Depending on where you live, you may have rights to access, correct, delete, or transfer your personal data, or to withdraw consent for how it is used, by contacting One Identity.
This analysis describes what OneLogin's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights allow you to take control of your personal data, but they are jurisdiction-dependent, meaning users outside the EU and California may have more limited enforceable rights under this policy.
The updated policy discloses that OneLogin may record calls with consent and use AI to analyze call transcripts, chat conversations, and sales emails for multiple purposes including follow-up task identification, call summarization, sales analytics, communication effectiveness analysis, and forecast modeling. Under the revised terms, recorded call audio and video may be reviewed for employee training, monitoring, and coaching purposes. The policy also states that OneLogin will save chat and call conversation data to inform future interactions. These practices apply when you communicate with OneLogin via phone calls, chat, email, text, or other teleconference solutions. You should review the updated disclosure to understand how your communication data will be processed and retained.
View change record →The updated policy removes explicit language describing how OneLogin uses AI to analyze customer communications. Previously, the policy stated that call audio and video would be recorded with consent and analyzed using AI to identify follow-up tasks, summarize calls, and conduct sales analytics; that chatbot conversations would be analyzed and saved; and that sales emails would be analyzed to determine communication efficacy and forecast next steps. These specific AI analysis practices are no longer described in the updated policy. The revised language also narrows one stated data use purpose, changing 'answers or services you have asked or licensed' to 'services you have purchased.' No consumer opt-out mechanisms or alternative disclosures are provided in the change text.
View change record →This new consolidated provision combines GDPR and CCPA rights in one section, including data portability and consent withdrawal rights not explicitly listed in previous version provisions.
View full change record →EU/EEA and UK users have comprehensive GDPR-based rights to access, correct, delete, and port their data, and to withdraw consent or object to processing. California residents have similar rights under CCPA/CPRA. Users in other regions should review applicable local law, as the policy conditions these rights on location.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
OneLogin has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on your location, you may have certain rights regarding your personal information. These may include the right to: request access to your personal information; request correction of your personal information; request erasure of your personal information; object to processing of your personal information; request restriction of processing your personal information; request transfer of your personal information; withdraw consent.— Excerpt from OneLogin's OneLogin Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly implements GDPR Articles 15-22 (rights of data subjects) for EU/EEA users and UK GDPR equivalents for UK users. For California residents, it corresponds to CCPA/CPRA rights including the right to know, delete, correct, and opt out of sale or sharing. The enforcement authorities are EU DPAs, the UK ICO, the California Privacy Protection Agency, and the California Attorney General. The policy's framing of rights as location-dependent is consistent with applicable law but may understate rights available to users in additional jurisdictions with comprehensive privacy laws. 2) GOVERNANCE EXPOSURE: Medium. One Identity must maintain processes to respond to data subject access requests (DSARs) within statutory timeframes (30 days under GDPR, extendable to 60 days; 45 days under CCPA, extendable). Failure to respond adequately creates direct regulatory enforcement risk. The policy does not specify response timelines or the verification process for identity confirmation, which may create friction for users attempting to exercise rights. 3) JURISDICTION FLAGS: EU/EEA users have the strongest enforceable rights framework. California users have CPRA rights including correction and opt-out of sharing, which are newer and more expansive than original CCPA. Users in Brazil (LGPD), Canada (PIPEDA/Bill C-27), Japan, and other jurisdictions with comprehensive privacy laws may also have enforceable rights not fully enumerated in the policy. Organizations with global user bases should assess whether One Identity's rights framework covers all relevant jurisdictions. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using One Identity as a data processor must ensure their DPA obligates One Identity to assist with DSAR responses under GDPR Article 28(3)(e). If One Identity receives a DSAR relating to data controlled by an enterprise customer, the policy's framework may not clearly delineate how such requests are routed, which creates operational risk for both parties. 5) COMPLIANCE CONSIDERATIONS: Legal teams should verify that One Identity has a documented and operational DSAR intake and response process, including identity verification procedures that balance security with accessibility. The response timeline commitments should be reviewed and compared to statutory requirements in all relevant jurisdictions. If One Identity processes data on behalf of enterprise customers as a processor, DPAs should explicitly address DSAR assistance obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights allow you to take control of your personal data, but they are jurisdiction-dependent, meaning users outside the EU and California may have more limited enforceable rights under this policy.
EU/EEA and UK users have comprehensive GDPR-based rights to access, correct, delete, and port their data, and to withdraw consent or object to processing. California residents have similar rights under CCPA/CPRA. Users in other regions should review applicable local law, as the policy conditions these rights on location.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OneLogin.