This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This document establishes OneLogin's data collection, use, and sharing practices for individuals who access OneLogin's website or use its identity and access management products. The policy authorizes OneLogin to collect personal data including contact information, usage behavior, and device information, and to share such data with affiliates, business partners, and third-party vendors for service delivery, marketing, and analytics purposes. The policy establishes differential data subject rights based on jurisdiction, with EU/EEA and California residents granted specific rights to access, correct, delete, or restrict processing of their personal data through submission to privacy@oneidentity.com.
This document is One Identity's (formerly OneLogin's) privacy policy governing the collection, use, storage, and sharing of personal information from customers, website visitors, and users of One Identity products and services, with GDPR and various international frameworks cited as its legal basis. The policy states that One Identity collects personal data including contact information, usage data, device identifiers, and in some cases sensitive categories, and the terms authorize sharing this data with subsidiaries, affiliates, business partners, and third-party service providers for purposes including marketing, analytics, product improvement, and legal compliance. The policy includes a broad retention clause permitting data to be held 'as long as necessary' for business or legal purposes without specifying fixed retention periods, and asserts data transfers from the EU/EEA to the US and other jurisdictions under mechanisms such as Standard Contractual Clauses; the breadth of these assertions may be subject to evaluation under applicable data protection law. The policy engages GDPR (as a primary framework for EU/EEA users), CCPA/CPRA (for California residents), and references compliance with various country-specific laws; One Identity's dual role as both a data controller for website visitors and a data processor for enterprise customers creates distinct compliance obligations that the document partially addresses but does not fully delineate in all operational contexts.
2 important changes detected
3 versions captured · Last updated: May 2026
This expands data sharing scope beyond the previous 'resellers and distributors' provision to include affiliates, vendors, service providers, and business partners, with explicit mention of marketing purposes.
This new provision discloses that OneLogin collects personal information from external data brokers and social media, which represents a significant expansion of data sources not mentioned in the previous version.
This new provision explicitly states marketing email opt-out procedures, providing clearer guidance on how to unsubscribe than was previously available in the 'Legitimate Interests' provision.
This new consolidated provision combines GDPR and CCPA rights in one section, including data portability and consent withdrawal rights not explicitly listed in previous version provisions.
This new provision establishes the mechanism for notifying users of policy changes, which is important for transparency regarding material modifications to privacy practices.
This specific provision about reseller and distributor data sharing was replaced with a broader 'Third-Party Data Sharing' provision that encompasses more categories of recipients without the specific limitation to product/service-related communications.
This provision explicitly mentioning 'legitimate interests' as a legal basis was removed, potentially obscuring the legal justification for marketing communications that was previously disclosed.
This California-specific provision was replaced with a more generic 'GDPR and CCPA' provision, potentially reducing specificity about CCPA/CPRA rights such as the right to opt-out of 'sale or sharing' which are legally distinct under California law.
This provision with specific process details and response time commitment was removed and fragmented into separate provisions, potentially reducing clarity on how to exercise rights and response timelines.
The provision was reframed to explicitly mention the United States as a destination and removed reference to 'adequacy decision' and 'equivalent mechanisms,' instead focusing on the lower level of protection in destination countries.
The provision was simplified and deprioritized, removing specific purposes (analytics, advertising, personalization) and cookie consent tool management details, instead deferring to a separate Cookie Notice.
The provision removed the detailed criteria for determining retention periods (amount, nature, sensitivity, risk of harm) and simplified the language while keeping the core principle.
OneLogin has updated this document before.