Last updated: May 4, 2020
European Union Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) and the laws of the United Kingdom and Switzerland require Sauce Labs to provide additional and different information about its data processing practices to data subjects in the European Economic Area (“EEA”), the United Kingdom and Switzerland (collectively, “EEA+”).
If you are located in the EEA+ and access our Services or otherwise provide us with your personal data in-person or via phone, email or mail, this Supplemental EEA+ Privacy Notice applies to you.
Who is the Data Controller?
If you are using our Services, the data controller is Sauce Labs Inc., 116 New Montgomery St, 3rd Floor, San Francisco, California, 94105 USA +1-855-677-0011.
If you are communicating with the personnel of a Sauce Labs entity in-person or via phone, email or mail, the data controller is the Sauce Labs entity with whom you are communicating and any other Sauce Labs entity with whom you or your organization does business. A list of our operating Affiliates and their addresses is available here.
Sauce Labs is a Data Processor on behalf of the applicable account holder with respect to Test Data (as defined in the Sauce Labs Privacy Notice) uploaded to an account in our Services.
What Are Our Legal Bases for Processing Personal Data?
We process your personal data on several different legal bases, as follows:
Contract Performance: Use of our Services is subject to our Conditions of Use and other applicable terms and conditions. We process the personal data of users of our Services as necessary to perform our contractual obligations in respect of such users or take steps at such users’ request prior to entering into a contract, pursuant to Article 6(1)(b) of the EU GDPR.
Legitimate Interests: We process the personal data of users of our Services as necessary to pursue the following legitimate interests, pursuant to Article 6(1)(f) of the EU GDPR: To provide users with a good user experience, to maintain and secure our Services, to manage and secure our events, to understand our users so that we can tailor our communications and services, including our marketing communications, to them, and to support and provide requested services and information to our users or customers. In these cases, we will ensure that your privacy and other fundamental interests do not override our legitimate interests.
Legal Obligations: If we are subject to a lawful access request, engaged in a legal proceeding or suspect a user of illegal conduct, we may need to process your personal data as necessary to comply with relevant laws, regulatory requirements and to respond to lawful requests, court orders, and legal process, pursuant to Article 6(1)(c) of the EU GDPR.
Consent: If we are required to obtain your consent to send you marketing communications, place certain cookies on your device, or engage in other processing activities associated with the Services, we may perform such processing on the basis of your consent if you have provided it, pursuant to Article 6(1)(a) of the EU GDPR. In such cases, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In such cases, providing your consent is voluntary, but we will not be able to provide you with a service for which we require your consent until we obtain such consent.
Vital Interests: In extenuating circumstances, we may need to process your personal data to protect the vital interests of you or another natural person, pursuant to Article 6(1)(d) of the EU GDPR.
Where Do We Transfer Personal Data and How Do We Protect Such Transfers?
We disclose your personal data to recipients in the following jurisdiction or jurisdictions outside of the EEA+ which provide adequate protection to personal data according to the European Commission: Canada. In each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective (see Article 45 of the EU GDPR).
We disclose your personal data to recipients in the following jurisdiction or jurisdictions outside of the EEA+ which do not provide adequate protection to personal data according to the European Commission: the United States of America. By entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC) as referred to in Article 46(5) of the EU GDPR or other adequate means, we have established that all such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer (including to our Affiliates outside the EEA+) is subject to appropriate onward transfer requirements as required by the applicable contract or applicable law. You can ask for a copy of such appropriate data transfer agreements by contacting firstname.lastname@example.org.
What Data Subject Rights Do You Have?
Under the conditions set out under the EU GDPR and any other national data protection laws in the EEA+, you have the following rights:
Right of access: You have the right to obtain from us confirmation as to whether your personal data is being processed, and, where that is the case, to request access to the personal data. The access information includes, among other things, the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data have been or will be disclosed. You have the right to obtain a copy of the personal data undergoing processing. Subject to applicable law, we may charge a reasonable fee for copies, based on administrative costs.
Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure: You have the right to ask us to erase your personal data to the extent it is not required for legally required purposes.
Right to restriction of processing: You have the right to request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes.
Right to data portability: You have the right to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us.
Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data by us and we can be required to no longer process your personal data. If you have a right to object and you exercise this right, your personal data will no longer be processed for such purposes by us. Exercising this right will not incur any cost. Such a right to object may not exist, in particular, if the processing of your personal data is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
Right to Submit Complaints: You have a right to lodge a complaint with a supervisory authority.
Please note that these rights may be limited under the applicable national data protection law. To exercise your rights please please visit our privacy request webform.
How Long Do We Retain Your Personal Data?
If you register for an account on our Services, we retain your personal data for as long as you have an account with us. If you provide your personal data in connection with a request for information or other services from us, we retain your personal data for as long as necessary to provide you with the requested information or services. We will delete, erase or anonymize your personal data within one month after your personal data is no longer necessary for us to provide you with any information or services you have requested, pursue any of the legitimate interests specified herein where the legitimate interest is not overridden by your fundamental rights or privacy interests, comply with any legal obligations to which we are subject, or defend any legal claim against us or support any legal claim made by us, including any potential appeal.
Are You Required to Provide Personal Data?
You are not required to provide any personal data to us, but if you do not provide any personal data to us, you may not be able to use certain features of our Services, such as those available to account holders. You can use our Services without consenting to cookies that are not strictly necessary; the only consequence is that our Services will be less tailored to you. You can also use our Services without consenting to receiving marketing communications from us; the only consequence is that you may not receive marketing communications that you may be interested in.