Skip to content

Privacy Policy

Updated Jan 24, 2024

1. Exterro as a Data Controller

This is the Data Privacy Notice (“Privacy Notice”) of Exterro, Inc. and its affiliate and subsidiary entities (“Exterro”). We maintain websites (the “Websites”) to provide products and services to you. These Websites may ask for and collect your personal information to provide our products and services, enhance your experience, and provide you with other relevant information about our offerings. This Privacy Notice governs our treatment of personal information where Exterro acts as a data controller, including personal information processed on its Websites, offline activities, and information relating to customers, suppliers and others who do business with us. This Privacy Notice does not govern Exterro as a processor or service provider, such as when we license our software to our customers.

Exterro is committed to protecting the information that our customers, employees, suppliers, and others have entrusted to us. We are providing this Privacy Notice to explain our information practices and the choices you may have about the way your personal information is collected and used. We expect all of our employees and those with whom we share personal information to adhere to this Privacy Notice.

2. Exterro as a Service Provider

Exterro customers are businesses that deploy our Software as a Service ("SaaS") cloud-based solutions for legal governance, risk and compliance ("GRC") to solve complex business processes. Our customers may use our SaaS solutions to process business confidential information that may include personal information about their data subjects ("Customer Data Subjects"). Exterro processes personal information about Customer Data Subjects subject to our customer's instructions, so this Privacy Notice does not apply to such processing.

If you are a Customer Data Subject and believe that your personal information may be processed using one of our SaaS solutions, you should directly contact the organization regarding their processing of your personal information. Exterro is unable to access, view, or identify any data of its customers or Customer Data Subjects without the explicit authorization of its customer.

If you are a customer and have questions about how Exterro processes the personal information of Customer Data Subjects, you should direct your inquiry to [email protected].

3. Personal information we collect and use

A. Personal Information You Provide

We only collect personal information that you provide to us or that we are authorized to obtain by you or by law. The types of personal information we collect will depend on how you interact with us or our Websites. For example, we may collect different information from you through online purchases than if you request a demo. Depending on our interactions, we may collect the following categories of personal information:

  • When you engage with us: To register you for an event, interact with us at a conference or trade event, schedule a demo or respond to your questions, we may collect your name, organization name, organization address, job title, business email address, phone number, and topic of interest.
  • When you request a demo on our website, we will collect your name, business email, company name, country, and job title.
  • When you register for an account, we may collect your name and contact information, as well as information collected automatically, which is described below.
  • When you interact with us on behalf of your employer, we may collect your name and contact information.
  • When you give us feedback or contact us for support, we may collect your name and email address, as well as any other content you send to us, so that we can respond to your feedback and questions.
  • When you sign up for a mailing list, we will collect your postal or email address to provide you the content you requested.\
  • When we engage in a partner promotion, we collect information that you provide as part of the co-branded promotion with another company, such as the Association of Corporate Counsel. This information typically includes your name, title, company, email address, and phone number.
  • When you participate in surveys, we collect the information that you provide in your survey response. If the survey is provided by a third-party service provider, the service provider’s privacy notice will apply to the collection, use, and disclosure of your personal data.
  • When you submit a job application on our website, we may collect your name, phone number, email address, home address, resume items, gender, race, veteran status, and disability status.
  • When you make a purchase or payment: We may collect your name, payment card number, expiration date, security code, phone number, and billing address from you.
  • For marketing: For Exterro’s marketing and other purposes, we may collect your full name, address, email, postal address, unique personal identifier, account age, phone numbers, attorneys’ state bar information, and t-shirt size. We will also collect certain information automatically from your devices and from third parties. You can find more details in the rest of this section.
  • To process invoices: If you are a vendor, we collect your company name, tax ID or Social Security number, address, phone number, email address, and banking information.
  • To automate accounts payable and related marketing: If you are a vendor, to automate accounts payable and payment processing, and to send you related marketing communications, we may collect your name, address, phone number, and Usage Information, as defined below. We will also collect certain information automatically from your devices and from third parties. You can find more details in the rest of this section.
  • With your consent, we may record your image and voice when you participate in a
    video conference, video demo, implementation call or other call.

B. Information Collected Automatically

Exterro, its Service Providers, and/or Third-Party Services may also automatically collect certain information about you when you access or use the Websites (“Usage Information”). When you interact with us through our Websites, we collect information regarding your interaction as detailed below.

The following are the methods may be used to collect Usage Information, including the personal information collected automatically from your device:

  • When you register for an account, we may collect information relating to the actions you perform while logged into your account.
  • When you interact with our blogs posted on our website, we may collect information about the pages you visited on our website and the length of time spent on our site.
  • Log Information. Log information is data about your use of the Websites, such as your browser type, operating system, Internet service provider, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click activity, referring website, and/or a date/time stamp for visitors.
  • Website Interaction Information. This information will include data on how you interact with our website, including what links you click on, or information that you type into online forms. This may also include information about your device or browser.
  • Information Collected by Cookies and Other Tracking Technologies. Cookies, web beacons (also known as “tracking pixels”), embedded scripts, location-identifying technologies, device fingerprinting, device recognition technologies, in-app tracking methods and other tracking technologies now and hereafter developed (“Tracking Technologies”) may be used to collect information about interactions with the Websites or emails, including information about your browsing and purchasing behavior.

    • For more detail on how we collect and use Cookies, see the COOKIES AND TARGETED ADVERTISING section below.
    • Web Beacons (“Tracking Pixels”). Web beacons are small graphic images, also known as “Internet tags” or “clear gifs,” embedded in web pages and email messages. Web beacons may be used, without limitation, to count the number of visitors to the Websites, to monitor how users navigate the Websites, and to count content views.
    • Embedded Scripts. An embedded script is programming code designed to collect information about your interactions with the Websites. It is temporarily downloaded onto your computer from Exterro’s web server, or from a third party with which Exterro works, and is active only while you are connected to the Websites and deleted or deactivated thereafter.
  • Location-identifying Technologies. Geo-filtering and other location-aware technologies locate you, or make assumptions about your location, for purposes such as verifying your location and delivering or restricting content based on your location. If you have enabled GPS or use other location-based features on the Websites, your device location may be tracked.
  • Device Fingerprinting. Collection and analysis of certain attributes from your device, such as, without limitation, your operating system, plug-ins, system fonts, and other data, for purposes of identification and/or tracking.
  • Device Recognition Technologies. Technologies, including application of statistical probability to data sets, as well as linking a common unique identifier to different device use (e.g., Facebook ID), which attempt to recognize or make assumptions about users and devices (e.g., that a user of multiple devices is the same user or household) (“Cross-device Data”).
  • In-App Tracking Methods. There are a variety of Tracking Technologies that may be included in mobile applications, and these are not browser-based like cookies and cannot be controlled by browser settings. Some use device identifiers, or other identifiers such as “Ad IDs” to associate app user activity to a particular app and to track user activity across apps and/or devices.

Some information about your use of the Websites and certain Third-Party Services may be collected using Tracking Technologies across time and services, and used by Exterro and third parties for purposes such as to associate different devices you use and deliver relevant ads and/or other content to you on the Websites and certain Third-Party Services.

Exterro may use any Usage Information detailed above for the following purposes:

  • To facilitate, manage, personalize, and improve your online experience, including using analytics to provide more personalized experiences and advertisements, and to improve our products and services;
  • To capture data related to your interactions with Exterro’s marketing emails;
  • To automate accounts payable and payment processing and send related marketing;
  • To provide and improve our Websites;
  • To create and manage your account with us;
  • To facilitate and process online payments; and
  • To fix any technical issues that arise while providing the Websites.

C. Information Collected from Other Sources

Exterro may also obtain information about you from other sources, including Service Providers and Third-Party Services, and combine that with personal information. We may use information collected from Service Providers and Third Parties for the following purposes:

  • Engagement: To engage with us online, or via social media, we may collect personal information, including your social media contact(s) and profile, chat logs, and email address to respond to your comments, questions, and requests. If you engage with us via LinkedIn forms, we will also collect your company and location;
  • Transactions: To transact with you, provide services, serve you content and/or advertising, we may collect your email address;
  • Marketing: To service Exterro’s marketing and other purposes, we may collect your name; email address; social media contact; visual information (e.g., videos); alias; information about your records of products or services considered; records of products or services purchased; social media contact, and username;
  • Account Creation and Management: To manage your account, we may collect your device information, email address, and social media contact(s); and
  • Debugging: To fix any technical issues that arise while providing the Websites.

Third-Party Services. The Websites may include hyperlinks to, or include on or in connection with, the Websites (e.g., apps and plug-ins), websites, locations, platforms, applications, or services operated by third parties (“Third-Party Service(s)”). These Third-Party Services may use their own cookies, web beacons, and other tracking technology to independently collect information about you and may solicit personal information from you.

Interest-Based Advertising. Exterro may engage and work with Service Providers and other third parties to serve advertisements on the Websites and/or on third-party services. Some of these ads may be tailored to your interest based on your browsing of the Websites and elsewhere on the internet, sometimes referred to as “interest-based advertising” and “online behavioral advertising” (“Interest-based Advertising”), which may include sending you an ad on a third-party service after you have left the Websites (i.e., “retargeting”).

Analytics. Exterro may use Google Analytics, Adobe Analytics, or other Service Providers for analytics services. These analytics services may use cookies and other Tracking Technologies to help Exterro analyze website users and how they use the Websites. Information generated by these services (e.g., your IP address and other Usage Information) may be transmitted to and stored by these Service Providers on servers in the U.S. (or elsewhere) and these Service Providers may use this information for purposes such as evaluating your use of the Websites, compiling statistic reports on the Websites’ activity, and providing other services relating to website activity and other Internet usage.

D. Other Purposes

We may also use any of the Usage Information we listed above for the following purposes:

  • To operate, evaluate, and improve our business, including improving and personalizing the experience for you and others;
  • To maintain and improve our services, including to audit, research, and conduct analysis to protect people who use our Websites;
  • For safety and security, by making sure third parties protect your information, and monitoring the technical functioning and security of our network;
  • For legal and compliance, including complying with applicable laws, regulations, and legal obligations; and
  • To protect the rights or property of Exterro, its employees, its customers, and people who use its Websites.

E. De-Identified Information

Sometimes we will de-identify personal information by removing or modifying the personally identifiable elements or extracting non-personally identifiable elements so they can’t be associated with a person (“de-identified information”). De-identified information is non-personal information and may be used and shared without obligation to you, except as prohibited by applicable law. To the extent any non-personal information is combined by or on behalf of Exterro with personal information Exterro itself collects directly from you on the Websites, Exterro will treat the combined data as described in this Notice.

4. Cookies and Targeting Advertising and third-party service providers use cookies, pixel tags, web beacons, clear GIFs, or similar technologies to track the actions of Site users and email recipients across non-affiliate websites over time, in order to personalize your experience on the Websites by presenting advertisements that are more relevant to you. For example, we use third-party service providers, to present products and offers tailored to the preferences and interests demonstrated by your online activity over time. If you would like opt-out of receiving personalized ads from third-party advertisers and ad networks who are members of the Network Advertising Initiative (NAI) or who follow the Digital Advertising Alliance’s Self-Regulatory Principles for Online Behavioral Advertising, you may visit the opt-out pages on the NAI websiteand DAA website. You understand that these opt-out mechanisms are maintained by third parties, not Exterro. Exterro is not responsible for, nor does it control these mechanisms of the third parties who choose to participate in these opt-out programs.


"Cookies" are small files which enable us to store individual information related to your computer or other device used to access our website. Cookies help us, e.g., to determine the frequency of use and the number of people visiting our website and to create our services as comfortable and efficient as possible for you.

Classes of Cookies. There are two types of cookies: session cookies, and persistent cookies.

  • Session cookies make it easier for you to navigate the Websites and expire and disappear from your device when you close your browser.
  • Persistent cookies remain longer and help in understanding how you use the Websites, and enhance your user experience, and they stay on your device even after you close your device’s browser or end your session. Session cookies may remain on your hard drive for an extended period of time.

Sources of Cookies. Cookies also come from different sources – Exterro (these would be “first-party cookies” because Exterro places the cookies itself), and other third parties (these are “third-party cookies” because they are not placed by Exterro).

  • First-party cookies are set by the website you are visiting, and they can only be read by that site.
  • Third-party cookies are not set by the owner of the website you are visiting, but by a different organization. For example, advertisers and other third parties may use their own cookies when you click on an advertisement or link on our website, or we might engage a third-party analytics company that will set their own cookie to perform this service.

Third-Party Cookies and Website Analytics. We use third-party services including Google Analytics to analyze Website activity. When you visit the Websites, Google Analytics automatically collects information from you through the use of Google’s analytics IDs, and Google provides some of this information to us. An analytics ID is a specific string of numbers and letters (often called a “character string”) that is assigned to your computer or device but does not name you. The analytics ID allows Google to track usage data of the Websites, such as date and time of visit, duration of visit, Website traffic patterns, “clickstreams,” other similar ‎information about your use of the Websites, ‎the type of web browser used, the operating ‎system/platform you are using, your IP address, the ‎websites that referred or linked you to our ‎Website, and your CPU speed.‎ Google Analytics does not share the analytics ID assigned to your computer or device that you use to access and use the Websites. Google Analytics provides information about the use of our Websites to us in aggregate form (i.e., data about many Website users combined and not just about you). Some of this data might include the regional location of Website users, but again, this data will be in aggregate (and not individual) form. We rely on this aggregate data to inform us how users are using the ‎Websites and to help us improve the Websites.

Social Media Widget Cookies. Some pages of our Websites include social media features, such as the Facebook “Like” button, and widgets, such as the “Share This” button or interactive mini-programs that run on our Websites. These ‎features may collect your IP address, which page you are visiting on the Websites, ‎and may set a cookie to enable the feature to function properly. Social media features and ‎widgets are either hosted by a third party or hosted directly on the Websites. See the Social Media section under the heading How We Share Personal Information, below, for more details about your interactions with these features on our Websites.

Types of Cookies. The different types of cookies can be categorized as follows:

  • Necessary cookies are cookies that are required for the operation of our website, such as to ensure security. Other necessary cookies allow us to provide features or services that you expressly request. These cookies do not require your consent and cannot be switched off (although in some cases you can change your requests). You can set your browser to block or alert you about these cookies, but some parts of our website may not work if you block these types of cookies.
  • Performance cookies are used to improve the performance of our website and to enhance your experience. Google Analytics automatically collects certain usage and performance data from our Website users. The information these cookies collect is aggregated and anonymous information, and we are never provided with your personal information from these cookies.
  • Functional cookies are used to provide certain functionalities to you by recording your choices and settings regarding our Services, maintaining your preferences over time and recognizing you when you return to our website so that we can offer you a better experience on this website. We will only store and access functional cookies on your device if you consent to such storage and access. If you do not consent to these types of cookies, we will not be able to provide certain functionalities to you.
  • Analytics cookies allow us to analyze website usage and understand how visitors use it. These cookies recognize and collect information about the number of visitors, the pages they view, how long they view pages and how they move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that visitors are easily finding what they are looking for. We will only store and access analytics cookies on your device if you consent to such storage and access. If you do not consent to these types of cookies, we will not be able to improve our website based on information from your visit.
    Targeting and advertising cookies track browsing habits and are used to deliver targeted (interest-based) advertising. They are also used to limit the number of times you see an ad and to measure the effectiveness of advertising campaigns. They are usually placed by advertising networks with the Websites operator’s permission. They remember that you have visited a website and this information is shared with other organizations, such as advertisers.

Cookies We Use: We use the following "cookies" on our Websites in connection with some of the functionalities described above.

Cookie Type




Necessary cookiesosano_consentmanager_uuidThis cookie is set by the provider Osano. This cookie is used for storing the user's unique consent identifier. It helps in consent management.-
Performance cookies_gatThis cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.-
_uetsidBing Ads sets this cookie to engage with a user that has previously visited the website.-
_uetvidBing Ads sets this cookie to engage with a user that has previously visited the website.-
Functional cookiesvisitorIdZoomInfo sets this cookie to identify a user.-
__cf_bmThis cookie, set by Cloudflare, is used to support Cloudflare Bot Management.-
UserMatchHistoryLinkedIn sets this cookie for LinkedIn Ads ID syncing.-
bcookieLinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.-
lidcLinkedIn sets the lidc cookie to facilitate data center selection.-
bscookieLinkedIn sets this cookie to store performed actions on the website.-
li_gcLinkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.-
Analytics cookiesti_This cookie is set by Triblio to track the way a visitor uses the website and to monitor the performance of marketing campaigns.-
_gcl_auProvided by Google Tag Manager to experiment advertisement efficiency of websites using their services.-
suidSimpli. fi sets this cookie to store a distinct session ID.-
_gaThe _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors./td>-
_gidInstalled by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.-
_gat_gtag_UA_*Google Analytics sets this cookie to store a unique user ID.-
AnalyticsSyncHistoryLinkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.-
_ga_*Google Analytics sets this cookie to store and count page views.-
ln_orLinkedin sets this cookie to register statistical data on users' behavior on the website for internal analytics.-
_hjFirstSeenHotjar sets this cookie to identify a new user's first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.-
_hjIncludedInPageviewSampleHotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.-
_hjAbsoluteSessionInProgressHotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.-
uThis cookie is used by Bombora to collect information that is used either in aggregate form, to help understand how websites are being used or how effective marketing campaigns are, or to help customize the websites for visitors.-
_gat_UA-*Google Analytics sets this cookie for user behavior tracking.-
pardotThe pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.-
Advertising cookiestest_cookieThe test_cookie is set by and is used to determine if the user's browser supports cookies.-
MUIDBing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.-
abOwned by agkn, this cookie is used for targeting and advertising purposes.-
TapAd_TSTapAd sets this cookie to track users across devices to enable targeted advertising.-
TapAd_DIDTapAd sets this cookie to offer personalized content, social media features, and traffic analysis for its retargeting of online advertising.-
anProfileThis cookie is set by the provider This cookie is used for personalizing online ads based on the behavior of the online customers.-
IDEGoogle DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.-
__io_cidThis cookie is set by the provider This cookie is used for detecting where the video advertisement should be displayed on the website.-
anHistoryThe domain of this cookie is owned by Datonics. This cookie is used for tracking the visitor on multiple websites in order to serve them with relevant advertisements.-
TapAd_3WAY_SYNCSTapAd sets this cookie for data synchronization with advertising networks.-
audienceSpotXchange sets this cookie as a unique ID that tracks audiences internally. The cookie is used to limit the number of repetitive ads shown to the user.-
uuid2The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.-
bkuBluekai uses this cookie to build an anonymous user profile with data like the user's online behavior and interests.-
bkpaSet by Bluekai, this cookie stores anonymized data about the users' web usage in an aggregate form to build a profile for targeted advertising.-
anjAppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.-
suid_legacyCollects information on user preferences and interaction with web-campaign content which is used on CRM-campaign-platforms used by website owners for promoting events or products.-
uid_syncdThe domain of this cookie is owned by This cookie is used for targeted advertising based on visitor preferences.-
Other cookies_cfuvidThis cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF-
_hjSessionUser_663812This cookie is used to persist the Hotjar User ID-
hjIncludedInSessionSampleSet to determine if a user is included in the data sampling-
_hjSession_663812Ensures subsequent requests in the session window are attributed to the same session.-
uid_syncd_securesimplifi http_cookie-
__141_cidThis cookie is associated with sites using CloudFlare to identify bots-
loglevelpersistent cookie that collects data on user interaction-

The content of a cookie is limited to an identification number. Name, IP-address, or other information regarding your true identity is only collected to the extent necessary for the operation of the functionality cookies (i.e., in connection with the log-in function).

Managing Cookies and Withdrawing Consent We will obtain your opt-in consent to the use of the cookies and other tracking technologies on this Website when you first access the Website and if we introduce any new cookies to the Website, unless they are necessary cookies, in which case your consent is not required. When you visit this website, a pop up will appear to inform you about our use of such cookies. You can then consent by clicking on “Accept”, or you may refuse cookies (except necessarily cookies) by clicking on “Deny”. You may alternatively click on the link to the cookie manager to visit our Consent Management Platform and decide the categories of cookies that you wish to accept, and the cookies you wish to reject.

You may withdraw your consent at any time with effect in the future.

If you deny cookies, we will not set those cookies on your device, except necessary cookies and a cookie to remember that you don't want any cookies set when you visit this website.

If you have accepted cookies but want to deny them (withdraw your consent) for the future, you can delete the cookies in your website browser and the cookies window including the link to the cookie manager appears again.

Cookies and Browser Settings. You can disable cookies by changing your website browser settings to reject cookies. How to do this will depend on the browser you use. Rejecting cookies will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new cookie in a variety of ways. You can also delete all cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit this website. All modern browsers allow you to change your cookie settings, typically by going to the 'options' or 'preferences' menu of your browser. Use the 'Help' option in your browser for more details.

Blocking all cookies (including necessary cookies) will have a negative impact upon the usability of many websites, including ours. If you block necessary cookies, you may not be able to use all the features on this website. You can also delete cookies already stored on your computer. However, deleting cookies might have a negative impact on the usability of many websites, including ours.

To find out more about or

5. Choices: Selling, Tracking AND Communications Options

Tracking Technologies Generally

Regular cookies may generally be disabled or removed by tools available as part of most commercial browsers, and in some instances blocked in the future by selecting certain settings. Browsers offer different functionalities and options so you may need to set them separately. Also, tools from commercial browsers may not be effective with Flash cookies (also known as locally shared objects), HTML5 cookies, or other Tracking Technologies. For information on disabling Flash cookies, go to Adobe’s website Please be aware that if you disable or remove these technologies, some parts of the Websites may not work and that when you revisit the Websites your ability to limit browser-based Tracking Technologies is subject to your browser settings and limitations.

Some app-related Tracking Technologies in connection with non-browser usage (e.g., most functionality of a mobile app) can only be disabled by uninstalling the app. To uninstall an app, follow the instructions from your operating system or handset manufacturer.

“Do Not Track” Signals; Opt-Out Preference Signals

Your browser settings may allow you to automatically transmit an opt-out preference signal or “Do Not Track” signal to online services you visit. Note, however, there is no consensus among industry participants as to what “Do Not Track” means in this context. Like many online services, Exterro currently does not alter its practices when Exterro receives an opt-out preference signal or “Do Not Track” signal from a visitor’s browser.

Analytics and Advertising Tracking Technologies

You may exercise choices regarding the use of cookies from Google Analytics by going to or downloading the Google Analytics Opt-out Browser Add-on.


You can opt out of receiving certain promotional communications from Exterro at any time by following the instructions provided in emails to click on the unsubscribe link, or if available by changing your communication preferences by logging onto your account. Please note that your opt-out is limited to the email address used and will not affect subsequent subscriptions. If you opt-out of only certain communications, other subscription communications may continue. Even if you opt out of receiving promotional communications, Exterro may, subject to applicable law, continue to send you non-promotional communications, such as those about your account, transactions, servicing, or Exterro’s ongoing business relations.

6. How we share personal information

We may share information about you to third parties as indicated below:

  • Affiliates, Subsidiaries, and Locations. We may share your personal information with our different locations, affiliates, and subsidiaries. If we share your information, we will share only the information that is necessary and we will take reasonable steps to make sure that third parties take prudent steps to protect your information.
  • Service Providers, Suppliers, Agents, and Business Partners. Other companies sometimes provide certain services to us or on our behalf (e.g., maintenance, IT support, analysis, development, security). Unless we tell you differently or as described elsewhere in this Privacy Notice, our service providers are not permitted to use your information except to assist us.
  • Marketing. We may share your personal information to deliver marketing communications to you. Absent your consent (which may be by means of opt-in, or a third-party interaction described in the next bullet point), however, Exterro will not share your personal information with third parties, other than Affiliates, for their own direct marketing purposes, except in connection with changes in business structure or ownership (defined below).
  • Social Media. Certain pages of our Websites might include social media features, such as the Facebook “Like” button, and widgets, as well as the ‎‎“Share This” button or interactive mini-programs that run on our Website‎. These features might require us to implement cookies, plug-ins, or application programming interfaces (APIs) provided by such social media platforms to facilitate the communications and features. When you provide us with information through these platforms, the information also becomes subject to their privacy statements. In addition, by choosing to use any third-party social media platform or choosing to share content or communications with any social media platform, you allow us to share information with the designated social media platform. We cannot control any policies or terms of such third-party platforms. As a result, we cannot be responsible for any use of your information or content by a third-party platform, which you disclose at your own risk. We encourage you to review the privacy statements of these platforms.
  • Your Disclosure or Agreement. Your activities on the website may, by their nature, result in the sharing of your personal information (as well as your non-personal information) with third parties and by engaging in these activities you agree to that and further sharing and disclosure to third parties. Such third-party data receipt and collection is subject to the privacy and business practices of that third party, not Exterro.
  • Compliance with Legal Obligations. We may need to disclose certain information to auditors, government authorities, law enforcement, regulatory agencies, our legal counsel, third-party litigants and their counsel, or other authorized individuals in order to comply with laws that apply to us, or other legal obligations such as contractual requirements.
  • Changes in Business Structure/Ownership. We may disclose or transfer your personal information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Exterro’s business, assets, or ownership interest (including any bankruptcy or similar proceedings).
  • With your Employer, Company, or Client. We may share video and voice recordings of calls you participate in and consented to the recording of with your employer, company, or the client that you represent when requested. Where we share video recordings of calls, you have the right to withdraw consent at any time.

We do not sell any individual’s personal information, including information belonging to children under the age of 16, nor do we share that personal information with third parties for those parties’ commercial use.

7. How we protect your personal information

We strive to take appropriate security measures to help safeguard your personal information from unauthorized access and disclosure. For example, only authorized employees are allowed to access personal information, and they may only access it for permitted business functions. We also use technology to protect your information, including encrypting sensitive personal information that is transferred to or from our systems.

While we cannot guarantee that loss, misuse, or alteration will never occur, we use reasonable efforts to prevent it. Please keep in mind that no method of storage or transmission over the Internet is completely secure, so your use of our services and provision of information to us is at your own risk.

Our Websites may contain links to other third-party sites on the Internet. The information practices of those websites are not covered by this Privacy Notice. We are not responsible for the privacy policies of other websites.

8. Required Disclosures

In certain circumstances, we may choose to or may be required to provide additional or different disclosures to residents of different U.S. states or other countries. Below are the disclosures that may be applicable to you.

“Legal Categories” of Personal Information Certain laws require us to tell you about the personal information we collect about you in a certain way – specifically, we need to tie it back to “legal categories” of personal information that are listed in the law. To do this, we bundled up the information we gave you above in this Notice and matched the different types of personal information we collect about you with the legal category. To make things easier to understand, we’ve put this information in a chart that shows you five things:

  • The legal category of personal information,
  • Examples of the types of personal information included in each legal category,
  • The source from which your personal information is collected,
  • The purpose for why we collect and use your personal information for each legal category, and
  • The business purposes for which we share your personal information and with whom,

We’ve included these things and a list of personal information We Disclose for a Business Purpose in the Personal Information Privacy Chart at the end of this Privacy Notice.

European Disclosures

This section of our Privacy Notice applies to individuals located in the European Economic Area (EEA) and the United Kingdom (UK).

International Data Transfers Exterro primarily stores the personal information we collect in the United States. To facilitate Exterro’s global operations, staff who work for Exterro and/or our service providers may transfer and access such personal information from locations around the world. This will involve transferring your personal information outside the EEA and the UK. We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this Privacy Notice. Whenever we transfer your personal information out of the EEA or the UK, we will ensure one of the following safeguards is implemented:

  • We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission; or
  • We may use specific contracts approved by the European Commission which give personal information the same protection it has in Europe; or
  • We will ensure there is some other protection in place which has been approved by the European Commission as giving personal information the same protection it has in Europe.

Legal Bases for Processing This section describes some of the legal bases we rely on to process your personal information. We may process your personal information for more than one legal basis depending on the specific purpose(s) for which we are using your personal information, including the following legal bases:

  • Contracts. Where we need to perform the contract we are about to enter into or have entered into with you, including to provide you products or services.
  • Legitimate Interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. The following are non-exhaustive examples of where Exterro relies on legitimate interest to process personal information:
    • Exterro has a legitimate interest in processing personal information relating to our existing customers in order to manage our business relationship and provide communications and information that may be of interest, including marketing communications.
    • Exterro has a legitimate interest in using cookies as outlined in this Privacy Notice.
  • Legal Obligations. Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal information.

9. Your rights and choices

A. Privacy Rights: Some privacy laws require that we disclose to you the privacy rights that you have regarding personal information. We have defined the various privacy rights below.

Access: You may have the right to access your personal information and to receive a copy of your information.

Data Portability: You may have the right to request the transfer of your Personal Information to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Deletion: You also may request that we erase your information. You also have the right to ask us to delete or remove your Personal Information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Know: You may have the right to know the categories of personal information collected about you, the legal basis for processing your personal information, and to know whether your personal information is disclosed / sold and to whom.

Limit Use and Disclosure of Sensitive Personal Information: Exterro limits its use of your sensitive personal information to that use which is necessary to perform the services and which is reasonably expected by the average consumer requesting the services. “Sensitive Personal Information” includes your Social Security number, driver’s license number, state ID card, passport number, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health and genetic data, biometric data, information about a sex life or sexual orientation, account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, the contents of mail, email, and text messages if the business is not the intended recipient. For the avoidance of doubt, "special categories of personal data" under the General Data Protection Regulation (GDPR) and implementing regulations in Europe shall have the same meaning as "sensitive personal information." If you believe Exterro is processing your sensitive personal information beyond what is necessary and reasonably expected, you have the right to request that Exterro limit its use of your sensitive personal information.

Non-Discrimination / Non-Retaliation: You may have the right not to receive discriminatory treatment by the Company because you exercise your privacy rights.

Object to Processing: You may have the right to object to the processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Opt Out of Direct Marketing, Targeted Advertising, or Profiling: You may have the right to opt out of direct marketing, targeted advertising, or profiling we carry out for direct marketing.

Opt Out of the Sale or Sharing: You may have the right to opt out of the sale of your personal information, to the extent applicable. Exterro does not engage in the sale of personal information. You may also have the right to request that we do not share your personal information with third parties for cross-context behavioral advertising.

Request Correction: You may have the right to request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Restrict Use: You may have the right to restrict the use of your Personal Information. This enables you to ask us to suspend the processing of your Personal Information in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Withdraw Consent: You may have the right to withdraw consent where we collected or processed your personal information based on consent, and no other legal basis for processing exists.

Right to Make a Complaint: If you are in the EEA, you have a right to complain to us about our Personal Information practices, and you can do so using one of the methods in the Contact Us section below. We will evaluate your complaint and will contact you if we need further information to resolve it. In addition, you may have the option of complaining to a government authority if you believe we have not processed your Personal Information in compliance with the laws and principles that apply in your home country. If you would like to make a complaint to an authority, you may contact your country’s supervisory authority.

These rights may be subject to certain limitations or exceptions depending on your state of residency and the purpose for which we process personal information about you.

Where applicable and technically feasible, Exterro will accommodate your valid request to exercise your privacy rights and choices. You may also designate an authorized agent to make a request on your behalf.

B. Making Privacy Requests

How to Make a Request: If you would like to make a request, please use one of the methods in the “Contact Us” section of this Privacy Notice. You will need to provide your first and last name, email address, physical address, and company or organization name.

Exterro may provide web pages or other mechanisms allowing you to delete, correct, or update some of the personal information, and potentially certain other information about you (e.g., account information). For instance, you can make changes to your account information by updating or modifying your online account information via the profile settings menu in the dashboard. Exterro will make good faith efforts to make requested changes in Exterro’s then-active databases as soon as practicable, but it is not always possible to completely change, remove, or delete all of your information or public postings from Exterro’s databases and residual and/or cached data may remain archived thereafter. Further, we reserve the right to retain data (a) as required by applicable law; and (b) for so long as reasonably necessary to fulfill the purposes for which the data is retained except to the extent prohibited by applicable law.

Responding to RequestsYour request will be evaluated to determine whether the requested change meets legal regulatory requirements and does not risk making our other data less secure or changing our other data. If we aren’t able to honor any part of your request, we will tell you that in our response, as well as the reason(s) we cannot do so.

Verifying Your Identity: In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the consumer we may have collected personal information about or a person who has been duly authorized to make the request on behalf of the consumer. For example, if you make a request, we will ask you to confirm your name and email address. For certain requests, we will use a combination of your email address, name, and/or zip code to verify your identity, so that we can help protect your information.

Appealing a Denied Request: If we deny all or part of your privacy request, you may have a right to appeal that decision. If you would like to make an appeal, please contact us using the methods in the “Contact Us” section below, and include your name, email address, physical address, the type of request you made, and the reason for requesting an appeal.

Requests by Authorized Agents: You may have the right to designate an authorized agent to make a request on your behalf. Authorized agents of consumers may make a request by using the methods in the “Contact Us” section of this Privacy Notice. Privacy laws require that any request you submit to us is subject to an identification and verification process, and confirmation of the agent’s authority, which may include attestation under penalty of perjury. Absent a power of attorney, we will also require the consumer to verify their own identity. We may verify identity based on matching information you provided with data we have maintained on you in our systems. This data could include, but is not limited to, email address, mailing address, or phone number.

C. Third-Party Marketing and Your Additional California Privacy Rights

Separate from your “Do Not Sell” rights, California residents have the following additional rights regarding disclosure of your personal information to third parties for their own direct marketing purposes:

We provide California residents with the option to opt-in to sharing of “personal information” as defined by California’s “Shine the Light” law with third parties, other than with our affiliates, for such third parties’ own direct marketing purposes. We do not share personal information with non-Affiliate third parties for their direct marketing purposes absent your consent. If you are a California resident, you may request information about our compliance with the Shine the Light law and/or withdraw previously given consent to sharing with non-Affiliated third parties for their direct marketing purposes by contacting using the methods in the “Contact Us” section below. Requests must include “California Marketing Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through the provided email address or mailing address.

As these rights and your privacy rights are not the same and exist under different laws, you must exercise your rights under this law and the other privacy laws separately.

D. Children’s Privacy 

The Websites are not directed at nor intended for use by children under the age of 18, and we do not knowingly collect any personal information directly from children under the age of 18. We will never use or disclose any personal information of a child under the age of 18 for marketing or advertising purposes. If you are under age 18, you should not use our Websites and you should not send us personal information about yourself. If you suspect that a child is using our Websites, please contact Exterro by email at [email protected].

10. How long we keep your personal information 

We will only retain your personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

We cannot (fully) comply with a request to erase or delete if we have to retain your personal information for certain purposes and for a longer period due to a statutory retention period. After the retention period has expired, we will delete your personal information.

11. Changes to this Privacy Notice

We reserve the right to change this Notice prospectively effective upon the posting of the revised Notice and your use of our Websites indicates your acknowledgement of the Notice posted at the time of use. However, should we update this Notice, we will post a new version online, and will notify you if the personal information processed about you will be materially different than that which was represented to you at the time it was collected. To the extent any provision of this Notice is found by a competent tribunal to be invalid or unenforceable, such provision shall be severed to the extent necessary for the remainder to be valid and enforceable.

12. Contact us

For questions regarding this Privacy Notice or to submit any of the requests mentioned above relating to your personal information, contact us using any of the following options:



2175 NW Raleigh St., Suite 400

Portland, OR 97210


[email protected]



13. Personal information privacy chart 

We collect customers’ personal information as described above for the following purposes, when permissible under applicable law.



Purposes for Collection and Use

Sharing with Third Parties for a Business Purpose

A. Identifiers. Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
  • Directly from You
  • Automatically from your devices
  • From Third Parties
  • Engagement
  • Demo
  • Account Registration
  • Business Interaction
  • Support / Feedback
  • Mailing List
  • Partner
  • Promotion
  • Surveys
  • Job Application
  • Purchase
  • Marketing
  • Invoices
  • Online Experience
  • Marketing Information
  • Account and Payment Automation
  • Website Improvement
  • Online Check / Payments
  • Engagement
  • Transactions
  • Account Management
  • Affiliates, Subsidiaries, Locations
  • Service Providers
  • Marketing
  • Social Media
  • Your Disclosure
  • Legal Obligations
  • Changes in Business Structure / Ownership

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

Name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.

  • Directly from You
  • Automatically from your devices
  • From Third Parties
  • Engagement
  • Demo
  • Account Registration
  • Business Interaction
  • Support / Feedback
  • Mailing List
  • Partner
  • Promotion
  • Surveys
  • Job Application
  • Purchase
  • Marketing
  • Invoices
  • Online Experience
  • Marketing Information
  • Account and Payment Automation
  • Website Improvement
  • Online Check / Payments
  • Engagement
  • Transactions
  • Account Management
  • Affiliates, Subsidiaries, Locations
  • Service Providers
  • Marketing

C. Protected classification characteristics under California or federal law.

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

Directly from YouJob Applciation

Affiliates, Subsidiaries, Locations

Service Providers

Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

D. Commercial information

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Directly from You

From your account history




Account Management

Affiliates, Subsidiaries, Locations

Service Providers

Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

E. Biometric information

Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke

Not CollectedNot CollectedNot Collected

F. Internet or other similar network activity.

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

Automatically from your devices



Online Experience

Marketing Information

Account and Payment Automation

Website Improvement

Online Check / Payments

Website Interaction

Log Information




Account Management

Affiliates, Subsidiaries, Locations

Service Providers


Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

G. Geolocation data

Physical location or movements

Not CollectedNot CollectedNot Collected

H. Sensory data

Audio, electronic, visual, thermal, olfactory, or similar information.

Not CollectedNot CollectedNot Collected

I. Professional or employment-related information.

Current or past job history or performance evaluations.

Directly from YouJob Applications

Affiliates, Subsidiaries, Locations

Service Providers

Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records

Directly from YouJob Applications

Affiliates, Subsidiaries, Locations

Service Providers

Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

K. Inferences drawn from other Personal Information

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

Not CollectedNot CollectedNot Collected

L. Sensitive Personal Information as defined in § 1798.140(ae) of the California Privacy Rights Act

Personal information that reveals a consumer's: Social Security number, driver's license number, state identification card number, or passport number; a consumer's account log-in, financial account, debit card, or credit card number in combination with any security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer's mail, email, and text messages (not business related); genetic data; biometric data used to uniquely identify a consumer; health data; or data related to sex life or sexual orientation.

Directly from You

Automatically from your devices


Purchase / Payment

Job Application

Affiliates, Subsidiaries, Locations

Service Providers

Your Disclosure

Legal Obligations

Changes in Business Structure / Ownership

We may also collect information to comply with applicable law or regulatory requirements or legal requests.

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

  • Category A: Identifiers
  • Category B: California Customer Records Categories
  • Category C: Protected Classifications
  • Category D: Commercial Information
  • Category F: Internet and Network Activity
  • Category I: Professional or Employment-Related Information
  • Category J: Non-Public Education Information
  • Category L: Sensitive Personal Information


Ready to Get Started?

Get an Exterro data risk management platform demo today.

Get a Demo