ChangeEngine Privacy Statement
This Privacy Statement was updated on March 12, 2026.
Privacy Statement
A. General Information
When does this Privacy Statement apply?
This Privacy Statement applies to information that can be used to identify you (“Personal Data”) and that you provide to ChangeEngine or which is derived from the Personal Data as outlined below.
Who is the Data Controller?
The data controller of www.changeengine.com is ChangeEngine, 44 Tehama St, San Francisco, CA 94105, United States of America (“ChangeEngine”). Where a registration form is presented on this website, the data controller may vary depending on the actual offering or the purpose of the data collection but it is in any case displayed on the individual registration form’s privacy statement. ChangeEngine’s data protection officer can be reached at dpo@changeengine.com.
What Personal Data does ChangeEngine collect?
In the normal course of business, ChangeEngine collects Personal Data such as contact information (e.g., name, address, phone number, email address, and your employer) and payment details for customers.
Why does ChangeEngine need your Personal Data?
ChangeEngine requires your personal data to provide you with access to ChangeEngine’s services, to comply with contractual and statutory obligations, including checks required by applicable export laws and to stay in touch with you. Although providing your Personal Data is voluntary, without your Personal Data, ChangeEngine cannot provide you with access to its services.
From what types of third parties does ChangeEngine obtain Personal Data?
In most cases ChangeEngine collects Personal Data from you. ChangeEngine might also obtain Personal Data from third parties, if the applicable national law allows ChangeEngine to do so. ChangeEngine will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided ChangeEngine with it or the applicable national law.
How long will ChangeEngine store my Personal Data?
ChangeEngine will only store your Personal Data for as long as it is required for the performance of contractual obligations, to make its services available to you, for ChangeEngine to comply with its statutory obligations resulting from applicable export laws, and to fulfill the purposes outlined in this Privacy Statement.
ChangeEngine will also retain your Personal Data for additional periods if applicable laws require it.
Who are recipients of your Personal Data and where will it be processed?
Your personal data will be passed on to the following categories of third parties for processing: vicarious agents (e.g., third party service providers for consulting services and other additional related services); other services providers (e.g. for the provision of the website); state agencies and bodies if required by law.
As a global company operating internationally, ChangeEngine has third-party service providers outside of the European Economic Area (the “EEA”) and will transfer your Personal Data to countries outside the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, ChangeEngine uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy of such standard contractual clauses by sending a request to dpo@changeengine.com. You can also obtain more information from the European Commission on the international dimension of data protection here.
What are your data protection rights?
You can request from ChangeEngine access at any time to information about which Personal Data ChangeEngine processes about you and the correction or deletion of such Personal Data. Please note, however, that ChangeEngine can or will delete your Personal Data only if there is no statutory obligation or prevailing right of ChangeEngine to retain it. Kindly note further that if you request that ChangeEngine deletes your Personal Data, you will not be able to continue to use any ChangeEngine service that requires ChangeEngine’s use of your Personal Data. If you are a ChangeEngine user, you should request that your ChangeEngine account is deleted by your Brand Administrator. To identify your Brand Administrator, please visit here.
You can further request from ChangeEngine a copy of the Personal Data that you have provided to ChangeEngine. In this case, please follow the instructions detailed below, and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. ChangeEngine will carefully consider your request and discuss with you how it can best fulfill it.
Furthermore, you can request from ChangeEngine that ChangeEngine restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data ChangeEngine has about you is incorrect, subject to the time ChangeEngine requires to check the accuracy of the relevant Personal Data; (ii) there is no legal basis for ChangeEngine processing your Personal Data and you demand that ChangeEngine restricts your Personal Data from further processing; (iii) ChangeEngine no longer requires your Personal Data but you state that you require ChangeEngine to retain such data in order to claim or exercise legal rights or to defend against third party claims; or (iv) in case you object to the processing of your Personal Data by ChangeEngine based on ChangeEngine’s legitimate interest (as further set out below), subject to the time ChangeEngine requires to determine whether it has a prevailing interest or legal obligation in processing the relevant Personal Data.
For individuals within the State of California, USA, you instead have the right:
- to request from ChangeEngine access to your Personal Data that ChangeEngine collects, uses, discloses, or sells (if applicable) about you;
- to request that ChangeEngine delete Personal Data about you;
- to opt-out of the sale of Personal Data, if applicable;
- to non-discriminatory treatment for exercise of any of your data protection rights;
- in case of request from ChangeEngine for access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.
Your rights and preferences as a data subject - subject to the GDPR and applicable law’s limitations, the rights afforded to you as a data subject are:
- RIGHT TO BE INFORMED : You have a right to be informed about the manner in which any of your personal data is collected or used which we have endeavored to do by way of this Policy.
- RIGHT OF ACCESS : You have a right to access the personal data you have provided by requesting us to provide you with the same.
- RIGHT TO RECTIFICATION : You have a right to request us to amend or update your personal data if it is inaccurate or incomplete.
- RIGHT TO ERASURE : You have a right to request us to delete your personal data.
- RIGHT TO RESTRICT : You have a right to request us to temporarily or permanently stop processing all or some of your personal data.
- RIGHT TO OBJECT : You have a right, at any time, to object to our processing of your personal data under certain circumstances. You have an absolute right to object to us processing your personal data for the purposes of direct marketing.
- RIGHT TO DATA PORTABILITY : You have a right to request us to provide you with a copy of your personal data in electronic format and you can transmit that personal data for using another third-party’s product/service.
- RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING : You have a right to not be subject to a decision based solely on automated decision making, including profiling.
In case you want to exercise the rights set out above you can contact our Grievance Officer.
The name and contact details of our Grievance Officer, who you may contact if you have any concerns, complaints or feedback pertaining to this Policy, are as follows:
ADDRESS: Change Engine Inc., ChangeEngine, 44 Tehama St, San Francisco, CA 94105, United States of America
EMAIL: dpo@changeengine.com
How can you exercise your data protection rights?
To exercise your data protection rights, please direct your request to dpo@changeengine.com. Please indicate the following details: your full name, your country and state of residence and the right(s) you wish to exercise. You can also designate another person to submit requests to exercise your data protection rights on your behalf to ChangeEngine.
How will ChangeEngine verify requests to exercise data protection rights?
ChangeEngine will take steps to verify your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, ChangeEngine will match Personal Data provided in your request to exercise your rights with information already maintained by ChangeEngine. This could include matching two or more data points that are already maintained by ChangeEngine.
In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), for deletion requests or for requests related to Personal Data that is considered sensitive or valuable, ChangeEngine will require a more stringent verification process to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If ChangeEngine must request additional information from you outside of information that is already maintained by ChangeEngine, ChangeEngine will only use it for the purposes of verifying your identity so you can exercise your data protection rights or for security and fraud-prevention purposes.
ChangeEngine will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
If you take the view that ChangeEngine is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live or with the data protection authority of the country or state where ChangeEngine is incorporated.
B. Processing based on a statutory permission
Why does ChangeEngine need to use my Personal Data and on what legal basis is ChangeEngine using it?Providing the requested services. ChangeEngine requires your Personal Data to deliver services that you order under a contract with ChangeEngine, to establish a contract for goods or services between you and ChangeEngine, and to send you invoices for ordered services. ChangeEngine processes Personal Data to fulfill contractual obligations pursuant to Article 6(1), Subparagraph 1(b) GDPR.
Ensuring compliance. ChangeEngine and its products, technologies, and services are subject to the export laws, trade sanctions, and embargoes (“Export Laws”) of various countries including, without limitation, those of the European Union (“EU”), Germany and of the United States of America. Therefore, You acknowledge that, pursuant to the applicable Export Laws issued by these countries, ChangeEngine is required to:
(a) take measures to prevent persons, entities, and organizations listed on government-issued sanctioned party lists from accessing certain products, technologies, and services through ChangeEngine’s websites or other delivery channels controlled by ChangeEngine. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to ChangeEngine’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match; and
(b) ensure that no individuals from embargoed countries access its services. Therefore, when an existing user logs into a website, app, or cloud service of ChangeEngine from an embargoed country, the user’s registration data and IP address may be used by ChangeEngine to block the user’s access and to log access attempts from embargoed countries.
Any such usage of registration data and IP addresses by ChangeEngine is necessary for ChangeEngine’s compliance with applicable EU Export Laws (Article 6 para. 1 (c) GDPR) and ChangeEngine’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).
ChangeEngine can use your Personal Data based on its legitimate interest (Article 6 para. 1 lit. f GDPR) as follows:
- Fraud and Legal Claims. If required, ChangeEngine will use your Personal Data for the purposes of preventing or prosecuting criminal activities such as fraud and to assert or defend against legal claims.
- Contract performance. If you purchase or intend to purchase goods or services from ChangeEngine on behalf of a corporate customer or otherwise be the nominated contact person for the business relationship between a corporate customer (a “Customer Contact”) and ChangeEngine, ChangeEngine will use your Personal Data for this purpose. This includes, for the avoidance of doubt, such steps which are required for establishing the relevant business relationship. In case that an existing Customer Contact informs ChangeEngine that You are their replacement, ChangeEngine will, from the point in time of such notification, consider You to be the relevant Customer Contact for the respective customer until you object as further set out below.
- Creation of anonymized data sets. ChangeEngine will anonymize Personal Data provided under this Privacy Statement to create anonymized data sets, which will then be used to improve its and its affiliates’ products and services.
You can at any time object to ChangeEngine’s use of your Personal Data as set forth above. In this case, ChangeEngine will carefully review your objection and cease further use of the relevant information, subject to ChangeEngine’s compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if ChangeEngine requires the information for the establishment, exercise or defense of legal claims.
Processing under applicable national laws. If the applicable national law allows ChangeEngine to do so, ChangeEngine will use information about you for a business purpose, some of which is Personal Data:
- To plan and host events
- To host online forums or webinars
- To contact you to discuss further your interest in ChangeEngine services and offerings
- To help ChangeEngine create, develop, operate, deliver, and improve ChangeEngine services, products, content, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by ChangeEngine
- To provide more personalized information to you
- For loss prevention
- For account and network security purposes
- For internal purposes such as auditing, analysis, and research to improve ChangeEngine’s products or services
- To verify your identity and determine appropriate services
- To assert or defend against legal claims
- To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and to prosecute those responsible for that activity
- To debug to identify and repair errors that impair existing intended functionality
- Short-term, transient use, provided the personal information is not disclosed to a third party and is not used to build a profile about you or otherwise alter your individual experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction
- Undertaking internal research for technological development and demonstration
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by ChangeEngine.
All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.
C. Data Protection Addendum
See DPA link below.
D. IP Address CollectionWhen a ChangeEngine’s customer sends a survey to an individual, ChangeEngine may collect IP addresses from survey respondents. The purpose of collecting this information is to prevent and protect against fraud and malicious activity, and to ensure the security of the website, app or cloud service of ChangeEngine.
In accordance with the disclosure requirements under the CCPA, ChangeEngine is exempt from providing a notice to opt-out because it does not and will not sell your Personal Data.
E. Sub-processor ListChangeEngine currently uses the sub-processors detailed in the Data Processing Addendum, the link can be found below.
F. Cookie Policy
To learn more about how we use these and your choices in relation to these tracking technologies, please refer to our
Cookie Policy.
G. Data Retention
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 30 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually or cloud storage prior to closing their account.
If a customer account is involuntarily suspended, then there is a 30 days grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations.
If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 30 days , the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 30 days thereafter (except when required by law to retain.
View our Data Processing Addendum
