Privacy Supplement

Esri Products & Services Privacy Statement Supplement

Revised December 11, 2024

Your privacy is important to us. This Products & Services Privacy Statement Supplement applies to the Environmental Systems Research Institute, Inc. and its affiliate Esri Global, Inc. (collectively “Esri”) products, services and related offerings that display or link to this Products & Services Privacy Statement Supplement (the “Products & Services”). Esri established this Products & Services Privacy Statement Supplement in order to clarify that the use of information to which it may be provided access in order to deliver Product & Services is more limited than the use of information covered by the general Esri Privacy Statement

Esri participates in and has certified its compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries, the United Kingdom and Switzerland. Esri is subject to the investigatory and enforcement powers of the Federal Trade Commission. Esri has certified that it adheres to the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this Supplement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the DPF program, please visit https://www.dataprivacyframework.gov/s/, and to view Esri’s certification, please visit https://www.dataprivacyframework.gov/s/participant-search.

Esri is responsible for the processing of personal data it receives, under the Data Privacy Framework, and subsequent transfers to a third party acting as an agent on its behalf. Esri complies with the DPF Principles for all onward transfers of personal data from the EU, the United Kingdom and Switzerland, including the onward transfer liability provisions.

Esri also commits to the EU Standard Contractual Clauses and supplementary measures identified in its pre-signed Data Processing Addendum and the UK Addendum.

Key offerings that fall within the scope of Products & Services include: ArcGIS Online, Esri Managed Cloud Services, Customer Support, and Professional Service engagements. Customers who utilize organization (cost-based) accounts of Products & Services, such as ArcGIS Online, expect a higher level of privacy assurance which is reflected in this Products & Services Privacy Statement Supplement, whereas consumers of public accounts are provided the privacy assurance level of the Esri Privacy Statement. Esri’s marketing sites and other public websites are governed by the general Esri Privacy Statement.

The datasets within the scope of Products & Services can be broken down into four main areas: Customer data, Administrator data, Payment data, and Support data as described below.

Customer Data

Customer Data consists of all data including text, sound, video, or image files, and software, that are provided to Esri by, or on behalf of, you or your end users through the use of Esri Products & Services. Esri treats Customer Data as confidential in accordance with the terms of your orders for Products & Services.

Customer Data will be used only to provide customer the Products & Services including purposes compatible with providing those services. For example, we may use Customer Data to provide a personalized experience, improve service reliability, combat spam or other malware, or improve features and functionality of the Products & Services. Esri will not use Customer Data or derive information from it for any advertising or similar commercial purposes. If Esri processes de-identified data, we will maintain such information in a de-identified state and will not try to re-identify the data, except as permitted under applicable law. Customer Data is not Administrator Data, Payment Data, or Support Data.

You have the choice to access your information and Customer Data and to correct, control or delete your information and Customer Data in our Products & Services by logging in to your account and making the appropriate changes. For more information about the features and functionality that enable you to control Customer Data, please review documentation specific to the Products & Services available through Trust.ArcGIS.com.

Administrator Data

This is information the customer provides about itself typically as part of marketing, sales, or contractual interactions with Esri, including for example its name, address, billing information, and some employee contact information. Esri may also collect other information about the customer and some employees, for example through its web sites, as part of that interaction. All of that information is Administrator Data, and is treated according to Esri’s general Privacy Statement.

In contrast, having contracted with Esri for ArcGIS Online or other Products & Services, when the customer provides Esri access to its production, development or test environment, which may include personal information about its employees, customers, partners or suppliers (collectively “end users”), this is considered Customer Data and treated under the supplementary obligations of this Products & Services Privacy Statement Supplement.

Payment Data

Esri stores no payment instrument number information (e.g. credit card) within their systems for Products & Services. Esri utilizes a third party provider which has been audited by a Payment Card Industry Standard certified auditor to ensure your information remains secure. Payment information is transmitted directly to the provider via HTTPS for secure transmission so that payment data is never transmitted or stored by Esri Products & Services.

Support Data

Support Data is the information we collect when you contact or engage Esri for technical support. It includes information you submit in a support request or provide when you run an automated troubleshooter. It may also include information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files. In addition to using Support Data to resolve your support incident, we use Support Data to operate, improve and personalize the products and services we offer.

Support may be provided through phone, email, or online chat. With your permission, we may use Remote Access (“RA”) to temporarily navigate your machine or, for certain Products & Services, you may add a support professional as an authorized user for a limited duration to view diagnostic data in order to resolve a support incident. Phone conversations, online chat sessions, or RA sessions with support professionals may be recorded and/or monitored. Support Data is subject to this Products & Services Privacy Statement Supplement.

Cookie Technologies

Esri may use cookies (small text files placed on a device’s hard disk by a web service) or similar technologies to provide Products & Services. For example, cookies and similar technologies such as web beacons may be used to store a user’s preferences and settings, to gather web analytics, to authenticate users, and to detect fraud. In addition to the cookies Esri may set when you visit Esri Products & Services sites, third parties that we have hired to provide certain services on our behalf, such as site analytics, may also set cookies when you visit Esri sites. To learn more about how to control cookies and similar technologies, please see your Internet browser’s documentation. Choices you make regarding the use of cookies may impact your use of the Products & Services. Please be aware that many of our products and services require cookies when non-anonymous access is required.

On-Premises / Local Software

Some Products & Services may require, or may be enhanced by, the installation of local software (e.g., agents, device management applications) on a device.

By default, local software may transmit the following which they can opt-out of (i) data, which may include Customer Data, from a device or appliance to or from the Products & Services; or (ii) logs or error reports to Esri for troubleshooting purposes; (iii) data collected about the use and performance of the local software or the Products & Services that may be transmitted to Esri and analyzed to improve the quality, security, and integrity of the products and services we offer. For additional information on what is collected and sent, please review the Esri User Experience Improvement Program FAQ’s.

Online Services and Data Location

Online Services are the subset of Esri Products & Services hosted by Esri, typically within a cloud infrastructure provider. Many Esri Online Services such as ArcGIS Online are intended for use by organizations. If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access the Online Services, the owner of the domain associated with your email address may: (i) control and administer your Online Services account and (ii) access and process your data, including the contents of your communications and files. Your use of the Online Services may be subject to your organization’s policies, if any. If your organization is administering your use of the Esri Online Services, please direct your privacy inquiries to your administrator. Esri is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this Products & Services Privacy Statement Supplement.

Customer Data that Esri Online Services process on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Esri or its affiliates or subcontractors maintain facilities. You appoint Esri to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Online Services.

Esri Managed Cloud Service’s Advanced Plus offering only stores Customer Data in the contiguous United States. Upon purchase of a new ArcGIS Online organization, a customer can specify to store their data and services in the EU region or the contiguous United States. Please visit Trust.ArcGIS.com or consult your agreement(s) for details.

Use of Subcontractors and Third Parties

Esri may hire subcontractors to provide services on its behalf. Any such subcontractors will be permitted to obtain data from the Products & Services only to deliver the services Esri has retained them to provide and have agreed not to use data for any other purpose.

Esri’s Products & Services may enable you to purchase, subscribe to, or use services, software, and content from companies other than Esri (“Third Party Offerings”). If you choose to purchase, subscribe to, or use a Third Party Offering, we may provide the third party with your Administrator Data. Subject to your contact preferences, the third party may use your Administrator Data to send you promotional communications. Use of that information and your use of a Third Party Offering will be governed by the third party’s privacy statement and policies.

In the context of an onward transfer, Esri will remain responsible for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on our behalf. Esri shall remain liable under the DPF Principles if our third-party agent processes such personal information in a manner inconsistent with the DPF Principles, unless Esri can prove that it is not responsible for the event giving rise to the damage.

Disclosure of Data

Esri will not disclose Customer Data to law enforcement unless required by law. Should law enforcement contact Esri with a demand for Customer Data, Esri will attempt to redirect the law enforcement agency to request that data directly from you. If compelled to disclose Customer Data to law enforcement, then Esri will promptly notify you and provide you a copy of the demand unless legally prohibited from doing so.

Upon receipt of any other third-party request for Customer Data (such as requests from customer’s end users), Esri will promptly notify you unless prohibited by law. If Esri is not required by law to disclose the Customer Data, Esri will reject the request. If the request is valid and Esri could be compelled to disclose the requested information, Esri will attempt to redirect the third party to request the Customer Data from you.

Except as customer directs, Esri will not provide any third party: (1) direct, indirect, blanket or unfettered access to Customer Data; (2) the encryption keys used to secure Customer Data or the ability to break such encryption; or (3) any kind of access to Customer Data if Esri is aware that such data is used for purposes other than those stated in the request.

In support of the above, Esri may provide your basic contact information to the third party.

Esri will not disclose Customer Data, Administrator Data, Payment Data or Support Data outside of Esri or its controlled subsidiaries and affiliates except (1) as you direct, (2) with permission from an end user, (3) as described in this Products & Services Privacy Statement Supplement or in your agreement(s) with Esri, or (4) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may share Administrator Data with third parties for purposes of fraud prevention.

Subject to limited exceptions, you may opt out of Esri disclosing your personal information to a third party or using it for a purpose materially different from the purpose for which it was originally collected or authorized by you. To opt-out, please contact privacy@esri.com.

StoryMaps

Esri’s Privacy Statement and Privacy Supplement detail how we treat your personal data with some differences noted below. Please also visit Esri's Privacy Overview Page for more information about cookies, accounts, and marketing communications.

How are StoryMaps different?

Your StoryMaps Account is owned by you as an individual, therefore all references to “organizations” in Esri’s Privacy Statement and Privacy Supplement refer to individual StoryMaps Accounts. References to ArcGIS Online, My Esri, Esri Community, Enterprise, Esri Access, Professional Services Engagements, and the Esri User Conference do not apply to StoryMaps. References to Esri blogs and forums apply to the StoryMaps Community.

Accounts

All accounts are created and updated on the StoryMaps site. Accounts are used to access the StoryMaps Community and mobile application. The profile you create will be publicly accessible.

Marketing Communications

We use your information to deliver the content you care about. If you submit personal information, Esri or your local Esri distributor may contact you or send you marketing information, newsletters, or promotions about StoryMaps. To change which communications you receive or to unsubscribe, go to your notification settings. You may also unsubscribe by following the unsubscribe instructions contained in the emails you receive.

Security

Esri is committed to helping protect the security of your information. We have implemented and will maintain appropriate technical and organizational measures intended to protect your information against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

For more information about the security of Esri Products & Services, please visit Trust.ArcGIS.com or contact Esri’s Software Security & Privacy Team at SoftwareSecurity@Esri.com.

Privacy Statement Updates

We may change this Product & Services Privacy Statement Supplement from time to time. If and/or when Esri makes changes to this supplement, the updated version will be posted in place of this supplement. If we make any material changes, we will notify you by means of an announcement here and on https://trust.arcgis.com prior to the change becoming effective. We encourage you to visit https://trust.arcgis.com periodically.

Contacting Us

For more information about Esri’s Product and Services information practices, please visit Trust.ArcGIS.com.

If you have questions or complaints regarding our privacy practices or policy, please contact us at privacy@esri.com, or 380 New York Street, Redlands, CA 92373 USA, and identify the issue as such in your communication to Esri. Esri will respond within 45 days.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

If neither Esri nor our dispute resolution provider resolves your complaint satisfactorily, you may explore invoking binding arbitration through the Data Privacy Framework Panel, which is more fully described in ANNEX I of the Data Privacy Framework Principles.

For information regarding Esri’s general privacy practices please review the Esri Privacy Statement at https://www.esri.com/en-us/privacy/privacy-statements/privacy-statement.

Questions or concerns regarding privacy issues?

Send an email to privacy@esri.com

Start my message