Privacy Policy
Coupa is committed to protecting and respecting your privacy. In this privacy policy (“Privacy Policy”), we explain how Coupa collects, uses, discloses and protects the Personal Information you submit to us, including, for example, when accessing and using Coupa websites or applying for job offerings.
Our Privacy Policy has been drafted to comply with applicable data privacy laws, in particular, the GDPR and the CCPA. If the GDPR or another Applicable Data Privacy Law does not apply to you, not all terms of this Privacy Policy may be relevant to you.
As used in this Privacy Policy,
- “Applicable Data Privacy Laws” may include (i) EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) other data protection laws applicable in member states of the EEA, (iii) the UK Data Protection Act 2018, (iv) any U.S. privacy, security, breach notification, or other data protection laws applicable to Personal Information, including but not limited to the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq (“CCPA”).
- “Coupa”, “we,” “our” and “us” means Coupa Software Inc. and its affiliates.
- “Coupa Platform” means any software and hardware that enables Coupa to provide our customers and their business partners with access to and use of the Coupa services, including the Coupa Supplier Portal.
- “Controller” or “Processor” (as applicable) for the purposes of the GDPR, other data protection laws applicable in member states of the European Union and other provisions related to data protection is Coupa Software Inc., 950 Tower Lane, 20th Floor, Foster City, CA 94404, USA.
- “Personal Information” generally has the same meaning as personal data or personal identifiable information (PII). Personal Information is defined in the data privacy laws applicable in your country. It includes any information relating to an identified or identifiable natural person. This means any individual who can be identified directly or indirectly by reference to an identifier such as name, identification number, location data, online identifiers (for example, IP addresses – if they can be used to identify you) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Put simply, this includes data which either by itself or with other data held by us or available to us, can be used to identify you.
Coupa’s role
Coupa is acting in the capacity of Controller when collecting and processing personal data on its own behalf and for its own purposes. This means situations in which Coupa determines the purposes and the means of such processing at its own discretion.
For certain services, Coupa has been retained by our customers to process personal data as a Processor. In such cases, Coupa shall process your personal data on behalf of and based on the specific instructions given by our customer as the Controller. The subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, together with the rights and obligations of the parties with respect to such processing will be covered by a data processing agreement (or equivalent terms) agreed between Coupa and our customer.
When a Coupa customer uploads personal data (typically contact information) of their business partners (suppliers, prospective suppliers or other) to the Coupa Platform, then the Coupa customer is the Controller of such personal data. If a business partner creates a supplier account on the Coupa Supplier Portal, then Coupa is the Controller of any personal data provided.
Coupa is committed to the following key principles:
Principle 1. We limit how, and with whom, we share your Personal Information.
Coupa will only share your Personal Information with others for the following purposes:
- at your request;
- to process or service a transaction or product authorized or requested by you; this may include sharing within the Coupa group of entities;
- when required by law to disclose such information to appropriate authorities;
- to companies that assist us in marketing, placement and servicing our products and services; for example, in order to support our information technology or to handle mailings on our behalf;
- to our event sponsors and partners in connection with event registrations and marketing events, which may include sharing Personal Information with our sponsors and partners for their own commercial purposes if permitted by applicable law without your consent (See “Marketing Information” section herein);
- to companies that assist us in our job recruiting efforts or evaluating job applications; and
- to our professional advisers.
We do not sell Personal Information for money but some third-party cookies on our website or some of our relationships with event sponsors and partners may be considered a “sale” or “sharing” as defined under the CCPA.
Principle 2. We collect only the information necessary to deliver the products and services you request.
Coupa collects only the Personal Information necessary to serve your needs, to protect against fraud, to fulfill legal and regulatory requirements, and for the other purposes set forth below:
Personal Information | Purpose | Legal Basis |
---|---|---|
Information we receive from you when (i) you visit www.coupa.com and other Coupa websites and (ii) any other information you subsequently provide to us orally, in writing or through the internet: this may include your full name, postal address, e-mail address, employer/business and professional information, job titles, telephone and fax numbers, demographic information, IP address | The Personal Information is used in providing the website and answering requests from you (e.g. if you choose to register to receive information about our products and services or if you enquire about these, we will use your Personal Information in order to respond). | The processing is necessary for the performance of a contract to which you are party or in order to take steps at the request of you prior to entering into a contract. Processing is necessary for the purposes of our legitimate interests, i.e. providing a website for information and use. Your consent (if such consent is required by law). |
Name, address, e-mail address and other information about your transactions and communications with us. | The Personal Information is used to process or service a transaction or product authorized or requested by you. | The processing is necessary for the performance of a contract to which you are party or in order to take steps at the request of you prior to entering into a contract. |
Name, address, e-mail address and other contact information | To periodically contact you to inform you of new products, events and/or services we provide or that we consider to be of interest to you, and to provide to our event sponsors and business partners which enables them to inform you of products or services they provide that they consider to be of interest to you. | Your consent (if such consent is required by law). |
IP address and other information submitted by your browser | To diagnose any problems with our server and administer our website and in line with our Cookie Policy. | Processing is necessary for the purposes of our legitimate interests, i.e. providing a website for information and use. Your consent (if such consent is required by law). |
Application data, including your name, address, email, phone number, CV/resume, birthdate, education and job history, candidate job titles, any personal information you elect to provide via cover letters or links to third party sites (e.g., LinkedIn, Twitter, GitHub, Portfolio, etc.), gender, race, disability or veteran status if you elect to share that information during the job application process, photograph, travel-related information such as frequent flyer numbers (if applicable), and visa-related personal information (if applicable), such as passport numbers, proof of citizenship, and birth certificates. | Processing is required to enable us to administer the recruiting process, including the set-up of an electronic job applicant HR file, managing your application, organizing interviews. We may retain your Personal Information following your unsuccessful application so that we may contact you in case of future job vacancies. Your data may also be shared with other Coupa group companies to consider your application for other job openings. | Primarily, the processing is necessary to take steps for entering into a contract with you. We also have a legitimate interest to (i) store your data for a period of up to 3 years (unless local legal or regulatory requirements prescribe a shorter period) following the conclusion of an unsuccessful application and/or (ii) to share it with the Coupa group of entities and/or (iii) to retain and use your data as far as necessary for the establishment, exercise or defence of legal claims. |
All of the above | For compliance with legal and regulatory requirements and corporate governance obligations. | Processing is necessary for compliance with legal obligations to which we are subject. |
Where you wish to provide us with Personal Information about another person, including colleagues or the persons you act on behalf of, you must ensure that you have their prior permission to do this. You must also share with them a copy of this Privacy Policy as well as any other relevant privacy statements (see above) before you ask them for this permission.
We collect Personal Information for the purposes described above when you visit www.coupa.com and other Coupa websites and from public sources, such as recruiting and business portals (e.g. www.linkedin.com, http://www.zoominfo.com/, https://clearbit.com/, http://www.echobot.de/). We may collect Personal Information from public registers and authorities (e.g. the UK’s Companies House, tax authorities, the Securities and Exchange Commission) to verify the information provided and to increase its quality for our products and services.
Principle 3. We establish safeguards to help ensure the security and confidentiality of your information.
Coupa restricts access to your information to our employees who need it to do their job. Employees with access to your information are required to strictly maintain the confidentiality of such information.
Coupa maintains physical, electronic and procedural safeguards that comply with industry standards to protect your company’s information. We routinely test our information systems and websites to help ensure that unauthorized access does not occur.
Principle 4. We keep your Personal Information for as long as it is necessary to do so to fulfil the purposes for which it was collected as described above.
The criteria we use to determine data retention periods for Personal Information include the following: (i) Retention in case of queries: We will retain it for a reasonable period after the relationship between us has ceased in case of queries from you; (ii) Retention in case of claims: We will retain it for the period in which you might legally bring claims against us; (iii) Retention in accordance with legal and regulatory requirements: We will consider whether we need to retain it after the period described in (ii) because of a legal or regulatory requirement, e.g. to comply with tax or fiscal duties; (iv) Retention in case of job applications: If you applied for a job offering with Coupa and have not been successful, your application data will be retained in our talent pool for a limited period as defined in Principle 2.
Give Us Your Feedback
Our goal is to protect your privacy. To comment or help us improve, please contact us via email (see email contacts below) or telephone (+1.650.931.3200). You may also contact us via written letter at Coupa’s address listed above. We may ask you to provide a copy of your proof of identity.
Email contacts
If you: | Contact: |
---|---|
Are a job applicant, employee or alumni | [email protected] |
Are a prospect, customer, partner or other contact receiving Coupa product and services information | [email protected] |
Have general questions about data privacy at Coupa | [email protected] |
Wish to contact the Coupa Data Protection Officer directly | [email protected] |
Are a supplier on the Coupa Platform | [email protected] |
If you consider that we are in breach of our obligations under data protection laws, you may lodge a complaint with the competent Data Protection Authority, which may be the supervisory authority in your country of residence or place of work, of an alleged violation of data protection laws.
Changes to this Privacy Policy
This privacy policy may be modified from time to time to comply with applicable laws or to conform to our current business practices. We will post any changes to this on our website and, if required by applicable law, will endeavor to notify you via your contact email. We encourage you to revisit the Privacy Policy that is posted on our web site from time to time to check for updates.
ADDITIONAL INFORMATION WE WANT YOU TO KNOW:
Transfers outside the EU/EEA. We also transfer the Personal Information we process to countries outside the European Economic Area (“EEA”) (e.g., when one of our service providers or equipment is based outside the EEA, such as for hosting your Personal Information). We have put in place adequate safeguards with respect to the protection of your privacy, fundamental rights and freedoms, and the exercise of your rights, e.g. we establish an adequate level of data protection, usually through EU Standard Contractual Clauses based on the EU commission’s model clauses or by way of compliance with the EU-U.S. Data Privacy Framework described below, as applicable.
Data Privacy Framework (DPF). Coupa complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Coupa has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Coupa has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view Coupa’s certification, please visit https://www.dataprivacyframework.gov/.
To see Coupa’s full DPF Statement and learn about how Coupa complies with the DPF principles, please visit the Coupa Data Privacy Framework Statement page.
Provision of Personal Information / Automated decision making. Please note that the Personal Information we collect from you is necessary for providing the services and the website to you. Failure to provide such data may not enable us to provide our services to you or make our website accessible. We do not use automatic decision-making or profiling of individuals.
Your Rights. You may have various rights under data privacy laws in your country or state. These may include (where required by law): the right to request access (right to know) to the Personal Information we hold about you; the right to rectification (right to correct) including to require us to correct inaccurate Personal Information; the right to request restriction of processing concerning you or to object to processing of your Personal Information, the right to request the erasure (right to delete) of your Personal Information where it is no longer necessary for us to retain it; the right to data portability including to obtain Personal Information in a commonly used machine readable format in certain circumstances such as where our processing of it is based on a consent; the right to opt out of sales or sharing of your Personal Information; the right to object to automated decision making including profiling (if any) that has a legal or significant effect on you as an individual; and the right to withdraw your consent to any processing for which you have previously given that consent.
Marketing Information. With your consent (if obtaining such consent is required by law), we will keep your name, address and contact details (including telephone numbers and email addresses) in our databases and may from time to time use that information to make you aware of our related products and services as well as updates on developments in our industry sector generally which may be of interest to you. We may contact you in writing, by telephone or email for this. If permitted by applicable law, we may share such information with our event sponsors and/or partners for their own commercial purposes without your consent. If at any time you decide that you do not want your contact details used or shared for these purposes, where applicable, you may object or revoke your consent for receiving marketing communications by following the instructions in the relevant marketing communication (e.g., clicking on the “Unsubscribe” button), by contacting us (see “Give Us Your Feedback” above), or, if applicable to the scenario, by visiting the preference center at https://www.coupa.com/preference-center.html.
Security Statement. We take reasonable precautions to protect your information. In particular, we implemented appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including as appropriate: (a) pseudonymisation (such as where data is separated from direct identifiers so that linkage to an identity is not possible without additional information that is held separately) and encryption, (b) protecting the ongoing confidentiality, integrity, availability and resilience of systems and services used to process your Personal Information, (c) providing the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident; and (d) maintaining a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures. When you submit information to us through our website, your information is protected both online and offline. All data transferred to/from the Coupa internal network, from/to an external entity, is encrypted to industry standards (256-bit encryption). Please keep in mind that messages you send to us by Internet e-mail may not be secure. We maintain appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of your personal information within our company. Only those employees who may require your information to perform a specific job are granted access to your organization’s identifiable information. Furthermore, all employees are kept up to date on our security and privacy practices.
Our Use of Cookies and Analytic Tools. Coupa uses “cookies” and analytic tools as further described in our Cookie Policy.
Third Party Websites. Our websites and mobile apps may contain links to third-party websites. If you follow these links, you will exit our websites or mobile apps. This privacy policy does not apply to websites of third parties. Coupa cannot accept liability for the use of your Personal Information by these third parties. Your use of these websites is at your own risk. For more information on how these third parties treat your Personal Information, please check their privacy policy (if available).