Last updated January 1, 2020*
This New Relic Services Privacy Notice (“Services Privacy Notice”) covers our collection, use, and disclosure of the Customer Data (as defined below) and Systems Operations Data (as defined below) by the New Relic product services (together the “Services”), such as through New Relic APM, New Relic Browser, New Relic Mobile, New Relic Synthetics, New Relic Infrastructure, New Relic Insights, New Relic Logs, New Relic Serverless, New Relic One, and the New Relic Developer Program, that are licensed and used by New Relic’s customers and their users (collectively, “you,” “your,” or “customer”). For purposes of this Services Privacy Notice, “Personal Data” means any information relating to an identified or identifiable individual, including, for example, ‘personal information’ as defined under the California Consumer Privacy Act (“CCPA”), name, phone number, postal code or zip code, Device ID, User ID, IP address and email address.
This Services Privacy Notice does not cover:
Personal Data processed pursuant to the General Privacy Notice, such as Personal Data collected through: our websites, such as www.newrelic.com, status.newrelic.com, learn.newrelic.com, and any other New Relic website (together the “Sites”); product feedback or surveys; the sales and provisioning process; and in connection with New Relic events, sales and marketing activities.
Links to any other website or location are for convenience only and do not imply New Relic’s endorsement of such other website or location or its contents.
We recommend that customers and users read the entire Services Privacy Notice. If a customer or user has any questions about this Services Privacy Notice, please contact us using the information in Section 6 (How to Contact Us).
1. Who We Are
Throughout this Services Privacy Notice ‘we’, ‘us’, ‘our’ and ‘ours’ refer to New Relic.
New Relic, Inc. is a Delaware corporation headquartered at 188 Spear Street, Suite 1200, San Francisco, CA 94105. New Relic, Inc. has offices, subsidiaries and affiliated companies (“New Relic Group”) all around the world (New Relic, Inc. and the New Relic Group are together referred to as “New Relic”, unless specifically stated otherwise).
For more information about New Relic, please see the “About Us” section of our Site.
2. Information we collect as a Processor/Service Provider: Customer Data
a. Collection of Customer Data (a.k.a. Performance Data). Customer may use the Services to send New Relic data, such as: (i) when our software (e.g. agents, software development kits (SDKs), etc.) is deployed in our customers' applications, websites, and infrastructure, (ii) from synthetic monitors (which simulate transactions and actions carried out by users) or cloud integration, or (iii) when sent to our data collection systems (e.g. application programming interface (API), which allows the transmission of data between applications) for processing, which is made available in customer’s account (“Customer Data”).
Customer Data is subject to the restrictions set forth in the documentation and the underlying agreement between New Relic and its customer (“Customer Agreement”). Any Personal Data written to file in a New Relic account is configured by the user of the software (agents, APIs, SDKs, queries, etc.) that New Relic makes available in connection with the Services, or as a result of the customer’s end system configurations.
b. Use of Customer Data. Customer is the data controller/business owner of the Customer Data. New Relic is the processor/service provider of the Customer Data. New Relic only collects and processes Personal Data within Customer Data upon lawful documented instructions of its customer, including: (a) those set forth in the Customer Agreement, (b) an applicable executed data protection addendum, (c) customer’s use and configuration of the Services, or (d) as otherwise necessary to provide the Services (i.e. testing and applying new product and system versions, patches, updates, upgrades, and resolving bugs and other issues reported to New Relic) (together the “Business Purpose”).
New Relic may aggregate or de-identify Customer Data across multiple accounts and use this data to improve or enhance engagement of our Services or to create and publish (subject to the confidentiality restrictions in the Customer Agreement) industry benchmarks or comparative application performance metrics.
c. Disclosure of Customer Data. To the extent New Relic provides third party sub-processors with access to Customer Data in order to assist in the provision of the Services, such sub-processors shall be subject to the same data protection and security obligations as New Relic under the Customer Agreement or applicable executed Data Protection Addendum, as applicable. Provided that a customer signs up for notifications at https://newrelic.com/NR-legal-signup-datasubprocessors, New Relic shall provide notice of any new sub-processors. After being notified, customer will have ten (10) business days to notify New Relic in writing of any reasonable objection it has to the new sub-processor(s). Failure to notify New Relic within this time frame will be deemed approval of the new sub-processor(s).
If another company acquires our company or our assets, that company will gain custody of the Customer Data collected by it and us and will assume the rights and obligations regarding the Customer Data as described in this Services Privacy Notice. Except as provided in the preceding sentence, New Relic does not sell Personal Data submitted as Customer Data for processing pursuant to the Customer Agreement.
d. Retention of Personal Data within Customer Data.
To the extent we process Personal Data within Customer Data, we retain Personal Data in accordance with the retention period in the Customer Agreement.
e. Data Subject Rights.
If Personal Data pertaining to you as an individual has been submitted to the Services as part of Customer Data by or on behalf of a customer and you wish to exercise any data protection rights you may have in respect of that data under applicable law, including (as applicable) the right to access, port, correct, amend, or delete such data, please inquire with the relevant customer directly.
If a customer of New Relic needs assistance in responding to a data subject request relating to Personal Data contained in customer's Customer Data, please see our documentation on how to submit a request for assistance to New Relic.
f. Security and Confidentiality. New Relic has implemented and will maintain appropriate technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data. These measures, which are generally aligned with NIST 800-53 standard, govern all areas of security applicable to the Services, including physical access, system access, data access, transmission, input, security, oversight, and enforcement.
New Relic employees are required to maintain the confidentiality of Customer Data; employees’ obligations include written confidentiality agreements, regular training on information security and privacy, and compliance with New Relic policies concerning protection of confidential information.
Additional details regarding the specific security measures that apply to the Services are available for review here.
3. Information we collect as a Controller/Business Owner: Systems Operations Data
a. Types of Systems Operations Data We Receive.
“Systems Operations Data” is data that relates to the use and operation of our Services and the systems and networks these Services run on, and includes log files, event files, and other trace and diagnostic files, as well as statistical, aggregated data, and Personal Data (such as user name, user ID, etc.).
b. Use of Systems Operations Data.
We collect Systems Operations Data for business and commercial purposes, such as the following:
to help keep our Services secure, including for security monitoring, identity management, and to investigate and prevent potential fraud and illegal activities involving our Services, systems and networks;
to administer our Service, including backup disaster recovery plans and policies;
for research and development purposes, including to analyze, develop, improve and optimize our Services;
to increase engagement and adoption of our Services (e.g. by providing in Service training and suggestions);
to tailor how we present the Services to users; and
to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal requests; for mergers and acquisitions; finance and accounting; legal and business consulting; and in context of dispute resolution.
For Systems Operations Data that is subject to the GDPR (i.e. either collected in the EEA and/or relating to persons located in the EEA), our legal basis of processing such information is our legitimate interest in performing, improving, maintaining, and securing our Services and operating our business in an efficient and appropriate manner. Personal Data may also be processed to comply with legal obligations.
c. Sharing Systems Operations Data.
We disclose Systems Operations Data to the following categories of recipients for our business purposes:
to third-party services providers that support our business and operations;
to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect vital interests of any other person;
to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use such Personal Data only for the purposes disclosed in this Services Privacy Notice;
to any other person with appropriate consent to the disclosure or as allowed by applicable data protection law.
Additionally, where the Services are made available to you through a company (e.g. by New Relic as a business to your employer as a business), New Relic may share certain Personal Data in Systems Operations Data with such company for their business or commercial purposes, such as determining utilization of the Services by their employees.
Except as otherwise stated in this Services Privacy Notice, we do not sell Personal Data.
d. Retention of Personal Data within Systems Operations Data.
We retain Personal Data where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need to process such Personal Data, we will either delete or anonymise it or, if this is not possible (for example, because the Personal Data has been stored in backup archives), then we will securely store such Personal Data and isolate it from any further processing until deletion is possible.
If you have questions about or need further information concerning the retention of your Personal Data, please see Section 6 (How to Contact Us).
e. Your Choices and Data Protections Rights for Systems Operations Data.
i. User Choices. To the extent provided under applicable laws, users may request to access, correct, update or delete Personal Data contained within Systems Operations Data in certain cases, or otherwise exercise their choices with regards to such Personal Data by submitting a request to: PersonalDataRequests@NewRelic.com.
ii. Data Protection Rights for EEA persons
If you are a person located in the EEA, you have the following data protection rights under EU data protection laws:
You have the right to find out if we use your Personal Data, or to access, correct, update or request deletion of your Personal Data.
You can object to processing of your Personal Data when that processing is based on our legitimate business interests, ask us to restrict processing of your Personal Data or request portability of your Personal Data.
Similarly, if we have collected and processed your Personal Data on the basis of your consent, then you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
You have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority.
If you are an EEA person and would like to make any of these requests, please submit your request to PersonalDataRequests@NewRelic.com.
iii. Data Protection Rights For California Residents
If you are a California resident you have the following data protection rights:
You can request that we disclose to you certain Personal Data we collect, disclose for a business purpose and sell about you.
You have the right to request the deletion of certain Personal Data we collect from you.
You can obtain from us once a year, free of charge, certain information about the Personal Data (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. If applicable, this information would include a list of the categories of Personal Data that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year.
You have the right to opt-out of the sale of your personal information.
You have a right not to be discriminated against based on exercising your data protection rights, and we do not discriminate against any individual for doing so.
If you are a California resident and would like to make any of these requests, please submit your request to PersonalDataRequests@NewRelic.com.
We respond to all requests without delay and in accordance with applicable data protection laws. We may need to ask you additional clarifying questions in order to accurately respond to your request and to verify you are making the request in respect of your own Personal Data.
f. Security of Your Personal Data.
New Relic is committed to protecting the security of Personal Data within Systems Operations Data. We use appropriate technical and organisational measures to protect these Personal Data from unauthorized access, use, or disclosure. Despite these measures, New Relic cannot fully eliminate security risks associated with these Personal Data and mistakes and security breaches may happen. If there are any questions about security on our Site or Services, please contact us using the details provided under Section 6 (How to Contact Us).
4. International Data Transfers
Your Personal Data may be transferred to, and processed in, countries other than the country in which you are located. These countries may have data protection laws that are different to the laws of your country.
Specifically, if you are located in the EEA, you should note that your Personal Data will be accessed by New Relic staff or suppliers, transferred, and/or stored outside the EEA, including to the US and other countries which have different data protection laws.
However, we have taken appropriate safeguards to require that your Personal Data will remain protected in accordance with this Services Privacy Notice and as required by applicable data protection law. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses or Privacy Shield, for transfers of Personal Data with our third party service providers and partners, further details of which can be provided upon request. We also participate and comply with the EU-US and Swiss-US Privacy Shield Frameworks. Please click here to read our Privacy Shield Notice.
5. Communications and Notifications to Customers and Users.
a. Legal Requirements. New Relic may access Customer Data and Personal Data contained in Systems Operations Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of New Relic or users of the Services, protect the safety of others, to investigate fraud, or respond to government requests, including public and government authorities outside a user’s country of residence, for national security and/or law enforcement purposes.
b. Changes to this Services Privacy Notice. This Services Privacy Notice is subject to occasional revision, and if we make any substantial changes in the way we use Personal Data, we will take appropriate measures to inform our customers, consistent with the significance of the changes we make. We will obtain consent to any material Services Privacy Notice changes if and where this is required by applicable data protection laws.
The date of the most recent update to this Services Privacy Notice can be found by checking the “last updated” date displayed at the top of this Services Privacy Notice.
6. How to Contact Us
If you have questions about how your Personal Data is collected, stored, shared, used, or to exercise any data rights, please contact our Data Protection Officer (“DPO”) as follows.
Email inquiries may be addressed to: Privacy@newrelic.com.
Written inquiries may be addressed to:
Attn: Legal Data Subject Request
New Relic, Inc.
188 Spear Street
San Francisco, CA 94105
In addition, if you are a person located inside Germany, Ireland, or UK you can contact:
Robert Niedermeier (our external DPO)
D-85579 Neubiberg / München
Requests that do not include confidential or sensitive content can also be sent by email to our external DPO at: firstname.lastname@example.org.
For any complaints regarding our compliance with our privacy and security practices, please contact New Relic first. New Relic will investigate and attempt to resolve any complaints and disputes regarding our privacy practices.
The data controller/business owner of your Personal Data within Systems Operations Data for all countries that New Relic does business is New Relic, Inc., unless you have contracted directly with New Relic, K.K. in Japan, in which case New Relic, K.K. is the data controller/business owner.
*Updated on January 1, 2020 to incorporate the requirements of the California Consumer Privacy Act.