ThoughtSpot® Privacy Statement

 

Effective as of September 1, 2023

ThoughtSpot, Inc., together with its corporate affiliates, including Mode Analytics, Inc. (collectively “ThoughtSpot”, “we” or “us”), respects the privacy of its customers, business partners, event attendees, and website visitors. This Privacy Statement describes our privacy practices with respect to the collection, use, and disclosure of Personal Data (as defined below) obtained: (a) through the ThoughtSpot websites that link to this Privacy Statement ("Website"); (b) in connection with your purchase and use of our software-as-a-service and software products (“Products”) and related support and consulting services (“Services”); and (c) in connection with events hosted by us where we collect information from registrants and attendees (“Events”).

This Privacy Statement does not apply to third-party products, services, or businesses governed under separate terms, agreement, or privacy policy, or that are otherwise not offered under ThoughtSpot’s express agreements, regardless of whether they integrate with or interact with our Products (e.g., a Customer’s on-site repository, chosen cloud data warehouse, or a connected platform) (“Third-Party Services”). Product delivery, access, and use will be governed by separate terms signed between us and each Customer, under which the Customer will control its deployment of our Product and any data hosted therein. If you have any questions about specific Product settings or privacy practices, please contact the administrator assigned to that role in the related Product.

For the purposes of this Privacy Statement:

  • Authorized User” means an individual who was provided access credentials to access and use the Product by Customer, or otherwise using Customer’s account.
  • Customer” means the entity that purchases our Product, or if a Product is offered for free, the entity or individual that is subject to the applicable terms of use.  
  • Mobile Applications” means our applications you’ve downloaded to a mobile device.
  • Partner” means an entity that is a participant in a ThoughtSpot channel sales, technology, or other program to offer ThoughtSpot Products and Services for sale, or provide services, or technology to ThoughtSpot Customers.
  • Personal Data” means information about an identified or identifiable natural person.

If you have any questions or concerns about our use of your Personal Data, please contact us using the contact details provided at the bottom of this Privacy Statement.     

What Personal Data ThoughtSpot Collects

The types of Personal Data we collect will depend upon your interactions with ThoughtSpot. We may collect information directly from you when you use our Websites, attend our Events, or purchase or use our Products and Services. We may also collect information from trusted third-party sources and engage third-parties to collect Personal Data to assist us. The types of information we collect from you may include the following:

  • Contact Information. User credentials, name, employer, title, email address, physical address, phone number, and other contact information. For some Products (e.g., the Mode platform), we may enable profiles. This may include a photo of you, a short bio, links to your presence on social media sites, and other information you think other users might want to know about you. The information you submit for display in your profile, including any Personal Data, may be viewable by other users of the Mode platform based on the type and configuration of your account.
  • Payment and Billing Information. Financial information in connection with billing including, without limitation, billing information and shipping address.    
  • Demographic Information. On occasion, ThoughtSpot may collect demographic information, such as gender, race, ethnicity, veteran status, and age (where data is deemed “sensitive” under applicable data privacy laws, we will only process with your consent unless a recognized exception applies).
  • Event Information. Information related to your attendance at Events, including travel and contact information, scheduling information, food preferences or allergies and accessibility requests, and session ratings or other feedback.
  • Online Identifiers. Device and user identifiers, Internet protocol address or location data when you access the Website, Products, or Mobile Applications.
  • Device Information. Information relating to settings, attributes, identifiers, and interactions when you access the Website, Products, or Mobile Applications.
  • Search Queries. The search text submitted by Authorized Users of the Products when using our natural language processing functionality.     
  • Predictive Search Setup. Upon purchase and subject to Customer choices, a Customer may have the opportunity to store limited, selected information via search suggestion indexing and search cache features provided in the Products.
  • Mode Uploaded Content. For registered users of the Mode platform, you may upload data to the platform or post various queries, comments, analyses and other content on the data or work made available on the platform by other users. This content you provide (“Your Content”) will be viewable by other users of the platform in accordance with the privacy settings you specify when uploading, posting or otherwise creating Your Content on the platform in either Mode’s public or private function, as described in the Mode Terms of Service. If Your Content is posted in Mode’s public function, Your Content is deemed a contribution to the community, and Mode will treat such information as public information.
  • Products Operations Data and Usage Data. Information from our software or systems comprising our Products and from Customer systems, applications, and devices that are used to access the Products.
  • Authentication and Access Information. Information that provides access to the Products, such as username, passwords, and device identifiers.
  • Diagnostic Information. Diagnostic information may be contained in log files, event files, and other trace and diagnostic files.
  • Third-Party Services Information. A Customer can choose to permit or restrict Third-Party Services for its Product(s) and ThoughtSpot can receive Personal Data from such Third-Party Services.

Please note, Third-Party Services are typically software that integrate with our Product, and a Customer can permit its Authorized Users to enable and disable these integrations. ThoughtSpot may also develop and offer extensions that connect the Products with a Third-Party Service. Once enabled, the provider of a Third-Party Service may share certain information with ThoughtSpot. For example, if a cloud storage application you are using is enabled to permit files to be imported to a Product, that Product may host the username and email address of Authorized Users, along with additional information that the extension makes available to ThoughtSpot to facilitate the integration.

Customers should check the privacy settings and notices in these Third-Party Services to understand what data may be disclosed to ThoughtSpot. When a Third-Party Service is enabled, ThoughtSpot is authorized to connect and access the information made available to ThoughtSpot in accordance with our agreement with the provider of the Third-Party Service and any permission(s) granted by our Customer (including, by its Authorized User(s)). Examples of information which ThoughtSpot may receive in this manner include whether you successfully created a new account or interacted with a third-party application in a way that is attributable to ThoughtSpot usage activity.

How We Use Your Personal Data

We may use your Personal Data for the purposes of operating our business, delivering, improving, and customizing our Websites and Products, selling our Products and Services, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law. Some of the ways we may use Personal Data include:

  • To understand your preferences so we may enhance your experience with the Website, Products, and Services;
  • To send our Customers and Partners ThoughtSpot-related information, including confirmations, account verification, invoices, technical notices, updates, security alerts, and support and administrative messages;
  • To communicate with you about promotions, upcoming Events, or contact you for marketing purposes (in accordance with your marketing preferences), and provide you news about ThoughtSpot and our selected Partners’ products and services;
  • To help understand your needs by linking or combining information about you with other Personal Data we get from third-parties, to provide you with better and more personalized Website experience;
  • To enforce our terms and conditions or protect our business, Partners, or Authorized Users;
  • To operate, maintain, and provide the features and functionality of the Website;
  • To register you for Events you sign up for and populate profiles for you in our records;
  • For industry analysis, benchmarking, analytics, and marketing purposes;
  • For billing and contracting purposes;
  • To make recommendations to customers regarding their use of the Products;
  • To improve the Products and Services we offer;  
  • For tracking entitlements, providing support, monitoring, and ensuring the performance, integrity, and stability of the Products infrastructure and preventing or addressing service or technical issues;
  • For other legitimate business purposes when necessary, such as protecting ThoughtSpot’s confidential and proprietary information; and
  • To comply with legal obligations and operate our business.

If you are from the European Economic Area (“EEA”), our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which we collect it.

However, we will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Data from you.

You can edit your communication preferences at any time. See Controlling Your Personal Data below.

How We Share Your Personal Data    

We may share your Personal Data with third-parties for the purposes of operating our business, selling, delivering, and improving our Products and Services, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law, or otherwise with your consent.

We may share Personal Data in the following ways:

  • Within ThoughtSpot, Inc. and any of our global subsidiaries. Subsidiaries will use your Personal Data in the same way as we can under this Privacy Statement.
  • With third-party vendors, contractors, consultants and other service providers that perform services on our behalf. Examples include but are not limited to: processing of orders and credit card transactions, hosting websites, hosting Event registration, assisting with sales-related efforts or post-sales support, and providing our Products and Services.
  • Your profile information, Your Content, and other technical information relevant to your use of the Mode platform may be shared with other Authorized Users of the Product depending on the type and configuration of your Mode account, and your designation of Your Content.
  • In connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company.
  • In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process.
  • With law enforcement officials, government authorities, or other third-parties as necessary to comply with legal process or meet national security requirements; protect the rights, property, or safety of ThoughtSpot, its business partners, you, or others; or as otherwise required by applicable law.
  • In aggregated, anonymized, or de-identified form which cannot reasonably be used to identify you.
  • We do not sell Personal Data nor do we rent or trade Personal Data collected through the Website with third-parties for their promotional purposes.
  • Google API data - Use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Mobile Applications

We may obtain additional information through Mobile Applications that you download to your mobile device (“Device”). Our Mobile Applications may obtain, collect or access information from your Device in connection with your use of the Products, and are designed to interoperate with the Products; for instance, to provide you with access to information within the Products.

To provide and operate the Mobile Applications, we need certain information from you. For example, we ask you to provide some Personal Data, such as login credentials to access and use the Products through the Mobile Applications. We may only be able to collect or access this information if the Device settings allow it, so you should always review our Mobile Applications settings under the Device settings menu to determine the access restrictions for the Mobile Applications.

Our Mobile Applications may also provide us with information regarding your Device, such as the Device model, manufacturer, and operating system. We may also collect Device event information, such as error logs and crashes related to our Mobile Applications, which allows us to improve our Mobile Application for a better user experience. In addition, we may use information collected by our Mobile Applications to enforce our rights arising from contracts we enter into with you.

In addition, to provide Mobile Applications, we work with our group companies and certain partners and service providers who may have access to your information.

How We Secure Your Personal Data

We implement physical, administrative, and technical safeguards designed to protect your Personal Data from unauthorized access, use, or disclosure. We also contractually require that our service providers protect such information from unauthorized access, use, and disclosure. In addition, we limit access to Personal Data to those employees, agents, contractors, and other third-parties that have a legitimate business need for such access. For more information about our security practices, please visit the Trust Center at https://www.thoughtspot.com/trust. For security information related to the Mode platform, please see https://www.mode.com/security.

How Long We Retain Your Personal Data

We will retain your Personal Data as needed to fulfill the purposes for which it was collected.  We will retain and use your Personal Data as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. When we have no ongoing legitimate business need to process your Personal Data, we will either delete it, anonymize it, or securely store your Personal Data and isolate it from any further processing until deletion is possible.

Controlling Your Personal Data

Our marketing emails permit you to "opt-out" of or “unsubscribe” from receiving further marketing emails. Certain jurisdictions, for example the EEA and California, also provide their residents certain privacy rights under applicable law. Subject to local law, you may have the right to access, delete, receive a copy of or object to or restrict the processing of, to data portability, or to request that we correct any inaccuracies or otherwise update your Personal Data.

You may contact us to exercise your rights using the contact details in the section titled “How to Contact Us” below. We will respond to such requests in accordance with the requirements of applicable data protection laws. Please note that in order to fulfill your request, we may need you to provide certain information to verify your identity. When you or your authorized agent contacts us in connection with your Personal Data under applicable local law, we will ask you to validate your identity before fulfilling your request. Authorized agents may also be required to provide a copy of the consumer’s signed permission authorizing the agent to submit requests on the consumer’s behalf.

These choices do not apply to service notifications or other required communications that are considered part of the Products or Services, which you may receive periodically unless you stop using or cancel your rights to access the Product or Services in accordance with its terms and conditions.  Moreover, these rights may be limited or denied in some circumstances. For example, we may retain your Personal Data where required or permitted by applicable law. In such situations we will put in place appropriate measures to prevent any further processing or use of the Personal Data.

Event registrants and attendees may update their user profiles for events we host by logging into the applicable Event website or registration page while the Event registration and related website remain active.

Cookies and Web Beacons

Like many websites, ThoughtSpot uses automatic data collection tools, such as cookies, embedded web links, and web beacons. “Cookies” are small text files that we and others may place in users' computer browsers to store their preferences. "Web beacons" or “pixel tags” are small pieces of code placed on a web page or within the body of an email to monitor the behavior and collect data about the users viewing a web page or viewing or opening an email.

While ThoughtSpot attempts to honor do not track (“DNT”) instructions we receive from a user’s browser, we cannot guarantee that ThoughtSpot will always respond to such signals, in part, because of the lack of common industry standard for DNT technology. We continue to monitor developments in DNT technology and stay apprised of DNT industry standards as they evolve.

In addition, our Products may use cookies in furtherance of the purposes described in this Privacy Statement. Some of these technologies are essential for the provision of the Product, such as account access/authentication; others assist with the performance and functionality of the cloud service, such as recognizing returning users, remembering preferences or facilitating in-product educational content; and others enable us to analyze usage to improve our Products and Services well as trouble-shoot issues. See our  Cookie Policy for more information.

International Data Transfers

ThoughtSpot stores and processes any information collected in: (a) any country where we have facilities, (b) any country in which we engage service providers; or (c) any country where our hosted Events are held. A list of ThoughtSpot global offices is available here.

International transfers between ThoughtSpot Affiliates

To conduct our operations, we transfer information to ThoughtSpot Affiliates in their respective countries of operation for the purposes described in this Privacy Statement. These countries may not have equivalent privacy and data protection laws to the laws of many of the countries where our Customers and Authorized Users are based. When we disclose information about you within and among ThoughtSpot corporate affiliates, we will rely on the EU-U.S. Data Privacy Framework to receive personal data transfers from the EEA to the U.S. (see “EU-U.S. Data Privacy Framework Notice” section below), and the Standard Contractual Clauses, to safeguard the transfer of information we collect from the EEA, the United Kingdom ("UK"), and Switzerland.

International transfers to Third Parties

Some of the third parties described in this Privacy Statement, which provide services to us under a written contract, are based in countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we disclose Personal Data of customers in the EEA, the UK, or Switzerland, we make use of the Standard Contractual Clauses or will implement other appropriate legal mechanisms to safeguard the transfer.

EU-U.S. Data Privacy Framework Notice

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) entered into force. ThoughtSpot adheres to the Data Privacy Framework Principles regarding the collection, use, and retention of Personal Data that is transferred from the EEA, UK, and Switzerland to the United States.

ThoughtSpot has self-certified its commitment to comply with the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. ThoughtSpot has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF.

ThoughtSpot. has self-certified its commitment to comply with the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF”). If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To view ThoughtSpot’s certifications, please visit this page and search for ”ThoughtSpot”. To view ThoughtSpot’s Data Privacy Framework Policy, please click here.

If you require further information about our international transfers of Personal Data, please contact us using the contact details in the section titled “How to Contact Us” below.

California Privacy Disclosures

The California Consumer Privacy Act (“CCPA”) requires businesses to provide additional disclosures of California consumer rights relating to the sharing of, access to, and deletion of Personal Data that is collected. We may share Personal Data with third-parties or allow them to collect Personal Data as described in this Privacy Statement. We may share or disclose the Personal Data listed in the section above titled “How We Share Your Personal Data”.

California consumers have a right to request information about the collection of your Personal Data, and access to and deletion of your Personal Data under the CCPA. We do not sell the Personal Data of California consumers and do not discriminate in response to privacy rights requests. Further, we do not collect or process “sensitive” data or protected characteristics under applicable law for the purpose of inferring characteristics about an individual.

If you are a California consumer and you or your authorized agent would like to exercise your privacy rights, please contact us using the contact details in the section titled “How to Contact Us” below. We may need to verify your identity and place of residence before completing your rights request.

General

Websites

We may provide links to other third-party websites and services that are outside our control and not covered by this Privacy Statement. We encourage you to review the privacy statements posted on those websites (and all websites) you visit.

Forums and Chat Rooms

We offer you the ability to post information and exchange ideas through our websites and other services such as ThoughtSpot Community.

If you participate in the ThoughtSpot Community or other discussion forum or chat feature on a ThoughtSpot Website, be aware that the information you provide there (i.e., your public profile) will be made broadly available to others, and could be used to contact you, send you unsolicited messages, or for purposes neither ThoughtSpot nor you have control over.  ThoughtSpot will not be responsible in the event that you disclose Personal Data in your posts, through our public services or during any other communication with other Website users.

Children's Privacy

ThoughtSpot does not knowingly collect Personal Data from children without appropriate parental or guardian consent. If you believe that we may have collected Personal Data from someone under the applicable age of consent in your country without proper consent, please let us know using the methods described in the How to Contact Us section and we will take appropriate measures to investigate and address the issue promptly.

Changes to this Privacy Statement

ThoughtSpot may modify or update this Privacy Statement from time to time to reflect the changes in our business and practices, and so you should review this page periodically. When we make a material change to the Privacy Statement, we will post the revised version with an updated ‘effective date’ as provided at the top of this page.

How to Contact Us

If you have any questions about this Privacy Statement or our privacy practices, or wish to exercise applicable rights regarding your data, please email us at [email protected], call us at (800) 508-7008, or write to us at:

ThoughtSpot, Inc.
Attn: General Counsel
444 Castro Street, Suite 1000
Mountain View, CA 94041