About This Privacy Notice

This Privacy Notice explains how members of the SUSE Group process personal data when you interact with us, including how we collect, use, share, and protect it.

Scope

This Privacy Notice applies when SUSE Group companies process personal data in connection with:

  • our websites and digital properties,

  • our products, services, platforms, and applications,

  • business, community, partner, event, recruitment, or professional interactions.

It applies where a SUSE Group company determines the purposes and means of processing your personal data.

Some SUSE-branded websites, services, or community projects are operated by third parties or independent open-source communities. In those cases, the relevant third party or community acts as the controller and their own privacy notice applies.

Where a SUSE Group company processes personal data on behalf of another organization, that processing is governed by the instructions and privacy notice of that organization.

Definitions

  • Personal Data: data or information relating to an identified or identifiable individual.

  • Services: SUSE websites, products, platforms, applications, events, and other offerings provided by SUSE.

  • Partners: third parties working with us, such as resellers, distributors, technology partners, sponsors, or marketing partners.

Changes to This Notice

This version of the Privacy Notice is effective as of 10.02.2026.

We may update it from time to time. We encourage you to review it periodically.

Table of Contents

0. Who Is the Controller and How to Contact Us

Who is responsible for handling your personal data and how you can contact SUSE or its Data Protection Officer.

I. What Data Do We Process, Why, and on Which Legal Basis?

What personal data we collect, the purposes for using it, and the legal reasons that allow us to process it.

II. Data Retention

How long we keep your personal data and what determines retention periods.

III. Data Sharing, Processors, and Transfers to Third Countries

Who we share your data with, the types of service providers we use, and how we protect data when it is transferred internationally.

IV. Data Security

How we protect your personal data through technical and organisational security measures.

V. Your Rights and How to Exercise Them

Your privacy rights (such as access, deletion, and correction) and how to use them.

VI. Contact Details

How to reach us for privacy-related questions, requests, or complaints.

VII. Other Information

Additional important details, including use of third-party links, business-to-business context, and data obtained from external sources.

0. Who Is the Controller and How to Contact Us

Controller

The controller is the SUSE Group company responsible for the relevant processing activity.

For your convenience, you can always use the following SUSE entity as your main contact for all privacy-related matters:

SUSE Software Solutions Germany GmbH
Frankenstraße 146
90461 Nürnberg
Germany

Depending on your location or interaction, another SUSE Group company may act as controller and will be identified in the relevant context. Where we rely on legitimate interests, we have assessed that these interests are not overridden by your rights and freedoms. You may request further information about this assessment.

Where required by law, a local representative may be appointed and identified separately.

Data Protection Officer

SUSE has appointed a Data Protection Officer.

Contact: privacy@suse.com

Requests may be shared internally to ensure appropriate handling.

Supervisory Authority (Where Applicable)

You may have the right to contact or lodge a complaint with a competent data protection or privacy authority. Details are provided in “Your Rights and How to Exercise Them.”

I. What Data Do We Process, Why, and on Which Legal Basis?

1. Global interpretative clause

When the GDPR (Regulation (EU) 2016/679) applies, we process personal data only on the specific legal basis that applies to each purpose, as defined in Article 6 GDPR.
Each processing activity described in this Privacy Notice is linked to one primary legal basis, which governs that processing.

References in this Privacy Notice to “other lawful grounds under applicable law” apply only where laws other than the GDPR are relevant (for example, local privacy laws outside the EU). These references do not replace or weaken the GDPR legal bases where the GDPR applies.

Where the GDPR applies, SUSE Group companies rely on the following legal bases under Article 6 GDPR, depending on the purpose of the processing:

  • Consent (Article 6(1)(a))
    Where individuals have freely chosen to allow the processing of their personal data.

  • Contract (Article 6(1)(b))
    Where processing is necessary to provide products or services, manage accounts, offer support, or handle recruitment and employment relationships.

  • Legal Obligation (Article 6(1)(c))
    Where processing is required to comply with applicable laws, such as accounting, tax, employment, or regulatory requirements.

  • Legitimate Interests (Article 6(1)(f))
    Where processing is necessary to operate and protect our business, including securing systems, preventing fraud, managing business relationships, and supporting internal operations, provided these interests do not override the rights and freedoms of individuals.

2. Website & Digital Experiences (including cookies)

2.1 Website access, security & log data

Purpose: Website operation, security, and availability
Description: To enable access to our websites, ensure their technical stability, prevent misuse, detect errors, and protect against security incidents.
Processed data: IP address, date and time of access, browser and device information, operating system, request metadata, error and performance logs.
Legal basis: Our legitimate interests in operating, securing, and maintaining our digital services, or other lawful grounds available under applicable law.

Log and security data is processed automatically when you access our websites. We use monitoring and error-reporting service providers to help identify technical issues and security risks. Such data is retained for a limited period in accordance with our internal retention schedules, unless a longer retention is required to investigate security incidents or to comply with legal obligations.

2.2 Cookies and similar technologies

Purpose: Essential website functionality
Description: To enable core website functions such as page navigation, load balancing, security, and preference management.
Processed data: Cookie identifiers, session data, technical settings.
Legal basis: Necessary to provide the website and its core functions.

Purpose: Analytics and website improvement
Description: To understand how visitors use our websites, measure performance, and improve content and user experience.
Processed data: Usage data, interaction data, device and browser information, online identifiers.
Legal basis: Your consent where required by law, or other lawful grounds available under applicable law.

Purpose: Marketing and advertising
Description: To display relevant content and measure the effectiveness of marketing campaigns.
Processed data: Online identifiers, interaction data, marketing preferences.
Legal basis: Your consent, where required by law.

You can manage your cookie preferences at any time through our cookie banner or settings. Blocking or deleting cookies may affect the availability or functionality of certain website features. Further details about the specific cookies we use, their purposes, and their retention periods are provided in our separate Cookie Policy.

2.3 Anti-bot and abuse prevention (e.g. CAPTCHA)

Purpose: Protection against automated abuse
Description: To prevent spam, fraud, and automated attacks and to protect the integrity of our websites.
Processed data: IP address, device and browser information, interaction data used to assess risk.
Legal basis: Our legitimate interests in securing our websites and IT systems, or other lawful grounds available under applicable law.

Anti-bot and abuse prevention services operate automatically in the background and help us distinguish legitimate users from automated or malicious traffic. Depending on the service configuration, data may be processed in different regions. Where required, we apply contractual and other safeguards to protect personal data during international transfers. This processing does not involve automated decisions that produce legal or similarly significant effects on individuals.

2.4 Website chat and live chat features

Purpose: Responding to inquiries and providing assistance
Description: To communicate with you in real time, respond to questions, and provide information or support you request.
Processed data: Chat messages, contact details you choose to provide, technical metadata (such as device and browser information).
Legal basis: Your consent where you actively start a chat, our legitimate interests in responding to inquiries, or other lawful grounds available under applicable law.

Chat features allow free-text entry, meaning that any information you choose to include in your messages will be processed. You should avoid sharing unnecessary personal data and must not include sensitive or special categories of personal data. Chat records may be retained for a limited period for quality assurance, training, and compliance purposes in line with our retention schedules.

2.5 AI-Powered Assistant (including documentation support)

Purpose: Providing assistance and improving service quality
Description: To answer user questions (including documentation and technical topics), help locate relevant information, and monitor performance to improve the reliability and quality of the AI-powered assistant.
Processed data: User inputs (prompts and messages), technical and usage data (e.g. IP address, timestamps, device/browser information), and assistant-generated responses.
Legal basis: Legitimate interests in providing efficient support, improving access to documentation and technical information, and enhancing our digital services. Where required by law, consent or other lawful grounds apply.

We may use third-party service providers to host, operate, and support the AI-powered assistant (including documentation-related functionality). These providers act as processors on our behalf under appropriate contractual, security, and data-protection obligations. The assistant allows free-text input. Please do not include unnecessary personal data, confidential information, or sensitive or special categories of personal data. Any information you include may be processed to generate a response and to operate and improve the service.

3. Accounts, Customer Portals, Communities & Support

3.1 Account registration and authentication (including identity and access management)

Purpose: Account creation, authentication, and access management
Description: To create and manage user accounts, authenticate users, enable secure access to customer portals, communities, and services, and protect accounts against unauthorized access.
Processed data: Account identifiers (such as username and email address), authentication credentials, security tokens, multi-factor authentication data, login timestamps, and related security metadata.
Legal basis: Performance of a contract where an account is required to provide services, our legitimate interests in securing accounts and preventing misuse, or other lawful grounds available under applicable law.

Account-related data is processed throughout the lifecycle of your account. Certain security and access logs may be retained for a limited period after account termination to meet legal obligations, resolve disputes, or investigate security incidents. If required data is not provided, account creation or access to certain services may not be possible.

In limited cases, identity and access management services may be shared with affiliated projects to enable authentication and access, and SUSE may retain controlled access to physical infrastructure hosting such services for operational and security purposes.

3.2 Customer support

Purpose: Providing customer support and incident management
Description: To respond to support requests, manage support tickets, troubleshoot issues, and improve the quality and effectiveness of our support services.
Processed data: Contact details, account information, support ticket content, communication records, and technical data such as logs or diagnostic information you choose to submit.
Legal basis: Performance of a contract, our legitimate interests in providing effective support and maintaining service quality, or other lawful grounds available under applicable law.

Support systems are intended to process only the data necessary to resolve your request. Where you upload technical logs, error reports, or telemetry data, you should ensure that these do not contain personal data unless specifically requested. Support tickets and related records are retained in accordance with contractual requirements and applicable retention periods. Diagnostic files are typically deleted after the issue has been resolved, unless a longer retention is required for follow-up, legal obligations, or security purposes.

Customer support may also include consulting services, premium or enhanced support offerings, customer success management activities, and customer training necessary for effective use of our products and services.

3.3 Community forums, bug trackers, and feature request platforms

Purpose: Operating community platforms and collaboration tools
Description: To enable participation in forums, bug trackers, and feature request platforms, facilitate collaboration and knowledge sharing, and protect these platforms against abuse.
Processed data: Account details, posts, comments, uploaded content, usernames, IP address, timestamps, and moderation or abuse-prevention metadata.
Legal basis: Performance of a contract where participation is linked to an account, our legitimate interests in operating and protecting community platforms, or other lawful grounds available under applicable law.

Content you post on community platforms may be publicly visible and searchable depending on the platform settings. If you delete your account, your posts or contributions may remain available where this is necessary to preserve the integrity, continuity, and usefulness of the platform, but they may be anonymised or disassociated from your account where feasible. Technical and moderation-related data may be retained for a limited period to prevent abuse and ensure platform security.

4. Sales, Marketing, and Partner Activities

4.1 Marketing communications (including newsletters)

We process personal data for the purpose of sending marketing communications, including newsletters and other communications about our products, services, events, and updates. For this purpose, we process contact details such as name and email address, as well as marketing preferences, subscription status, and interaction data with communications (for example whether a message was opened or clicked).
The legal basis for this processing is your consent to receive marketing communications. In certain situations, we may also rely on our legitimate interests, particularly in offering goods and services similar to those we have already provided to you, maintaining records of consent, preventing misuse, ensuring system security, or other lawful grounds available under applicable law.
We use a confirmation process (such as a double opt-in) to verify your subscription and prevent misuse of contact details. Marketing emails may include tracking technologies such as pixels or similar tools that help us understand whether a message was delivered, opened, or interacted with, and to improve the relevance and effectiveness of our communications. You can withdraw your consent at any time by using the unsubscribe link in our messages or by adjusting your preferences in our preference center. Withdrawal of consent does not affect the lawfulness of communications sent before withdrawal.

4.2 Lead management and sales operations

Purpose: Managing leads and sales activities
Description: To manage leads, conduct sales activities, understand potential customer needs, and maintain business relationships.
Processed data: Contact details, professional information, company affiliation, interaction history, lead and opportunity data, and inferred interests or intent indicators.
Legal basis: Your consent where required, our legitimate interests in conducting and developing our business, or other lawful grounds available under applicable law.

Personal data used for lead management may be collected directly from you, for example when you complete a form or interact with us, or indirectly from business partners, event organisers, public sources, or data providers where permitted by law. In some cases, we may combine information from different sources or use enrichment and intent data to better understand business needs and tailor our outreach. You can unsubscribe from sales-related communications at any time, and we will respect your preferences in accordance with applicable law.

This may include limited profiling activities, such as evaluating inferred interests, engagement indicators, or business needs, solely to qualify potential customers and tailor sales outreach, without producing legal or similarly significant effects.

Where contractually required, we may process contact and account-related data to conduct subscription verification and compliance audits and to communicate with customers regarding such verifications.

4.3 Partner campaigns and partner lead-sharing

Purpose: Partner campaigns and lead sharing
Description: To share your details with selected partners so they can contact you about relevant products, services, or joint offerings.
Processed data: Contact details, professional information, company affiliation, and campaign-related interaction data.
Legal basis: Your consent for the disclosure of your data to partners, or other lawful grounds available under applicable law where explicitly indicated.

Your personal data is shared with partners only where you actively opt in to such sharing, for example by selecting a partner option in a form or event registration. If you do not opt in, your data will not be disclosed to partners for their own marketing purposes. When you consent to partner sharing, the partner may contact you directly and will act as an independent controller of your data. You can withdraw your consent to partner sharing at any time, which will stop future disclosures, but will not affect processing that has already taken place based on your prior consent.

5. Careers and Talent Community

For recruitment-related processing, the controller of your personal data is the SUSE entity that is offering the role and managing the hiring process. Other SUSE group entities may support the recruitment process as processors.

5.1 Job applications

Purpose: Managing job applications and recruitment
Description: To assess applications, communicate with candidates, and make decisions about entering into an employment relationship.
Processed data: Identification and contact details, application materials (such as CV, cover letter, work history, education, skills), role-related information, and application status data.
Legal basis: Steps taken prior to entering into a contract, compliance with applicable employment and labour laws, our legitimate interests in managing recruitment processes and ensuring security, or other lawful grounds available under applicable law.

Certain fields in the application process are required to evaluate your application and to comply with legal or organisational requirements. If required information is not provided, we may not be able to process your application or consider you for a role. Applicant data is retained for a defined period after the recruitment process ends to comply with legal obligations and to establish, exercise, or defend legal claims. Where legally permitted, retention may be extended based on our legitimate interest in managing recruitment processes, or if you agree to remain under consideration for future opportunities.

Where permitted by applicable law and relevant to the role, this processing may include background or reference checks conducted as part of the recruitment process.

5.2 Talent community and job alerts

We process personal data for the purpose of maintaining a talent community and sending job alerts. This allows us to keep your profile on record and inform you about relevant job opportunities, events, or updates that you have requested. For this purpose, we process contact details, professional profile information, job preferences, and communication history. The legal basis for this processing is your consent, or other lawful grounds available under applicable law.

Participation in the talent community and receipt of job alerts is voluntary. You can withdraw your consent at any time by updating your preferences or unsubscribing from communications. Data associated with the talent community is retained until you withdraw your consent or after a period of inactivity, in accordance with our retention schedules.

5.3 Careers chatbot and job recommendations

Purpose: Providing automated assistance and job recommendations
Description: To assist candidates through chat-based tools, answer questions, and suggest relevant job opportunities based on interactions and preferences.
Processed data: Chat messages, information you choose to provide, technical usage data, and indicators such as browsing history on careers pages or profile tags related to job interests.
Legal basis: Your consent where required, our legitimate interests in providing efficient recruitment support, or other lawful grounds available under applicable law.

The careers chatbot and recommendation features may use limited profiling techniques, such as matching your browsing behaviour or profile information with available roles, to suggest potentially relevant opportunities. These features are designed to support and inform you and do not involve automated decision-making that produces legal or similarly significant effects. You remain free to apply for any position regardless of recommendations, and you can stop using chatbot features or withdraw consent at any time through available controls or settings.

6. Events and Conferences (including SUSECON)

Purpose: Event registration and participation
Description: To register attendees, manage participation in events and conferences, and provide related services before, during, and after the event.
Processed data: Identification and contact details, registration information, event preferences, accessibility or accommodation information you choose to provide, and participation status.
Legal basis: Performance of a contract, our legitimate interests in organising and running events, your consent where required, or other lawful grounds available under applicable law.

Purpose: Event apps, directories, and networking features
Description: To enable optional attendee directories, networking features, and event applications.
Processed data: Profile information you choose to share, directory visibility settings, interaction data within event platforms.
Legal basis: Your consent, or other lawful grounds available under applicable law.

Purpose: Sponsor interactions
Description: To share your details with event sponsors where you opt in to sponsor communications or content.
Processed data: Contact and professional details, sponsor interaction data.
Legal basis: Your consent for disclosure to sponsors, or other lawful grounds available under applicable law where explicitly indicated.

We may use third-party service providers to support event registration, communication, and event delivery, including online platforms and mobile applications. Participation in directories, networking features, or sponsor interactions is optional and controlled by your selections during registration or within the event tools. Event-related data is retained for the duration of the event lifecycle and for a limited period thereafter to support follow-up communications, accounting, and legal obligations.

This also includes learning and development activities, such as individual and leadership development programs, cultural and engagement initiatives, and internal or partner-related training.

7. Visitors at SUSE premises (CCTV)

Purpose: Security and access control
Description: To protect people, property, and facilities, prevent and investigate security incidents, and control access to premises.
Processed data: Video recordings, images, timestamps, and location information captured by CCTV systems.
Legal basis: Our legitimate interests in ensuring security and protecting assets, compliance with legal obligations, or other lawful grounds available under applicable law.

CCTV systems are used only in designated areas and are signposted in accordance with local requirements. Access to recordings is restricted to authorised personnel on a need-to-know basis. Recordings are retained for a defined period, typically 10 days, depending on location and local requirements, unless an incident is identified that requires longer retention for investigation or legal purposes. Recordings may be disclosed to law enforcement authorities where required or permitted by law.

8. Multimedia and content production

Purpose: Creation and publication of multimedia content
Description: To create, edit, and publish audio, video, photographic, and written content for marketing, communications, education, and public relations purposes.
Processed data: Identification and contact details, image, voice, likeness, and other content captured in recordings or photographs.
Legal basis: Performance of a contract, your consent, our legitimate interests in documenting and promoting our activities, or other lawful grounds available under applicable law.

Where required, multimedia content is created based on a release, consent, or contractual agreement that defines how the content may be used. Content may be published on websites, social media, or third-party platforms and may be accessible globally. Multimedia materials and related records may be retained for archival, historical, or legal purposes. While you may have the right to withdraw consent where applicable, withdrawal may not be feasible for content that has already been published, distributed, or incorporated into materials that cannot reasonably be recalled or modified.

9. Internal Corporate Operations 

This section describes how SUSE Group companies process personal data in the course of internal corporate, operational, and governance activities. These processing activities are necessary to ensure lawful operation, organisational continuity, security, and compliance with applicable legal and regulatory obligations.

9.1 Finance and accounting

Purpose: Financial management, accounting, and reporting
Description: To manage financial operations, budgeting, invoicing, payments, expense processing, financial controls, audits, and statutory reporting obligations.
Processed data: Identification and contact details, payment and banking information, transaction records, invoicing data, tax identifiers, expense claims, and accounting records.
Legal basis: Compliance with legal obligations, performance of a contract, and our legitimate interests in managing our financial operations and ensuring business integrity.

Financial and accounting data is retained in accordance with statutory retention requirements under applicable accounting, tax, and corporate laws. Access is restricted to authorised personnel and service providers acting under appropriate confidentiality and data protection obligations.

9.2 IT operations and IT service management (ITSM)

Purpose: Operation, maintenance, and security of internal IT systems
Description: To operate, maintain, secure, and support internal IT systems, networks, devices, and applications, including incident, problem, and change management.
Processed data: User identifiers, device identifiers, system logs, access logs, support ticket content, usage metadata, and security-related technical data.
Legal basis: Our legitimate interests in ensuring secure and reliable IT operations, compliance with legal obligations, and performance of employment or service contracts where applicable.

IT operational data is processed to the extent necessary for security, availability, troubleshooting, and compliance. Logs and records are retained for limited periods unless extended retention is required for security investigations or legal obligations.

Where applicable, support and operational activities may involve processing technical data to secure customer environments and workloads, including containerized workloads, and to investigate, prevent, or remediate security issues.

9.3 Compliance, audits, and investigations

Purpose: Legal compliance and internal investigations
Description: To ensure compliance with legal, regulatory, contractual, and internal policy requirements, including audits, risk assessments, investigations, and responses to legal claims.
Processed data: Identification and contact details, employment or contractual information, audit records, investigation materials, communications, and relevant transactional or system data.
Legal basis: Compliance with legal obligations, our legitimate interests in preventing misconduct, ensuring compliance, and establishing, exercising, or defending legal claims.

Access to compliance and investigation data is strictly limited and subject to confidentiality requirements. Data may be disclosed to regulators, courts, or external advisors where required or permitted by law.

Compliance activities may further include export control and sanctions compliance, merger and acquisition-related due diligence, and the management and protection of intellectual property rights.

9.4 Procurement and vendor management

Purpose: Management of suppliers and service providers
Description: To select, contract with, manage, and evaluate vendors, suppliers, and business partners, including due diligence, contract administration, and payment processing.
Processed data: Identification and contact details of vendor representatives, professional information, contractual records, due diligence data, and communication records.
Legal basis: Performance of a contract, compliance with legal obligations, and our legitimate interests in managing supplier relationships and operational risk.

Vendor-related personal data is processed in accordance with contractual arrangements and retained for the duration of the business relationship and applicable statutory periods.

This processing may also include responding to customer or partner security and privacy questionnaires and conducting supplier security and privacy reviews.

9.5 Business continuity and crisis management

Purpose: Business continuity, disaster recovery, and crisis response
Description: To prepare for, respond to, and recover from incidents affecting business operations, including IT outages, security incidents, and other emergencies.
Processed data: Identification and contact details, role and responsibility information, emergency contact details, communication records, and incident-related data. This processing primarily relates to internal roles, and may in limited cases include contact details of third-party service providers or incident-response partners.
Legal basis: Our legitimate interests in ensuring operational resilience, protecting employees and stakeholders, and compliance with legal and regulatory obligations.

Business continuity data is used only for preparedness, response, and recovery activities and retained in accordance with internal policies and applicable legal requirements.

9.6 Facilities and workplace management

PURPOSE: Workplace operations and facility management

DESCRIPTION: To manage office locations, access control, workplace safety, health and safety obligations, and day-to-day facility operations.

PROCESSED DATA: Identification and contact details, access credentials, badge data, workplace location information, and health and safety records where required.

LEGAL BASIS: Our legitimate interests in managing safe and secure workplaces, and compliance with legal obligations under occupational health, safety, and security laws.

Facilities-related data is processed only as necessary to ensure safety, security, and operational efficiency and is retained for defined periods in line with legal and organisational requirements.

This may also include the administration and management of real estate and lease agreements related to office locations and facilities.

II. Data Retention

We keep personal data only for as long as needed for the purposes described in this Privacy Notice, including to operate our services, manage relationships, meet legal and accounting requirements, and to establish, exercise, or defend legal claims. Retention periods differ depending on the type of record, the context in which it was created, and applicable local requirements.

We determine retention using a combination of (1) a retention trigger (for example, “when you were last active,” “when a matter is resolved,” or “when a contract ends”) and (2) a retention period (a defined number of months or years after that trigger). We maintain these rules in an internal record retention schedule and apply them consistently across systems. 

1. Examples of how retention works

CONTEXT: Websites and digital experiences
RETENTION TRIGGER: To select, contract with, manage, and evaluate vendors, suppliers, and business partners, including due diligence, contract administration, and payment processing.
TYPICAL RETENTION PERIOD (EXAMPLES): Certain cookie and web analytics data: up to 6 months. Website registration records: up to 6 years from the date the user was last active.

CONTEXT: Marketing and public relations
RETENTION TRIGGER: Data creation or end of the relationship
TYPICAL RETENTION PERIOD (EXAMPLES): Marketing and web traffic data: up to 3 years (with specific exceptions for some cookie or analytics data). Routine communications (e.g. subscription or unsubscription requests): up to 1 year.

CONTEXT: Recruitment
RETENTION TRIGGER: End of the recruitment process
TYPICAL RETENTION PERIOD (EXAMPLES): Unsuccessful candidate records: up to 9 months after the selection process ends (subject to local variations). Prospect records: up to 6 months.

CONTEXT: Security, investigations, and legal matters
RETENTION TRIGGER: Resolution of the matter and completion of any appeals
TYPICAL RETENTION PERIOD (EXAMPLES): Records related to investigations, disputes, or legal claims: up to 7 years after final resolution. Legal holds may override standard retention periods until lifted.

Retention periods vary depending on the specific purpose, legal requirements, and local laws. You may request information about the exact retention period applicable to a specific processing activity by contacting us using the details provided in this Privacy Notice.

2. Legal holds and exceptions

If we are required to preserve data due to a legal hold, regulatory request, audit, investigation, or dispute, we will keep the relevant data for as long as needed for that purpose. Once the hold is lifted, we apply the normal retention rule and securely delete or anonymise the data.

III. Data Sharing, Processors, and Transfers to Third Countries

1. With whom we share personal data 

We share personal data only where necessary for the purposes described in this Privacy Notice and in accordance with applicable law. Depending on the context, this may include sharing with the following recipients:

Within the SUSE Group
Personal data may be shared between SUSE group companies for internal administrative purposes, to provide our products and services, to manage customer and business relationships, to support recruitment and employment processes, and to ensure security, compliance, and business continuity. Each SUSE group company processes personal data in accordance with this Privacy Notice and applicable internal governance rules, acting either as a controller or as a processor depending on the activity.

Service providers and processors
We use external service providers to support our business operations and to deliver our services. These providers process personal data on our behalf and under our instructions, subject to contractual confidentiality, security, and data protection obligations.

Partners
We share personal data with business partners only where you have directed us to do so or have provided your consent, for example in connection with partner campaigns, events, or joint offerings. In such cases, partners may act as independent controllers and will process your data in accordance with their own privacy notices.

Legal, compliance, and transactional disclosures
We may disclose personal data where required or permitted by law, including to courts, regulators, law enforcement authorities, or professional advisers. Personal data may also be disclosed in connection with corporate transactions such as mergers, acquisitions, restructurings, or asset sales, subject to appropriate safeguards.

2. Categories of processors we use

Instead of listing every individual tool or vendor, we group our processors into functional categories. Depending on the services you use or interact with, we may use processors in the following categories:

  • Data centre, hosting, and content delivery providers, supporting cloud infrastructure and system availability

  • Identity and access management providers, supporting authentication, authorisation, and account security

  • Customer support and service management providers, enabling customer assistance, ticketing, and issue resolution

  • Customer relationship management, sales, and marketing automation providers, supporting communications, lead management, and campaigns

  • Analytics, monitoring, and recording providers, helping us understand usage, performance, and system reliability

  • Survey, feedback, and research providers, used to collect feedback and conduct research

  • Event registration, engagement, and virtual event providers, supporting conferences, webinars, and related activities

  • Payment processing and order fulfilment providers, where applicable for transactions, billing, and invoicing

  • Communication and collaboration providers, such as email, messaging, and productivity platforms

  • Business operations and enterprise service platform providers, supporting internal administration and management

  • Legal, tax, accounting, audit, and professional advisory service providers, supporting compliance and corporate obligations

  • Recruitment, talent management, and applicant verification providers, supporting hiring and recruitment activities

  • Information security providers, supporting threat detection, prevention, and incident response

3. Transfers to third countries

We operate internationally and, as a result, personal data may be transferred to, stored in, or accessed from countries other than the country in which it was originally collected. These transfers are necessary to support global business operations, including the use of cloud services, international teams, service providers, and cross-border collaboration.

How we assess international data transfers

When we transfer personal data internationally, we assess transfers in two steps.

First, we ensure that the processing itself is lawful under applicable data protection laws. Depending on the context, this may be based on your consent, the performance of a contract, compliance with legal obligations, the protection of vital interests, or our legitimate interests.

Second, where personal data is transferred to a country that does not provide the same level of data protection as your home country, we ensure that appropriate protections are in place for the transfer itself.

Transfers to countries with an adequate level of protection

Some countries are formally recognised as providing an adequate level of data protection under applicable law. Where such recognition exists, personal data may be transferred to those countries without additional transfer safeguards.

Transfers based on recognised transfer mechanisms and safeguards

Where a country is not recognised as providing an adequate level of protection, we rely on appropriate safeguards to protect personal data. These safeguards may include:

  • standard contractual clauses approved for international data transfers,

  • internal data transfer arrangements within our corporate group,

  • contractual commitments to security and confidentiality, and

  • other legally recognised transfer mechanisms.

You may request further information about the safeguards we use by contacting us using the details provided in this Privacy Notice.

EU-U.S., UK-U.S., and Swiss-U.S. Data Privacy Frameworks

Where applicable, transfers of personal data to the United States may be based on participation in the Data Privacy Framework (DPF) program, including:

  • the EU-U.S. Data Privacy Framework,

  • the UK Extension to the EU-U.S. Data Privacy Framework, and

  • the Swiss-U.S. Data Privacy Framework.

These frameworks were developed to facilitate transatlantic data flows by providing certified U.S. organisations with a recognised mechanism for receiving personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland. Where we rely on these frameworks, transfers are limited to organisations that have committed to comply with the applicable framework requirements.

Supplementary protection measures

In addition to transfer mechanisms, we apply technical and organisational measures to protect personal data during international transfers. These measures may include encryption, access controls, segregation of data, logging, and internal policies governing access and use.

Exceptional situations

In limited circumstances, personal data may be transferred internationally without the safeguards described above where this is permitted by law, for example:

  • where you have explicitly consented to the transfer,

  • where the transfer is necessary to perform or conclude a contract with you,

  • where the transfer is required for important public interest reasons, or

  • where the transfer is necessary to establish, exercise, or defend legal claims.

Where we rely on such exceptions, we do so restrictively and only where legally permitted.

IV. Data Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit and at rest, audit logging, and monitoring. These measures are designed to safeguard the confidentiality, integrity, and availability of personal data and are applied proportionately based on risk.

Our security and privacy management program is supported by recognised certifications, including ISO/IEC 27001:2022 and ISO/IEC 27701:2019. Further details about our security certifications are available at:
https://www.suse.com/support/security/certifications/

We also maintain incident response processes to detect and manage security incidents and, where required by law, to notify relevant authorities and affected individuals.

V. Your Rights and How to Exercise Them

1. Your rights

Depending on applicable data protection laws, you may have the following rights in relation to your personal data:

  • Right of access – to obtain confirmation of whether we process personal data about you and to receive a copy of that data, together with information about how it is used.

  • Right to rectification – to request correction of inaccurate or incomplete personal data.

  • Right to erasure – to request deletion of personal data in certain circumstances.

  • Right to restriction of processing – to request that we limit how we use your personal data in specific situations.

  • Right to data portability – to receive certain personal data you have provided to us in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible.

  • Right to object – to object to processing based on our legitimate interests or carried out in the public interest, including profiling, where applicable.

  • Right to withdraw consent – where we process personal data based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn.

  • Right to opt out of marketing – you may opt out of marketing communications at any time by using the unsubscribe link in our emails, adjusting your account preferences, or contacting us directly.

  • Rights related to automated decision-making – you have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on you. We do not carry out such automated decision-making in a way that produces significant effects.

We do not carry out automated decision-making based solely on automated processing that produces legal or similarly significant effects on individuals. In limited contexts, we may use profiling to personalise communications, recommendations, or information, but such profiling does not determine access to services, contractual outcomes, or employment decisions.

Right to lodge a complaint

If you have concerns about how we process your personal data, we encourage you to contact us first so we can address the issue. You also have the right to lodge a complaint with a competent data protection authority, including the authority responsible for data protection in your place of residence or work.

2. Your rights under the California Consumer Privacy Act of 2018 ("CCPA")

Depending on applicable law, California residents may have the following rights:

  • Right to notice – to be informed about the categories of personal information we collect, the purposes for which it is used, and how it is shared.

  • Right of access – to request information about the personal information we collect about you, including the purposes of processing and categories of recipients.

  • Right to correction – to request correction of inaccurate personal information we maintain about you.

  • Right to limit use of sensitive personal information – to direct us to limit the use of sensitive personal information to permitted purposes, such as providing requested services.

  • Right to opt out of sale or sharing – to request that we do not sell or share your personal information, including through browser- or device-based opt-out signals where applicable. We do not intentionally sell personal information; however, certain cookie-based processing may be considered a “sale” or “sharing” under applicable law.

  • Right to deletion – to request deletion of certain personal information we have collected and processed about you, subject to legal exceptions.

  • Right to non-discrimination – to receive equal service and treatment even if you exercise your CCPA rights.

3. Your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA)

Depending on applicable law, individuals in Canada may have the following rights:

  • Right to notice – to be informed about how your personal information is collected, used, and disclosed.

  • Right of access – to request confirmation of whether we hold personal information about you and to access such information.

  • Right to challenge accuracy – to request correction of personal information that is inaccurate, incomplete, or outdated.

  • Right to challenge compliance – to raise concerns about our compliance with applicable privacy principles and to have those concerns investigated and addressed.

4. Your rights under the Québec Act Respecting the Protection of Personal Information in the Private Sector

Depending on applicable law, individuals in Québec may have the following rights:

  • Right to information and notice – to be informed about how your personal information is used, including where it may be communicated outside of Québec, and about our governance policies and practices.

  • Right related to automated decision-making – to be informed when a decision concerning you is made exclusively through automated processing and, upon request, to receive information about:

    • the personal information used,

    • the reasons and main factors leading to the decision, and

    • your right to have the personal information corrected.

  • Right to submit observations – to provide comments or observations regarding an automated decision by contacting us through our designated channels.

  • Right to request information about processing – to request details about the personal information we collect about you and how it is used.

  • Right of access – to obtain confirmation that we hold personal information about you and to receive a copy of that information.

  • Right to rectification – to request correction of personal information that is inaccurate, incomplete, or not authorised by law to be collected, used, or retained.

  • Right to data portability – to receive certain computerized personal information in a structured, commonly used, and technological format and to have it transmitted to another organisation where applicable.

  • Right to erasure or de-indexing – to request that we stop disseminating personal information or de-index content where dissemination is unlawful or causes serious harm to reputation or privacy.

  • Right to withdraw consent – to withdraw consent to the use of your personal information at any time, subject to legal or contractual restrictions.

VI. Contact Details

Controller
The relevant controller is the SUSE entity responsible for the specific processing activity, as described in this Privacy Notice.

Data Protection Officer
You can contact our Data Protection Officer for privacy-related questions or requests via our privacy web form or by email at privacy@suse.com.

Privacy contact and web form
To request access to or deletion of your personal data, please use our Data Subject Request Form.

Supervisory authorities
Where permitted by applicable data protection law, you have the right to lodge a complaint with a competent data protection authority if you believe that your data protection rights have been infringed.

Where the GDPR applies, and as the main establishment and primary controller of the SUSE Group is located in Germany, the lead supervisory authority is:

         Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
         Promenade 18
         91504 Ansbach
         Germany

You may also, in accordance with applicable law, contact the data protection authority in your country of residence, place of work, or where the alleged infringement occurred.
Contact details for supervisory authorities are publicly available through national authority websites.

VII. Other Information

1. Business-to-business use and children’s data

Our products, services, websites, and digital experiences are intended for business-to-business (B2B) use only and are not directed at consumers in general. They are intended for use by professionals acting on behalf of organisations and by individuals aged 18 years or older. We do not knowingly collect or process personal data relating to children. If we become aware that personal data of a child has been collected unintentionally, we will take appropriate steps to delete it.

2. Third-party links and independent controllers

Our websites and services may contain links to third-party websites, services, or platforms. These third parties operate independently from us and process personal data in accordance with their own privacy notices. We are not responsible for the privacy practices or content of third-party sites.

3. Personal Data Obtained from Third Parties

In some cases, we obtain personal data indirectly, meaning not directly from you.

Categories of personal data
Depending on the context, this may include:

  • contact and professional details (such as name, business email address, job title, company affiliation),

  • event-related or campaign-related interaction data,

  • business relationship and lead information, and

  • publicly available professional information.

Sources of personal data
We may obtain such data from:

  • our business partners, resellers, distributors, or joint marketing partners,

  • event organisers or conference platforms,

  • publicly accessible sources (such as professional networking sites or company websites), and

  • third-party data providers, where permitted by applicable law.

Purposes and legal bases
We process indirectly obtained personal data for the purposes described in this Privacy Notice, including business communications, partner activities, event management, and sales or marketing operations. The applicable legal bases are set out in the relevant sections of this notice.

Timing of this notice
Where personal data is not collected directly from you, we provide this information:

  1. at the time of first communication with you, or

  2. within a reasonable period after obtaining the data, unless an exemption applies under applicable law.

Further information
Additional details about the processing of indirectly obtained personal data, including retention periods, recipients, international transfers, and your rights, are described in this Privacy Notice.

The CCPA Categories of Personal Information We Share for a “Business Purpose”

While we do not sell your personal information, we may share it to support our own operational purposes in providing services to you. These operational purposes, known as “business purposes” under the CCPA, are described below. In addition, we may share personal information at your direction, such as when you choose to communicate with other members through our services.

  • Auditing Interactions

We may share the types of personal information listed above with partners, service providers and related companies, in order to audit interactions and transactions, such as to count or verify the positioning and quality of ad impressions.

  • Security Purposes

In order to secure our Services, including to detect, prevent and investigate security incidents or violations of applicable laws, we may share the types of personal information listed above with our partners, service providers, law enforcement and related companies.

  • Service Improvements

In order to improve our services (such as to identify bugs, repair errors or ensure that services function as intended) or conduct internal research and analysis to improve our technology, we may share the types of personal information listed above with our partners, service providers and related companies.

  • Service Providers and Other Notified Purposes

We may share personal information with Service Providers, as defined by the CCPA, in order to have them perform services specified by a written contract or with others for a notified purpose permitted by the CCPA (e.g., to respond to law enforcement requests).

19. Data Subject Web Form

To request access to or deletion of your personal data, please use our GDPR Web Form.