ChangeEngine Privacy Statement
This Privacy Statement was updated on March 6, 2024.
Privacy Statement

A. General Information

When does this Privacy Statement apply?
This Privacy Statement applies to information that can be used to identify you (“Personal Data”) and that you provide to ChangeEngine or which is derived from the Personal Data as outlined below.

Who is the Data Controller?
The data controller of is ChangeEngine, 44 Tehama St, San Francisco, CA 94105, United States of America (“ChangeEngine”). Where a registration form is presented on this website, the data controller may vary depending on the actual offering or the purpose of the data collection but it is in any case displayed on the individual registration form’s privacy statement. ChangeEngine’s data protection officer can be reached at

What Personal Data does ChangeEngine collect?
In the normal course of business, ChangeEngine collects Personal Data such as contact information (e.g., name, address, phone number, email address, and your employer) and payment details for customers.

Why does ChangeEngine need your Personal Data?
ChangeEngine requires your personal data to provide you with access to ChangeEngine’s services, to comply with contractual and statutory obligations, including checks required by applicable export laws and to stay in touch with you. Although providing your Personal Data is voluntary, without your Personal Data, ChangeEngine cannot provide you with access to its services.

From what types of third parties does ChangeEngine obtain Personal Data?
In most cases ChangeEngine collects Personal Data from you. ChangeEngine might also obtain Personal Data from third parties, if the applicable national law allows ChangeEngine to do so. ChangeEngine will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided ChangeEngine with it or the applicable national law. These third-party sources include third parties you directed to share your Personal Data with ChangeEngine (e.g. in case of an event where you permit the host of the event to share your registration data with ChangeEngine).

How long will ChangeEngine store my Personal Data?
ChangeEngine will only store your Personal Data for as long as it is required for the performance of contractual obligations, to make its services available to you, for ChangeEngine to comply with its statutory obligations resulting from applicable export laws, and to fulfill the purposes outlined in this Privacy Statement.

ChangeEngine will also retain your Personal Data for additional periods if applicable laws require it.

Who are recipients of your Personal Data and where will it be processed?
Your personal data will be passed on to the following categories of third parties for processing: vicarious agents (e.g., third party service providers for consulting services and other additional related services); other services providers (e.g. for the provision of the website); state agencies and bodies if required by law.

As a global company operating internationally, ChangeEngine has third-party service providers outside of the European Economic Area (the “EEA”) and will transfer your Personal Data to countries outside the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, ChangeEngine uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy of such standard contractual clauses by sending a request to You can also obtain more information from the European Commission on the international dimension of data protection here.

What are your data protection rights?
You can request from ChangeEngine access at any time to information about which Personal Data ChangeEngine processes about you and the correction or deletion of such Personal Data. Please note, however, that ChangeEngine can or will delete your Personal Data only if there is no statutory obligation or prevailing right of ChangeEngine to retain it. Kindly note further that if you request that ChangeEngine deletes your Personal Data, you will not be able to continue to use any ChangeEngine service that requires ChangeEngine’s use of your Personal Data. If you are a ChangeEngine user, you should request that your ChangeEngine account is deleted by your Brand Administrator. To identify your Brand Administrator, please visit here.

If ChangeEngine uses your Personal Data based on your consent or to perform a contract with you, you can further request from ChangeEngine a copy of the Personal Data that you have provided to ChangeEngine. In this case, please follow the instructions detailed below, and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. ChangeEngine will carefully consider your request and discuss with you how it can best fulfill it.

Furthermore, you can request from ChangeEngine that ChangeEngine restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data ChangeEngine has about you is incorrect, subject to the time ChangeEngine requires to check the accuracy of the relevant Personal Data; (ii) there is no legal basis for ChangeEngine processing your Personal Data and you demand that ChangeEngine restricts your Personal Data from further processing; (iii) ChangeEngine no longer requires your Personal Data but you state that you require ChangeEngine to retain such data in order to claim or exercise legal rights or to defend against third party claims; or (iv) in case you object to the processing of your Personal Data by ChangeEngine based on ChangeEngine’s legitimate interest (as further set out below), subject to the time ChangeEngine requires to determine whether it has a prevailing interest or legal obligation in processing the relevant Personal Data.

For individuals within the State of California, USA, you instead have the right:
How can you exercise your data protection rights?
To exercise your data protection rights, please direct your request to Please indicate the following details: your full name, your country and state of residence and the right(s) you wish to exercise. You can also designate another person to submit requests to exercise your data protection rights on your behalf to ChangeEngine.

How will ChangeEngine verify requests to exercise data protection rights?
ChangeEngine will take steps to verify your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, ChangeEngine will match Personal Data provided in your request to exercise your rights with information already maintained by ChangeEngine. This could include matching two or more data points that are already maintained by ChangeEngine.

In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), for deletion requests or for requests related to Personal Data that is considered sensitive or valuable, ChangeEngine will require a more stringent verification process to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If ChangeEngine must request additional information from you outside of information that is already maintained by ChangeEngine, ChangeEngine will only use it for the purposes of verifying your identity so you can exercise your data protection rights or for security and fraud-prevention purposes.

ChangeEngine will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.

If you take the view that ChangeEngine is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live or with the data protection authority of the country or state where ChangeEngine is incorporated.

B. Processing based on a statutory permission

Why does ChangeEngine need to use my Personal Data and on what legal basis is ChangeEngine using it?
Providing the requested services. ChangeEngine requires your Personal Data to deliver services that you order under a contract with ChangeEngine, to establish a contract for goods or services between you and ChangeEngine, and to send you invoices for ordered services. ChangeEngine processes Personal Data to fulfill contractual obligations pursuant to Article 6(1), Subparagraph 1(b) GDPR.

Ensuring compliance. ChangeEngine and its products, technologies, and services are subject to the export laws, trade sanctions, and embargoes (“Export Laws”) of various countries including, without limitation, those of the European Union (“EU”), Germany and of the United States of America. Therefore, You acknowledge that, pursuant to the applicable Export Laws issued by these countries, ChangeEngine is required to:

(a) take measures to prevent persons, entities, and organizations listed on government-issued sanctioned party lists from accessing certain products, technologies, and services through ChangeEngine’s websites or other delivery channels controlled by ChangeEngine. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to ChangeEngine’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match; and

(b) ensure that no individuals from embargoed countries access its services. Therefore, when an existing user logs into a website, app, or cloud service of ChangeEngine from an embargoed country, the user’s registration data and IP address may be used by ChangeEngine to block the user’s access and to log access attempts from embargoed countries.

Any such usage of registration data and IP addresses by ChangeEngine is necessary for ChangeEngine’s compliance with applicable EU Export Laws (Article 6 para. 1 (c) GDPR) and ChangeEngine’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).

ChangeEngine can use your Personal Data based on its legitimate interest (Article 6 para. 1 lit. f GDPR) as follows:
You can at any time object to ChangeEngine’s use of your Personal Data as set forth above. In this case, ChangeEngine will carefully review your objection and cease further use of the relevant information, subject to ChangeEngine’s compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if ChangeEngine requires the information for the establishment, exercise or defense of legal claims.

Processing under applicable national laws. If the applicable national law allows ChangeEngine to do so, ChangeEngine will use information about you for a business purpose, some of which is Personal Data:

C. Processing based on consent.

In the following cases, ChangeEngine will process your Personal Data if you granted prior consent to the specific proposed processing of your Personal Data (Article 6 para. 1 lit. a GDPR).

Children. This offering is not directed to users below the age of 16 years or equivalent minimum age in the relevant jurisdiction. If you are younger than 16, you cannot register with or use this offering.

U.S. Children’s Privacy. ChangeEngine does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe that ChangeEngine collected information about a child, please contact ChangeEngine as described in this Privacy Statement. ChangeEngine will take steps to delete the information as soon as possible. Given that ChangeEngine services are not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, ChangeEngine does not sell the Personal Data of any minors under 16 years of age.

Marketing. ChangeEngine may use your Personal Data to inform you about ChangeEngine’ latest products, service offers, and events. Any such use of information is based on the consent you grant hereunder. ChangeEngine may use your name, email, and postal address, telephone number, job title, and basic information about your employer (name, address, and industry), as well as an interaction profile based on prior interactions with ChangeEngine (prior purchases, participation in webinars, seminars or events, or the use of (web) services in order to keep you up to date on the latest product announcements, software updates, software upgrades, special offers. In connection with these marketing-related activities, ChangeEngine will provide a hashed user ID to third-party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google) where this information is then matched against the social networks’ data or the web offerings’ own databases in order to display to you more relevant information.

Social media features. ChangeEngine offers social network functionality in various parts of our website and on apps. We give you the opportunity to share and recommend your content in social networks in our online offerings. If you visit our website and use the recommendation features, we pass on the URL to the social network you select where your Personal Data will be then used by the social network according to the social network’s own privacy statement. We recommend that you read the privacy statement of the respective social networks carefully.

Profiles. ChangeEngine offers you the option to use services, including to view tutorials or take trainings, that require you to register and allow you to create a user profile. User profiles provide the option to display personal information about you, including but not limited to your name, photo, address, email, telephone number, personal interests, and skills. Profile data is processed to personalize the interaction with other users to foster the quality of communication and collaboration via such services. The provision of any such information about you as well as the decision to share information with other services is at your free will and based on the consent that you grant.

ChangeEngine Events

Event profiling. If you register for an event, seminar, or webinar of ChangeEngine, ChangeEngine shares basic registration information (your name, company, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas.

Tracking during an event. ChangeEngine requires your Personal Data including any occasion where you allowed your event badge to be scanned, to evaluate behavioral aspects by means of tracking during the relevant event. ChangeEngine might process tracking data in the context of ChangeEngine events for purposes of tracking attendance, determine the attendees’ interests in certain topics, and identify drivers for the attendees’ satisfaction and dissatisfaction to optimize planning and investments for future events. Any such use of information is based on the consent you grant.

Processing Special Categories of Personal Data. When you register for or request access to an event or seminar, ChangeEngine may ask whether you require any accommodations because of your health or dietary restrictions. Any such use of information is based on the consent you grant. Kindly note that if you do not provide ChangeEngine with information regarding what accommodations you require, ChangeEngine will not be able to accommodate for it.

Photograph before or during the event. You may be asked to provide ChangeEngine with your current photograph via e-mail or ChangeEngine could ask to take a picture of you when you arrive at the event. By sending ChangeEngine your photograph or allowing a photo of you to be taken, you acknowledge that ChangeEngine will use your picture for the purposes described in this Privacy Statement.

Withdrawal of consent. You may withdraw your consent for ChangeEngine to process your Personal Data as stated in this Privacy Statement at any time. Once you assert this right, ChangeEngine will not process your Personal Data any longer unless legally required to do so. However, any withdrawal has no effect on past processing by ChangeEngine up to the point in time of your withdrawal.

D. IP Address Collection
When a ChangeEngine’s customer sends a survey to an individual, ChangeEngine may collect IP addresses from survey respondents. The purpose of collecting this information is to prevent and protect against fraud and malicious activity, and to ensure the security of the website, app or cloud service of ChangeEngine.
In accordance with the disclosure requirements under the CCPA, ChangeEngine is exempt from providing a notice to opt-out because it does not and will not sell your Personal Data.

E. Sub-processor List
ChangeEngine currently uses the subprocessors detailed in the Data Processing Addendum, the link can be found below.

F. Cookie Policy
To learn more about how we use these and your choices in relation to these tracking technologies, please refer to our Cookie Policy.

G. Data Retention
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 30 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually or cloud storage prior to closing their account.

If a customer account is involuntarily suspended, then there is a 30 days grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations.

If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 30 days , the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 30 days thereafter (except when required by law to retain.

View our Data Processing Addendum