Last updated: 11 May 2023
European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the EU GDPR it forms part of the laws of the United Kingdom (“UK GDPR”) by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii) any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing (together, the “GDPR”) and Switzerland require Sauce Labs to provide additional and different information about its data processing practices to data subjects in the European Economic Area (“EEA”), the United Kingdom and Switzerland (collectively, “EEA+”).
Scope
If you are located in the EEA+ and access our Services or we collect, transmit, capture, or otherwise process your personal data, this Supplemental EEA+ Privacy Policy applies to you.
This Supplemental EEA+ Privacy Policy does not apply where:
You are not in the EEA+; or
Sauce Labs acts as a Processor and not a Controller.
Sauce Labs acts as a Processor on behalf of our customers where we process personal data contained in their Customer Data (as defined in the Sauce Labs Terms of Service) to provide our services to them. In these cases, we process that personal data on their behalf under the terms and conditions of our Sauce Labs Customer Data Processing Addendum.
Who is the Controller?
If you are using our Services, the Controller is Sauce Labs Inc, 450 Sansome Street, 9th Floor, San Francisco, California, 94111 USA +1-855-677-0011.
If you are communicating with the personnel of a Sauce Labs entity in-person or via phone, email or mail, the controllers are Sauce Labs Inc., the Sauce Labs entity with whom you are communicating and any other Sauce Labs entity with whom you or your organization does business.
What Are Our Legal Bases for Processing Personal Data?
We process your personal data on several different legal bases, as follows:
Contract Performance: We process the personal data of users of our Services as necessary to perform our contractual obligations to such users or take steps at such users’ request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
Legitimate Interests: We process the personal data of users of our Services as necessary to pursue the following legitimate interests, pursuant to Article 6(1)(f) of the GDPR: To provide users with a good user experience, to maintain and secure our Services, to manage and secure our events, to understand our users so that we can tailor our communications and services, including our marketing communications, to them, and to support and provide requested services and information to our users or customers. In these cases, we will ensure that your privacy and other fundamental interests do not override our legitimate interests.
Legal Obligations: If we are subject to a lawful access request, engaged in a legal proceeding or suspect a user of illegal conduct, we may need to process your personal data as necessary to comply with relevant laws, regulatory requirements and to respond to lawful requests, court orders, and legal process, pursuant to Article 6(1)(c) of the GDPR.
Consent: If we are required to obtain your consent to send you marketing communications, place certain cookies on your device, or engage in other processing activities associated with the Services, we may perform such processing on the basis of your consent if you have provided it, pursuant to Article 6(1)(a) of the GDPR. In such cases, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In such cases, providing your consent is voluntary, but we will not be able to provide you with a service for which we require your consent until we obtain such consent.
Vital Interests: In extenuating circumstances, we may need to process your personal data to protect the vital interests of you or another natural person, pursuant to Article 6(1)(d) of the GDPR.
We have set out below the legal bases we rely on in respect of the relevant purposes for which we use your personal data, as further described in ‘How Do We Use Your Personal Information?’ in the Privacy Policy.
Data Types | Purposes | Legal Bases |
Contact Data | To communicate with you in relation to your account | Contract Performance |
To provide you with marketing communications, promotional offers and updates on new products and services | Legitimate Interests We have a legitimate interest in promoting our operations and goals as an organization and sending marketing communications for that purpose Consent, in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given marketing communications | |
To administer, secure, optimize, and run a Sauce Labs event, such as SauceCon, and improve future events | Contract Performance to administer Sauce Labs events in accordance with the terms or rules thereof In respect of securing, optimizing, and running Sauce Labs events and improving future events, these promotions and contests: Legitimate Interests – we have a legitimate interest in promoting Sauce Labs events, including associated publicizing of our business and operations; and Consent – in circumstances or in jurisdictions where consent is required under applicable data protection laws to the sending of any given promotional communications | |
Account Information | To create an account for you or the organization for which you work | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks |
To manage the account | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks | |
To fulfil your orders for products and services | Contract Performance Legitimate Interests We have a legitimate interest in using and authenticating your Account Information with a view to ensuring the ongoing security of our Services and associated systems and networks | |
Correspondence Data | To respond to any specific comments or questions you may have | Legitimate Interests We have a legitimate interest in responding to you where you have asked questions or made comments about our Services or Sauce Labs |
Technical Data and Usage Date | To provide, maintain, monitor, secure, debug, customize and optimize our Services | Legal Obligations Legitimate Interests We have a legitimate interest in ensuring the ongoing security and proper operation of our Services and associated systems and networks |
To develop and improve our products and Services | Legitimate Interests We have a legitimate interest in providing you with a good service, which is personalized to you and that remembers your selections and preferences Consent, in respect of any optional cookies used for this purpose | |
Publicly Available Information | To supplement the other personal data we hold about you in support of our sales and marketing activities | Legitimate Interests We have a legitimate interest in promoting our operations and goals as an organization and ensuring our marketing databases are accurate, relevant and up-to-date for that purpose |
Any and all data types relevant in the circumstances | To perform activities necessary to ensure compliance with applicable national, state, provincial and other applicable laws, and to respond to requests from government authorities | Legal Obligations Legitimate Interests Where Legal Obligations is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through cooperation with authorities. We may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our rights, property, and/or safety Vital Interests, where necessary in extenuating circumstances such as needing to protect the health or safety of a user or another natural person |
To protect the legal interests, health or safety of a user, us, or other third parties, such as in the event of a complaint or dispute, or to perform credit recovery procedures or credit assignments to authorized third parties | Legal Obligations Legitimate Interests Where Legal Obligations is not applicable, we have a legitimate interest in participating in, supporting, and following legal process and requests, including through co-operation with authorities. We may also have a legitimate interest in ensuring the protection, maintenance, and enforcement of our rights, property, and/or safety Vital Interests, where necessary in extenuating circumstances such as needing to protect the health or safety of a user or another natural person | |
Sharing amongst our Affiliates | Legitimate Interests We and our Affiliates have a legitimate interest in ensuring the effective and connected operation of our Group and to help to improve our and their services and business practices. | |
In the context of corporate events, we may share certain personal information in the context of actual or prospective business transactions (e.g., investments in Sauce Labs, financing of Sauce Labs, public stock offerings, or the sale, transfer or merger of all or part of our business, assets or shares), for example, we may need to share certain personal information with prospective counterparties and their advisers. We may also disclose your personal information to an acquirer, successor, or assignee of Sauce Labs. as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets | Legitimate Interests We and any relevant third parties have a legitimate interest in providing information to relevant third parties who are involved in an actual or prospective corporate event (including to enable them to investigate – and, where relevant, to continue to operate – all or relevant part(s) of our operations). However, we would always look to take steps to minimize the amount and sensitivity of any personal information shared in these contexts as possible and as we consider appropriate in the circumstances. |
Where Do We Transfer Personal Data and How Do We Protect Such Transfers?
We disclose your personal data only to recipients in the following jurisdictions outside of the EEA+:
jurisdictions deemed by the relevant bodies to provide an adequate level of protection for personal data which is equivalent to that provided by applicable data protection laws in the EEA+; and
other jurisdictions in circumstances where:
we have established specific appropriate safeguards, which are designed to give personal data effectively the same protection it has in the EEA+ – for example, standard-form contracts approved by the relevant bodies used for this purpose (e.g., the ‘Standard Contractual Clauses’ in the EEA, or the ‘International Data Transfer Agreement’ in the UK); or
we can rely on an exception, or ‘derogation’, which permits us to transfer your personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.
You can ask for more information, including a copy of such appropriate safeguards, by contacting privacy@saucelabs.com.
Privacy Shield Statement
Sauce Labs Inc complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union and Switzerland to the United States. Sauce Labs Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Although Sauce Labs Inc. adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, Sauce Labs Inc. does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data from the EU to third countries in light of the judgment of the Court of Justice of the EU in Case C-311/18. Nor do we rely on the Swiss-U.S. Privacy Shield Framework in light of the policy paper of the Swiss Federal Data Protection and Information Commissioner of September 8, 2020. To learn more, visit the U.S. Department of Commerce’s Privacy Shield website. Sauce Labs Inc. utilizes legally recognized mechanisms to facilitate the transfer of personal data from the European Union and Switzerland to the United States and other third countries as set out under ‘Where Do We Transfer Personal Data and How Do We Protect Such Transfers?’. If you have a question about a particular mechanism or safeguard used by us, please contact us using the contact details listed in the ‘Amendments; Contact Us’ section of the Privacy Policy.
What Data Subject Rights Do You Have?
Under the conditions set out under the GDPR and any other national data protection laws in the EEA+, you have the following rights:
Right of access: You have the right to obtain from us confirmation as to whether your personal data is being processed, and, where that is the case, to request access to the personal data. The access information includes, among other things, the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. You have the right to obtain a copy of the personal data undergoing processing. Subject to applicable law, we may charge a reasonable fee for copies, based on administrative costs.
Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure: You have the right to ask us to erase your personal data to the extent it is not required for legally required purposes.
Right to restriction of processing: You have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes.
Right to data portability: You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any cost. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
Right to Submit Complaints: You have a right to lodge a complaint with a supervisory authority. The contact information for the supervisory authority in your place of residence can be found below:
For users in the EEA+: https://edpb.europa.eu/about-edpb/board/members_en
For users in the UK: https://ico.org.uk/make-a-complaint/
For users in Switzerland: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
Please note that these rights may be limited under the applicable national data protection law. To submit a request to exercise your rights to delete or access your personal data, please visit our privacy request webform and request the appropriate request type(s). Alternatively, and to submit a request to exercise all other rights available under applicable laws, please contact us using the details set out in ‘Amendments; Contact Us’ in the Privacy Policy and specify which right you would like to exercise. If you have such rights and your request complies with the requirements under applicable laws, we will give effect to your rights as required by law. We may request specific information from you to help us confirm your identity and process your request.
How Long Do We Retain Your Personal Data?
If you register for an account on our Services, we retain your personal data for as long as you have an account with us. If you provide your personal data in connection with a request for information or other services from us, we retain your personal data for as long as necessary to provide you with the requested information or services. We will delete, erase or anonymize your personal data within one month after your personal data is no longer necessary for us to provide you with any information or services you have requested, pursue any of the legitimate interests specified herein where the legitimate interest is not overridden by your fundamental rights or privacy interests, comply with any legal obligations to which we are subject, or defend any legal claim against us or support any legal claim made by us, including any potential appeal.
Are You Required to Provide Personal Data?
You are not required to provide any personal data to us, but if you do not provide any personal data to us, you may not be able to use certain features of our Services, such as those available to account holders.
You can use our Services without consenting to cookies that are not strictly necessary; the only consequence is that our Services will be less tailored to you.
You can also use our Services without consenting to receiving marketing communications from us; the only consequence is that you may not receive marketing communications that you may be interested in.
