Last Updated March 2023
Purpose and Scope
Acumatica, Inc. (“Acumatica,” “us” or “we”) provides this services privacy statement (“Privacy Statement”) to explain how we collect, use and share your personal information and your data protection rights when you purchase and use of our cloud-based enterprise resourcing platform and related services (such as our mobile application) that we provide to our customers (the “Services“).
In this Privacy Statement, the organizations that have procured and contracted for our Services are referred to as our “customers” and “users” or “you” refers to individuals authorized by our customers to use the Services. Further information about our Services is available here: https://www.acumatica.com/cloud-erp-software
This Privacy Statement addresses specific requirements that may apply depending on the country in which you are located and the data protection laws that apply. Please see the heading entitled “supplemental region-specific privacy requirements” for further information.
This Privacy Statement does not cover personal information that Acumatica processes in connection with the Services on behalf of our customers as a processor or service provider. If you have any specific questions about information processed for these purposes, please contact the relevant business (who will be the controller of this information).
This Privacy Statement also does not cover any information or data collected by Acumatica for other purposes outside of the Services. Please see our Website Privacy Statement for details on our privacy practices with respect to data collected on our websites and at events.
If there is a specific section of this Privacy Statement that you wish to read, you can most easily navigate to that section by clicking on the appropriate link below.
- Personal information Acumatica collects
- Cookies and other technologies
- How Acumatica uses personal information
- How Acumatica shares personal information
- Data retention
- Privacy Rights
- Changes to this Privacy Statement
- Contacting us
- Supplemental region-specific privacy requirements
Personal information Acumatica collects
Information you voluntarily provide
If you are a user, you may provide personal information to us through the Services. For example when you sign up to access and use the Services, when you contact customer support or send us an email or communicate with us in connection with the Services in any way (for example, to make a support request).
This information may include:
- Business contact information such as your name, contact details, country, job title and company;
- Marketing information (such as your contact preferences);
- Account log-in credentials (such as users IDs, passwords);
- Troubleshooting and support data (which is data you provide when you contact us for support and which include the Services you use and other details that help us provide support, such as contact or authentication data, the content of your chats and other communications with Acumatica).
If you communicate with us directly, we may retain a record of such communications.
Information we collect automatically
When you use the Services, we collect information automatically about your web browser, mobile, or other device and use of the Services. In some countries (like those in the European Economic Area), this information may be considered personal information.
This information may include:
Device specific information, such as your Internet Protocol (“IP”) address, device attributes (for example: hardware model, operating system, web browser version, as well as unique device identifiers and characteristics), connection information (for example, the name of your mobile operator or Internet Service Provider), browser type, language and time zone;
Product usage data, which may include the dates and times you access the Services, page views, which activities and features are used in our Services, crash logs, customer storage configuration settings, and technical data relating to devices accessing and using the Services and the performance of the Services in doing so. Our collection of this data, described in more detail below, allows us to provide more personalized high-quality services to you and to track usage of the Services.
Information we process on behalf of our Customers
When our customers use our Services to upload or store personal information about their customers, prospects, partners, employees and other personnel, we typically act as a processor or service provider and process such personal information on their behalf in accordance with our contract with our customer. This means such information is only processed for purposes of providing the Services and in accordance with our customer’s instructions.
Certain Services may request permission to access your location. Where you grant this permission, we will collect information about your location using GPS, wireless, or Bluetooth technology. You can control access to precise location information through your mobile device settings. We also may look up your IP address to determine your general location.
Cookies and other technologies
We use tracking technologies to automatically collect certain technical information from your web browser, mobile, or other device when you visit or use the Services, as further described above in the “Information we collection automatically” section. For further information about the types of cookies we use, why and how you can control cookies, see our Cookie Notice.
How Acumatica uses personal information
We use or disclose the personal information identified above for one or more of the following purposes (each a “Business Purpose”):
- To fulfil or meet the reason you provided the information (e.g., to send you product and service information).
- To send account related emails and respond to contact made by you.
- To personalize and develop our Services, and improve our offerings.
- To provide certain features or functionalities on the Services.
- To create, maintain, customize, and secure your account with us.
- To provide you with support, to communicate with you and respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To personalize our Services and to deliver content and product and service offerings, products, and services relevant to your interests
- To help maintain the safety, security, and integrity of our Services, services, databases, other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve the Services, and our products and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- To prevent illegal activity, fraud, and abuse.
- As described to you when collecting your personal information.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our users is among the assets transferred or liquidated.
How Acumatica shares personal information
We may share personal information for any other purposes listed above with the following third parties:
- Group companies and affiliates to assist with providing the Services;
- Affiliated persons or third-party service providers assisting us in the operation, management, improvement, research and analysis of the Services, including analytics providers, payment processors and marketing service providers;
- Government regulators, law enforcement authorities in accordance with applicable law or regulation;
- An actual or potential buyer (and it’s agents or advisors) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer that it must use your personal information only for the purposes disclosed in this Privacy Statement;
- Any other person with your consent to the disclosure.
In accordance with and as permitted by applicable law and regulations, Acumatica will retain your personal information as long as necessary to serve you, to maintain your account for as long as your account is active, or as otherwise as long as is necessary for the uses described in this Privacy Statement. For Acumatica’s hosted Services, its backup policy is set forth on the Acumatica SaaS FAQ page.
When your account expires or becomes disabled, Acumatica will retain your information for at least 30 days before it is permanently removed from all of Acumatica’s systems. Acumatica will retain information about its customers and their users as required by applicable regulations and to comply with its legal and reporting obligations, resolve disputes, enforce agreements, complete any outstanding transactions and for the detection and prevention of fraud.
Your privacy rights
If you wish to exercise any rights in relation to the personal information that Acumatica collects and uses about you (including rights of access, correction or deletion, where applicable), please contact us using the details provided below. Acumatica will fulfil any data protection rights requests in accordance with its obligations under applicable data protection laws.
Please see the heading “Supplemental region-specific privacy requirements” for further information about the specific rights you can exercise depending on the territory you are in and the data protection laws that apply.
The Services are not intended for anyone under the age of 18, and we do not intend to, or knowingly, collect or solicit personal information online from anyone under the age of 18. Accordingly, we do not knowingly “sell” or disclose personal information of anyone under the age of 18. If you are a parent or guardian and you believe we have collected information from your child in a manner not permitted by law, contact us using the contact details provided below under the “Contact Us” section. Acumatica will delete any personal information which it becomes aware it has received from a minor in accordance with applicable laws.
Changes to this Privacy Statement
Acumatica will occasionally update this Privacy Statement to reflect changes in services, laws and regulations, or privacy practices, as well as customer feedback. When Acumatica posts changes to this Privacy Statement, the “last updated” date at the top of this Privacy Statement will be revised. If there are material changes to this Privacy Statement or in how Acumatica will use your personal information, Acumatica will notify you by prominently posting a notice of such changes prior to implementing the change. Acumatica encourages you to periodically review this Privacy Statement to be informed of how Acumatica is protecting your personal information.
Acumatica welcomes your comments regarding this Privacy Statement. If you have questions about this Privacy Statement, please contact Acumatica at:
Mail: Acumatica, Inc.
Attn: Acumatica Privacy
3933 Lake Washington Blvd NE #350,
Kirkland, WA 98033
Supplemental region-specific privacy requirements
EEA and UK
If you are located in the EEA or the United Kingdom, the following will be incorporated into the Privacy Statement:
Legal basis for processing
We base our processing of your personal information on our legitimate interesting in operating, improving and administering the Services.
In some cases, we may also have a legal obligation to collect personal information from you.
If we ask you to provide personal information to comply with a legal requirement, we will make this clear at the relevant time and advise you whether the provision of personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “Contacting Us” heading above.
International Data Transfers
Your personal information may be transferred to, and processed in countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country and in some cases, may not be as protective.
Specifically, Acumatica is headquartered in the United States and the Services are mainly run from here. The data for our Services is hosted in the US, Canada and the UK and backs ups in other locations. Our UK and European customers provisioned in the UK. This means that when we collect your personal information we will process it in the US. Our service providers, who process personal information to help us provide the Services, may be located around the world. We have implemented appropriate safeguards, including entering into Standard Contractual Clauses approved by EEA and UK authorities where necessary to require that your personal information will remain protected in accordance with this Privacy Statement and applicable data protection laws. If you have any questions about our use of Standard Contractual Clauses, please contact us using the details set out in this Privacy Statement.
Specific rights for UK and EEA based visitors
You may have the following data protection rights:
- to access, correct, update or request deletion of your personal information;
- to object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “Contacting Us” heading.
- to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “Contacting Us” heading.
- similarly, if we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal information. For EEA residents please use the following website: https://edpb.europa.eu/about-edpb/board/members_en. UK residents should contact the ICO whose contact details can be found at ico.org.uk.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. If you request to exercise your rights above, we may require verification of your identity before we respond to any such request. Any requests to exercise the above-listed rights may be made to firstname.lastname@example.org.
The data controller of your personal information is Acumatica, Inc. who can be contacted using the contact details set out in this Privacy Statement.
If you are using the Services as a Californian resident, the following will be incorporated into the Privacy Statement:
Categories of personal information we collected about California residents
In the preceding twelve (12) months, we have collected the following categories of personal information:
|Category of personal information||Do we collect?||Do we disclose for Business Purposes?|
|A.||Name, contact information, and other identifiers such as a real name, alias, address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.||Yes||Yes|
|B.||Personal information categories listed in the California Customer Records statute, such as name, signature, physical characteristics or description, address, telephone number. Some personal information included in this category may overlap with other categories.||Yes||Yes|
|C.||Characteristics of protected classifications under California or federal law such as race, color, sex, age, religion, national origin, and disability.||Yes||Yes|
|D.||Commercial information such as records of products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.||Yes||Yes|
|E.||Biometric Information such as physiological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including facial recognition (subject to applicable laws and where relevant to the Services we provide to you).||Yes||Yes|
|F.||Usage data such as internet or other electronic network activity information, including, but not limited to, browsing history, clickstream data, search history, and information regarding a resident’s interaction with an internet website, application, or advertisement.||Yes||Yes|
|G.||Geolocation data such as precise geographic location information about a particular individual or device.||Yes||Yes|
|H.||Audio, video, sensory and other electronic data: audio, electronic, visual, or similar information such as, video footage, photographs, and call recordings.||Yes||Yes|
|I.||Professional or employment-related information, such as current or past job history or performance evaluations.||Yes||Yes|
|J.||Non-public education information, such as education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||Yes||Yes|
|K.||Profiles and Inferences such as inferences drawn from Personal Information to create a profile reflecting a resident’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes.||Yes||Yes|
|L.||Information qualified as “sensitive personal information” under California law, such as social security number, driver’s license, state identification number, passport number, financial information, precise geolocation, racial and ethnic origin (when hired for a position), the contents of communications where Acumatica is not an intended recipient, personal information collected and analyzed concerning health and other similar information.||Yes||Yes|
If you have specific questions about the personal information that we collect about you or would like to exercise any of your privacy rights, please see the section below titled “Exercising Your Rights” for the different ways you can contact us.
Categories of sources of personal information that we collect
- Directly from you. For example, when you sign up to access and use the Services, when you contact customer support or send us an email or communicate with us in connection with the Services in any way (for example, to make a support request).
- Directly and indirectly from activity on our Services. The section “Information we collect automatically” above describes the types of data that we collect.
- Service providers who provide services on our behalf such as those used to assist us in the operation, management, improvement, research and analysis of the Services, including analytics providers, payment processors and marketing service providers.
Business or commercial purposes
We may use the personal information identified above for one or more of Business Purposes identified in the section “How Acumatica uses personal information” above.
Sale or disclosure of personal information
When we disclose personal information for a Business Purpose, we enter into a contract that describes the purpose and requires the recipient to keep that personal information confidential and use only for performance of the contract, and not for any other purpose. We share or make your information available, including any personal information, in the circumstances described below.
We do not sell your personal information to third parties for business or commercial purposes, nor do we share personal information for cross-context behavioral advertising purposes. Accordingly, we do not knowingly sell or share the personal information of consumers under 16 years of age.
We may disclose personal information that we collect and use it as described in this Privacy Statement and any other applicable privacy notices or opt-ins that you receive to the following categories of third parties:
- Analytics providers;
- Payment processors;
- Other third party marketing service providers; and
- Affiliated persons or third-party service providers assisting us in the operation, management, improvement, research and analysis of the Services. Affiliated persons or our third party service providers may augment, extend, and combine non-personally identifiable information with data from additional third party sources in order to assist us with the above. Use of information by affiliated persons and third party service providers will be subject to this Privacy Statement or an agreement that is at least as restrictive as this Privacy Statement.
In the preceding twelve (12) months, we have disclosed the following categories of personal information for the purposes described in this Privacy Statement’s Section titled “How Acumatica uses personal information“:
- Category A: Identifiers such as those set forth above;
- Category B: Personal information categories listed in the California Customer Records statute
- Category F: Usage data, including Internet or other electronic network activity information;
- Category C: Demographic information / Classification characteristics;
- Category D: Commercial information;
- Category G: Geolocation data;
- Category H: Audio, video and other electronic data; and
- Category K: Profiles and inferences.
By way of reminder, personal information under California law does not include:
- Publicly available information from government records;
- De-identified or aggregated consumer information; and
- Information excluded from the scope of the California Consumer Privacy Act (“CCPA“), as amended by the California Privacy Rights Act (CPRA), including, without limitation:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Data protection rights for Californian residents
Right to Access Information and Data Portability Right
You may have the right under the CCPA to request that we disclose certain information to you about our collection and use of your personal information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information that we have collected about you.
- The categories of sources for the personal information that we have collected about you.
- Our business or commercial purpose for collecting or making available that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information that we have collected about you (also called a data portability request).
- If we disclosed your personal information for a Business Purpose, the Business Purpose for which such personal information was disclosed, and the personal information categories that each category of recipient obtained.
- If applicable, (1) the categories of your personal information that we have made available for valuable consideration; (2) the categories of third parties to whom such personal information was made available; and (3) the category or categories of personal information that we have made available to each category of third parties.
You also have a right to know if we have sold or shared your personal information for a business purpose. As mentioned above, we do not sell your personal information to third parties for business or commercial purposes, nor do we share personal information for cross-context behavioral advertising purposes.
Right to Delete
You may have the right under the CCPA to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) or vendor(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation or legal order.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Right to Correct Inaccurate Personal Information
You have the right to request that we correct inaccurate personal information that we maintain about you. We will take into account the nature of the personal information and the purposes for which we process it. We may require documentation from you in order to process your request, including your name, email address, phone number, and request details.
Right to Opt-Out of Sale or Sharing of Personal Information
We do not sell your personal information to third parties for business or commercial purposes, nor do we share personal information for cross-context behavioral advertising purposes. We also do not knowingly sell or share the personal information of consumers under 16 years of age.
Right to Limit the Use of Sensitive Personal Information
We do not process information that is subject to this limitation.
Right to not receive discriminatory treatment
You have the right to not receive discriminatory treatment for exercising your CCPA privacy rights. We do not use the fact that you have exercised or requested to exercise any CCPA rights for any purpose other than facilitating a response to your request.
Exercising Your Rights
To exercise the access, correction, data portability, and deletion rights described above, or to access this policy in an alternative format, please submit a verifiable consumer request to us by:
- Sending us an e-mail at email@example.com
- Completing and submitting a web form located here: https://www.acumatica.com/access-correct-delete-my-information-request/
Once we receive your request, we are required to verify that you are the person that is the subject of the request. The verification process consists of matching identifying information provided by you with the information we have about you in our records. Upon making a request, you will be asked to provide your name, email address, phone number, and request details. A confirmation email will be sent to the email address you provide to begin the process to verify your identity. If we cannot verify your identity, we will not be able to respond to your request.
Only you, or an authorized agent that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent’s identity to protect your personal information.
You may only make such a request for access or data portability twice within a twelve (12) month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We will respond to verifiable requests received from California residents as required by law. Any disclosures we provide will only cover the twelve (12) month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
As mentioned above, we will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time.
California Shine the Light Law
California Civil Code § 1798.83 permits users who are California residents to obtain from us once a year, free of charge, a list of third parties to whom we have disclosed personal information (if any) for direct marketing purposes in the preceding calendar year. If you are a California resident and you wish to make such a request, please send an e-mail with “California Privacy Rights” in the subject line to firstname.lastname@example.org. In your request, please attest to the fact that you are a California resident and provide a current California address. We will reply to valid requests by sending a response to the email address or physical address from which you submitted your request. Please note that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing and the relevant details required by the Shine the Light law will be included in our response.
If you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: email@example.com. When requesting removal, you must specify the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you do not follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the content or information. Removal of your information from the Services does not ensure complete or comprehensive removal of that information from our systems or the systems of our service providers. Please note that we are not required to delete information posted by you; our obligations under California law are satisfied so long as we anonymize the information or render it invisible to other users and the public.
If you are using the Services as a Canadian resident, the following will be incorporated into the Privacy Statement:
The Services and our privacy practices are compliant with The Personal Information Protection and Electronic Documents Act (“PIPEDA”) fair information principles. In addition to the disclosures made above, we:
- Have appointed a privacy officer to monitor our compliance with PIPEDA.
- Only collect personal information for the uses described herein.
- Only use and disclose personal information as described herein.
- Take reasonable steps to verify the accuracy of the personal information that we collect.
- Take appropriate safeguards to protect the personal information, as further described herein.
Data protection rights for Canadian residents
You have the right to request access to the existence, use and disclosure of your personal information. Additionally, you have the right to challenge the accuracy and completeness of the information and request to have it amended as appropriate. Finally, you have the right to challenge Acumatica’s compliance with the PIPEDA fair information principles by contacting our privacy officer. To exercise your rights under this Section, please send an e-mail to firstname.lastname@example.org or write us at the address listed above.