Privacy Supplement

Effective Date: April 8, 2019

Your privacy is important to us. This Products & Services Privacy Statement Supplement applies to the Esri products, services and related offerings that display or link to this Products & Services Privacy Statement Supplement (the "Products & Services"). Esri established this Products & Services Privacy Statement Supplement in order to clarify that the use of information to which it may be provided access in order to deliver Product & Services is more limited than the use of information covered by the general Esri Privacy Statement.

Esri complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and Switzerland to the United States.  Esri has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Esri is subject to the investigatory and enforcement powers of the Federal Trade Commission. Esri has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov/welcome ; to view Esri's certification, please visit https://www.privacyshield.gov/list.

Esri is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequent transfers to a third party acting as an agent on its behalf. Esri complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, the United Kingdom and Switzerland, including the onward transfer liability provisions.

Key offerings that fall within the scope of Products & Services include: ArcGIS Online, Esri Managed Cloud Services, Customer Support, and Professional Service engagements. Customers who utilize organization (cost-based) accounts of Products & Services, such as ArcGIS Online, expect a higher level of privacy assurance which is reflected in this Products & Services Privacy Statement Supplement, whereas consumers of public accounts are provided the privacy assurance level of the Esri Privacy Statement. Esri's marketing sites and other public websites are governed by the general Esri Privacy Statement.

The datasets within the scope of Products & Services can be broken down into four main areas: Customer data, Administrator data, Payment data, and Support data as described below.

Customer Data

Customer Data consists of all data including text, sound, video, or image files, and software, that are provided to Esri by, or on behalf of, you or your end users through the use of Esri Products & Services. Esri treats Customer Data as confidential in accordance with the terms of your orders for Products & Services.

Customer Data will be used only to provide customer the Products & Services including purposes compatible with providing those services. For example, we may use Customer Data to provide a personalized experience, improve service reliability, combat spam or other malware, or improve features and functionality of the Products & Services. Esri will not use Customer Data or derive information from it for any advertising or similar commercial purposes. Customer Data is not Administrator Data, Payment Data, or Support Data.

You have the choice to access your information and Customer Data and to correct, control or delete your information and Customer Data in our Products & Services by logging in to your account and making the appropriate changes. For more information about the features and functionality that enable you to control Customer Data, please review documentation specific to the Products & Services available through Trust.ArcGIS.com.

Administrator Data

This is information the customer provides about itself typically as part of marketing, sales, or contractual interactions with Esri, including for example its name, address, billing information, and some employee contact information. Esri may also collect other information about the customer and some employees, for example through its web sites, as part of that interaction. All of that information is Administrator Data, and is treated according to Esri's general Privacy Statement.

In contrast, having contracted with Esri for ArcGIS Online or other Products & Services, when the customer provides Esri access to its production, development or test environment, which may include personal information about its employees, customers, partners or suppliers (collectively "end users"), this is considered Customer Data and treated under the supplementary obligations of this Products & Services Privacy Statement Supplement.

Payment Data

Esri stores no payment instrument number information (e.g. credit card) within their systems for Products & Services. Esri utilizes a third party provider which has been audited by a Payment Card Industry Standard certified auditor to ensure your information remains secure. Payment information is transmitted directly to the provider via HTTPS for secure transmission so that payment data is never transmitted or stored by Esri Products & Services.

Support Data

Support Data is the information we collect when you contact or engage Esri for technical support. It includes information you submit in a support request or provide when you run an automated troubleshooter. It may also include information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files. In addition to using Support Data to resolve your support incident, we use Support Data to operate, improve and personalize the products and services we offer.

Support may be provided through phone, email, or online chat. With your permission, we may use Remote Access ("RA") to temporarily navigate your machine or, for certain Products & Services, you may add a support professional as an authorized user for a limited duration to view diagnostic data in order to resolve a support incident. Phone conversations, online chat sessions, or RA sessions with support professionals may be recorded and/or monitored. Support Data is subject to this Products & Services Privacy Statement Supplement.

Cookie Technologies

Esri may use cookies (small text files placed on a device's hard disk by a web service) or similar technologies to provide Products & Services. For example, cookies and similar technologies such as web beacons may be used to store a user's preferences and settings, to gather web analytics, to authenticate users, and to detect fraud. In addition to the cookies Esri may set when you visit Esri Products & Services sites, third parties that we have hired to provide certain services on our behalf, such as site analytics, may also set cookies when you visit Esri sites. To learn more about how to control cookies and similar technologies, please see your Internet browser's documentation. Choices you make regarding the use of cookies may impact your use of the Products & Services. Please be aware that many of our products and services require cookies when non-anonymous access is required.

On-Premises / Local Software

Some Products & Services may require, or may be enhanced by, the installation of local software (e.g., agents, device management applications) on a device.

By default, local software may transmit the following which they can opt-out of (i) data, which may include Customer Data, from a device or appliance to or from the Products & Services; or (ii) logs or error reports to Esri for troubleshooting purposes; (iii) data collected about the use and performance of the local software or the Products & Services that may be transmitted to Esri and analyzed to improve the quality, security, and integrity of the products and services we offer. For additional information on what is collected and sent, please review the Esri User Experience Improvement Program FAQ's.

Online Services and Data Location

Online Services are the subset of Esri Products & Services hosted by Esri, typically within a cloud infrastructure provider. Many Esri Online Services such as ArcGIS Online are intended for use by organizations. If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access the Online Services, the owner of the domain associated with your email address may: (i) control and administer your Online Services account and (ii) access and process your data, including the contents of your communications and files. Your use of the Online Services may be subject to your organization's policies, if any. If your organization is administering your use of the Esri Online Services, please direct your privacy inquiries to your administrator. Esri is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this Products & Services Privacy Statement Supplement.

Customer Data that Esri Online Services process on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Esri or its affiliates or subcontractors maintain facilities. You appoint Esri to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Online Services.

ArcGIS Online and Esri Managed Cloud Service's Advanced Plus offerings both currently only store Customer Data in the contiguous United States. Please visit Trust.ArcGIS.com or consult your agreement(s) for details.

Use of Subcontractors and Third parties

Esri may hire subcontractors to provide services on its behalf. Any such subcontractors will be permitted to obtain data from the Products & Services only to deliver the services Esri has retained them to provide and have agreed not to use data for any other purpose.

Esri's Products & Services may enable you to purchase, subscribe to, or use services, software, and content from companies other than Esri ("Third Party Offerings"). If you choose to purchase, subscribe to, or use a Third Party Offering, we may provide the third party with your Administrator Data. Subject to your contact preferences, the third party may use your Administrator Data to send you promotional communications. Use of that information and your use of a Third Party Offering will be governed by the third party's privacy statement and policies.

Disclosure of Data

Esri will not disclose Customer Data to law enforcement unless required by law. Should law enforcement contact Esri with a demand for Customer Data, Esri will attempt to redirect the law enforcement agency to request that data directly from you. If compelled to disclose Customer Data to law enforcement, then Esri will promptly notify you and provide you a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third party request for Customer Data (such as requests from customer's end users), Esri will promptly notify you unless prohibited by law. If Esri is not required by law to disclose the Customer Data, Esri will reject the request. If the request is valid and Esri could be compelled to disclose the requested information, Esri will attempt to redirect the third party to request the Customer Data from you.

Except as customer directs, Esri will not provide any third party: (1) direct, indirect, blanket or unfettered access to Customer Data; (2) the encryption keys used to secure Customer Data or the ability to break such encryption; or (3) any kind of access to Customer Data if Esri is aware that such data is used for purposes other than those stated in the request.

In support of the above, Esri may provide your basic contact information to the third party.

Esri will not disclose Customer Data, Administrator Data, Payment Data or Support Data outside of Esri or its controlled subsidiaries and affiliates except (1) as you direct, (2) with permission from an end user, (3) as described in this Products & Services Privacy Statement Supplement or in your agreement(s) with Esri, or (4) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may share Administrator Data with third parties for purposes of fraud prevention.

Security

Esri is committed to helping protect the security of your information. We have implemented and will maintain appropriate technical and organizational measures intended to protect your information against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

For more information about the security of Esri Products & Services, please visit Trust.ArcGIS.com or contact Esri's Software Security & Privacy Team at SoftwareSecurity@Esri.com.

Contacting Us

For more information about Esri's Product and Services information practices, please visit Trust.ArcGIS.com.

Questions regarding this Product & Services Privacy Statement Supplement or information practices should be directed to Privacy@Esri.com.

For information regarding Esri's general privacy practices please review the Esri Privacy Statement at http://www.esri.com/legal/privacy.

In compliance with the Privacy Shield Principles, Esri commits to resolve complaints about our collection or use of your personal information.  EU, United Kingdom and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Esri at  Privacy@Esri.com.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at  https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.