforcement.
We are constantly trying to improve our websites and Services, so we may need to update this privacy policy from time to time. We will alert you about material changes by, for example, placing a notice on our website, customer portal and/or sending you an e-mail (if you have registered your e-mail with us) when we are required to do so by applicable law. You can see when this privacy policy was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this privacy policy.
OneStream Software, LLC
191 N Chester Street, Birmingham, Michigan, 48009 United States
Telephone: +1 248-650-1430
E-Mail: [email protected]
For residents of California, OneStream’s privacy hotline is: 1-866-467-8688, service code 1987.