This Privacy Statement was updated on April 23, 2024.

We have created this Privacy Statement to demonstrate the firm commitment of LeanIX (hereinafter "We", "LeanIX", "Us" or "Our") to the individual's right to data protection and privacy. It outlines how LeanIX processes information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”). Processing in the context of this Privacy Statement means any collection, use, transmission, disclosure, erasure or any other similar operation based on Personal Data (hereinafter “Processing” or “Process”).

LeanIX is processing information including Personal Data about the users of www.leanix.net (and relevant subdomains) using cookies or similar technologies for the purposes set out in the Cookie Statement.

You will find further information and have the option to exercise your cookie preferences under the following link:

Who is the responsible entity?

The controller of this website is LeanIX GmbH, Friedrich-Ebert-Allee 37-39, 53113 Bonn, Germany, a fully owned subsidiary of the SAP group.

You can reach LeanIX's Data Protection Officer at dataprivacy@leanix.net.

This Privacy Statement applies to the collection and processing of personal data:

  • during the central operation of this website and other globally operated business activities by
    • LeanIX GmbH, Friedrich-Ebert-Allee 37-39, 53113 Bonn, Germany or other fully owned subsidiaries of the SAP group
    • a specific SAP group entity as may be stated in the Additional Country and Regional Specific Provisions at the end of this privacy statement.
  • in the context of a pre-contractual or contractual business relationship with you or your employer by a local SAP group entity
  • in the context of a registration form when LeanIX or a specific SAP group entity is directly collecting personal data for the purpose of registering to a service or event and is therefore presented as the relevant controller on this registration page or website by referencing this privacy statement. Where a registration form is presented on this website, the controller may vary depending on the actual offering or the purpose of the data collection, but it is in any case displayed on the individual registration form’s privacy statement.

You can reach LeanIX’s data protection officer any time at dataprivacy[@]leanix.net

For what purposes does LeanIX process your Personal Data and based on what legal basis?

Depending on the applicable law, the Processing of Personal Data is subject to a justification, sometimes referred to as legal basis.

LeanIX’s compliance with statutory obligations

  • LeanIX processes your Personal Data for the purpose of ensuring an adequate level of technical and organizational security of LeanIX’s products, services, online events, facilities, and premises. For this, LeanIX will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by LeanIX. This may comprise the use of Personal Data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity. We may further process your name, likeness, and other contact or compliance related data when you visit a local LeanIX or SAP affiliate or lab in the context of access management and video surveillance to protect the security and safety of Our locations and assets.
  • LeanIX and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige LeanIX to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through LeanIX’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOC's Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). LeanIX processes Personal Data to the extent necessary to comply with these legal requirements. Specifically, LeanIX processes Personal Data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, LeanIX will block the access to LeanIX’s services and systems and contact the user to confirm his or her identity.
  • If necessary, LeanIX uses Personal Data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of Our products and services or fraud, to assert Our rights or defend LeanIX against legal claims.
  • If necessary, LeanIX uses Personal Data to comply with data protection and unfair competition law related requirements. Depending on the country in which LeanIX or the relevant SAP Group company operates, LeanIX may process Personal Data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.

When ensuring compliance, LeanIX processes your Personal Data if and to the extent necessary to fulfill legal requirements under European Union or EU Member State law to which LeanIX is subject, and laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations).

LeanIX’s operation of Web Services

LeanIX processes your Personal Data to operate web presences, web offerings, or online events (“Web Services”)

  • to provide the Web Services and functions, create and administer your online account, updating, securing, troubleshooting the service, providing support, improving, and developing the Web Services, answering and fulfilling your requests or instructions.
  • to manage and ensure the security of Our Web Services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the Web Services terms, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on Our information technology systems.
  • to create specific user profiles that may be specific to a single Web Service of LeanIX, but also allows you to access LeanIX’s other Web Services. It is your choice whether or not to use any of these additional Web Services. If you do, LeanIX will make your Personal Data available to such other Web Service to provide you with initial access. Kindly note that without your consent for LeanIX to create such user profiles, LeanIX will not be able to offer such services to you where your consent is a statutory requirement that LeanIX can provide these services to you.
  • to process information that relates to your visit to Our Web Services to improve your user experience, identify your individual demand and to personalize the way We provide you with the information you are looking for. For this purpose, We collect information regardless of whether you register with a user profile or not.
  • to create your user profile for registration for LeanIX Connect Summit or similar events. Through the user profile you can share Personal Data about you with other users, such as your name, photo or email address, job title, and basic information about your company. The user profiles serve to personalize the interactions between the users (for example, by way of messaging or follow functionality) and to allow LeanIX to foster the collaboration and quality of communication through such offerings.
  • to share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar to promote the interaction between the participants and stimulate the communication and the exchange of ideas.

When operating LeanIX’s Web Services, LeanIX processes your Personal Data if and to the extent,

  • LeanIX obtained your consent, if required by law, to process your Personal Data for this purpose,
  • necessary to fulfill (pre-)contractual obligations with you,
  • necessary to fulfill legal requirements applicable to LeanIX,
  • necessary to pursue LeanIX’s legitimate interest to efficiently perform or manage LeanIX’s Web Services and business operation and assert or defend itself against legal claims. We believe that LeanIX’s interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain from processing for such purpose. In any of these cases, We duly factor into Our balancing test: the business purpose reasonably pursued by LeanIX in the given case, the categories, amount and sensitivity of Personal Data that is necessarily being processed, the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and the rights you have in relation to the processing activity.

LeanIX’s pursuit of business relationships

LeanIX processes Personal Data to pursue its business relationships with customers, partners, and others to fulfill pre-contractual and contractual business relations. This may include satisfying requests, processing orders, delivering an ordered product or service, or engaging in any other relevant action to establish, fulfill and maintain Our business relationships.

  • Products and services may include any of LeanIX’s cloud software products, web services, apps, online-forums, webinars and events, non-marketing related newsletters, white papers, tutorials, trainings, as well as other offerings like contests or sweepstakes. When you purchase or intend to purchase products or services from LeanIX on behalf of a corporate customer or are otherwise associated as contact person for the business relationship between LeanIX and a corporate customer or partner (“Customer Contact”), LeanIX will use your Personal Data for this purpose. More specifically, LeanIX may use your Personal Data to confirm your opening of an account, manage the contract execution, send you disclosures as may be required by law, notice of payments, and other information about Our products and services. LeanIX may respond to related inquiries, provide you with necessary support and process your feedback. In the context of your or your employer’s use of Our products or services, LeanIX may communicate with you by post, email, live chat, contact forms, phone or any other medium to resolve your, a user’s, or a customer’s question or complaint or to investigate suspicious transactions. In case of telephone calls or chat sessions, LeanIX may record such calls or chat sessions to improve the quality of LeanIX’s services after informing you accordingly during that call and, subject to applicable law, receiving your prior consent before the recording begins.
  • Customer Satisfaction: Within an existing business relationship between you or your employer and LeanIX, LeanIX processes your Personal Data to help Us understand how satisfied you are with the functionality and quality of Our products and services, to provide you with relevant information on Our latest product announcements, software updates or upgrades, events, special offers, and other information about LeanIX’s software and services that is relevant and useful to you.
  • To keep you up to date: Within an existing business relationship between you or your employer and LeanIX, LeanIX processes your Personal Data to inform you about LeanIX’s products or services which are similar or relate to products and services you or your employer have already purchased or used. LeanIX will inform you by email or phone about such news only as far as it is allowed by law, or if LeanIX has collected such information in the context of the business relationship. You are entitled to object to LeanIX’s use for this purpose at any time by selecting the opt-out option at the bottom of each marketing related approach. We aim to keep customers and prospects updated on upcoming events and LeanIX’s latest products and services. Further, We also desire to keep Our customers and partners satisfied with Our products and services and therefore ask them on a regular basis for their feedback. If possible, We may contact you to discuss further your interest in LeanIX services and offerings.
  • Feedback requests and surveys: To the extent allowed by applicable law, LeanIX may contact you for feedback regarding the improvement of the relevant material, product, or service. LeanIX may also invite you to participate in questionnaires and surveys. These will generally be designed so you can participate without having to provide information that identifies you as a participant. If you nonetheless provide your Personal Data, LeanIX will use it for the purpose stated in the questionnaire or survey or to improve its products and services.
  • Personalized Content: LeanIX processes information about your interactions with LeanIX across its various business areas and its offerings (your or your employer’s prior and current use of LeanIX products or services, your participation in and use of LeanIX’s web offerings, events, white papers, free trials or newsletters) to provide you with the requested products and services and to improve Our personal communications with you. This data may also be used to efficiently operate LeanIX’s business, which also includes: the automation and aggregation of data to support various analytic and statistical efforts, performance and predictive analytics and exploratory data science to support your customer journey and to fulfill such requests. To the extent permitted by law, LeanIX may combine and use such information in an aggregated manner to help Us understand your interests and business demands, develop Our business insight and marketing strategies, and to create, develop, deliver, and improve Our personalized communications with you. It may also be used by LeanIX to display relevant content on LeanIX owned or third-party websites.
  • Advertising IDs: LeanIX may create a hashed user ID to provide to third party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google). This information is then matched against the third party’s own user database to display to you more relevant LeanIX content.

When pursuing business relationships including engaging in direct marketing and sales activities, LeanIX may process your Personal Data if and to the extent

  • it is covered by your consent, provided your consent is required by law for LeanIX to process your Personal Data for this purpose,
  • necessary
    • to fulfill (pre-)contractual obligations with the company or other legal body you represent as a customer contact (legitimate interest to efficiently perform or manage LeanIX’s business operation),
    • to maintain Our business relationships with you or your employer,
    • to ensure your satisfaction as a user or customer contact,
    • to map the relevant group internal structures and bundle relevant business activities at central sources within the SAP Group to operate them uniformly and to provide you with information about other LeanIX products and services as indicated by your interest or demand, which may also comprise the combination about you from different sources (profiling) (legitimate interest to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of Our employees, customers, partners, and shareholders and to operate sustainable business relationship with LeanIX customers and partners).

LeanIX may provide you with this information to your postal address to pursue Our legitimate interest to address customers, prospects and targets for the purpose of advertising Our products and services, to your email address for the purpose of direct marketing of similar products or services provided that We (i) received your email address in connection with the purchase of Our products or services, (ii) you did not object to the use of your email address for direct advertising and (iii) We inform you in every approach that you may object to Our use of your email address for marketing purposes at any time, and by other electronic means (e.g., telephone, MMS) to the extent permitted under applicable law, generally either explicit or presumed consent.

  • the contract or pre-contractual relation relates to a company or other legal body and if LeanIX processes your Personal Data as Customer Contact to fulfill (pre-) contractual obligations with your employer (legitimate interest to efficiently perform or manage LeanIX’s business operation)
  • to maintain Our business relationships with you, ensure your satisfaction as a user or customer representative, and provide you with information about other LeanIX products and services as indicated by your interest or demand (legitimate interest to operate sustainable business relationship with LeanIX customers and partners).

What categories of Personal Data does LeanIX process?

LeanIX processes various types of personal data about the people we interact with when conducting our business or operating our various web presences and other communication channels. Depending on the individual case, this may comprise the following types of personal data:

Contact Data:

LeanIX processes the following categories of personal data as contact data: first name, last name, email addresses, postal address/location (country, state/province, city), telephone numbers, and your relationship history with LeanIX.

Personal data related to the business relationship with LeanIX:

In the context of established business relationships, LeanIX processes the business partner’s company name, industry, your job title and role, department and function and your company’s relationship history to LeanIX. If you provide a credit card number or bank details to order products or services, LeanIX will collect this information to process your payment for the requested products or services.

Compliance-related personal data:

If required by statutory law or regulation, LeanIX may process data categories like academic credentials, geolocation, business partner relevant information about e.g., significant litigation or other legal proceedings, and other export control or custom compliance relevant information.

Data generated through your use of, or participation in LeanIX's internet pages, web, or online offerings:

Usage data: LeanIX processes certain user-related information, e.g., info regarding your browser, operating system, or your IP address when you visit LeanIX’s web properties. We also process information regarding your use of our web offerings, like the pages you visit, the amount of time you spend on a page, the page which has referred you to our page and the links on our sites you select.

Registration data: LeanIX may process your contact data as set out above and other information which you may provide directly to LeanIX if you register for any of LeanIX's events or other web services.

Participation data: When you participate in webinars, virtual seminars, events, or other LeanIX web services, LeanIX may process your interactions with the relevant webservice to organize the event including its sessions, polls, surveys, or other interactions between LeanIX and/or its participants. Depending on the event and subject to a respective notification of the participants, LeanIX may collect audio and video recordings of the event or session.

Special categories of personal data:

In connection with the registration for an event, LeanIX may ask for your dietary preferences or information about possible disabilities for purposes of consideration for the health and well-being of our guests. Any collection of such information is always based on the consent of the participants. Kindly note that if you do not provide such information about dietary preferences, LeanIX may not have the opportunity to respond to such requests at the time of the event.

Personal data received during an application for a job at LeanIX:

LeanIX processes personal data of individuals applying for a job at LeanIX as set out in the privacy statement of the LeanIX Career Portal or equivalent website.

Personal data necessary for customer satisfaction:

To the extent permitted by law or based on your consent, LeanIX may combine the information we collect either directly or indirectly about specific users to ensure the completeness and correctness of the data and to help us better tailor our interactions with you and determine the information which best serves your respective interest or demand.

If LeanIX processes special categories of Personal Data under applicable law, LeanIX will ask you for your consent in a specific declaration.

From What Types of Third Parties does LeanIX obtain Personal Data?

LeanIX generally aims to collect Personal Data directly from you. If you are obliged by statutory law or contractual requirements to provide Personal Data to LeanIX and you fail to provide such Personal Data, then kindly note that LeanIX may not be able to provide you with the respective service and/or business relationship.

If you or applicable law allows Us to do so, We may obtain Personal Data also from Third Parties, which may include:

  • your employer in the context of its business relationship with LeanIX and/or the SAP Group,
  • third Parties you directed to share your Personal Data with LeanIX, 
  • third-party sources and publicly available sources like business-oriented social networks or information brokers.

When We collect Personal Data from Third Parties, established internal controls aim to ensure that the third-party source was permitted to provide this information to LeanIX and that We may use it for this purpose. LeanIX will treat this Personal Data according to this Privacy Statement and any additional restrictions imposed by the third party that provided the Personal Data to LeanIX or by applicable national law.

How long does LeanIX store your Personal Data?

LeanIX may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by LeanIX to assert or defend itself against legal claims. LeanIX will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. LeanIX only stores your Personal Data for as long as it is required:

  • for LeanIX to comply with statutory obligations to retain Personal Data, resulting, inter alia, from applicable export, finance, tax or commercial laws.
  • for the performance of a contract between you and LeanIX.
  • to fulfill LeanIX’s legitimate business purposes as further described in this Privacy Statement, unless you object to LeanIX’s use of your Personal Data for these purposes.
  • to process your Personal Data for this purpose and LeanIX obtained your consent, if required by law.

Who are the recipients of your Personal Data?

Your Personal Data will be transferred to or accessed by the following categories of third parties to process your Personal Data:

SAP Group entities:

Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of LeanIX and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here.

Service providers:

Third-party service providers: LeanIX may engage third-party service providers to process personal data on LeanIX’s behalf, e.g., for consulting or other services, the provision of the website, the fulfillment and provisioning of offers from LeanIX or newsletter dispatch. These service providers may receive or are granted access to personal data when rendering their services and will constitute recipients within the meaning of the relevant data protection law, including GDPR.

What are your data protection rights and how can you exercise them?

LeanIX honors your statutory rights when it comes to the Processing of your Personal Data. To the extent provided by applicable data protection laws, you have the right to:

  • Access your Personal Data that we have on you, or have it updated.
  • Data portability of the Personal Data you provided to LeanIX, if LeanIX uses your Personal Data based on your consent or to perform a contract with you. In this case, please contact dataprivacy@leanix.net and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. LeanIX will carefully consider your request and discuss with you how it can best be fulfilled.
  • Delete your Personal Data we hold about you. Please note, however, that LeanIX can or will delete your Personal Data only if there is no statutory obligation or prevailing right of LeanIX to retain it. If you request from LeanIX to delete your Personal Data, you may not be able to continue to use any LeanIX service that requires LeanIX’s use of your Personal Data.
  • Object against LeanIX further processing your Personal Data, if and to the extent LeanIX is processing your Personal Data based on its Legitimate Interest. When you object to LeanIX's processing of your Personal Data, LeanIX will carefully review your objection and cease further use of the relevant information, subject to LeanIX’s compelling legitimate grounds for continued use of the Personal Data, which may override your interest in objecting, or if LeanIX requires the information for the establishment, exercise, or defense of legal claims.
  • Object to direct marketing or to apply profiling in relation to direct marketing. When you object to LeanIX's processing of your Personal Data for direct marketing purposes, LeanIX will immediately cease to process your personal data for such purposes.
  • Revoke consent, wherever LeanIX is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, LeanIX will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by LeanIX to assert or defend against legal claims). In case LeanIX is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or to fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by LeanIX up to the point in time of your withdrawal. Furthermore, if your use of a LeanIX offering requires your prior consent, LeanIX will no longer be able to provide the relevant service, offer or event to you after your revocation.
  • Not be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
  • Lodge a complaint to the competent supervisory authority if you are not satisfied with how LeanIX is processing your Personal Data. Your competent supervisory authority can be found in the country specific section.

Depending on applicable local data protection laws, your rights may be subject to deviations, limitations, or exceptions as set out in the country specific section “B. Additional Country and Regional Specific Provisions”. Please be aware that LeanIX honors your statutory rights when it comes to the Processing of your Personal Data to the extent provided by applicable data protection laws.

How you can exercise your data protection rights.

Please direct any requests to exercise your rights to dataprivacy@leanix.net. LeanIX will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, LeanIX will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by LeanIX. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by LeanIX.

LeanIX will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

Can you use LeanIX’s services if you are a minor?

In general, this website is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you should not register and use any LeanIX offering.

Additional country and regional specific Provisions

Where LeanIX is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR

1. Who is the relevant Data Protection Authority?

You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart/Germany.

2. How does LeanIX justify international data transfers?

As a global group of companies, LeanIX has group affiliates and uses third party service providers also in countries outside the European Economic Area (the “EEA”). LeanIX may transfer your Personal Data to countries outside the EEA as part of LeanIX’s international business operations. If We transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, LeanIX uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to dataprivacy@leanix.net. You may also obtain more information from the European Commission on the international dimension of data protection here.

Where LeanIX is subject to privacy requirements in Australia

Where LeanIX is subject to the requirements of the Privacy Act 1988 (Cth) (‘Privacy Act’), the following applies:

LeanIX may store your Personal Data in paper-based files or as an electronic record in the Cloud or on physical devices e.g. computer systems. Your Personal Data will likely be held and stored by the SAP Group entity or another affiliate located in another country for our general business purposes including outsourcing and data processing. We will only do this where it is necessary or appropriate to achieve the purposes set out in this Privacy Statement. We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorized access, modification or disclosure.

You can contact Us either by the telephone number +61 2 9935 4939 or via email at dataprivacy@leanix.net to exercise the following rights:

  • You can request from LeanIX at any time access to information about which Personal Data LeanIX processes about you and, if necessary, the correction of such Personal Data. Please note, however, that LeanIX can or will delete your Personal Data only if there is no statutory obligation or prevailing right of LeanIX to retain it.
  • Wherever LeanIX is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, LeanIX will not process Personal Data subject to this consent any longer unless legally required to do so. In case LeanIX is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by LeanIX up to the point in time of your withdrawal.
  • In Australia, a complaint should first be made to LeanIX in writing as required by law. You can find more information about privacy and the protection of Personal Data on the Office of the Australian Information Commissioner website.

Where LeanIX is subject to privacy requirements in Colombia.

Where LeanIX is subject to the requirements of the Colombian Statutory Law 1581 of 2012 and Decree 1377 of 2013, the following applies:

Within Colombia you have the right to:

  • access, update and rectify your Personal Data.
  • Request evidence of your consent.
  • Upon request, receive information about how LeanIX Processes your Personal Data.
  • Lodge a complaint with the Superintendence of Industry and Commerce (“SIC”) about a violation of the applicable laws.
  • Revoke your consent and/or request the deletion of your Personal Data, provided that there is no supervenient legal or contractual obligation that allows LeanIX to keep your Personal Data in LeanIX’s databases.

SAP Colombia S.A. may Process your Personal Data by itself or on behalf of the SAP Group, with its main office located at Carrera 9 No 115 – 06, Edificio Tierra Firme Of. 2401 Bogotá D.C., Colombia. You can contact Us either by the telephone number +57-6003000 or via email at privacy[@]sap.com. LeanIX will be responsible for answering any requests, questions, and complaints that you might have regarding your right to access, update, correct and delete your Personal Data, or revoke your consent.

Where LeanIX is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”).

SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer can be sent via post to Avenida das Nações Unidas 14171 - Marble Tower – 7th Floor - São Paulo-SP, Brazil 04794-000 or email at privacy[@]sap.com.

Where LeanIX is subject to privacy requirements in the Philippines.

Where LeanIX is subject to the Philippine Data Privacy Act and its Implementing Rules and Regulations, the following applies:

  • When you request to update or correct your Personal Data, LeanIX may deny the request if it is manifestly unfounded, vexatious, or otherwise unreasonable.
  • When requesting the data portability of the Personal Data you provided to LeanIX, you must additionally specify the commonly used electronic or structured format in which you would like to receive the Personal Data.
  • When you request to object against the processing of your Personal Data: (i) You may do so if LeanIX is processing based on its Legitimate Interest. LeanIX will carefully review your objection and cease further use of the relevant information, unless LeanIX has another lawful basis for processing in Sections 12 and 13 of the Data Privacy Act. (ii) You can also object to the processing of your Personal Data for direct marketing, profiling, or in cases of automated processing where your Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect you.
  • You can reach out via email at dataprivacy@leanix.net to exercise your data protection rights.
  • Compensation can only be claimed when the National Privacy Commission or the courts have determined that you sustained damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms. You may likewise seek redress from the National Privacy Commission, but it must be clearly shown that you are the subject of a privacy violation, Personal Data breach, or are otherwise personally affected by a violation of the Data Privacy Act.

The contact details of your local Data Protection Officer/s are as follows:

  • Data Protection Officer, SAP Philippines Inc., 27th Floor NAC Tower, 32nd Street Bonifacio Global City, Taguig City, 1632; email: dpo_sap.ph@sap.com; telephone number: +632-8705-2500

Where LeanIX is subject to privacy requirements in South Africa.

Where LeanIX is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following applies: “Personal Data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA. “You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA. Systems Applications Products (Africa Region) Proprietary Limited Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmead (LeanIX South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.

You have the right to:

  • request details of personal information which We hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual, located here. If you believe that SAP South Africa as responsible party has utilized your Personal Information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa. You can contact Us via phone 011 325 6000, via post 1 Woodmead Drive, Woodmead, Johannesburg, South Africa 2148 or via email privacy[@]sap.com.
  • If you are not satisfied with the process above, you have the right to lodge a complaint with the Information Regulator via post JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017 or via email: complaints.IR[@]justice.gov.za or for enquiries: inforeg[@]justice.gov.za.

Where LeanIX is subject to privacy requirements in the United States of America.

Where LeanIX is subject to the requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), from hereon referred to as “CCPA” or where other US state laws have similar requirements, the following applies:

You have the right to:

  • Know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.
  • Delete personal information that the business has collected from the consumer, subject to certain exceptions.
  • Correct inaccurate personal information that a business maintains about a consumer.
  • Opt-out of the sale or sharing of their personal information by the business (where applicable).
  • Limit the use or disclosure of sensitive personal information by the business (subject to certain exceptions, where applicable).
  • Receive non-discriminatory treatment for the exercise of these rights.

How you can exercise your Data Protection Right.

To exercise these rights, or to limit the Sharing of your Personal Information, please contact us at privacy@leanix.net. In accordance with the verification process set forth under relevant US state law (as appropriate), LeanIX may require a more stringent verification process for deletion requests (or for Personal Data that is considered sensitive or valuable) to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If LeanIX must request additional information from you outside of information that is already maintained by LeanIX, LeanIX will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes. You can designate an authorized agent to submit requests to exercise your data protection rights to LeanIX. The agent must submit authorization to act on your behalf and, where required by relevant law, the agent must be appropriately registered.

Financial Incentives. LeanIX does not offer financial incentives in return for your consent to share your personal information, nor limit service offerings where you opt-out of such sharing (unless sharing is practically necessary to perform the relevant service).

Children’s Privacy. Given that no LeanIX offering is directed to users under 16 years of age, LeanIX does not sell or share the personal information of any minors under 16. If you are a parent or guardian and believe LeanIX collected information about your child, please contact LeanIX. LeanIX will take steps to delete the information as soon as possible.


Where LeanIX is subject to privacy requirements in Singapore.

Where LeanIX is subject to the requirements of Singapore’s Personal Data Protection Act (“PDPA”), the following applies:

  • You can request from LeanIX personal data about you that is in the possession or under the control of LeanIX and information about the ways in which such personal data has been or may have been used or disclosed by LeanIX within a year prior to this request. Please be informed that LeanIX is not obliged to accede to your request if any exceptions under the PDPA apply.
  • You may submit a request to have inaccurate/incomplete personal data corrected in our systems. Please be informed that LeanIX is not obliged to accede to your request if any exceptions under the PDPA apply.
  • Revoke consent: wherever LeanIX is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, LeanIX will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by LeanIX to assert or defend against legal claims). In case LeanIX is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or to fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by LeanIX up to the point in time of your withdrawal. Furthermore, if your use of a LeanIX offering requires your prior consent, LeanIX will no longer be able to provide the relevant service, offer or event to you after your revocation.
  • Lodge a complaint to the Personal Data Protection Commission (PDPC) if you are not satisfied with how LeanIX is processing your Personal Data.

SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer can be sent via post to Mapletree Business City, 30 Pasir Panjang Rd, #03-32, Singapore 117440 or email to privacy[@]sap.com with the subject “Data Protection Officer” or can be reached via phone +65 6664 6868.

Where LeanIX is subject to privacy requirements in South Korea.

Where LeanIX is subject to the requirements of the South Korea Personal Information Protection Act (“PIPA”), the following applies:

Your personal data may be processed globally. When personal data is processed across country borders, LeanIX complies with laws on the transfer of personal data between countries to keep your personal data protected. Your personal data may be transferred to, accessed or processed by the categories of third-parties as described above. 

How can you exercise your data protection rights?

SAP has appointed a local Chief Privacy Officer for South Korea.
Please direct any enquiries or requests via email at privacy[@]sap.com or via phone at +82-2-2194-2279.

Where LeanIX is subject to privacy requirements in Malaysia.

Where LeanIX is subject to the requirements of the Personal Data Protection Act (“PDPA”) of Malaysia, the following applies:

Written inquiries, requests or complaints can be sent to the Data Protection and Privacy Coordinator for Malaysia via email privacy[@]sap.com or can be reached via phone +60 3-2202 6000. LeanIX has implemented technology, security features and strict policy guidelines to safeguard the privacy of users’ Personal Data.

Where LeanIX is subject to privacy requirements in New Zealand

Where LeanIX is subject to the requirements of the Privacy Act 2020 (‘Privacy Act’), You have the right to:

  • request from LeanIX at any time access to information about which Personal Data LeanIX processes about you and, if necessary, the correction of such Personal Data. Please note, however, that LeanIX can or will delete your Personal Data only if there is no statutory obligation or prevailing right of LeanIX to retain it.
  • Withdraw your consent at any time by unsubscribing or giving Us respective notice of withdrawal, wherever LeanIX is processing your Personal Data based on your consent. In case of withdrawal, LeanIX will not process Personal Data subject to this consent any longer unless legally required to do so. In case LeanIX is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by LeanIX up to the point in time of your withdrawal.

Where LeanIX is subject to privacy requirements in Canada

Your Personal Data may be processed globally. If personal data is processed across country borders, LeanIX complies with laws on the transfer of Personal Data between countries to keep your personal data protected. It may, however, based on the laws of such countries be subject to access by local law enforcement.

Where LeanIX is subject to privacy requirements of Mexico.

Where LeanIX is subject to the requirements of the Mexican Federal Law for the Protection of Personal Data Held by Private Parties of 2010, the following applies:

You have the right to file a complaint with the National Institute of Transparency Access to Information and Protection of Personal Data (INAI) to assert any disagreement related to the processing of your Personal Data by LeanIX.

LeanIX reserves the right to change, modify, add or remove portions of this Privacy Statement at its sole discretion. In such case, LeanIX shall maintain available a complete version of LeanIX’s Privacy Statement. LeanIX will notify you of any change or modification to this Privacy Statement via the respective communication channel We have with you, e.g., at Our website.

Where LeanIX is subject to privacy requirements in India 

Where LeanIX is subject to the requirements of the Digital Personal Data Protection Act, 2023 (‘DPDPA’) the following applies:

As part of a global group of companies operating internationally, LeanIX has affiliates (the SAP Group) and third party service providers outside of the Indian region and will transfer your Personal Data to countries outside the India region, subject to any restrictions as may be notified by the Central Government in this regard.

You have the right to:

  • request from LeanIX at any time access to information about which Personal Data LeanIX processes about you and, if necessary, the correction, completion, update or deletion of such Personal Data. Please note, however, that LeanIX can or will delete your Personal Data only if there is no statutory obligation or prevailing right of LeanIX to retain it. If you request from LeanIX to delete your Personal Data, you may not be able to continue to use any LeanIX service that requires LeanIX’s use of your Personal Data.
  • Wherever LeanIX is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, LeanIX will not process Personal Data subject to this consent any longer unless legally required to do so. In case LeanIX is required to retain your Personal Data for legal reasons, your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by LeanIX up to the point in time of your withdrawal.
  • request from LeanIX the right to have readily available means of grievance redressal provided by LeanIX in respect of any act or omission of LeanIX regarding the performance of LeanIX’s obligations in relation to your Personal Data or your exercise of rights in relation thereto.
  • nominate any other individual who shall, in the event of your death or incapacity, exercise your data protection rights.

Please direct any requests/queries to exercise your rights to privacy[@]sap.com. In India, after exhausting the opportunity of redressing the right of grievance, you may lodge a complaint to the Data Protection Board of India.