Privacy Statement

Last Updated: November 4, 2024

OneStream Software LLC (“OneStream”, “we” or “us”) provides Corporate Performance Management SaaS solutions and related services (the “Services”). This privacy policy covers the personal information that OneStream and its subsidiaries collect through their business relationships, via the public websites operated by OneStream and through other sources that post a link to this policy.

This policy informs you about how we collect, use, disclose, and store personal information in our role as a controller of personal information when you:

Interact or use our websites, including when you download materials from our resources page, request a demo, participate in an online chat, or ask us to contact you.

Register and/or attend our events, conferences, or webinars.

Subscribe to receive marketing materials.

Provide your personal information for the purposes of administering our services and managing our relationship with you in any manner e.g. to process an invoice for accounting purposes.

This policy also serves as a notice at collection by including the mandatory information to be disclosed at or before collection of your personal information pursuant to California’s applicable privacy laws and South Africa’s Protection of Personal Information Act. Please refer to Section 1 “What information does OneStream collect,” Section 2 “How does OneStream use your personal information,” and Section 3 “Legal Grounds to Use your Personal Information.”

This policy does not cover the processing by OneStream of any of its customers and partners’ personal information resulting from their use of OneStream Services. Such processing for Service performance purposes is covered by applicable Data Processing Terms which covers customers and partners use of the OneStream Services where OneStream acts as a processor. OneStream’s Data Processing Terms are available at https://www.onestream.com/saas-terms-and-conditions/.

What information does OneStream collect?

OneStream collects personal information you provide directly to us including:

1. Your name, business contact information, job title and similar information about your business role;
2. Marketing and communications data, such as your preferences in receiving marketing from us and third parties and other information related to events;
3. Any communications you send via or post on our websites including any online chat; and
4. Your inquiries related to the Services, whether provided by email or during telephone calls (including without limitation via call transcription or recording, subject to specific prior notice at the time of collection).

OneStream, or its Internet service provider(s) (“ISP”), may also collect:

• Technical data, such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website(s) or the Services.
• Usage data, such as information about how you use our website or the Services.
• Cookie data – please see our cookie policy here.

OneStream collects personal information indirectly from third parties including:

• Your personal information, as stored in our Customer Relationship Management (CRM) service provider platform, may be enriched or updated to ensure it is accurate and up to date, and so we achieve the purposes for which it was originally collected.
• Where legally permitted, we may also collect personal information through the use of third parties’ data sets and conference attendee lists, to further OneStream’s legitimate business interests.

OneStream does not contemplate that we will collect or process any personal information that qualifies as sensitive data under applicable privacy laws.

How does OneStream use your personal information?

OneStream uses personal information for the following purposes:

1. To provide Services to you and your organization (either directly or via our partner network);
2. To validate your use of the Services;
3. To analyze trends, administer websites, apps, and other resources and to maintain security;
4. To allow and support your use of our websites (including any online chat);
5. To communicate with you, including the processing of any of your requests through our websites; and
6. To provide offers by OneStream or third parties that might interest you in connection with our marketing and business development activities.

OneStream may use artificial intelligence (AI) systems (whether proprietary to OneStream or procured from third party providers) to process your personal information for the above purposes. No AI system will be used by OneStream to make any automatic decision affecting your rights without any additional disclosure or your prior consent.

Where OneStream anonymizes or deidentifies the information so that it is no longer personal information, we may use it for additional purposes.

1. Legal grounds to use your Personal Information

1. Providing Services

We use your personal information to provide Services to you in accordance with the Agreement that we have in place with you, or based on our legitimate interests, typically, either for billing, security, and contractual compliance purposes or business practice improvement.

Use of websites

Personal information used in connection with your use of our websites is based on our legitimate interest to allow and support your use of our websites, as well as to improve such websites and tailor their content.

1. Communication and Marketing

Use of your personal information for marketing purposes, including attending events, is based on your consent or OneStream’s legitimate interest. You always have the right to opt out of any direct marketing by clicking the “Unsubscribe” link in any marketing message or by emailing privacy@onestreamsoftware.com.

International transfers

OneStream may transfer your personal information within its group from the location where it was first collected pursuant to its Internal Data Transfer Agreement, which incorporates relevant Standard Contractual Clauses, or by other means approved by applicable law such as the EU-US Data Privacy Framework. Please see details below.

Information relating to individuals in the European Economic Area (“EEA”) and the United Kingdom (“UK”)

As a global service provider, OneStream may transfer personal information from the EEA or the UK to the United States and other countries, including personal information we receive from individuals residing in the EEA or the UK who visit our websites and/or who may use our Services or otherwise interact with us.

When OneStream engages in such transfers of personal information, it relies on:

- Adequacy Decisions, as adopted by:

1. the European Commission (“EC”), based on Article 45 of Regulation (EU) 2016/679 (GDPR). For more information, and to access the full list of countries deemed adequate to date, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions

1. the UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018. For more information, and to access the full list of countries deemed adequate to date, please visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/; or

- The European Commission’s Standard Contractual Clauses (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board. If you are a OneStream customer, to access our Data Processing Terms, please visit https://www.onestream.com/saas-terms-and-conditions/

Additionally, OneStream has carried out several transfer impact assessments (“TIA”) and regularly reviews the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK data protection laws.

Who are the third parties to whom we disclose your personal information?

We share and disclose information about you, including personal information, in the following limited circumstances:

Suppliers

We may share your personal information with third parties we employ to perform services on our behalf. These third parties include:

1. website analytics providers (please see the cookie policy for more detail),
2. tools we use to prevent spam and other security risks related to the abusive automated software,
3. marketing database management providers
4. product support platform providers
5. CRM service providers (e.g., Salesforce),
6. e-mail and other communication service providers,
7. AI system providers,
8. event partners that support OneStream events or other organisations that co-sponsor events
9. Professional services and training partners.

If OneStream receives your personal information and subsequently transfers that information to a third party for processing, OneStream remains responsible for ensuring that such third party, acting as a data processor, processes your personal information to the standard required by any applicable privacy laws. These transfers will typically be based on our legitimate interests or as agreed upon in or necessary to comply with the Agreement.

Business transfers

If we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal information may be one of the assets transferred to or acquired by the third party.

OneStream affiliates

We may also share your personal information within any OneStream affiliates for the purposes consistent with this privacy policy and based on our legitimate interests or contractual necessity.

Legal reasons

We reserve the right to access, read, preserve, and disclose any personal information as necessary to i) comply with a law or a court order, ii) enforce or apply our Agreements with you and other agreements, or iii) protect the interest, rights, property, or safety of OneStream, our affiliates, our employees, our users, or others.

Under certain circumstances, we may be required to disclose your personal information in response to valid requests by public authorities, including to meet national security or law enforcement requirements, based on our legitimate interests or legal obligations. OneStream does not voluntarily or actively transfer or disclose our customers’ personal information to the government or law enforcement authorities and/or otherwise grant any authorities access to your personal information. In the event of a valid request, we will take reasonable steps to minimise the personal information to be disclosed.

OneStream does not and will not sell your personal information to any third parties nor disclose it for cross-context behavioral advertising.

How long do we store your personal information?

We store your personal information for different time periods depending on the category of personal information and the nature of relationship that you have with us. We aim to keep your personal information as long as necessary to fulfil the purposes for which it was collected.

What security measures do we put in place to protect your personal information?

We use appropriate technical, organizational, and administrative security measures to protect any personal information we store against loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please see our Data Security Processes and Terms at https://www.onestream.com/saas-terms-and-conditions/. We require materially similar security measures from third parties that may receive your personal information.

How can I exercise my privacy rights?

You may have certain rights relating to your personal information, depending on the laws applicable in your jurisdiction. These rights may include, subject to any exceptions or limitations:

The right to know what personal information is being collected and for what purpose.

The right to know what personal information is being “sold” or “shared”, for what purpose and the categories of recipients of your personal information.

The right to access your personal information.

The right to have your personal information rectified, corrected or updated.

The right to have your personal information deleted, including from any third parties where your personal information has been sold, shared or disclosed.

The right to opt out of the “sale” or “sharing” of your personal information.

The right to object to the processing of your personal information.

The right not to be subject to any automated decision making and profiling.

The right to non-discrimination for exercising any of the rights listed above.

If you would like to exercise any of the privacy rights available to you, please email privacy@onestreamsoftware.com with your request. We will review your request under applicable privacy laws and respond to you promptly. If we are unable to comply with your request due to an exception or limitation, we will explain this to you in writing. If we need more information from you to validate your request, or more time to process it, we will inform you of the reason and extension period in writing.

For residents of South Africa, if you have cause for complaint then you can contact the South African Information Regulator using this link or contacting 010 023 5200, helpdesk@inforegulator.org.za

“Do Not Track” disclosure

Privacy regulations in the United States, such as the laws of California and Delaware, require OneStream to indicate whether it honors your browser’s “Do Not Track” settings concerning targeted advertising. OneStream’s website does not follow DNT settings and therefore does not follow responses to Do Not Track browser requests.

Does OneStream process the personal information of minors (under 18s)?

We do not knowingly collect or solicit personal information from anyone under the age of 18. If you are under 18, please do not visit our websites, do not attempt to register for any Services, nor send any personal information about yourself to us in any other way. If we learn that we have collected personal information from a person under age 18, we will delete that information promptly. If you believe that a person under 18 may have provided us their personal information, please contact us at privacy@onestreamsoftware.com.

EU-US Data Privacy Framework

OneStream complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.OneStream has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.OneStream has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-US DPF Principles, OneStream commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU/SWISS DPF Principles. European Union, UK and Swiss individuals with DPF inquiries or complaints should first contact privacy@onestreamsoftware.com. We will investigate and attempt to resolve any complaints or disputes regarding processing of personal information within 30 days of receiving your privacy complaint.

Any unresolved privacy complaints under the EU/SWISS DPF Principles will be referred to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by JAMS. This service will be provided free of charge to you and can be accessed via the following link: https://www.jamsadr.com/DPF-Dispute-Resolution.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2. OneStream is subject to the jurisdiction of the US Federal Trade Commission for the purposes of DPF enforcement.

Changes to this Notice

We are constantly trying to improve our websites and Services, so we may need to update this privacy policy from time to time. We will alert you about material changes by, for example, placing a notice on our website, customer portal and/or sending you an e-mail (if you have registered your e-mail with us) when we are required to do so by applicable law. You can see when this privacy policy was last updated by checking the date at the top of this page. You are responsible for periodically reviewing this privacy policy.

Contact us

OneStream Software LLC

191 N Chester Street

Birmingham, Michigan, 48009

United States

Telephone: +1 248-650-1430

Privacy Hotline: +1 866-467-8688, service code 1987

E-Mail: privacy@onestreamsoftware.com