Gigya is now SAP Customer Data Cloud. Learn more
Forrester logo Download the report

Privacy Policy

Effective: September 28, 2018

Protecting the individual’s privacy on the Internet is crucial to the future of Internet-based business and the move towards a true Internet economy. We have created this Privacy Policy to demonstrate our firm commitment to the individuals’ right to data protection and privacy. This Privacy Policy outlines our handling practices with regards to such information that can be used to directly or indirectly identify an individual (“Personal Data”).


When does this Privacy Policy apply? This Privacy Policy applies to Personal Data that you provide to us or which is derived from such Personal Data as further outlined below. For additional information about cookies and other web tracking technologies that we are using please see also our Cookie Policy.

Data Controller. Data controller in case of the website (“Website”) is Gigya, Inc., 2513 E. Charleston Rd, Suite 200, Mountain View, CA 94043, USA (“Gigya”). Gigya, Inc. is a subsidiary of SAP America Inc., which is an affiliate of SAP SE and thus part of the SAP group. The group’s data protection officer is Mathias Cellarius (

What does Gigya do with my Personal Data? Gigya will process the Personal Data provided hereunder only as set out in this Privacy Policy. Where the processing of your Personal Data is based on a statutory permission, you can find information on which Personal Data Gigya is processing or using and the corresponding purposes for such processing or use in Section B. below. Where consent for the processing of your Personal Data is required you can find further information in Section C. below. Section D. describes Gigya’s processing operations (as a data processor) with regard to Personal Data about individuals (“End Users”) at the direction and on behalf of users (“Customers”) of the Gigya services (“Services”) (as the data controllers). In this Privacy Policy, “Services” include Gigya’s web services, products, offerings, contests, sweepstakes, other content, non-marketing related newsletters, whitepapers, tutorials, trainings and events. Section E. provides further information about transfers of Personal Data outside of the European Economic Area (“EEA”).

Duration of processing of Personal Data. Notwithstanding those instances where your Personal Data is processed or used by Gigya based on a statutory permission (see Section B. below) or your consent (see Section C. below), Gigya will only store your Personal Data (i) for as long as it is required to fulfil the purposes set out below, (ii) until you object to Gigya’s use of your Personal Data (if Gigya uses your Personal Data based on legitimate interest), or (iii) until you withdraw your consent (if Gigya uses your Personal Data based on your consent). However, where Gigya is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for Gigya to assert or defend against legal claims, Gigya will retain your Personal Data until the end of the relevant retention period or the settlement of the claims in question.

Why am I required to provide Personal Data? As a general principle, granting of any consent and the provision of any Personal Data hereunder is entirely voluntarily to you. However, there are circumstances where Gigya cannot take action without certain Personal Data (e.g., because Personal Data is required to process your orders or provide you with access to a web offering or newsletter). In these cases it will unfortunately not be possible for Gigya to provide you with what you request without the relevant Personal Data.

Where Gigya will my Personal Data be processed? The Website is hosted in the United States, and as part of the SAP global group of companies, Gigya has affiliates and third-party service providers within as well as outside of the EEA. As a consequence, whenever Gigya is using or otherwise processing your Personal Data for the purposes set out in this Privacy Policy, Gigya may transfer your Personal Data to countries outside of the EEA, including to such countries where a statutory level of data protection applies that is not comparable to the level of data protection within the EEA, as further described in this Privacy Policy under Section E.

Data subjects’ rights. You can request from Gigya at any time information about which Personal Data Gigya processes about you and the correction or deletion of such Personal Data.  Notwithstanding your request, Gigya may retain your Personal Data if there is a statutory obligation or prevailing right of Gigya to retain it. Kindly note that if you request the deletion of your Personal Data from Gigya you will not be able to further use such Gigya Services which require Gigya’s use of your Personal Data.

If Gigya uses your Personal Data based on your consent or to perform a contract with you, you may further request from Gigya a copy of the Personal Data that you have provided to Gigya  To make such a request, please contact the email address below and specify the information or processing activities to which your request relates, the requested format for your Personal Data (provided it is commonly used), and whether the Personal Data shall be provided to you or another recipient. Gigya will carefully review your request and discuss with you how it can be best implemented.

Furthermore, you can request from Gigya that Gigya restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data Gigya has about you is incorrect, however, only for as long as Gigya requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for Gigya’s processing of your Personal Data and you demand that Gigya restricts your Personal Data from further processing, (iii) Gigya no longer requires your Personal Data but you claim that you require such data in order to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by Gigya for as long as it is required to review as to whether Gigya has a prevailing interest or legal obligation in processing your Personal Data.

Please direct any such request to

Right to lodge a complaint. If you take the view that Gigya is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live.

Use of this website by children. The Website is not directed toward individuals under the age of thirteen (13), and we request that such individuals do not provide Personal Data through our Website. Additionally, we do not knowingly collect or maintain Personal Data from anyone under the age of 13, unless or except as permitted by law. If we learn that Personal Data has been collected from a user under 13 years of age on or through the Website, then we will take the appropriate steps to cause this information to be deleted. If you are the parent or legal guardian of a child under 13 who has registered on the Website or you believe has otherwise provided Personal Data to Gigya, please contact Gigya at to have that child’s account terminated and information deleted.

Links to other websites. This Privacy Policy covers the information practices of websites that link to this Privacy Policy, including, but not limited to,, and their subdomains. The websites may contain links to websites operated by third parties. Gigya is not responsible for the privacy practices or the content of such other websites. We encourage you to learn about such third parties’ privacy and security policies before providing them with Personal Data.

Security. Gigya is committed to protecting the Personal Data you share with us. Gigya uses a combination of industry-standard security technologies, procedures, and organizational measures to help protect your Personal Data from unauthorized access, use or disclosure. Gigya supports online security using secure server technology because we want your data to be safe. We bind our employees and data processors to observe your privacy and confidentiality rights.

Contact Us. If you have questions about this Privacy Policy, you may contact us at You may also write to us at: Gigya Inc., 2513 E. Charleston Rd, Suite 200, Mountain View, CA 94043, USA.


In the following cases Gigya may process your Personal Data based on a permission under applicable data protection law.

Providing the requested Gigya Services. If you order Services from Gigya, Gigya will use the Personal Data which you enter into the order or registration form (usually (a subset of) your name, (email) address, telephone number, company name and address, your job title/role and, if payment is to be made to Gigya, credit card number or banking details) only to process your order or to provide the requested Service. This may include taking the necessary steps prior to entering into the contract, responding to your related inquiries and providing you with shipping and billing information and to provide customer feedback and support. Gigya may further collect and use conversation data that you may provide via contact forms, e-mails or telephone.

If you participate in tutorials or trainings provided by Gigya, Gigya may also track your learning progress in order to make this information available to you. Furthermore, the use of your Personal Data for the above purposes also includes (i) the provision of support, (ii) processing and verifying of customer feedback, (iii) shipping and billing, and (iv) providing such other information which is required for the business relationship between you and Gigya including responding to your inquiries as follows:

We communicate with users who subscribe to our Services on a regular basis via email, and we may also communicate by phone to resolve customer complaints or investigate suspicious transactions. We may use your email address to confirm your opening of an account, to send you notice of payments, to send you information about changes to our Services, and to send notices and other disclosures as required by law. Generally, users cannot opt out of these communications, which are not marketing related but merely required for the relevant business relationship. With regard to marketing related types of communication (such as emails and phone calls), Gigya will (i) where legally required only provide you with such information after you have granted your opt-in, and (ii) provide you the opportunity to exercise an opt-out choice if you do not want to receive further marketing related types of communication from us, as further described below under “Updates about Gigya’s Services.”

Based on Gigya’s legitimate Interest. Each of the below use cases constitutes a legitimate interest of Gigya to process or use your Personal Data. In case you do not agree with this approach, you may object against Gigya’s processing or use of your Personal Data, as set out in the last paragraph of this subsection.

Compelled disclosure. We may disclose Personal Data if we have a good-faith belief that doing so is required by a subpoena or other judicial or administrative order or otherwise required by law. Additionally, we may disclose Personal Data where we, in good faith, deem it appropriate or necessary to prevent violation of the Gigya Terms of Service, or our other agreements; take precautions against liability; protect the rights, property, or safety of Gigya, any individual, or the general public; maintain and protect the security and integrity of our Services or infrastructure; protect ourselves and our Services from fraudulent, abusive, or unlawful uses; investigate and defend ourselves against third-party claims or allegations.

Export laws. Gigya and its Services (including the technology underlying such Services) are subject to the export laws of various countries, including without limitation, to those of the United States. Pursuant to the applicable export laws, trade sanctions and embargoes issued by these countries, Gigya is required to take measures to prevent entities, organizations and parties listed in government issued sanctioned party lists from accessing certain Services through Gigya’s Website or other delivery channels controlled by Gigya This may include (i) automated checks of any user registration data as set out herein and other information a user provides about her/his identity against applicable sanctioned party lists; (ii) regular repetition of such checks whenever a sanctioned party list is updated or when a user updates her/his information; (iii) blocking of access to Gigya’s Services and systems in case of a potential match; and (iv) contacting a user to confirm her/his identity in case of a potential match.

Participation in Questionnaires and Surveys. Gigya may invite you to participate in questionnaires and surveys. These questionnaires and surveys will be generally designed in a way that they can be answered without any Personal Data. If you include Personal Data in your responses to questionnaires and surveys, Gigya may use such Personal Data to improve its Services.

Aggregate Information and Non-Identifying Information. Gigya may anonymize Personal Data provided under this Privacy Policy to create anonymized data sets which will then be used to improve its and its affiliates’ Services.

We may also share aggregated Personal Data with Clients, prospective Clients, partners or the press in order to demonstrate usage of the Service, identify industry and advertising trends, and to generate publicity for the Gigya Services.

Information about Services. Within an existing business relationship between you and Gigya, Gigya may inform you, where permitted in accordance with applicable law, about its Services (including webinars, seminars, or events) which are similar to such Services you have already purchased or used from Gigya Furthermore, where you have attended a webinar, seminar, or event of Gigya or purchased Services from Gigya, Gigya may contact you for feedback regarding the improvement of the relevant webinar, seminar, event, product or service.

Transfers of Personal Data to Gigya Affiliates. We may share some or all of your Personal Data (including account data and contact data, such as name, email address, and phone number) with our affiliates for the purpose of customer support, in which case we will require those affiliates to honor this Privacy Policy (see also below in Section E. the information given with regard to transfers to affiliates outside of the EEA).

Transfers to Third Parties. We may provide Personal Data to third parties for their use in performing internal business functions (e.g., maintenance, security, data analysis, email transmission, CRM, database management services, email marketing, surveys, or data hosting) on our behalf. We have concluded contractual arrangements as necessary under applicable law with such third parties and require them to agree not to use your Personal Data for purposes beyond those stated in this Privacy Policy and for no other purpose than to provide us with necessary services (see also below in Section E. the information given with regard to transfers to third parties outside of the EEA).

Personal Data Received from Third Parties. We may also obtain information, including Personal Data, from third party sources. This may include aggregated anonymous information or certain Personal Data that may be provided to us, including, but not limited to, through third party surveys conducted on our behalf, companies that publish and disseminate press releases on our behalf, social networks providing information about our fans and followers on their platform, and analytics from companies that perform email marketing on our behalf. If we receive Personal Data from third parties, we will handle it in accordance with this Privacy Policy. If we directly combine information from other third parties with Personal Data that we collect on the Website, we will treat the combined information as Personal Data and handle it in accordance with this Privacy Policy. Additionally, we may use any aggregated anonymous information received by third parties as set forth above in the subsection “Aggregate Information and Non-Identifying Information”.

Right to object. You may object to Gigya using Personal Data for the above purposes at any time by contacting If you do so, Gigya will cease using your Personal Data for the above purposes (i.e., under a legitimate interest set out above) and remove it from its systems unless such Personal Data is permitted to be used by Gigya for another purpose set out in this Privacy Policy or Gigya determines and demonstrates a compelling legitimate interest to continue in processing your Personal Data.


In the following cases Gigya, will only use your Personal Data as further detailed below after you have granted your prior consent into the relevant processing operations. This information matches with the respective consent declarations pertaining to individual processing operations made available here:   

Updates about Gigya’s Services. If you opted in to receive communications from us, Gigya may use your name, email and postal address, telephone number, job title and basic information about your employer (name, address and industry) as well as an interaction profile based on prior interactions with Gigya (prior purchases, participation in webinars, seminars or events or the use of Services) in order to send you updates regarding the Website, and information regarding our offer and Services, including, without, limitation, through social media updates, by email and postal mail. If you no longer want to receive commercial messages, you may withdraw your consent at any time with effect for the future as further described below in subsection “Withdrawal of consent”. You may also indicate your preferences regarding commercial email messages by taking the steps described in such messages.

Personal Data made publicly available. Any Personal Data that you voluntarily choose to display on any publicly available portion of the Website, or on any Service, becomes publicly available and may be collected and used by us or others in accordance with applicable laws.

Forwarding your Personal Data to other SAP companies. Gigya may transfer your Personal Data to the other members of the SAP group (these are currently all SAP, Ariba, SuccessFactors, Hybris, Sybase, Business Objects, Fieldglass, Concur, Multiposting and SeeWhy subgroup companies) for the purpose to inform you about their latest products, service offers, and events. Any such use of information is based on the consent you grant hereunder.

Withdrawal of consent. You may at any time withdraw a consent granted hereunder. In case of withdrawal, Gigya will not process Personal Data subject to this consent any longer unless legally required to do so. In case Gigya is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by Gigya up to the point in time of your withdrawal. Furthermore, if your use of an Gigya offering requires your prior consent, Gigya will not be (any longer) able to provide the relevant Service, offer, or event to you after your withdrawal. Please direct any such request for withdrawal to or write to Gigya at the address set out under “Contact us” above.

Webtracking (Cookies, Web Beacons etc.). Like most web-based services, we automatically receive and record information on our server logs from your browser when you use the Website. We may use a variety of methods, including clear GIFs (also known as “web beacons”) and “cookies”, to collect this information. We use both session and persistent cookies as further described in our Cookies Policy at

The information that we may collect with these automated methods may include, for example, your IP address, cookie information, a unique device or user ID, browser type, system type, the content and pages that you access on the Website, the frequency and duration of your visits to the Website, and the “referring URL” (i.e., the page from which you navigated to the Website). We may also use cookies on the to store session validators on your hard drive.

On the Website, we may use passively collected data to: (a) remember your information so that you will not have to re-enter it during your visit or the next time you visit the Website; (b) monitor your participation in various sections of the Website; (c) customize our Service to you, including by providing you with recommendations; (c) monitor aggregate website usage metrics such as total number of visitors and pages viewed; and (d) administer, operate, and improve the Website and our other Services and systems, and to provide Services and content that are tailored to you.

To the extent legally required, any such use of information is based on the consent you grant hereunder.

Unless another means to make your choice is listed below, you may furthermore refuse the use of these automated methods, like cookies, by selecting the appropriate settings in your browser. Kindly note that settings in your browser regarding cookies are limited to the particular browser installed on a particular device and that, as a consequence, if you visit the Website with different browsers or different devices, you have to disable cookies in the browsers of all relevant devices. However, kindly further note that if you do this you may not be able to use the full functionality of the Website.

For additional information about the technologies that we use and how they operate, please see our Cookie Policy. Gigya is in particular currently using the following automated methods on its Website for the purposes set out below.

Third-Party Ad Networks. We use third parties such as network advertisers to assist us in displaying advertisements on third party websites, and to evaluate the success of our advertising campaigns. Network advertisers are third parties that display advertisements based on your visits to our Website as well as other websites. This enables us, and these third parties, to target advertisements by displaying ads for products and services in which you might be interested. Third party ad network providers, advertisers, sponsors and/or traffic measurement services may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs and other technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party’s specific privacy policy, not this one. We may provide these third-party advertisers with information about your usage of our Website, as well as aggregate information about visitors to our Website.

You may opt-out of many third-party ad networks, including those operated by members of the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”). For more information regarding this practice by NAI members and DAA members, and your choices regarding having this information used by these companies, including how to opt-out of third-party ad networks operated by NAI and DAA members, please visit their respective websites: (NAI) and (DAA).

Opting out of one or more NAI member or DAA member networks (many of which will be the same) only means that those members no longer will deliver targeted content or ads to you. It does not mean you will no longer receive any targeted content or ads on our Website or other websites. You may continue to receive advertisements, for example, based on the particular website that you are viewing. Also, if your browsers are configured to reject cookies when you visit this opt-out page, or you subsequently erase your cookies, use a different computer or change web browsers, your NAI or DAA opt-out may no longer be effective. Additional information is available on NAI’s and DAA’s websites accessible by the above links.


We collect, use, and retain (as a data processor) certain Personal Data of visitors to Customer’s website at the direction and on behalf of our Customers (as the data controllers) from such visitors (“Customer Data”) through the use of the Gigya Services. We have no relationship with such visitors whose Personal Data we process on behalf of our Customers.  We do not access and use such Customer Data, except as directed by our Customers or required by law. The Customer’s and such visitors’ interaction with the Gigya Services are governed by the privacy policy of the applicable Customer.  We maintain no rights to use such Customer Data transmitted to us through the Customer website or received from the social networks, except to make the Gigya Services available to Customer.


Gigya complies with the E.U.- U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data obtained from European Union member countries and Switzerland. Gigya has certified that its processing of Personal Dataa from E.U. member countries and Switzerland is in accordance with the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability (the “Principles”). You may view our certification here Gigya and its subsidiaries are subject to the investigatory and enforcement authority of the Federal Trade Commission.

Information We Process. We collect, in accordance with the Privacy Shield principles, the categories of information described in this Privacy Policy.  We process Personal Data about website users for the purposes described herein.

Accessing Personal Data. The Privacy Shield Principles provide individuals located in the E.U. and Switzerland whose Personal Data we process with the right to access their Personal Data in order to review, correct, amend or delete information processed under the Principles. E.U. and Swiss individuals who use our Site and would like to access their Personal Data may contact Gigya at or at the address set forth in the “Contact Us” section. Additionally, anyone with a registered account on the Gigya Console may, at any time, review, update or correct the Personal Data in their registration profile by logging into their account, clicking on dropdown next to their name in the upper right-hand corner, and clicking to the Account section.

E.U. and Swiss End Users whose personal information we process on behalf of a Gigya Customer (as a data processor) should first contact the Gigya Customer, who is the controller of your Personal Data, to access their Personal Data; Gigya will work with its Customers to provide such visitors to the Customer website the necessary access about what Personal Data is processed.

Transfers to Third Parties.  We may transfer Personal Data from the E.U. and Switzerland to third parties. We contractually require third parties to whom we transfer Personal Data to provide the same level of protections as the Principles. Gigya remains responsible for the Personal Data we receive and transfer under Privacy Shield.

In accordance with our legal obligations, we may also transfer, subject to a lawful request, Personal Data to public authorities for law enforcement or national security purposes.

Contacting Us, Complaints and Dispute Resolution. E.U. and Swiss individuals who have questions or complaints about how we process their Personal Data  may contact us at We will work to resolve your issue and respond no later than 45 days of receipt.

If you are unable to resolve the issue directly with us, you may file, free of charge, a complaint with our independent dispute resolution provider JAMS, located in the United States.  For more information about JAMS dispute resolution process or to file a complaint, please visit  E.U. or Swiss individuals may invoke binding arbitration in accordance with the Privacy Shield Framework.

Gigya has updated its Privacy Policy as Gigya, Inc. has been acquired by SAP America, Inc. and Gigya has updated the information regarding how we collect and use your Personal Data. You can see the updated Privacy Policy here.