ThoughtSpot® Privacy Shield Policy


Effective as of July 8, 2020


ThoughtSpot, Inc. (“ThoughtSpot”, “our”, “we”, or “us”) complies with the EU‑U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework (collectively the “Framework”) set forth by the United States Department of Commerce with respect to the collection, use and retention of Personal Data transferred from the European Economic Area (“EEA”) and the United Kingdom, and Switzerland to the United States, respectively, as further described in the Scope section below. This Privacy Shield Policy (“Policy”) outlines our commitment to the Privacy Shield Principles (the “Principles”) and our practices for implementing the Principles. ThoughtSpot has certified to the Department of Commerce that it adheres to the Principles. If there is any conflict between the terms in this Policy and the Principles, the Principles shall govern to the extent of the conflict. ThoughtSpot’s Privacy Shield certification can be found here. To learn more about the Framework, please visit the Department of Commerce’s dedicated Privacy Shield website, located here.

Scope

ThoughtSpot complies with the Principles with respect to the Personal Data the company receives from its Customers or their Users in the EEA, the United Kingdom and Switzerland in connection with the use of (i) ThoughtSpot applications downloaded to a User’s Device (“Mobile Applications”); and (ii) ThoughtSpot’s hosted software applications (the “ThoughtSpot Cloud”) and related support services (“Support Services”), as well as expert services (including activation services, training and certification) (the “Expert Services”) that we provide to Customers. In this Policy, ThoughtSpot Cloud, Support Services and the Expert Services are collectively referred to as the “Service(s).”

Definitions

For the purposes of this Policy:

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Customer” means any entity that purchases the Service.

“Customer Data” means the electronic data uploaded into ThoughtSpot Cloud by or for a Customer or its Users.

“Device” means a mobile device.

“Partner” means an entity that sells the ThoughtSpot Service to Customers on behalf of ThoughtSpot.

“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by ThoughtSpot in the U.S. from the EEA, the United Kingdom or Switzerland in connection with the Service.

“Processor” means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.

“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

“User” means an individual authorized by Customer to access and use ThoughtSpot Cloud.

Types of Personal Data Collected

ThoughtSpot hosts and processes Customer Data, including any Personal Data contained therein, at the direction of and pursuant to the instructions of ThoughtSpot’s Customers. ThoughtSpot also collects several types of information from our Customers, including:

  • Information and correspondence our Customers and Users submit to us in connection with Expert Services or other requests related to our Service.
  • Information we receive from our Partners in connection with our Customers’ and Users’ use of the Service or in connection with services provided by our Partners on their behalf, including configuration of ThoughtSpot Cloud.
  • Information related to Users’ use of the Mobile Applications, including geographic location data and information regarding Users’ Devices and OS identification, login credentials, language, internet protocol address, settings, attributes, identifiers, and interactions and time zone.
  • The search text submitted by users of ThoughtSpot Cloud when using SearchIQ, our natural language processing functionality.
  • In addition, ThoughtSpot collects general information about its Customers, including a Customer’s company name and address, credit card information, banking information, billing and shipping information, and the Customer representative’s contact information (“General Information”) for billing and contracting purposes.

Purposes of Collection and Use

ThoughtSpot may use Personal Data submitted by our Customers and Users as necessary to provide the Service and Mobile Applications, including updating, enhancing, securing and maintaining ThoughtSpot Cloud and Mobile Applications and to carry out ThoughtSpot’s contractual obligations to its Customers. ThoughtSpot also obtains General Information in connection with providing the Service and maintaining ThoughtSpot’s relationships with its Customers and Partners. ThoughtSpot will only process Personal Data in ways that are compatible with the purpose that we collected it for, or for purposes the Customer or User later authorizes.

Third Party Disclosures

We may disclose Personal Data that our Customers and Users provide to our Service and Mobile Applications:

  • Within ThoughtSpot and any of our global subsidiaries. These companies will use your Personal Information in the same way as we can under this Policy;
  • To third party vendors, consultants, Partners and service providers we use to support our Service;
  • In connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company, in which case Personal Data held by us about our Customers will be among the assets transferred to the buyer or acquirer;
  • In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation or legal process;
  • With law enforcement officials, government authorities, or other third parties as necessary to comply with legal process or meet national security requirements; protect the rights, property, or safety of ThoughtSpot, its business partners, you, or others; or as otherwise required by applicable law.

Where required by the Framework, we enter into written agreements with those third-party agents and service providers restricting their access, use and disclosure of Personal Data in compliance with our Privacy Shield obligations. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with the Principles, including the onward transfer provisions, and to stop and remediate any unauthorized processing. Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of Personal Data that we transfer to them.

Access

Individuals in the EEA, the United Kingdom and Switzerland generally have the right to access their Personal Data. As an agent processing Personal Data on behalf of its Customers, ThoughtSpot does not own or control the Personal Data that it processes on behalf of its Customers or their Users and does not have a direct relationship with the Users whose Personal Data may be processed in connection with providing the Service. Since each Customer is in control of what information, including any Personal Data, it collects from its Users, how that information is used and disclosed, and how that information can be changed, Users of ThoughtSpot Cloud should contact the applicable Customer administrator with any inquiries about how to access or correct Personal Data contained in Customer Data. To the extent a User makes an access or correction request to ThoughtSpot, we will refer the request to the appropriate ThoughtSpot Customer and will support such Customer as needed in responding to any request.

To access or correct any General Information Customer has provided, the Customer should contact their ThoughtSpot account representative directly or by using the contact details in the section titled “How to Contact Us” below.

Choice

In accordance with the Principles, ThoughtSpot will offer Customers and Users choice to the extent it (i) discloses their Personal Data to third party Controllers, or (ii) uses their Personal Data for a purpose that is materially different from the purposes for which the Personal Data was originally collected or subsequently authorized by the Customer or User. To the extent required by the Principles, ThoughtSpot also will obtain opt‑in consent if it engages in certain uses or disclosures of Sensitive Data. Unless ThoughtSpot offers Customers and Users an appropriate choice, ThoughtSpot uses Personal Data only for purposes that are materially the same as those indicated in this Policy.

Liability for Onward Transfers

ThoughtSpot complies with the Privacy Shield’s Principle regarding accountability for onward transfers. ThoughtSpot remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless ThoughtSpot proves that it was not responsible for the event giving rise to the damage.

Dispute Resolution

If ThoughtSpot maintains your Personal Data in one of the Services within the scope of our Privacy Shield certification, you may direct any inquiries or complaints concerning our Privacy Shield compliance to [email protected], or in the U.S., EEA, the United Kingdom, or Switzerland by regular mail as indicated below. ThoughtSpot shall respond within 45 days. If your complaint cannot be resolved through ThoughtSpot’s internal processes, ThoughtSpot will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield. JAMS mediation may be commenced as provided for in the relevant JAMS rules. The mediator may propose any appropriate remedy, such as deletion of the relevant Personal Data, publicity for findings of non‑compliance, payment of compensation for losses incurred as a result of non‑compliance, or cessation of processing of Personal Data of the Customer or User who brought the complaint. The mediator, or the Customer or User, also may refer the matter to the U.S. Federal Trade Commission, which has Privacy Shield investigatory and enforcement powers over ThoughtSpot. Under certain circumstances, Customers and Users may be able to invoke binding arbitration to address complaints about ThoughtSpot’s compliance with the Principles.

How to Contact ThoughtSpot

If you have any questions about this Policy or our privacy practices, or if you need to update, change or remove your information, please email us at [email protected], call us at (800) 508-7008, or write to us at:

ThoughtSpot, Inc.
Attn: General Counsel
910 Hermosa Court
Sunnyvale, CA 94085


Changes to This Policy

This Policy may be changed from time to time, consistent with the requirements of the Principles. You can determine when this Policy was last revised by referring to the “Effective as of” date at the top of this page.