Privacy Notice 

Last updated: March 15, 2021 

  • Introduction

    Privacy is important to Conga. 

    We are providing this Privacy Notice (“Notice”) to help you understand what personal data we collect, why we collect it, and what we do with it. Personal information (“Personal Information”) or personal data means information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, and online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural, or social identity. 

    We strongly encourage you to read this Notice carefully and contact our Privacy Office if you have any questions about our privacy practices or your Personal Information choices. If you do not agree to this privacy notice, please do not provide us with your data. 

  • When does this privacy notice apply?

    This Notice applies to Apttus Corporation and its worldwide affiliates and subsidiaries including AppExtremes, LLC dba Conga, Conga EMEA Ltd., Conga APAC Pty Ltd., Apttus EMEA Ltd., Apttus Australia Pty Ltd.,  and Octiv, Inc., collectively “Conga” and describes Conga’s policies and procedures regarding the collection, use, and processing of data from, or through, our websites (“Websites”) and services (“Services”). 

  • What information do we collect and how?

    Our information collection practices are intended for interaction in the business environment. The nature of the business relationship and how you interact with us determines the data collected about you. Conga collects data regarding its current customers (“Customers”), potential customers (“Prospects”), website visitors (“Visitors”), and event attendees (“Attendees”). We collect this information to operate our business, provide information on our Services, and manage our relationships. You will voluntarily provide most of your Personal Information directly to us. We may also obtain Personal Information from other sources or persons. 

    An overview of the categories of information we collect is outlined below: 

    • We collect information that you voluntarily provide, such as by subscribing to Conga marketing communications, registering for events, or providing testimonials for our use on our Websites or other promotional materials. Information you directly provide to us includes your personal identification data (for example, name, surname) and contact information (phone, email, address, country). Additional transaction and billing information is also required when procuring Conga Services or registering for Conga fee-based events. 
    • We collect information when you visit our Websites and use our Services. This information may include, among other things: your Internet protocol (IP) address, browser type, internet service provider, referring/exit pages, operating system, date and time stamp, and clickstream data. 
    • We collect Personal Information about you or your business which is publicly available, for example on your employers’ website, public professional social networking sites, the press; and relevant electronic data sources. 
    • We may also collect Personal Information provided to us by third parties where such information is authorized and provided to us in connection with the relevant purposes set out in this Notice. 
  • Information processing on behalf of Conga customers

    Please note that information pertaining to other individuals and entities provided by our Customers during their use of Conga Services is not used by Conga for any purpose outside the scope of any agreement(s) with you, and remains under the ownership of Conga’s Customers. Conga processes Customer data under the direction of its Customers, and has no direct control or ownership of the personal data it processes. Customers are responsible for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the data to Conga for processing purposes. 

  • How do we use collected information?

    Depending on how you interact with us, we and our third-party service providers may also use Personal Information in a variety of ways, including: 

    If you are a prospective, former, or current customer: 

    • Providing Information and Services You Requested.  We may use the Personal Information about you to provide you information that you may request, e.g. information about a service we are offering. We may also use your Personal Information to deliver Services to you, and/or when you enroll to receive the Service. Such use may include: (a) generally managing your information and accounts; (b) responding to questions, comments and requests; (c) providing access to certain areas and features of our Websites; (d) permitting you to register for events or participate in webinars; and (e) improving the quality of the Services. 
    • Administrative Purposes. We may use the Personal Information about you for administrative purposes, including, without limitation, to: (a) measure interest in our Website or Services; (b) perform internal quality control; (c) verify identity; (d) send communications regarding the Conga Website or Services, your account, or any changes to any Conga policy or terms of service; (e) process payments; (f) prevent potentially prohibited or illegal activities; and (g) enforce our Terms of Use. 
    • Marketing Products and Services.  Conga may use the Personal Information about you to provide you with materials about offers, products and services offered by us, including new content or services on Conga Websites. Conga may provide you with these materials by phone, postal mail, facsimile or email, as permitted by applicable law. If you do not wish us to use your Personal Information for marketing purposes, we offer the option to decline these communications at no cost to you by following the instructions under “Choice/Modalities to Opt Out.” 
    • Information Submitted Via Websites.  You agree that we are free to use the content of any communications or other information submitted by you via the Websites, including any narratives, images, ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or services.  However, we do not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a site will be published or otherwise used with your name on it; or (c) we are required to do so by law. 
    • Sharing Content with Friends or Colleagues.  Conga’s Websites may offer various tools and functionality.  For example, we may provide functionality on Websites that will allow you to forward or share certain content with a friend or colleague.  Email addresses that you may provide for a friend or colleague will be used to send your friend or colleague the content or link you request but will not be collected or otherwise used by Conga or any other third parties for any other purpose. 
    • Pseudonymous Data.  Including as discussed below, Conga may use and share your anonymized or aggregated information within the Conga group of companies or with third parties for research, analytics and any other legally permissible purposes. 
    • IP Addresses. When you connect to the Internet, your computer has a unique identification code called an “IP address.” Depending on the way you access the Internet, you may have a different IP address each time you connect, or your IP address may be the same each time. We log the IP addresses of users who visit our website. We use your IP address for system administration purposes, such as to help diagnose problems with our server. In addition, we may use your IP address to help identify you and to gather broad demographic information about you and the rest of the users who visit our website. 


    If you are our customer’s client: 

    • Providing Information and Services to our Customers. To provide Services to our customers, we may use Personal Information our customers provide to us, including client name, occupation/title, and signatures (digitized or other electronic signature); the kinds of Conga service(s) the client purchased, leased or returned, and was provided to the client; and business information, including postal address, phone number, fax number, e-mail address. 


    If you are an Employee: 

    • Conga may collect Personal Information from Employees, their contact points in case of a medical emergency, and beneficiaries under any insurance policy (collectively “Human Resources Data”).   
    • The Human Resources Data we collect may include title, contact information, date of birth, government-issued identification and identification numbers, financial information related to credit checks, bank details for payroll, information that may be recorded on a CV or application form, language abilities, contact information of third parties in case of an emergency and beneficiaries under any insurance policy.  We may also collect Sensitive Human Resources Data such as details of health and disability, including mental health, medical leave, and maternity, paternity, or compassionate leave.  
    • We acquire, hold, use and process Human Resources-related Personal Information for a variety of business purposes including: 
      • workflow management, assigning, managing and administering projects;  
      • Human Resources administration and communication;  
      • payroll and the provision of benefits; 
      • compensation, including bonuses and long-term incentive administration, stock plan administration, compensation analysis, including monitoring overtime and compliance with labor laws, and company recognition programs;  
      • job grading activities; 
      • performance and employee development management;  
      • organizational development and succession planning;  
      • benefits and personnel administration;  
      • absence management;  
      • helpdesk and IT support services; 
      • regulatory compliance;  
      • internal and/or external or governmental compliance investigations;  
      • internal or external audits; 
      • litigation evaluation, prosecution and defense;  
      • diversity and inclusion initiatives; 
      • restructuring and relocation;  
      • emergency contacts and services;  
      • employee safety; 
      • compliance with statutory requirements; 
      • processing of Employee expenses and travel charges; and  
      • acquisitions, divestitures and integrations. 


    Other uses: 

    • We may be obligated to collect certain Personal Information to comply with regulatory requirements. We may also use your Personal Information for other purposes disclosed to you at the time you provide Personal Information or with your consent. 
  • On what lawful basis do we use information?

    If you are an individual from the European Economic Area (EEA), we may rely on different legal bases to process the information we collect, including: 

    • Your consent, which you may withdraw at any time; 
    • The necessity to establish a contractual relationship with you and to perform our obligations under a contract; 
    • The necessity for us to comply with legal obligations and to establish, exercise, or defend our self from legal claims; 
    • The necessity to pursue our legitimate interests, including: 
      • To ensure that our networks and information are secure 
      • To administer and generally conduct business 
      • To prevent or investigate suspected or actual violations of law, breaches of a business customer contract, or non-compliance with Conga policies 
      • To maintain your marketing interests, attendance, and contact preferences 
      • To measure the effectiveness of our marketing activities and to try and ensure that you only receive material and information from us that you are likely to find of interest (you have the right to ask us not to process your Personal Information for marketing purposes, which may be exercised at any time by sending an email to [email protected], or clicking on ‘unsubscribe’ in a Conga marketing email) 
    • The necessity to respond to your requests; 
    • The necessity to protect the vital interests of any person; and/or 
    • Any other legal basis, as permitted by applicable law. 
  • How do we share information?

    As a global business, we will share certain Personal Information with our global offices and select third parties, subject to appropriate safeguards. We may share your Personal Information with third-parties for the purposes of operating our business, delivering, improving, and customizing our Services, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law or otherwise with your consent. When we share Personal Information, we do so in accordance with data privacy and security requirements. We will never share, rent, or sell your information to third-parties except as noted below: 

    • Affiliated Companies. We may share personal data with companies that are affiliated with us (for example companies that control, are controlled by, or are under common control with us). We may also share information that is collected between Websites that we, or our affiliates, control. 
    • Service Providers. We engage third-party subprocessors and subcontractors to help us provide you with the Services, for instance, Amazon Web Services (cloud hosting and related services). We may also share data about Conga Visitors, Customers, and Attendees with our contracted service providers, so that these service providers can provide services on our behalf. To view AppExtremes, LLC’s current list of subprocessors, please refer to our Subprocessors page.  
    • Compliance with the Law. We may disclose your information if we believe it’s necessary to comply with the law, such as (i) to comply with a subpoena, regulation or legal request, respond to a government request, to address fraud or security issues, to protect the safety of any person, to enforce our agreements with you, and (ii) to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing or to protect our own rights or property. This includes sharing such information with our legal counsels. 
    • Business Transfers. If Conga is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be transferred as part of that transaction to a successor in interest and to the applicable legal authorities, as well as legal counsels and other professional counsels involved, such as accountants, and other officers of the government. Customers will be notified via email and/or prominent notice on our Website for at least 30 days after any such change in ownership or control. 
    • Behavioral Advertisers. We may permit third-party behavioral advertisers to use technology to collect information about your use of our Websites, so that they can provide advertising about products and services tailored to your interests. That advertising may appear either on our Websites or on other websites. 
    • Blog / Forum. Our Websites offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Information from our blog or community forum, contact us at[email protected] In some cases, we may not be able to remove your Personal Information, in which case we will let you know if we are unable to do so and why. 
    • Testimonials. From time to time, we may post testimonials on our Websites that may contain Personal Information. We obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us at [email protected]
    • Links to Other Sites. Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices. 
    • California Privacy Rights. California law permits users who are California residents to request and obtain from Conga once a year, free of charge, a list of the third parties to whom Conga has disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties.  Conga does not share Personal Information with third parties for their own marketing purposes. Furthermore, Conga will not: (a) sell Personal Information; (b) collect, retain, use, or disclose Personal Information for any purpose other than performance of its obligations under any agreement with you, including for any commercial purpose, other than to perform the Services; or (c) collect, retain, use, or disclose Personal Information for any purpose outside the direct business relationship between Conga and you. The parties agree that, for purposes of this Notice, Conga is a “Service Provider” (not a “third party”) to you pursuant to the CCPA.  
  • When do we transfer information across borders?

    Conga is a U.S.-based, global company. Conga affiliates, subsidiaries and their Websites and Services are available around the globe. This means Personal Information may be processed in the country where it was collected, as well as in other countries (including the United States) where laws regarding processing of Personal Information may be less stringent. In such cases, we have put in place organizational and legal measures to ensure that data transfers are lawfully conducted. Such measures include: 

    • Standard Contractual Clauses
      •  Data Processing Addenda or Agreements, incorporating the Standard Contractual Clauses, as approved by the European Commission and incorporating stringent requirements of Article 28 of the EU General Data Protection Regulation 2016/679. Please find Conga’s DPA at the following link for your execution, if necessary: https://conga.com/legal.  
      • The Standard Contractual Clauses apply only to the Personal Data that is transferred from the EEA and/or Switzerland and the United Kingdom to outside the EEA and Switzerland or the United Kingdom, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive or its successors), and (ii) not covered by a suitable framework (e.g. Binding Corporate Rules for Processors, EU-US and Swiss-US Privacy Shield, etc.) recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data. In the event the United Kingdom is no longer considered or effectively part of the EU or EEA then such transfers of Personal Data to and from the United Kingdom will be treated as a non-EU or EEA country and the Standard Contractual Clauses apply accordingly. 
      • The Standard Contractual Clauses apply to (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the EEA and Switzerland or the United Kingdom that have licensed the Service. For the purpose of the Standard Contractual Clauses the aforementioned entities shall be deemed “Data Exporters”. 
    • Privacy Shield Frameworks 
      • If the Services provided by Conga to you are within the scope of Privacy Shield, Conga complies with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and the United Kingdom and/or Switzerland to the United States in reliance on Privacy Shield. Conga has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list and search for “AppExtremes, LLC dba Conga” or “Apttus Corporation”. 
      • Conga is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third-party acting as an agent on its behalf. Conga complies with the Privacy Shield Principles for all onward transfers of personal data from the EU or Switzerland, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Conga is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Conga may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 
      • In compliance with the Privacy Shield Principles, Conga commits to resolve complaints about our collection or use of your Personal Information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Conga’s Privacy Office using the information in the How to Contact Us section below. 
      • Conga has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. 
      • Additionally, Conga commits to cooperate with the EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner’s authority (as applicable) and comply with the advice given by such authorities with regard to human resources or other data transferred from the EU and Switzerland. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted. 
  • How do we secure information?

    We use appropriate technical and organizational measures to protect the Personal Information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Information. If you have any questions about security on our Web site, you can contact us at [email protected]

  • How long do we keep information?

    Except as otherwise permitted or required by applicable law or regulatory requirements, we may retain your Personal Information only for as long as we believe it is necessary to fulfill the purposes for which the Personal Information was collected (including, for meeting any legal, accounting, or other reporting requirements or obligations). 

  • Your rights as a data subject

    You may request to access, rectify, or update your inaccurate or out-of-date Personal Information by contacting our Privacy Office at [email protected]. If you are from certain territories (such as the EEA), you may have the right to exercise additional rights available to you under applicable laws, including; the right to request erasure of your Personal Information, restriction of processing as it applies to you, object to processing and the right to data portability. You may always object to the use of your Personal Information for direct marketing purposes or withdraw any consent previously granted for a specific purpose at no cost to you. You may also have the right to lodge a complaint with a supervisory authority. 

    To update your email preferences please navigate to Conga’s Email Preference Center where you can amend your email subscription settings or unsubscribe. 

  • How do we use cookies and other tracking?

    We use cookies on our website and in marketing emails to help us manage and improve our websites, your browsing experience, and the materials or information that we send to our Customers, Prospects, Visitors, and Attendees. For more information on Tracking Technologies, Cookies, Advertising, and Choices please visit our Cookie Policy

  • Do we collect information from children?

    Our Services are not designed for and are not marketed to people under the age of 16 (“minors”). We do not knowingly collect or ask for information from minors. We do not knowingly allow minors to use our Services. Please contact our Privacy Office if you believe we might have information from or about a minor. 

  • How to contact us

    To exercise your rights regarding your Personal Information, or if you have questions regarding this Privacy Statement or our privacy practices, you may contact us by completing this form, or by mail at any of the addresses listed below: 

    Conga (global headquarters)
    1400 Fashion Island Blvd
    Suite 400
    San Mateo, CA 94404
    United States

    We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the appropriate supervisory authority. 

  • When will this notice be updated?

    We invite you to regularly visit this Privacy Policy in order to acquaint yourself with the latest, updated version of the Privacy Policy, so that you may remain constantly informed on how collect and use Personal Data. 

    If you have any questions or suggestions regarding our privacy policy, please contact us at [email protected] or via postal mail at P.O. Box 7839 Broomfield, CO 80021.