Sage privacy notice

January 2024

Welcome to our privacy notice and thank you for taking the time to read it.  We hope it provides you with the information you are looking for, but if you need more, please reach out to us at [email protected], or any other local email address provided in Section 16.

We understand how important privacy and the security of your personal data are to you. They are important to us too. We adopt a privacy by design approach in everything we do.  This means we develop our business strategies, products, services, websites and applications with your privacy in mind.

This privacy notice aims to give you useful information about how we process your personal data. This privacy notice applies to you if you are:

  • a visitor to any of our websites;
  • a customer who has ordered or requested a product or service that we provide (including in the context of a trial);
  • an end-user of our products or services (including in the context of a trial);
  • an employee, customer, or supplier of our customers, where our customers use our products or services;
  • a vendor or the employee of a vendor that provides services to us; or
  • an individual whose personal data has been collected by us in line with Section 3 below, including for marketing purposes (“Prospects”).

If you are, seek to be or were previously engaged by Sage as a colleague or contractor, you should consult our Sage Privacy Notice for Potential, Current and Former Colleagues and Other Workers.

Depending on where you are located, additional regional content may apply to you. Please consult Section 16 below to find supplemental information describing how we process personal data in your region.

We may update this privacy notice from time to time and will publish revised versions on our Website.

How to navigate this notice

Whilst we encourage you to read all of this privacy notice, we appreciate you may find some content more relevant to you. For easier navigation, we have split this privacy notice into sections. You can expand any section by clicking on it; that way, you can quickly find and explore the areas that are of most interest to you. 

Download a PDF version of the Sage Privacy Notice.

There are some terms we use in this privacy notice to be concise, and this is what they mean:

Solutions means our software products, features, services, and applications, including in the context of a trial.

Websites means Sage.com, any linked pages and any other website controlled by Sage.

You or your means you (the person reading this) or the individual whose personal data is processed by us. 

We, us, our, or Sage means Sage Group plc and its affiliate companies (the Group).  Sage is made up of several group companies across the world.  This privacy notice is issued on behalf of all the Sage entities in the Group and will provide information about each Sage entity's use of personal data. Depending on where you are located, a different Sage company or companies will be processing your personal data. You will find here the list of all relevant Sage companies by region. Please note that other Sage companies may also process your personal data depending on which Sage company you enter a contract with or otherwise engage with as part of your relationship with Sage.

We have appointed a Chief Data Protection Officer for the Group, who is supported by a network of privacy experts, including local Data Protection Officers (“DPOs”). For any privacy related request contact our local privacy experts or DPOs using the contact details provided in Section 16. If in doubt, please contact [email protected].

If you provide us with personal data about someone else, you are responsible for ensuring that you are permitted to share that personal data and comply with any applicable legal obligation.  This may include explaining to that individual why you are collecting their personal data and what you are doing with it and obtaining their consent if relevant under applicable law. We also recommend that you direct them to read this privacy notice.

To the extent permitted under applicable law, we may collect personal data about you and any other individual either directly or indirectly, if that data is provided to us by another party.

We collect your personal data when:

You interact with us directly

This can be when you use our Websites, Solutions or forms (including where you only complete them partially, in which case we may use your personal data to contact you to remind you to complete any outstanding information and/or for marketing purposes), take part in surveys or competitions, use social media, or contact us by phone, email, chatbots, fax or post.

You use our Websites and Solutions

We may collect your personal data using cookies or similar technologies (as described in our Cookie Policy).

You or your organisation provide(s) services to us

In this context, we may collect basic personal data about you (mainly professional contact details).

Third parties provide us with personal data about you

This can happen where:

  • we work with a business partner that has an existing relationship with you;
  • someone who uses our Solutions, or has interacted with us in another way, has given your personal data to us in line with Section 3 above;
  • you use our Solutions, including services and features incorporated into those Solutions, which may require us to obtain your personal data from a third party from whom you have instructed us to obtain it;
  • you are an employee of a customer of ours, and your employer provides us with your contact details or other personal data in connection with your use of our Solutions;
  • personal data is provided to us by government agencies or credit reporting agencies;
  • personal data is provided to us by marketing / lead-generation companies, or information service providers (“Prospect data”); or
  • you have a social media account, and that social media company provides us with access to certain personal data for marketing purposes.

In the context of corporate acquisitions

For example, where we acquire a business that had an existing relationship with you.

You participate in events organised by us

This happens where you attend seminars, learning, training or other events organised by Sage virtually or in person, or where you attend our premises for an event.


We collect the following categories of personal data:

  1. Contact Information: name, address (business or personal), email address (business or personal), phone number (business or personal);
  2. Billing and payment information: payment details, including amounts, frequency, date and time, location, the individual or business making or receiving the payment, transaction history, bank details, business accounts and taxation data, authorised user details, identification details or documents;
  3. Online usage, metadata and web information: information on the services you viewed and searched for, response times, errors, duration of access; visit and page interaction (such as scrolling, clicks and hovering the mouse over content), username, IP address, browsing time and history, passwords and logging data, device type, time zone, browser plug-in types and versions, social media profile photo or profile information, web log information, device identification number, device type, location information, connection information, operating system and platform;
  4. Communication preferences: marketing preferences, areas of interest, preferred contact method and details, correspondence relating to marketing, consent records, business information, such as name and number of employees;
  5. Organisation details: place of work, job title and organisation contact information;
  6. Physical access data: details of your visit to our premises, CCTV moving or still images and recordings, car registration data, event registration data, dietary requirements, access requirements; images taken when attending Sage events;
  7. Voice recordings: where you contact us and speak to us, such as by telephone or other verbal communication platform;
  8. Correspondence: where you contact us for any reason (for example, requests for technical or operational support, where you have a question, or where you exercise your data protection rights), we will collect personal data contained in this correspondence;
  9. Data processed using Solutions

This only applies to the extent you, your employer, customer or provider are using the Solutions listed below.

  • Sage ID: email address, password, phone number;
  • Sage payroll and accounting products: limited business details, including name and contact details, business type, where business is registered, payment details, transaction information, invoices, expenses, receipts, payroll ID, payroll information, full name, address, username, Sage ID, data captured through any integrations/specific additional functionality required;
  • Sage HR products: limited business details (including contact details, business type, where business is registered, payment details), other contact details, images, payroll information, appraisals, absence, holidays, disciplinary records, job and salary history, next of kin, dependencies, emergency contacts, bank information, data captured through any integrations/specific additional functionality required;
  • Sage Intacct: background checks, beneficiary details, contact details, images, education and skills, employment information, family information, financial information, government identifiers, ID evidence, other categories, personal identification, recordings, social, travel and expenses, feedback/options, individual share awards data, insurance details, marital status, trade union membership or professional membership, user account information, workplace welfare, data captured through any integrations/specific additional functionality required;
  • Sage enterprise resource planning, business automation and inventory planning: company names, registration numbers, addresses, bank details (BIC/IBAN), contact information: names, email addresses, phone numbers, URLs, address, payroll information, employee names and addresses, personal details, social security number, salary details, bank details, administration data (names, emails, image, address), authentication details (LDAP login, email), data captured through any integrations/specific additional functionality required, inventory, order and warehouse information;
  • Sage Intelligent Time: 
    • Data collected from you: any information you voluntarily provide to us, such as manually entered time entry information (including time worked and descriptions of time entries);
    • Data collected from your device (“Raw data”): email data (recipient, email address, subject line, date sent, email filing information such as labels, metadata like email record creation and last update date, user ID and thread ID), calendar data (event location, and date and time, other information about the event including recipients and their email addresses, recurrence of the event, and other metadata like calendar record creation and last update date, original start time, event ID and calendar ID, and whether the event is deleted), browsing data (name of active applications, title of window in currently active application, website URL of open browser, device type and operating system, activity data);
    • Data generated by Sage Intelligent Time Solution: including predictions about how you spend your time and creation of activity cards you can add to your timesheet; and
    • Data exchanged with the Sage Intacct Services and administrative data; when Sage Intelligent Time is linked to Sage Intacct Services, the account administrator’s name, email address and company name are shared with Sage Intelligent Time.

This section describes the purposes for which Sage processes your personal data and the corresponding lawful basis for that processing.

The lawful basis is our legal justification to process your data for the purposes of data privacy laws applicable in the European Economic Area (“EEA”), the United Kingdom and South Africa. The “Lawful basis” column below is not relevant to you if you are located outside these regions.

 

a. To deliver our Solutions

Purpose

Category of individual

Lawful basis

Establishing you as a customer on our systems, providing you with any information or Solutions that you have requested or purchased and sending you updates or service-related communications about these Solutions.

Customers and/or their main contacts,
Solutions and Websites users

Performance of our contract with you or our legitimate interests

Managing and administering your account, your billing and payments, and our relationship with you (for example, customer service and support activity, including troubleshooting or managing complaints).

Customers and/or their main contacts, Solutions and Websites users

Performance of our contract with you or our legitimate interests

Providing Sage University Services (facilitating the use of Sage U, processing orders for Solutions, provisioning solutions you have purchased, answering customer service requests, displaying reviews, images and other content and media you submit, maintaining and administering your account).  We share your personal data with Cornerstone, which hosts Sage U on our behalf. Cornerstone is an independent data controller in respect of personal data and processes such personal data pursuant to its own privacy notice hosted at http://sageu.com/legal/.

Customers and/or their main contacts,
Solutions and Websites users

Performance of our contract with you or our legitimate interests relating to providing you with services

Provide Solutions involving the use of Artificial Intelligence and Machine Learning; see Section 8 below “Artificial Intelligence and Machine Learning?” and Section 9 below “Sage Network” for more information.

Customers and/or their main contacts, their vendors and customers (or their main contacts),
Solutions users

Our legitimate interests relating to providing a service

Create and administer your Sage ID.  If you create a Sage ID to access our Solutions, it is attached and relates to you. If you use it to access your Sage Solution, it will exist regardless of that Solution, and you may be able to use it with another of our Solutions.  Likewise, if your employer uses one of our Solutions and you create a Sage ID to access your payslips online, you will retain that Sage ID regardless of your employment or your employer’s relationship with us. You will create your username which will be an email address of your choice.

Data collected within Sage ID is used for audit, access, service improvement, and support purposes, but it is not available for any marketing, surveys or other outreach to you.

When you use your Sage ID, Sage will authenticate you by sending the product your personal data in the form of a ‘JWT Token’. This is a technically necessary piece of information which includes your first name, last name, current email address and a unique ID (which is how we can track and authenticate users); this ID will not change, even though you might change your Sage ID credentials. We may also capture the region selected so we can provide the Solution in the appropriate language. Our Solutions need this personal data to correctly address you and communicate with you.

Customers and/or their main contact,
Solutions users

Our legitimate interest relating to providing a service

 

b. To improve our Solutions and their security

Purpose

Category of individual

Lawful basis

Monitoring, measuring, improving, and protecting our content, Websites, Solutions, and providing you with an enhanced, personalised user experience.

Customers, Solutions and Websites users

Consent (if using cookies) or our legitimate interests

Undertaking internal testing of our Website, Solutions, systems and associated services to test and improve their security, provision and performance.

Customers, Solutions and Websites users

Our legitimate interests

Carry out research and development activities to improve our Solutions (including by seeking and obtaining your feedback); see sections 8 “Artificial Intelligence and Machine Learning?” and 9 “The Sage Network” below for more information.

Customers and/or their main contacts, their vendors and customers (or their main contacts)
Solutions and Websites users

Our legitimate interests

Carry out research and development activities to design and develop new Solutions; see sections 8 “Artificial Intelligence and Machine Learning?” and 9 “The Sage Network” below for more information.

Customers and/or their main contacts, their vendors and customers (or their main contacts)
Solutions and Websites users

Our legitimate interests

Monitoring and carrying out statistical analysis and benchmarking regarding the use of our Websites, platforms, and Solutions, as permitted by applicable law. See section 7 “Profiling and automated decision making” below for more information.

Customers,
Solutions and Websites users

Consent (if using cookies) or our legitimate interests

Maintaining, checking, and improving the security and integrity of our Websites, Solutions, systems, platforms, and communications (and detecting and preventing actual or potential threats to the same).

Customers,
Solutions and Websites users

Our legitimate interests or our legal obligations

 

c. To communicate with you or provide marketing

Purpose

Category of individual

Lawful basis

Conducting surveys for customer research, benchmarking, improvement and marketing purposes, which may involve us sharing your personal data with trusted third parties who assist us with these activities.

Customers, Solutions and Websites users, Prospects

Consent (if for marketing purposes) or our legitimate interests

Providing you with any information as required to comply with our legal or regulatory obligations.

Customers and/or their main contact
vendors/partners and/or their main contacts

Legal obligation

Sending newsletters to you.

Customers and/or their main contacts,
Solutions and Websites users, Prospects

Our legitimate interests if you have requested the newsletter or your consent if not

Posting testimonials or reviews in relation to our Solutions which you have supplied to us.

Customers and/or their main contact,
Solutions users

Consent

Sending you electronic direct marketing communications, analysing how you engage with our electronic marketing communications (including whether you open them and click through to access their contents).

Customers and/or their main contacts, Prospects,
Solutions and Websites users

Consent

Organising and managing events or contacting you if you have attended a Sage event or an event partnered by Sage. We may share personal data about your attendance with trusted third parties. We, or a trusted third party, may also contact you after an event to get some feedback about the event to help us improve our future events.

Customers and/or their main contact,
Prospects
Solutions and Websites users

Consent or contract

Delivering joint content and services with third parties with which you have a separate relationship, for example, social media providers including LinkedIn or Instagram.

Customers and/or their main contact, Prospects
Solutions and Websites users

Consent

Monitoring and carrying out statistical analysis and benchmarking regarding the use of our Websites, platforms, and Solutions, as permitted by applicable law. See section 7 “Profiling and automated decision making” below for more information.

Customers,
Solutions and Websites users

Consent (if using cookies) or our legitimate interests

 
More information on our marketing activities

We may use your personal data to contact you with details about our business, our Solutions or other offers which we feel may be of interest to you or which you have asked for. We may also share your personal data with other companies in our Group and carefully selected third parties so that they (or we) may contact you with information about their products or services which we feel may be of interest to you. We or they may wish to contact you for this purpose by telephone, within a Solution, by post, SMS message or email, or other communication platform.

We will only contact you by email or SMS message in line with your marketing preferences. You can unsubscribe from email marketing using the links provided in the emails we send to you.

 

d. To operate our business

Purpose

Category of individual

Lawful basis

Performing due diligence reviews.

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests or legal obligation

Detecting, preventing, investigating, reporting, or remediating any criminal, illegal or prohibited activities (including fraud and money laundering), or to otherwise protect our legal rights (including liaison with official bodies, regulators, and law enforcement agencies for these purposes).

Customers, Solutions and Websites users,
vendors/partners and/or their main contacts

Our legitimate interests

Obtaining legal or other professional advice and establishing, defending, and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings).

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests

Managing, planning, and delivering our global business and marketing strategies (including collating management information and recording and reporting on our business development activities).

Customers,
Solutions and Websites users

Our legitimate interests

Purchasing, maintaining, and claiming against our insurance policies.

Customers and/or their main contact,
vendors/partners and/or their main contacts

Our legitimate interests

Training our staff, supporting their learning, development, and performance.

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests

Managing any proposed sale, purchase, restructuring, transfer or merging of any or all part(s) of our business or another business, including to respond to queries from the prospective buyer or merging organisation.

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests

Managing, publicising, and participating in corporate social responsibility and Environmental Social and Governance (ESG) initiatives. For example, we may anonymise and/or aggregate your personal data to create reports or dashboards and share those with trusted third parties or on our Websites, to raise awareness on topics that are important to us, such as supporting the growth of small and medium businesses.

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests

Comparing information for accuracy, to categorise it, and to verify it with our systems or third parties.

Customers,
Solutions and Websites users

Our legitimate interests or legal obligation

Complying with any of our legal or regulatory obligations (including our responsibilities under codes of conduct and anti-bribery laws).

Customers and/or their main contacts,
Solutions and Websites users,
vendors/partners and/or their main contacts

Legal obligation

Complying with instructions, orders and requests from law enforcement agencies, regulatory bodies, supervisory authorities, any court or otherwise as required by law.

Customers and/or their main contacts,
Solutions and Websites users,
vendors/partners and/or their main contacts

Legal obligation

Monitoring and recording communications with you, including e-mails, webchats and phone and other voice or video conversations (after informing you of the monitoring and/or recording during that call and before the recording starts), for training purposes.

Customers and/or their main contacts,
Solutions users

Consent

Protecting our assets, our customers, and their assets, and protecting our employees and other workers from unacceptable behaviour, fraudulent or other harmful communications or actions by using CCTV video surveillance, monitoring and recording in or around our premises.

Customers and/or their main contacts,
vendors/partners and/or their main contacts

Our legitimate interests

Enhancing personal data we collect from you with data we obtain from third parties that are entitled to share that data; for example, data from credit agencies, search information providers or public sources (e.g., for customer due diligence purposes, or to improve accuracy of our records), but in each case as permitted by applicable law.

We may also enhance personal data we collect from you with data which we already hold about you in our systems through your use of our Solutions or other interactions with us (including as a free trial) or by combining data where you use multiple Solutions.

Customers and/or their main contacts, their vendors and customers (or their main contacts)
Solutions and Websites users,
vendors/partners and/or their main contacts

Our legitimate interests

 

e. To carry out analytics and digital advertising

Purpose

Category of individual

Lawful basis

Delivering targeted advertising and marketing campaigns (which may include in-Solution messaging) or sharing information with you which may be useful to you, based on your use of our Website, Solutions, or any other data we hold about you.

Customers and/or their main contacts,
Solutions and Websites users

Consent

Providing you with location-based services, for example, targeted advertising and other personalised content, where we collect geo-location data.

Customers and/or their main contacts,
Solutions and Websites users

Consent

Ensuring our advertisements match the potential interest of users, tracking the efficiency of ads and optimising the effectiveness of our campaigns. We use Conversion APIs provided by Meta, Google and LinkedIn. An API is a software intermediary allowing two applications to talk to each other; when using a conversion API, we allow our server to communicate with these third-party servers.

Where you consent to “Targeting technologies” on our website, we collect information about your usage of our website from our server logs and share this information with these third parties for the abovementioned purposes. We also share what we call “offline” data, which is information we collected from our interactions with you that took place outside of our website and can help us understand your entire experience with Sage. This data includes your hashed contact details, as well as information about your organisation and information about your interactions with Sage (e.g. whether you are interested in a product, which product it is, how interested you are).

When using the Meta Conversion API, Sage is a joint controller of personal data with Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta”) for the purpose of creating, displaying and improving targeted ads.  

We have concluded a joint-controllership of personal data agreement with Meta which can be accessed here, to determine the respective responsibilities for compliance with the obligations under the UK and EU General Data Protection Regulations (together “GDPR”) with regard to the joint processing of data.  

Under this agreement, Sage and Meta have agreed that Meta would be responsible for enabling data subject rights of individuals with regards to the personal data stored by Meta after the joint processing.  

The contact details of Meta can be found here, as well as further information on how Meta processes personal data, including the lawful basis Meta relies on and how individuals can exercise their data subject rights.  

You can deactivate this tool by withdrawing your consent to “Targeting technologies”.

Website users
Consent

Profiling

Profiling activities consist of using personal data of individuals to predict their interests and likely behaviours. This is usually carried out using behavioural information and, amongst other uses, helps us to inform our decisions about marketing audiences. This allows us to send the right message to the right audience.

We may use personal data generated when you use our Solutions and Websites to improve them, and give you the best service and experience. This means that we may use personal data (including data collected using cookies and similar technologies) to evaluate and predict your personal preferences and interests. Please note that this is subject to your consent where required by applicable law.

We may conduct profiling activities to:

  • support you and personalise the communications we send in relation to our Solutions where permitted by applicable law and in line with your preferences;
  • deliver advertising, marketing (including in-Solution messaging) or information which may be useful to you, based on your use of Solutions (considering your preferences as required); and
  • provide you with location-based services (for example location relevant content) where we collect geo-location data.

Please be aware that, in connection with the purposes above, we may use the personal data of your customers, suppliers, employees, and other individuals, whose personal data you input into our Websites or Solutions.

Automated decision-making

We do not conduct any automated decision-making with a significant or legal effect, or otherwise, about you or any individuals.

Sage is committed to innovation and is constantly evaluating new ways to improve its Solutions and develop new ones. Using Artificial Intelligence (“AI”) and Machine Learning (“ML”) allows us to improve our Solutions, giving you access to new functionalities and automated features (e.g. automatic processing of invoices).

What is ML?

ML is a type of AI which uses data and algorithms to recognise patterns, drawing inspiration from the way humans learn. It provides systems the ability to automatically learn and improve from experience, without being explicitly programmed. It usually works with ML models, which are programs trained to recognise patterns in previously unseen data sets.

How do we use ML?

Sage uses ML in some Solutions and may process personal data listed in Section 5(9), “Data processed using Solutions”, to deliver these ML powered services. For the purposes of delivering ML powered services, personal data is generally used for the purpose of:

(1) Building an ML model, and continuously training it

We build and train ML models using data including personal data, so they can perform the task they have been designed to perform. For example, to design a service allowing the automatic processing of invoices, we would create an ML model designed to recognise specific data fields in an invoice and train this ML model on a number of invoices so it can learn where these fields are located and what they are likely to contain. This ML model would then continually be updated and trained based on new invoices. The purpose of this processing is to create an accurate ML model and continuously ensure its accuracy.

(2) Providing the Solution 

Personal data entered in the Solution is consumed by the ML model to deliver the service it has been programmed to deliver. For example, an ML model designed to automatically process invoices would, once trained, be applied to new invoices to automatically recognise fields and populate them into a Sage Solution.

The purpose of our use of AI and ML at Sage is not to make decisions about individuals. Our purpose is to automate manual and time-consuming processes for the benefit of our customers and other parties.

Sage has created a trusted network, the Sage Network, with the purpose of interconnecting our Solutions, as well as our partner solutions. The aim of the Sage Network is to provide additional,  innovative and integrated Solutions to you (the “Sage Network Services”), to help automate your workflows and improve your customer/user experience. For this purpose, data inputted into our Solutions, and listed in in Section 5(9), “Data processed using Solutions”, may be shared with other Solutions and platforms (together the “Sage Network Platform”), to facilitate provision of the Sage Network Services.

Sage is mostly acting on behalf of its customers in the context of the Sage Network (as a data processor under European Union (“EU”) and UK data protection laws), and the processing of personal data to provide Sage Network Services is covered by our Data Protection Agreement.

Data processed in the Sage Network Platform may however be processed by Sage for the following purposes (as a data controller under EU and UK data protection laws):

  • To build and feed ML models, as described in section 8, “Artificial Intelligence and Machine Learning”;
  • To provide ML powered services, as described in section 8, “Artificial Intelligence and Machine Learning”;
  • To purchase data sets from third parties, in order to improve accuracy of data held in the Sage Network Platform;
  • To carry out research and development activities to improve our Solutions based on data ingested by the Sage Network Platform.

Processing of personal data by Sage as a data controller under EU and UK data protection laws in the context of the Sage Network will be carried out in accordance with this privacy notice.

We may obtain personal data through mobile applications that you or your users install on mobile devices to access and use our Websites or Solutions, or which you or your users use to provide other services related to that mobile application (for example, to sync information from our Solution with that mobile application).

These mobile applications may be our own Solutions or be provided by third parties. Where the mobile application is operated by a third party, you must read that third party’s own privacy notice which applies to your use of that third party mobile application. We are not responsible for those third party mobile applications or the use of your personal data by those third parties.

Mobile applications may provide us with personal data related to your use of that mobile application and / or our Websites or Solutions accessed through that mobile application. We may use this personal data to provide and improve the mobile application or our own Website or Solution. For example, activity undertaken within a mobile application may be logged for review.

You can configure application privacy settings on your mobile device, but this may affect the performance of the application and the way it interacts with our Websites and Solutions.

We retain personal data about you during and after termination of your relationship with us. This data is held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes, in accordance with our internal Sage policies. For more information on the retention of personal data, please contact the Sage Privacy Office at [email protected].

Sometimes we may need to share your personal data with third parties.  This will usually be because you have asked us to, we are required to by law, or because a third party integrates with our Solution or provides us or you with a service. You will find in the table below a list of third parties with which we may share your personal data and why.  

| Third parties | Reason |
| --- | --- |
| Our service providers and agents (including their sub-contractors) or third parties which process personal data on our behalf (e.g., internet service, cloud storage and platform providers, payment processing providers and those organisations we engage to help us send communications to you); third parties with which you request that we share personal data for your own or their purposes. | Helping us to provide you with the Solutions and information you have requested or which we believe is of interest to you. |
| Partners, including system implementers, resellers, value-added resellers, independent software vendors and developers. | Allowing partners to provide you the Solutions, services, and information you have requested or which they believe is of interest to you. |
| Another company within our Group. | Helping us to provide you with the Solutions and information you have requested or which we believe is of interest to you, or in the context of a restructuring. |
| Third parties used to facilitate payment transactions, for example clearing houses, clearing systems, financial institutions, and transaction beneficiaries. | Helping us to ensure payment for Solutions. |
| Other parties who may also be controllers of the data we share with them, for example, academic or research organisations. | Research necessary for our own or another organisation’s legitimate interests (e.g., to deliver valuable insights to our customers or enable us to improve the service we offer you). In these circumstances, we will take additional steps to protect your personal data, for example pseudonymisation, or anonymisation and aggregation prior to sharing the data, to protect your privacy and the confidentiality of your data. |
| Third parties where you have a relationship with that third party, such as social media providers, partners, and other third parties with which we work and whose products or services we think will interest you in the operation of your business activities. | Marketing and targeting purposes. |
| Credit reference and fraud prevention agencies; government bodies and departments, regulators and any other third party necessary to meet your or Sage Group’s legal, regulatory, and reporting obligations; law enforcement agencies so that they may detect or prevent crime including fraud or prosecute offenders including statutory or regulatory reporting or the detection or prevention of unlawful acts; any third party in the context of actual or threatened legal proceedings; professional advisors and auditors for the purpose of seeking professional advice or to meet our audit responsibilities. | To comply with applicable laws and regulations and to protect our business. |
| Another organisation if we sell or buy (or negotiate to sell or buy) any business or assets, another organisation to whom we may transfer our agreement with you. | In the context of an acquisition, sale or restructure. |

When we share personal data with third parties which are providing us with services, or providing services to you on our behalf, we always have an agreement in place to ensure protection of your personal data i.e., that it is only used for agreed purposes and in accordance with applicable laws.




More information can be found in our specific cookie policies relating to Websites and Solutions, but it is worth mentioning here that our Website and Solutions may contain technology that enables us to:  

  • check specific information from your device or systems directly relevant to your use of our Websites and Solutions against our records to make sure they are being used in accordance with our agreements and to troubleshoot any problems you may be experiencing;  
  • obtain information relating to any technical errors or other issues with our Website, and Solutions;  
  • comply with our legal or regulatory obligations;  
  • collect information about how you use the functions and features of our Website and Solutions; and  
  • gather statistical information about the operating system and environment from which you access our Solutions including web traffic data. 

The cookie policy for the Sage.com website can be found here. For those Solutions using cookies and similar technologies, a cookie policy will be made available to you directly in the Solution, usually in the Solution Help Centre.

If you follow a link which takes you away from our Website or Solutions, our privacy notice does not apply when you arrive at your new online destination, and we are not responsible for the handling of your personal data after you have left our Website or Solution. Please read the privacy information of the third party responsible for the new online location which you have linked to.

Data privacy rights differ from one region to another. Please consult the relevant part of Section 16 below dealing with data privacy rights to obtain more information on your local rights.

We will keep your personal data secure by applying appropriate technical and organisational measures against its unauthorised or unlawful access or use and against its accidental loss, destruction, or damage. You can find more information on our technical and organisational security measures on our Trust and Security Hub.

We will do our best to protect your personal data, but we cannot guarantee the security of your personal data while it is being transmitted to our Website or Solutions or to other websites, applications and services via an internet or similar connection. If we have given you (or you have chosen) a password to access certain areas of our Websites or Solutions, please keep this password safe. When choosing your own password, please ensure it is strong and do not use variations of previously used passwords. With all passwords, do not write them down or leave them accessible to unauthorised persons.

If you believe your personal data has been compromised in connection with your use of Sage Solutions or Websites or otherwise in connection with Sage, please contact us at [email protected].

Key data protection laws

The key data protection laws in the United Kingdom are the UK General Data Protection Regulation (“UK GDPR”), UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.

The key data protection laws in the Republic of Ireland are the General Data Protection Regulation, the Data Protection Act 2018 and the S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.

Controllers and processors

This privacy notice describes our processing of your personal data in our capacity as a “data controller” under applicable law in the UK and the Republic of Ireland. A data controller decides how and why your personal data is processed.  Depending on the country in which you are located, a different Sage company may be the data controller of your personal data. You will find here the list of all Sage affiliate companies, by region.

Where we process personal data on behalf of another individual, for example our customers, partners, or other parties, we do not decide how and why to process that personal data. In those instances, we are a “data processor” under applicable law rather than a data controller. Where we are a data processor of your personal data, we use it in accordance with the data controller’s instructions to us. Those instructions include the terms and conditions applicable to the product or service you or your employer are using, and our Data Processing Agreement here which forms part of those terms.

If we are a data processor of your personal data, then you should also read the relevant data controller’s privacy notice. Make sure that you familiarise yourself with the privacy notice of your own employer, accountant, business, or other organisation that you have a direct relationship with, and which may share your personal data with Sage.

European Union representative

European Union (“EU”) data protection laws require non-EU organisations to have a representative in the EU. The role of the EU representative is to be the point of contact for individuals and authorities for all EU member states.

In the UK, we have appointed Sage Global Services (Ireland) Limited as our EU representative. Sage Global Services (Ireland) Limited’s contact details are:

Number One Central Park
Leopardstown
Dublin 18
662898 
Ireland

You can also contact [email protected] if you have any questions about or for our EU representative.

Your data protection rights

If you are based within the UK or the Republic of Ireland, you have the following data protection rights:

  • the right to be informed about the processing of your personal data;
  • the right to obtain access to your personal data;
  • the right to have your personal data rectified or erased, or to place restrictions on processing your personal data;
  • the right to object to the processing of your personal data e.g., for direct marketing purposes or where the processing is based on our legitimate interests;
  • the right to have any personal data you provided to us electronically returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (this is known as ‘data portability’);
  • where the processing of your personal data is based on your consent, the right to withdraw that consent subject to legal or contractual restrictions;
  • the right to object to any decisions based solely on the automated processing of your personal data, including profiling; and
  • the right to lodge a complaint with the data protection supervisory authority responsible for data protection matters in your location. For the UK, this is the Information Commissioner’s Office (ICO). For the Republic of Ireland, this is the Data Protection Commissioner (DPC).

Please note that in some circumstances the exercise of the above rights may be limited by legal restrictions and exemptions. If relevant, we will explain this when responding to a request to exercise data protection rights.

If you think we hold any personal data about you which is incorrect or if there are any changes to your personal data, please let us know so that we can keep our records accurate and up to date.

If you wish to exercise your data protection rights as an individual, please access the Individual Rights Request Form on the Trust and Security Hub or contact us at [email protected].

If you do not want us to use your personal data for purposes set out in our privacy notice, we may not be able to provide you with access to all or parts of our Website or Solutions.

International transfer of personal data

Personal data in EU member states and the UK is protected by data protection laws, but other countries do not necessarily protect your personal data in the same way.  You can find a list of countries that the European Commission considers provide an equivalent level of data protection to that which exists within the European Economic Area (EEA) (“Adequate countries”) here.

Our Website and some of our Solutions, or parts of them, may be hosted outside the EEA or UK, which means that we may transfer personal data to third countries which do not have an EU or UK adequacy determination in some circumstances.  In addition, we may use service providers located outside the EEA or UK to help us provide our Websites, Solutions or other services to you and this means that we may transfer your personal data to these regions.

We take steps to ensure that where your personal data is transferred outside of the EEA or the UK, appropriate measures and controls are in place to protect that data in accordance with applicable data protection laws. All Sage Group companies are subject to an internal Personal Data Protection governance policy and related procedures designed to protect personal data in accordance with EU, EU member state and UK data protection laws. In each case, such transfers are made in accordance with applicable data protection laws and may be based on the use of (i) the European Commission’s Standard Contractual Clauses for transfers of personal data outside the EEA, or (ii) the UK’s International Data Transfer Agreement and/or the European Commission’s Standard Contractual Clauses and/or the UK Addendum for transfers of personal data outside the UK.

For more information on international transfer of personal data, please contact [email protected].

How can you contact us?

If you have any questions about this privacy notice, or wish to exercise your data privacy rights as an individual, you can contact our Chief Data Protection Officer by sending an email to [email protected] or by postal mail at Sage Group plc, C23 5 & 6 Cobalt Park Way, Cobalt Business Park, Newcastle-Upon-Tyne, Tyne & Wear, NE28 9EJ.
