Privacy Policy


Ivalua is committed to protecting and respecting your privacy. 

This privacy policy (“Policy”) establishes the standards for collecting, using, disclosing, storing, securing, sharing, transferring or otherwise Processing Personal Data you submit to Ivalua when accessing and using Ivalua website (“Website”)  and/or using and accessing the Ivalua products and services (collectively “Ivalua Services”).  

If you use the Ivalua Services as part of a business or an entity that has an agreement in place with Ivalua, then the terms of that agreement between your Organization and Ivalua will supersede this Policy. 

This Policy does not apply to any third-party websites and apps, including any linked to the Ivalua Services and/or website.

Ivalua is committed to the following privacy principles: 

Fairness. Ivalua Processes Personal Data in a lawful, legitimate and transparent manner. 

Purpose limitation. Ivalua only collects Personal Data for a specific, explicit and legitimate purpose.  

Data Minimization. Ivalua Processes Personal Data that is relevant, adequate and limited in consideration of the purpose for which such Personal Data is Processed. 

Integrity and security. As a data controller, Ivalua keeps Personal Data accurate, complete and up to date as is reasonably necessary for the purpose for which it is Processed. As a data controller and a Data Processor, Ivalua implements appropriate organizational and technical measures to safeguard Personal Data against unauthorized or unlawful Processing and accidental loss, destruction or damage. 

Accountability. Ivalua has in place appropriate governance, policies, processes and controls to be able to demonstrate that its Processing of Personal Data is in accordance with this Policy and data protection laws applicable to Ivalua.

Who we share Personal Data with

We do not sell your Personal Data to third parties. 

We may disclose your Personal Data to the following categories of recipients:

  • to our group companies, third party services providers and partners who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to enhance the security of our Website), or who otherwise process Personal Data for purposes that are described in this Policy or notified to you when we collect your Personal Data;
  • to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
  • to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Policy; and 
  • to any other person with your consent to the disclosure.


When you visit Ivalua’s website, Ivalua stores certain information about your browser, the operating system, and your IP address.

If you use a registration form, Ivalua will collect the information you provide to Ivalua such as your first and last name, corporate email address, telephone number, location (country, state, city), company name, job title, department, current relationship with Ivalua and your company’s industry.

Ivalua does not resell neither your Personal Data nor your Personal Information. 

Ivalua uses Cookies on its website. By using Ivalua’s website, you accept the use of Cookies in accordance with this notice.  If you do not accept the use of Cookies, you have the ability to manage your cookies settings and/or change your browser settings so that Cookies from this Website cannot be placed on your computer or mobile device. Please note that some Cookies are required for the Website to work and cannot be disabled. 

A Cookie is a small date file stored on your computer or mobile device when visiting a website. 

First-party cookies are those set by Ivalua when visiting our Website.  Third-party cookies are cookies set by a domain other than Ivalua’s when visiting our Website. 

Persistent cookies remain on your device for the period of time specified in the cookie. They are activated each time you visit our Website. You can delete them from your device at any time. 

Session cookies allow us to link your actions during a browser session. A browser session starts when you open the browser window and finish when you close the browser window. Session cookies are created temporarily. Once you close the browser, all sessions cookies are deleted. 

Required cookies are necessary to enable the basic features of this site to function, such as providing secure log-in or remembering how far you are through an order. Required cookies cannot be disabled.

Functional cookies allow us to analyse your use of the site to evaluate and improve our performance. They may also be used to provide a better customer experience on this site. For example, remembering your log-in details, saving what is in your shopping cart, or providing us information on how our Website is used.  

Personalization cookies are used to personalize your experience on our Website. We may share this information with advertisers or use it to better understand your interests. For example,  Personalization cookies may be used to share data with advertisers so that the ads you see are more relevant to you, allow you to share certain pages with social networks, or allow you to post comments on our site. 

Expiry of Cookies.  Cookies have a limited lifetime, after which they will be unusable and automatically deleted.  The lifetime of each cookie is defined within each cookie. 

List of Cookies.  

Name Purpose Lifetime
TrustArcCookiesAccepted This cookie appears when the user accepts cookies from TrustArc Website.  This cookie does not collect personal data. 12 Months
CookieMessageShown This cookie is used to avoid showing the cookie acceptance message to the user constantly on each request. This cookie does not collect personal data. 12 Months
n/m|7/A77e370r This cookie is essential and contains the user’s session ID. This cookie does not collect personal data about the user. Session
ASP.NET Sessionid This cookie is essential and contains the user’s session ID. This cookie does not collect personal data about the user. This cookie is deleted when you close your browser.  For further information, visit Session

Children's Information

Ivalua does not knowingly collect or store information from children under the age of 16, unless permitted by law. We will delete any information we may have inadvertently received from a child under 16 upon notice.  If you have reason to believe that a child under the age of 16 has provided Personal Data to Ivalua through our Website, please contact us and we will endeavor to delete that information from our databases.

Use of Ivalua Services

Specific provisions where Data Subjects Personal Data Processing is protected under the GDPR. 

This section applies to the Processing of Personal Data when you use our Services (where we act as a processor of your Personal Data and/or when you create an account to use our Services on behalf of your Organization,).

The categories of Personal Data that we process is described in the personal data protection agreement (DPA) we have in place with your Organization or the organization you’re a supplier for, and that has collected your Personal Data in the first place (“your  Organization”). Personal Data is collected by your Organization and Processed by Ivalua in accordance with the DPA in place with your Organization. 

We process your Personal Data for the purposes and on the legal bases identified in the following where we act as a processor of your Personal Data:

  • Contract performance where we have entered into a contract for your Organization’s use of our Services and in order to provide general business and technical support and maintenance services via our ECS (Extranet Customer Support). 

  • Legitimate interest is the legal basis for processing the following:
  • For security purposes such as investigations of suspicious activity or for compliance purposes (such as investigating fraud or misuse of Ivalua Services);
  • For other purposes that may arise from time to time in accordance with applicable data protection laws.

We share your Personal Data within our organization for the purposes set out in the section above and in accordance with the DPA in place with your Organization.

When using our Services, an Account Admin is the person responsible for owning the product or service and delivering the service to the members of his/her respective Organization. When you or your Account Admin uploads information (such as business email address) into Ivalua Services, you and/or the Account Admin acknowledge that is has been done at the discretion of the Organization that you or your Account Admin represent. In this scenario, the Account Admin’s Organization is the controller of the Personal Data and Ivalua acts as a processor of the Personal Data. Ivalua is legally bound by the applicable terms for the Ivalua Services purchased, such as the Ivalua contract terms, other applicable agreements for services between Ivalua and your Organization, and/or DPA to only process data as authorized by the agreement(s) and upon the instruction of the controller. If you have any detailed questions regarding these agreements, please contact your Account Admin or your Organization DPO or Privacy contacts directly within your Organization. 

As an Account Admin, your Personal Data will be used to communicate with you for support purposes or to follow up on requests made by you or another user of Ivalua Services in accordance with the contract terms within your Organization.

In relation to the use of Ivalua Services, you shall exercise your data subject rights directly within your Organization. Any direct request we shall receive will be redirected to your Organization as your Organization collects your Personal in the first place as a data controller for the use of the Ivalua Services. 

Additional information for California residents

In the preceding 12 months, we have collected the following categories of Personal Information, as defined by the California Consumer Privacy Act (‘CCPA’):

  • Identifiers such as a real name, alias, postal address, Internet Protocol address, email address, account name;
  • Characteristics of protected classifications under state or federal law, such as age or gender;
  • Commercial Information, including records of products or services purchased from us;
  • Internet or electronic network activity information, including activity on our Website and pages accessed;

We do not provide services, or other items of value, as consideration for your Organization or the Personal Information of Authorized users in accordance with the CCPA.

You are responsible for ensuring your compliance with the requirements of the CCPA in your use of Ivalua Services and your own processing of personal information.

Here are a few things that Ivalua will NOT do with Personal Information in the scope of acting as a service provider, as defined by CCPA. Ivalua will not sell, rent, or otherwise disclose your Personal Information to third parties in exchange for money or something else of value. Ivalua does not disclose your Personal Information to non-affiliated companies for their direct marketing purposes without your consent. Ivalua does not use your information outside the scope of the agreement(s) for services that we have with you.

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of Personal Information we collect (including how we use and disclose this personal information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at Please note that to protect your information, we may need to verify your identity before processing your request. We will verify your request using the information associated with your account, including your email address. 

Under the CCPA, you may exercise these rights yourself or you may designate an authorized agent to make these requests on your behalf. We may request that your authorized agent have written permission from you to make requests on your behalf and may need to verify your authorized agent’s identity.

Transfers outside the EEA

Use of our Website. The Website is provided and hosted in the United States. If you are resident in or a visitor from the European Economic Area (“EEA”), UK or Switzerland, we protect your Personal Data when it is transferred outside of the EEA, UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information; or otherwise implementing appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) or another lawful transfer mechanism approved by the European Commission.
Use of Ivalua Services. Ivalua operates at a global scale and may transfer Personal Data to (or access Personal Data from) countries outside the European Economic Area (“EEA”); UK or Switzerland. We protect your personal Data when it is transferred outside of the EEA, UK or Switzerland by processing it in a territory which the European Commission has determined provides an adequate level of protection for personal information; or otherwise implementing appropriate safeguards to protect your personal information, including through the use of Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) or another lawful transfer mechanism approved by the European Commission.

Contact us

To exercise your rights or if you have any questions regarding this Policy, you can contact the Ivalua’ Privacy Team at any time by email:

Alternatively, you can contact us in writing at: Ivalua Privacy Team, 102, avenue de Paris, 91300 Massy – France

Changes to this Privacy Policy

Ivalua also monitors periodically its compliance with this Policy on an ongoing basis. Ivalua periodically verifies that this Policy continues to conform to the applicable data protection laws and is being complied with. This Policy was last reviewed in November 2020.

Effective Date: December 1st, 2020


Authorized Users means Organization’s employees, affiliates’ employees, consultants and third-party’s employees, individual contractors accessing the Ivalua Services on your Organization’s behalf pursuant to the contract terms in place with your Organization.  

CCPA means the California Consumer Privacy Act.

EEA means European Economic Area – includes EU member states and three European Free Trade Association states (Iceland, Liechtenstein, and Norway).

GDPR means the Regulation (EU) 2016 / 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and all laws and regulations giving binding legal effect to them in an EEA country, together with any successor or replacement legislation and regulation.

Ivalua means Ivalua SAS and its affiliates. 

Personal Data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Process/ Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, storage, structuring, organisation, adaptation, or alteration, retrieval, consultations, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.