Effective: July 2, 2019
BLACKLINE PRIVACY STATEMENT
BlackLine Systems, Inc., 21300 Victory Blvd 12th Floor, Woodland Hills, CA 91367 and its affiliates (“BlackLine”) are committed to protecting the privacy of visitors to BlackLine’s public web site at www.blackline.com (“Public Website”) and its facilities, and of customers using BlackLine’s hosted service web site, whether through any of our mobile apps or otherwise (“Hosted Service”), and have established this privacy statement (“Statement”) to inform you of BlackLine’s information gathering and dissemination policies and practices regarding use of the Public Website and/or the Hosted Service.
With respect to Personal Data collected on the Public Website, BlackLine is the controller, and may act as a joint controller with its EU affiliates for the Personal Data of EU customers and prospects. BlackLine is the processor of the Personal Data collected in connection with our offering of the Hosted Service.
EU-US AND SWISS-US PRIVACY SHIELD FRAMEWORK
BlackLine participates in the EU-US and Swiss-US Privacy Shield Framework established by the U.S. Department of Commerce and European Commission regarding the collection, use and retention of personal data, as that term is defined in the Privacy Shield Framework ("Personal Data"), from EU member countries and Switzerland. BlackLine has certified that it adheres to the relevant Privacy Shield Principles. BlackLine’s participation in the EU-US Privacy Shield applies to all Personal Data that is subject to this Statement and is received from the European Union and the European Economic Area. BlackLine’s participation in the Swiss-US Privacy Shield applies to all Personal Data that is subject to this Statement and is received from Switzerland.
BlackLine remains responsible for any Personal Data that is shared under the Onward Transfer Principle, as defined in the Privacy Shield Principles, with third parties for external processing on its behalf, as described in the “Sharing of Information Collected” sections below. In addition, as part of BlackLine’s participation in the Privacy Shield Framework, it has designated JAMS as its ADR provider for resolving disputes under the EU-U.S. Privacy Shield and the Swiss-US Privacy Shield. For more information on JAMS as an ADR provider and the procedure for filing complaints, please see www.jamsadr.com/eu-us-privacy-shield and the Dispute Resolution section set forth below.
BlackLine is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”) with respect to Personal Data received or transferred pursuant to the Privacy Shield Framework.
We inform you that parts of your Personal Data may be transferred from the EU or Switzerland to the US in accordance with the EU-US Privacy Shield or Swiss-US Privacy Shield safeguards, as applicable.
Further information related to the EU-US Privacy Shield and Swiss-US Privacy Shield is available at https://www.privacyshield.gov.
PUBLIC WEBSITE INFORMATION COLLECTION
As you navigate the Public Website, BlackLine may collect information such as your Internet Protocol address, Web browser information and your actions while on the Public Website. This information will be collected, if at all, through the use of commonly-used information-gathering tools, such as cookies and web beacons. Standing alone, this information does not directly identify you personally. When expressing interest in BlackLine’s products or services, you may have the option to provide contact information such as your name, organization name, address, e-mail address, phone number, number of employees or annual company revenue. You may also have the option of engaging in a “live chat” or other form of interactive communication, during which BlackLine may collect a record of information disclosed by you. Providing this optional information is voluntary on your part, and in the absence of providing such information you remain anonymous to BlackLine.
Use of Information Collected
We use your information, including your Personal Data, for the following purposes:
- To provide our Public Website and other services to you, to communicate with you about your use of our Public Website and services, to diagnose technical problems, to respond to your inquiries and for other customer service purposes.
- To tailor the content and information that we may send or display to you, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Public Website.
- For marketing and promotional purposes. For example, we may use your Personal Data, such as your e-mail address and other optional information you provide, to send you news and newsletters, special offers, services, promotions, partners, events or promotions or to otherwise contact you about products or information we think may interest you. We only process your Personal Data for such purposes where you give us your consent. For example, consent can be given by opting-in to receiving direct marketing communications; in jurisdictions where this is sufficient, consent can be given by not opting-out of receiving such communications.
- To better understand how users access and use our Public Website, both on an aggregated and individualized basis, in order to improve our Public Website and services and respond to user desires and preferences, and for other research and analytical purposes.
Automated Decision Making
We may use automated decision making to display or send recommendations and personalized offers to you based on your Personal Data, which may include your browsing history, geographic location, employer, job title, and other non-sensitive data.
In cases where information has been limited to a certain area through automated decision making based on your Personal Data, we will present you with the option to view more general information outside of that area that has not been limited.
Sharing of Information Collected
BlackLine will not share your information, including Personal Data, with third parties, except as follows:
- Affiliates. We may disclose the information we collect from you to our affiliates or subsidiaries; however, if we do so, their use and disclosure of your Personal Data will be subject to this Statement.
- Vendors, Service Providers, Contractors and Agents. We may disclose the information we collect from you to third party vendors, service providers, contractors or agents who perform functions on our behalf, provided they agree to the principles in this Statement.
- Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer the information we have collected from you to the other company.
- In Response to Legal Process. We also may disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena or to meet national security or law enforcement requirements.
- To Protect Us and Others. We also may disclose the information we collect from you where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Statement, or as evidence in litigation in which BlackLine is involved.
- Aggregate and De-Identified Information. We may share aggregate or de-identified information about users with third parties for marketing, advertising, research or similar purposes.
Third Party Links
The Public Website may contain links to other web sites or third party applications such as Facebook, Twitter, LinkedIn or YouTube. BlackLine is not responsible for the privacy practices or the content of these other web sites or applications, and we advise you to refer to the policy statement of these third parties to understand how they collect and use information.
HOSTED SERVICE INFORMATION COLLECTION
BlackLine also collects information, including Personal Data, from users of the Hosted Service (“User Information”). Access to the Hosted Service is subject to the terms and conditions of a Master Subscription Agreement or similar agreement between BlackLine and the party or entity that has subscribed to the Hosted Service. Any User Information provided through the Hosted Service will be subject to this Statement, unless otherwise specified in the Master Subscription Agreement.
BlackLine collects the following User Information in connection with the Hosted Service:
- Information required to use the Hosted Service, currently a name and email address.
- User profile information voluntarily provided by users, for example a phone number or profile picture.
- BlackLine receives financial information from its customers which may include Personal Data.
Use of Information Collected
BlackLine uses User Information for the sole purpose of providing and improving your experience of the Hosted Service, maintaining security, and diagnosing technical problems as further described in its Master Subscription Agreement.
Sharing of Information
BlackLine will not share User Information with third parties, except as follows:
- Affiliates. We may disclose the User Information we collect to our affiliates or subsidiaries; however, if we do so, their use and disclosure of your Personal Data will be subject to this Statement.
- Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or as part of a bankruptcy proceeding, we may transfer the User Information we have collected to the other company.
- In Response to Legal Process. We also may disclose User Information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena or to meet national security or law enforcement requirements.
- To Protect Us and Others. We also may disclose the User Information we collect where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of a Master Subscription Agreement or this Statement, or as evidence in litigation in which BlackLine is involved.
- Necessary to provide the Hosted Services. We may disclose User Information to sub-processors necessary to provide the Hosted Services as disclosed to and consented to by you in a data processing agreement or otherwise.
FACILITY VISITOR INFORMATION COLLECTION
If you visit our offices, you may be required to register as a visitor and to provide your name, email address, and company name. We use this information for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access.
GENERAL PROVISIONS APPLICABLE TO ALL CUSTOMERS AND VISITORS
We process your Personal Data on the following legal bases:
- Performance of a contract - The use of your personal information may be necessary to perform the agreement that you have with us (for example, the Hosted Service);
- Legitimate interests - We may use your Personal Information for our legitimate interests to improve our products and services and the content on our Public Website or Hosted Service (for example to manage our network, improve the service, and better tailor the features, performance and support of the service);
- Consent - We will rely on your consent to use (i) technical information such as cookie data; and (ii) your personal information for marketing purposes when requested;
- Legal obligation - to comply with our legal obligations.
Retention and Storage of Information Collected
In accordance with the data minimization and purpose limitation principles, BlackLine will store your Personal Data as long as reasonably necessary and only for as long as required to fulfill the relevant purposes of processing your Personal Data. If we process your Personal Data for various purposes, it will be erased automatically, or saved in a format which does not allow any direct conclusions to be drawn as to your identity as soon as the last specific purpose has been fulfilled.
How to Exercise your Rights on the Use of your Personal Data
If you wish to access, verify, correct, update or delete the Personal Data you have provided to BlackLine via the Public Website, or to restrict our use or object to our use of any of your Personal Data and to give directives on the fate of your Personal Data after death, please contact us by sending an e-mail to: PrivacyRequest@blackline.com or by regular mail addressed to BlackLine Systems, Inc., Attn: Security Administrator, 21300 Victory Blvd., 12th Floor, Woodland Hills, CA 91367.
If you reside in the European Union, you also have the right to withdraw your consent, where the processing of your Personal Data is based on your consent, and to lodge a complaint with your national supervisory authority. You also have the right to data portability: at your request, we will provide your Personal Data to you in a portable machine-readable format so that you can provide it to another controller.
Please note that we may be required (by applicable law or otherwise) to keep your Personal Data and not delete it (or to keep your information for a certain time, in which case we will comply with your deletion request only after we have fulfilled such requirements). In certain situations, we might be unable to provide you with information on all of your Personal Data due to statutory provisions. Should we be forced to deny your request for information in such a case, we will at the same time state the reasons for denial.
BlackLine will respond to any of your requests within at most thirty (30) days from the date of your request.
BlackLine offers its visitors and customers a means to choose how we may use Personal Data provided. If, at any time after providing Personal Data, you change your mind about receiving information from us or about sharing your information with third parties, send a request specifying your new choice to: PrivacyRequest@blackline.com
We will not intentionally collect or process, and do not want you to provide, any Personal Data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. We will not process any genetic data, biometric data, data concerning your medical or health condition and data concerning your sex life or sexual orientation.
Children’s Online Privacy Protection
Neither the Public Website nor the Hosted Service is designed for or directed to children under the age of 13, and we will not intentionally collect or maintain information about anyone under the age of 13. Where children are at least 13 years old and below the age of 16, we will collect or process information about them with the consent or the authorization of the holder of parental responsibility over the child.
If we become aware that we have unknowingly collected Personal Data from a child under the age of 13, or under the age of 16 without the consent or the authorization of the holder of the parental responsibility, we will make reasonable efforts to delete such information from our records.
The Public Website and Hosted Service have security measures in place to help protect against the loss, misuse, and alteration of information and data under our control. When our Public Website or Hosted Service is accessed using Internet Explorer 11, or recent versions of Firefox or Chrome, Transport Layer Security (TLS) is employed to encrypt all communications and to help ensure data confidentiality. The Hosted Service uses authentication mechanisms to help ensure that information and data is safe and secure. BlackLine hosts the Public Website and Hosted Service in a secure environment that uses firewalls, intrusion detection, anti-malware, and other advanced technology to prevent interference or access from intruders. To ensure an appropriate level of security, BlackLine has implemented technical and organizational measures which are audited on a regular basis. In that respect, BlackLine has been granted the ISO/IEC 27001 certification and has completed the Service Organization Control 1 and 2. These safeguards help prevent unauthorized access, maintain data accuracy and ensure the appropriate use of information and data.
In addition, BlackLine ensures that the recipients of your Personal Data comply with the above security standards.
BlackLine utilizes the self-assessment approach to assure its compliance with this Statement. BlackLine regularly verifies that the Statement is accurate, comprehensive, prominently displayed, completely implemented and in conformity with the EU-US Privacy Shield and Swiss-US Privacy Shield and conducts its self-assessment on an annual basis to ensure all relevant privacy practices are followed. Appropriate employee training is in place and internal procedures for periodically conducting objective reviews of compliance are in place. A statement verifying this self-assessment is signed by a corporate officer or other authorized representative at least once a year.
Changes to this Privacy Statement
BlackLine reserves the right to change this Privacy Statement as reasonably necessary or advisable to accommodate changes to the law, technology or circumstances, and will use reasonable efforts to provide notification of the material changes at least thirty (30) business days prior to the changes taking effect.
Contacting BlackLine
Questions regarding this Statement or the practices of the Hosted Service or Public Website should be directed to BlackLine’s Security Administrator by e-mailing such questions to PrivacyRequest@blackline.com or by regular mail addressed to BlackLine Systems, Inc., Attn: Security Administrator, 21300 Victory Blvd., 12th Floor, Woodland Hills, CA 91367.
Dispute Resolution
BlackLine will attempt to investigate and promptly resolve any dispute or complaint regarding the interpretation of or compliance with this Statement. You can submit a dispute or complaint to us as set forth in the section entitled Contacting BlackLine above. As part of BlackLine’s participation in the Privacy Shield Framework, it has designated JAMS as its ADR provider for resolving disputes under the EU-U.S. Privacy Shield and Swiss-US Privacy Shield. For more information on JAMS as an ADR provider and the procedure for filing complaints, please see www.jamsadr.com/eu-us-privacy-shield. Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Your California Privacy Rights
California law permits residents of California to request certain details about what personal information a company shares with third parties for the third parties’ direct marketing purposes. BlackLine does not share your information with third parties for the third parties’ own and independent direct marketing purposes. If you have any questions about what personal information BlackLine may share with third parties that are not already answered in this Statement, please contact BlackLine at: PrivacyRequest@blackline.com.
Do Not Track Requests
Certain web browsers have incorporated a “Do Not Track” feature. This feature, when turned on, sends a preference to the websites you visit indicating that you do not wish to be tracked. Those sites (or the third-party content on those sites) may continue to engage in activities you might view as tracking even though you have expressed this preference, depending on the sites’ privacy practices. Because there is not yet a commonly-accepted standard on how to interpret Do Not Track requests, BlackLine does not currently respond to browser Do Not Track requests on its websites or online services.