Services Privacy Statement

NetSuite Services Privacy Statement

Effective Date: December 11, 2017

In this Services Privacy Statement (“Statement”), NetSuite Inc. and its worldwide subsidiaries (collectively, the “NetSuite Group”, explains how Customer Data is collected, used, maintained, disclosed and transferred by us. As a data processor, we will process all Customer Data strictly on behalf of our customers in accordance with our contractual agreements with them and/or as required or permitted by law.

Customer Data is defined as personal information our customers and their end-users input or upload into the Services (“Customer Data”). It does not include data we collect from visitors to our Websites, nor data we collect about our customers or prospective customers, vendors, service providers, professional advisors, consultants and other third parties otherwise in the course of doing business; for example, to manage our customer’s accounts or communicate with them, or to engage our vendors. Our use of the term Services in this Statement has the same definition as in your applicable Services agreement with us (“Services”).

References in this Statement to “we,” “us” or “our” are references to the NetSuite Group entity defined in your Services agreement with us. Statements referring to “you” or “your” are references to the customer for which we process Customer Data.

If you have any questions regarding this Statement, please email us at, or contact us as described in the “How to Contact Us” section below.


This Statement applies to Customer Data only.


For purposes of clarity, this Statement does not apply to Business Data as defined in the NetSuite Privacy Statement.


Customer Data may be processed by us as a result of customer’s use of the Services when our customers, or their end-users, input or upload information into the Service. For example, customers who use our Enterprise Resource Planning tools may upload Customer Data about themselves or their employees for the purposes of their HR administration and planning.

We act as a data processor with respect to this Customer Data. The use of Customer Data will be limited to the following purposes:

  • To provide and deliver the Services;
  • To prevent or to address any service or technical problems;
  • To respond to a customer’s request or instructions, or to provide customer service or support;
  • For any other purpose as provided for in the Services Agreement between us and the customer, or as otherwise authorized by the customer;
  • In accordance with or as may be required by law.

We only process Customer Data on behalf of our customers and in accordance with their instructions provided in the applicable Services agreement with us. Our customers are responsible as data controllers for ensuring (i) their end-users receive proper notice of customer’s privacy practices, and (ii) Customer Data is obtained in accordance with all applicable laws. Because the Customer Data is under the customer’s control, the customer is responsible for providing appropriate notice and choice to its end users regarding our processing of Customer Data on its behalf. If a customer’s end-user has any questions or concerns related to our handling of Customer Data, the end-user may contact us as described in the How to Contact Us section and we will work with the customer to address the concern.


We do not sell Customer Data to any third-parties; however, we may share Customer Data with third-parties as follows:

  • Within the NetSuite Group of companies consistent with this Statement.
  • Trusted agents, consultants and service providers to perform business related functions such as service providers that help support the Services.


Under certain circumstances, we may be required to disclose Customer Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

We may disclose Customer Data if required to do so by law in order to (for example) respond to a subpoena or request from law enforcement, a court or a government agency, or in the good faith belief that such action is necessary (a) to comply with a legal obligation, (b) to protect or defend our rights, interests or property or that of third parties, (c) to prevent or investigate possible wrongdoing in connection with the site or our Services, (d) to act in urgent circumstances to protect the personal safety of users of the site, our Services or the public; or (e) to protect against legal liability.

Where it relates to Customer Data, we will attempt to refer any request for disclosure of personal information by public authorities, including those received for national security or law enforcement reasons, to the customer. We may, where legally obligated to do so, disclose personal information to law enforcement or other government authorities, in which case we will notify our customer of such a request (unless prohibited by law to do so).


We maintain reasonable and appropriate security measures to protect Customer Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

While we employ security measures to protect Customer Data in our Services, our customers, and their end users, should only access the Services within a secure environment and take appropriate steps to always ensure that login credentials and passwords are kept safe at all times. You should notify us as soon as possible if you become aware of any misuse of your password or your account, and immediately change your password within the Services.

Cross Border Transfers

NetSuite has been acquired by Oracle. Oracle is a global corporation with operations in over 80 countries and has developed global data security practices designed to ensure that your personal information is appropriately protected. Please note that personal information may be transferred, accessed and stored globally as necessary in accordance with this Statement.

Oracle complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention when a customer and Oracle have agreed by contract that transfers of personal information from the European Economic Area (“EEA”) or Switzerland will be transferred and processed pursuant to the Privacy Shield for the relevant services. When conducting those activities on behalf of its EEA or Swiss customers, Oracle holds and/or processes personal information provided by the EEA or Swiss customer at the direction of the customer. Oracle will then be responsible for ensuring that third parties acting as an agent on our behalf do the same.

Oracle has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

The following entities are covered entities under Oracle’s Privacy Shield self-certification: Delphi Asset Management Corporation; MICROS Fidelio Worldwide LLC; Oracle America, Inc.; Oracle Financial Services Software America, Inc.; Oracle Financial Services Software, Inc.; Oracle International Corporation; Oracle Taiwan LLC; Bronto Software, LLC; Monexa, LLC, NetSuite, Inc.; OrderMotion, Inc. With respect to personal information received or transferred pursuant to the Privacy Shield Framework, Oracle is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and commits to cooperate with EU data protection authorities.

Dispute Resolution

If you have any complaints regarding our compliance with this Statement, you should first contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this Statement.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.


We retain Customer Data and any other data collected through the Services in accordance with the timeframes set out in the relevant Services Agreements with our customers.


If you have any questions or concerns about the processing of Customer Data, you should contact our customer (the data Controller) directly or read their privacy policy.

Similarly, an individual who seeks to access Customer Data, or to correct, amend, or delete Customer Data that is inaccurate, should direct their query to the customer. If the customer asks us to retrieve, amend or remove the Customer Data, we will do so in accordance with our Services Agreement with them and our Privacy Shield commitments.

Alternatively, if you are a customer and want to find out more about the data security settings on your account, you can refer to your Services agreement or other applicable contractual documents with us, or contact us directly for further information.


If you have any questions regarding this Statement or if you need to request access to or update, change or remove personal information that we control, you can do so by contacting:
Chief Privacy Officer, Oracle Corporation
10 Van de Graaff Drive
Burlington, MA 01803
United States of America


We reserve the right to change, modify, add or remove portions of this Statement from time to time and in our sole discretion, but will alert you that changes have been made by indicating on this Statement the date it was last updated. When you visit this site, you are accepting the current version of this Statement as posted on the site at that time. We recommend that users revisit this Statement on occasion to learn of any changes.