This Commercial Relationship Privacy Policy (“Commercial Privacy Policy”) describes the collection, use, sharing, and processing of personal information by The Descartes Systems Group Inc. and its affiliates and subsidiaries ("Descartes" or alternatively “we”, “our”, or “us”) in connection with the purposes described below.  For a full list of all Descartes affiliates and subsidiaries, please see the list located on the Supplemental Privacy Information page at https://www.descartes.com/legal/privacy-center/supplemental-privacy-information.

This Commercial Privacy Policy may be changed from time to time by Descartes in order to, amongst other things, account for changing legal requirements or to meet changing business needs.  The most up-to-date version of the Commercial Privacy Policy will always be posted at https://www.descartes.com/legal/privacy-center/commercial-relationship-privacy-policy.  This Commercial Privacy Policy was last updated on September 5, 2024.

Scope of Policy

This Commercial Privacy Policy only applies to the collection, use, sharing, and processing of personal information of customers, suppliers, and vendors of Descartes, including individuals who work for, or on behalf of, such customers, suppliers, and vendors, as well as personal information of third parties but only where the personal information is provided to Descartes directly from the third party and not through any intermediary non-Descartes affiliated entity.

This Commercial Privacy Policy does NOT apply to personal information that is or was:

  • Collected from prospective customers or suppliers while negotiating a commercial contract or agreement.
  • Collected through Descartes’s publicly accessible websites, public forums, and other publicly accessible internet sites maintained by Descartes, excluding any of Descartes ecommerce sites and mobile device applications.
  • Collected from individuals attending offices, conferences, or trade show booths run by the Descartes.
  • Collected from subscribers to Descartes mailing lists, email lists, newsletters, and social media channels and feeds.

Where the personal information is related to third parties and was received by Descartes through a customer (and not directly from the third party itself), the handling of such personal information will be governed by the terms of the Data Processing Attachment which forms part of the commercial agreement between Descartes and that customer.

What we use personal information for

In order to provide you our products or services or to effectively make use of your products or services, we may use personal information for the following reasons:

  • To manage any required billing or invoicing matters, including who and where to direct such matters to;
  • To manage access to the service or product through user access management;
  • To communicate with you when providing or receiving technical support on your request;
  • To allow us to analyze, develop, improve, and optimize the use, functionality, and performance of our sites or products and/or the responsiveness of our staff to potential customer inquiries;
  • To allow us to understand and predict future changes in our customer’s and potential customer’s needs;
  • When required by law or regulation, to identify the specific individual who interacted with a government entity through our products or services, such as by filing a customs report;
  • To verify that there does not exist any conflict of interest, prohibition, or government regulation which restricts us from doing business with you;
  • To provide customers information and updates about new features, bugs, and work arounds for specific products or services; and
  • To provide customers information about other Descartes products or services designed to complement the existing Descartes product or service you have purchased or subscribed to.

What personal information is collected and processed

Personal information is information about an identifiable individual or household. Depending on local law, publicly available information — such as a public directory listing of your name, address, telephone number, email or other electronic address — may not be considered personal information.

The following table provides a list of the categories of personal information that we may collect and process from customers, suppliers, and vendors of Descartes and why we collect it:

Categories of informationExamplesWhy we need that information
IdentifiersLegal name, aliases, date of birth, governmental or national identification number, email address, phone number, or mailing addressTo allow us to uniquely identify every individual accessing our products or services for access management purposes.   To notify you of changes to your account, to notify you of the completion of any scheduled reports or tasks or processes, to provide account reset information if requested, to communication with you regarding account or technical support issues.
Professional or employment related informationName of employer, your role or position with your employer, and any authority delegated to you by your employer for the purpose of interacting with us.To be able to properly receive your instructions, to ensure we apply your instructions to the right customer, and to ensure we can provide evidence of your instructions to your employer / our customer.
Sensitive Personal InformationPrecise geolocation.Where applicable, we collect your precise geolocation in order to provide our logistics tracking services to our customers.

Duration of Processing

Descartes maintains personal information only as long as it is required to fulfill the purpose under which it was gathered, unless required by law to retain for longer periods or other purposes.  Where Descartes determines that personal information is no longer required, we will securely destroy such information as soon as it is commercially reasonable to do so.

Disclosure of Information

As Descartes is a global organization, our network operations span multiple data centers across the world.  Our products and services rely on this interconnected network of data centers to provide you with efficient and resilient experiences.  By providing us your personal information, you consent to us transferring your personal information to the various countries that Descartes operates in.

In some limited circumstances, Descartes may use a third-party data processor to process personal information.  Categories of processing may include the following:

  • to organize and manage customer related information using purpose-built applications;
  • to more efficiently communicate with multiple customers, suppliers, or vendors, and respond to their requests;
  • To provide you with products and services;
  • In the event of a transaction or proposed transaction involving the transfer of all of a portion of the assets of Descartes or one or more of its businesses to another entity, whether an affiliate or a third party, your personal information may be shared in the diligence process or to otherwise facilitate the transaction and may be transferred as part of the transaction; and
  • to provide customers technical support.

All third-parties are required to use industry standard security to protect any data they have access to and may only process the information for the purpose, duration, and in the manner specified by Descartes.  A list of the subprocessors used by Descartes can be found in the Supplemental Privacy Information section (https://www.descartes.com/legal/privacy-center/supplemental-privacy-information).  Descartes is responsible for and remains liable for the handling of personal information provided by Descartes to its subprocessors. Where Descartes transfers personal information, as described above, from the European Union, Switzerland, or United Kingdom to jurisdictions not deemed “adequate” by the European Union Commission (EU), the Federal Council (Switzerland), or the Information Commissioner’s Office (UK) respectively, such transfers will be made subject to safeguards as required by law, including but not limited to Standard Contractual Clauses as approved by the appropriate regulatory authority.

In the event of an emergency or valid court order, we may also share personal information with law enforcement agencies or government regulators if permitted by law to do so.

Your California Privacy Rights

California law provides you with the following rights with respect to your Personal Information:

  • The right to know the categories or specific pieces of personal information we have collected, used, and disclosed about you. 
  • The right to request that we correct any personal information we have collected about you. 
  • The right to request that we delete any personal information we have collected about you. 
  • The right to obtain a copy of personal information we have obtained about you in a portable and, to the extent technically feasible, readily usable format. 
  • The right to limit our use of sensitive personal information.
  • The right not to receive discriminatory treatment for the exercise of privacy rights conferred by your state’s privacy law.

To make any of the above requests to access, correct, delete, or impose limits on the processing of your personal information, please contact us at dsg-privacy@descartes.com or call 1-800-419-8495 with details of your request.  For the purposes of verifying your identity we may ask that you provide us sufficient personal details to allow us to identify you, which may include but may not be limited to your full legal name, your email address, your phone number, and/or your mailing or physical address.  Such information will only be used for the purpose of verifying your identity.

You may also designate an authorized agent to make a request on your behalf by contacting us as described above.

Selling of Personal Information

Descartes does not collect any personal information for the purpose of selling that personal information.  Despite this, some jurisdictions require us to make the following additional statements:

  • We have not sold any personal information in the past twelve months.
  • We do not sell personal information to third parties.
  • We do not disclose your personal information to third parties for their own direct marketing purposes.

Sharing of Personal Information for Cross Context Behavioral Advertising or Targeted Advertising

Descartes does not share personal information with third parties for purposes of cross context behavioral advertising or targeted advertising by Descartes.

Sensitive Personal Information

California residents have the right to request we limit use of sensitive personal information.  Descartes does not use sensitive personal information for any additional purposes that are incompatible with the purposes listed above, unless we provide you with notice of those additional purposes.

Data Retention

We will retain your personal data for as long as needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include: (a) the length of time we have an ongoing relationship with our customers and provide services, (b) whether there is a legal obligation to which we are subject, and (c) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Additional Contractual Obligations

Further, there may be terms and conditions in our commercial agreements with you that add to our privacy commitment outlined in this document.  If there is a contradiction between this policy and those commercial agreements, the obligations of the commercial agreements will prevail.

Your European / UK Privacy rights

For individuals subject to or otherwise entitled to the protection of European or UK law, under applicable law you may request from us the following:

  • a copy of any of your personal information which we may have;
  • to update or correct any inaccuracies in your personal information that we may have;
  • to request that we limit our use of your personal information, including but not limited to instructing us not using your personal information for a specific purpose;
  • to erase some or all of your personal information that we do not have a legal entitlement to keep; or
  • withdraw any previously provided consent for our use of your personal information.

We will not discriminate against you for exercising your rights conferred by applicable law and as described here.

To make any of the above requests to access, correct, delete, or impose limits on the processing of your personal information, please contact us at dsg-privacy@descartes.com or call 1-800-419-8495 with details of your request.  For the purposes of verifying your identity we may ask that you provide us sufficient personal details to allow us to identify you, which may include but may not be limited to your full legal name, your email address, your phone number, and/or your mailing or physical address.  Such information will only be used for the purpose of verifying your identity.

In addition, while Descartes does not sell personal information to third parties, some jurisdictions still require that we provide you a means to opt out of the sale of your personal information to third parties.

Contacting the Data Protection Officer

Descartes has a global data privacy officer.  If you believe your data has been used in a manner which is not consistent with this Privacy Policy or in contravention of local data privacy laws, want to appeal our decision or inaction regarding your personal information,  request a copy, a deletion, an update or a correction, withdraw your consent, or if you have any questions, comments, or suggestions related to data privacy or this Privacy Policy, please contact our global data privacy officer:

Peter Nguyen, Data Privacy Officer
Mail: 120 Randall Drive, Waterloo, Ontario, Canada, N2V 1C6
Email: dsg-privacy@descartes.com
Telephone:  1-800-419-8495
Fax: 1-519-747-0082

Data Privacy Framework

The following Descartes affiliates or subsidiaries (collectively referred to as “Descartes US”) comply with the  EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework (collectively the “DPF”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, Switzerland, and the United Kingdom to the United States:

  • Descartes Insurance Services, Inc.
  • Descartes Systems (USA) LLC
  • Descartes Systems VM LLC
  • Descartes U.S. Holdings, Inc.
  • Descartes Visual Compliance (USA) LLC
  • Green Mile, LLC
  • GroundCloud Safety, LLC
  • MacroPoint LLC
  • NetCHB, LLC
  • Rock Solid Internet Systems, LLC
  • Trans-Soft, LLC
  • VitaDex Solutions, LLC
  • Windigo Logistics, Inc.
  • XPS Ship, LLC
  • XPS Technology LLC

Descartes US has certified to the Department of Commerce that it adheres to the DPF Principles.  If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern.  To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over Descartes US’ compliance with DPF.

All Descartes US employees who handle personal information from the European Union, Switzerland, or the United Kingdom are required to comply with the DPF Principles as stated in this policy.

Disputes covered by DPF

In compliance with the DPF Principles, Descartes US commits to resolve complaints about our collection or use of your personal information.  European Union, Swiss, and United Kingdom individuals with inquiries or complaints regarding our DPF policy should first contact the Data Protection Officer using the contact information provided for in the section titled “Contacting the Data Protection Officer”.

Descartes US has further committed to refer unresolved DPF complaints to the ICDR/AAA, an alternative dispute resolution provider located in the United States.  If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit the ICDR/AAA (https://go.adr.org/dpf_irm.html) for more information or to file a complaint.  The services of the ICDR/AAA are provided at no cost to you.

If you are not satisfied with the resolution provided by the ICDR/AAA, under certain conditions you may be able to invoke binding arbitration to address complaints regarding Descartes US’ compliance with DPF.  Further instructions on binding arbitration are available at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Verification of DPF compliance

Descartes US utilizes the self-assessment approach to assure its compliance with its DPF obligations and regularly verifies that this policy is accurate, comprehensive, prominently displayed, completely implemented, and in conformity with DPF requirements.  Descartes US conducts its self-assessment on an annual basis to ensure all relevant privacy practices are followed.

[End of policy.]