Effective Date: September 22, 2020
The collection and use of personal data collected by Xactly is limited to the purpose of providing the service for which the customer has engaged Xactly and for communication with visitors and potential customers who have provided their information.
In order to access certain portions of the Site, you will be required to register by providing certain limited information regarding you and the company you represent such as name, email address, address and phone number. Xactly collects this information and engages third parties to collect personal data to assist us for a variety of reasons, including personalizing your experience, contacting visitors to further discuss their interest in our company, when you register for a webinar or other informational offering, and sending information regarding Xactly, such as newsletters and events. Xactly and the third parties we engage may combine the information we collect with information obtained from other sources to help us improve its overall accuracy and completeness, and to help us better tailor our interactions with you. Any visitor and personal data collected by Xactly will not be distributed or shared with any third parties under any circumstance other than as outlined in this Policy. Customers can opt out of being contacted by us, or receiving such information from us, at any time by following the unsubscribe instructions contained in the email communications you receive or by unsubscribing at this link.
When you download our mobile application and use our services, we automatically collect information on the type of device and operating system version you use.
When you interact with the Site and Platforms, we strive to make that experience easy and meaningful. When you come to our Site and Platforms, our web server may send a cookie to your computer. Cookies are files that web browsers place on a computer’s hard drive and are used to tell us whether customers and visitors have visited the Site previously. Standing alone, cookies do not identify you personally. They merely recognize your browser. Unless you choose to identify yourself to Xactly by either requesting a download or registering for a demo or webinar, you remain anonymous to Xactly. If you do not accept cookies from the Site, you cannot access certain portions of the Site or Platforms without registering again each time you would like to access restricted information.
As is true of most websites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We use IP addresses to analyze trends, administer the Site, track user’s movement, and gather broad demographic information for aggregate use. IP addresses and other data that we automatically collect are not linked to personally identifiable information. We may work with partners or sponsors to provide access to content. When you access such content, we may share your personal data with the associated partners or sponsors.
We use mobile analytics software to allow us to better understand the functionality of our mobile software application on your phone. This mobile analytics software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from.
We display personal testimonials of satisfied customers on our Site in addition to other endorsements. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at firstname.lastname@example.org.
Xactly strives to comply with all applicable laws worldwide that are designed to protect your privacy. Although legal requirements may vary by jurisdictions, Xactly intends to adhere to the principles set forth in this Policy. Our goal is to provide protection for your personal data no matter where that personal data is collected, transferred, or retained.
Users from European Union (EU) member countries and Switzerland are provided with further information under the Privacy Shield section of this Policy.
Regardless of the country of origin or residence, Xactly may process your personal data in the U.S. Xactly collects and transfer to the U.S. personal data only:
• with your consent;
• to perform a contract with you or to provide a service to you;
• for purposes of communicating with you
• or to fulfill a compelling legitimate interest of Xactly in a manner that does not outweigh your rights and freedoms.
Xactly takes care to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Xactly and the practices described in this Policy. Xactly also minimizes the risk to your rights and freedoms by not collecting or storing sensitive information about you.
The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects.
This Policy is intended to provide you with information about what personal data Xactly collects about you and how it is used. If you have any questions, please contact us at email@example.com.
If you wish to confirm that Xactly is processing your personal data, or to have access to the personal data Xactly may have about you, please contact us at firstname.lastname@example.org.
You may also request information regarding:
• the purpose of the processing; the categories of personal data concerned;
• who else outside Xactly might have received the data from Xactly;
• what the source of the information was (if you didn’t provide it directly to Xactly);
• how long it will be stored.
You have a right to correct (rectify) the record of your personal data maintained by Xactly if it is inaccurate. You may request that Xactly erase that data or cease processing it, subject to certain exceptions. You may also request that Xactly cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how Xactly processes your personal data. When technically feasible, Xactly will—at your request—provide your personal data to you or transmit it directly to another controller.
Reasonable access to your personal data will be provided at no cost upon request made to Xactly at email@example.com. If access cannot be provided within a reasonable time frame, Xactly will provide you with a date when the information will be provided. If for some reason access is denied, Xactly will provide an explanation as to why access has been denied.
Xactly takes substantial precautions to protect data and information under its control from misuse, loss or alteration. We utilize some of the most advanced technology available today for internet security and are constantly taking measures to adjust to the changing security landscape. As such, Xactly maintains layered, defense in-depth security measures, including hosting our solution in a Tier IV (the highest recognized level) datacenter, to allow only authorized personnel access to your information. When you provide us with sensitive information (such as your login credentials) we transmit your personal data in an encrypted state. Unfortunately, no system can ensure complete security, and Xactly disclaims any liability resulting from use of the Site. If you have any questions regarding security on our Site, you can contact us at firstname.lastname@example.org.
The Site contains links to other web sites. Xactly is not responsible for the privacy practices or the content of these other web sites. Visitors are advised to check the privacy policies of other web sites to understand their policies. Accessing a linked web site may expose your private information.
Through this Policy, Xactly hereby informs you of the purpose for which it collects and uses personal data. Xactly will notify you in the event of any unintentional disclosure of your personal data to a third party. You have the option to limit the use of any personal data through the means described herein.
Xactly provides you with a choice to opt out of disclosure of your personal data to a third party or the use of personal data for something other than it was originally collected. If you would like to opt out, please contact email@example.com or write to us at the address below.
Xactly collects information under the direction of its customers, and has no direct relationship with the individuals whose personal data it processes. If you are an individual whose personal data was provided to Xactly by an Xactly customer (such customer the “data controller”) and would no longer like to be contacted by the data controller that uses our service, please contact the data controller that you interact with directly.
Xactly may transfer personal data to companies that help us provide our services to our customers and users such as an email service provider to send emails on our behalf and a career management partner to collect potential employee information. Transfers to these third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our customers.
We reserve the right to disclose personal data as required by law, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
In the event Xactly goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, your personal data will likely be among the assets transferred. You will be notified via either email or prominent notice on our Site for 30 days of any such change in ownership or control of your personal data.
Xactly shall use information collected for its relevant and intended purpose only. If there is any change of use of the personal data collected, Xactly shall inform you and gain your approval before making such changes of the use of the personal data collected. Further, Xactly shall take reasonable steps to ensure that the personal data collected is accurate and reliable for its intended use.
Upon request Xactly shall provide you with information about whether we hold any of your personal data and reasonable access, as required by law, to your personal data in order to confirm that it is correct or to amend or delete inaccurate information. If you need to correct, update, or remove personal data provided to Xactly, please contact Xactly at firstname.lastname@example.org or by our postal mail at the contact information listed below.
Xactly acknowledges that you have the right to access your personal data. Xactly has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct the query to the Xactly customer who provided the personal data to Xactly(such customer, the “data controller”). If the data controller needs to contact Xactly to request Xactly remove the data, such data controller can contact us at: email@example.com. We will endeavor to respond to all requests for within 30 days.
Xactly will retain your personal data and the personal data we process on behalf of our customers for as long as needed to provide services to our customers. Xactly will retain and use this personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Xactly Corporation (‘Xactly”) participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce. We are committed to subjecting all personal data received from European Union (EU) member countries, the United Kingdom, and Switzerland, respectively, to the United States in reliance on each Privacy Shield Framework and their applicable principles, respectively. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List. https://www.privacyshield.gov/list.
Recently, the European Court of Justice (CJEU) invalidated the EU-U.S. Privacy Shield program and ruled that standard contractual clauses (SCC) need to be evaluated on a case-by-case basis for transferring data from the EU. With this decision, you may be wondering how does this impact you and how Xactly manages data flows to the U.S.
Our standard DPA already includes the standard contractual clauses (SCC), click here to download our DPA. If you already have an executed DPA or SCC in place with Xactly, no further action is required. If you do not, please contact us at firstname.lastname@example.org to get them in place. Based on the CJEU’s ruling, as well as statements from the U.S. Secretary of Commerce and the European Commission, Xactly has begun work with the certification bodies to evaluate alternative assurance program options that will preserve the Privacy Shield program's core principles and standards for protecting personal data by commercial enterprises, along with a review of the standard contractual clauses that are already within our DPA.
Xactly is responsible for the processing of personal data it receives under each Privacy Shield Framework and subsequent transfers to a third party acting as an agent on its behalf. Xactly complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, the United Kingdom, and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Xactly is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Xactly remains committed to subjecting all personal data received from European Union (EU) member countries, the United Kingdom, and Switzerland, respectively, to the United States in reliance on each Privacy Shield Framework and their applicable principles, respectively.
Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Xactly has established internal mechanisms to verify its ongoing adherence to this Policy. Xactly encourages individuals covered by this Policy to raise any concerns about our processing of personal data by contacting us at: email@example.com or at the address listed below.
505 South Market Street
San Jose, CA 95113
After a complaint or concern is received, Xactly will work internally to resolve the issue. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Xactly is headquartered in San Jose, California, in the United States. Xactly has appointed an internal data protection officer for you to contact if you have any questions or concerns about Xactly’s personal data policies or practices. Xactly’s data protection officer’s name and contact information are as follows:
505 South Market Street
San Jose, CA 95113
Local Phone: +1.408.977.3132
This Policy may be amended from time to time. We will notify you by email sent to the e-mail address specified in your account or by means of a prominent notice on this Site prior to any material amendments becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
The General Data Protection Regulation (GDPR) is a European privacy law that took effect on May 25, 2018. This law is an important step forward in streamlining data protection requirements across the European Union.
Xactly is compliant with the requirements of GDPR and able to demonstrate compliance.
Last Modified: April 6, 2021
Xactly uses sub-processors to assist in providing Xactly’s service offerings (“Services”), as more fully described in the applicable subscription and services agreement (“Agreement”) entered into by and between the Customer named in such Agreement and Xactly. For purposes of this document, “Xactly” means the Xactly entity which is a party to the Agreement, as specified in the Agreement being Xactly Corporation, a company incorporated in Delaware, or Obero Technologies, Inc., a company incorporated in Canada, as applicable.
A sub-processor is any entity engaged by Xactly to process Personal Data on behalf of Xactly as a Processor and you as the Data Controller. A sub-processor has or will potentially have access to or process Personal Data. Xactly requires sub-processors to satisfy equivalent obligations as those required by Xactly as a Data Processor as more fully set forth in Xactly’s Data Processing Addendum (“DPA”).
The following is a list of Xactly sub-processors:
Xactly works with certain sub-processors to provide specific functionality within the Services. In order to provide the relevant functionality these sub-processors process Personal Data.
|Entity Name||Primary Purpose||Applicable Services|
|Akamai Technologies, Inc.||Content Delivery Network and Web Acceleration||Incent Suit, Insights|
|Amazon Web Services, Inc.||Cloud Services Provider and Content Delivery Network||AlignStar for Salesforce, SimplyComp|
|Cloudflare, Inc||Content Delivery Network and Web Acceleration||Incent Suite, Insights|
|Dimension Data||Cloud Service Provider and Content Delivery Network||Incent Suite, Insights|
|The Rocket Science Group, LLC (Mailchimp)||Customer Communication||Incent Suite, Insights|
|Microsoft Corporation||Cloud Service Provider and Content Delivery Network||Obero SPM, Xactly Commision Expense Accounting, Advanced Quota Planning|
|Pendo.io Inc.||Analytics Management Platform||All|
|Recurly, Inc.||Billing and Subscription Management||SimpleComp|
|Salesforce.com||Cloud Service Provider and Content Delivery Network||Express, AlignStar for Salesforce|
|Khoros, LLC||Customer Engagement Platform||All|
|Oracle Corporation and its affiliates||Cloud Service Provider and Content Delivery Network||Incent Suite, Insights|
|Salesforce.com, Inc.||Customer Relationship Management||All|
|SendGrid, Inc.||Customer Communication||SimplyComp|
|Workday, Inc.||Financial Management Application||All|
|Zendesk, Inc.||Customer Support and Document Management||Express, SimplyComp|
Xactly Affiliate Sub-Processors
Xactly may also engage one or more of the following affiliates as sub-processors to deliver some or all of the Services and may access Personal Data.
|Entity Name||Entity Country|
|Xactly Canada, Inc.||Canada|
|Xactly Corporation, Inc||United States|
|Xactly France SAS||France|
|Xactly Germany Gmbh||Germany|
|Xactly Limited||United Kingdom|
|Xactly Technologies India Private Limited||India|
|TopOpps, Inc.||United States|
As our business grows and evolves, the sub-processors we engage may also change. We will endeavor to provide the owner of customer’s account with notice of any new sub-processors to the extent required under the Agreement, along with posting such updates here.
Sign up for updates here.
Privacy Notice for California Residents
Effective Date: January 1, 2020
Xactly does not sell your personal information and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law. Similarly, we do not offer financial incentives associated with our collection, use, or disclosure of your personal information.
Information We Collect
Our Website collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("personal information"). In particular, the Xactly website, www.xactlycorp.com (“Website”), has collected the following categories of personal information from its consumers within the last twelve (12) months:
Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the California Consumer Privacy Act's (“CCPA”) scope, including but not limited to:
- health or medical information covered by
- the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- California Confidentiality of Medical Information Act (CMIA)
- clinical trial data
- health or medical information covered by
- personal information covered by certain sector-specific privacy laws:
- the Fair Credit Reporting Act (FRCA)
- the Gramm-Leach-Bliley Act (GLBA)
- California Financial Information Privacy Act (FIPA)
- the Driver's Privacy Protection Act of 1994
Xactly Corporation obtains the categories of personal information listed above from the following categories of sources:
- Directly from you or your agents. For example, from documents that you or your agents provide to us related to the services for which you engage us.
- Indirectly from you or your agents. For example, through information we collect from you in the course of providing services to you.
- Directly and indirectly from activity on our website (www.xactlycorp.com). For example, from submissions through our website portal or website usage details collected automatically.
- From third-parties that interact with us in connection with the services we perform. For example, from prospective customers when we prepare RFPS for our products or services.
Use of Personal Information
We may use, or disclose the personal information we collect for one or more of the following business purposes:
- To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with your consent, where required by law).
- To provide you with support and to respond to your inquiries.
- To provide, support, personalize, and develop our Website, products, and services.
- To create, maintain, customize, and secure your account with us.
- To help maintain the safety, security, and integrity of our Website, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Xactly Corporation's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Xactly Corporation about our Website users is among the assets transferred.
Xactly Corporation will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
Xactly Corporation may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We share your personal information with the following categories of third parties:
- Service providers
- Data aggregators
Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:
- Category A: Identifiers.
- Category B: California Customer Records personal information categories.
- Category D: Commercial information.
- Category F: Internet or other similar network activity.
- Category G: Geolocation data.
We disclose your personal information for a business purpose to the following categories of third parties:
- Service providers
- Data aggregators
Sales of Personal Information
In the preceding twelve (12) months, Company has not sold personal information
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that Xactly Corporation disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that Xactly Corporation delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable request to us by either:
- Completing the following form, click here
- Emailing us at firstname.lastname@example.org
- Calling us at 1-855-467-5740
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.
We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily usable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Other California Privacy Rights
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to email@example.com or write us at:
Attn: Data Privacy Officer
505 South Market Street
San Jose, CA 95113
Changes to Our Privacy Notice
Xactly Corporation reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice's effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
Attn: Data Privacy Officer
505 South Market Street
San Jose, CA 95113
Xactly recognizes that many of our customers are subject to at least some privacy-related laws that govern the handling of personal data. We seek to support our customers’ compliance with such laws by providing a comprehensive privacy and security program that includes technology, policies, practices, people and certifications.
Xactly has privacy and security policies that apply to all of our information handling practices.
• For information collected, Xactly provides assurances about the types of information collected, how that information may be used, and how that information may be shared.
• Xactly offers individuals the opportunity to manage their receipt of marketing and other non-transactional communications.
• Xactly offers individuals the opportunity to update or change the information they provide.
Xactly’s comprehensive privacy program includes ongoing education and communication with personnel and customers about current issues and best practices.
Internal Training and Communications for Xactly Personnel
• Xactly provides privacy training to all employees and contractors at hire and on an annual basis thereafter.
• Xactly regularly communicates with our personnel about our obligation to safeguard confidential information, including customer data and personal data.
Customer End User Awareness
• Xactly strongly encourages all of our customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks.
• Xactly maintains a proactive client communication process which includes notifying end users about specific privacy issues, when warranted.
• The Xactly help system contains information about implementing customer-controlled security settings within the application.
• The security section of the Trust Web site, accessed here https://trust.xactlycorp.com/security/, includes a security-related white paper.
For additional questions, or to be taken off our marketing lists, please send an e-mail to firstname.lastname@example.org or to the contact information above.