Last updated: [August 2025]
Note: The [SAP Business One] is not a stand-alone application, but an interface that gives you access to log in to the backend on-premise system through your mobile device as long as you remain a user authorized by your Company to access the backend on-premise system. Thus, SAP as data controller will normally only collect your Personal Information (e.g., username ID and related password information) for user authentication purposes in the Mobile App to enable your access to the backend on-premise system through your mobile device. This Privacy Statement covers neither the personal information collected or processed by the backend on-premise system nor the personal information processed by SAP as data processor on behalf of a data controller.
This Privacy Statement applies to the [SAP Business One mobile app] (“[SAP Business One]”) published and operated by SAP SE, Dietmar Hopp Allee 16, 69190 Walldorf, Germany (“SAP”) for the worldwide market except People's Republic of China (“China”) market.
This Privacy Statement describes how SAP processes the personal information you provide to SAP and the information that SAP collects or generates in the course of operating the [SAP Business One]. “Personal Information” refers to any information relating to an identified or identifiable natural person, recorded electronically or in other manners, excluding anonymized information.
Your employer, client company, business, institution or other providing entity (“your Company”) may have subscribed to [SAP Business One] as the backend on-premise system (“[On-Premise System]”). [SAP Business One] is used to provide you with a channel to log in and use the backend On-Premise System and allow you to access and use the backend On-Premise System through your mobile device as long as you remain a user authorized by your Company to access the backend On-Premise System. SAP Business One will not collect and process your Personal Information generated during your use of the backend On-Premise System. How your Personal Information will be collected and processed during your use of the backend On-Premise System is not subject to this Privacy Statement, and you need to contact your Company for more information.
This Privacy Statement will help you understand the following:
I. HOW DOES SAP COLLECT AND PROCESS YOUR PERSONAL INFORMATION?
The [SAP Business One] may collect and process your Personal Information for the following purposes:
(1) Adding a Business Partner Contact Person
To enable this feature, SAP Business One needs access to the contact selected from your address book in order to retrieve the contact's name and phone number.
(2) Uploading Attachments
To use this feature, SAP Business One requires access to your camera or photo gallery so that selected images can be uploaded.
(3) Displaying Business Partner Address on the Map
To support this feature, SAP Business One requests access to your current GPS location in order to display your position on the map. Denying access will not affect the functionality of this feature. The app does not store your location data.
For a more detailed description of the types of Personal Information to be collected by SAP, the manner of collection, frequency or timing of collection as well as the impact of refusing to process this type of Personal Information on you, please refer to Appendix I - I. List of Personal Information Collection.
II. HOW DOES SAP USE COOKIES OR OTHER THIRD-PARTY TRACKING TECHNOLOGIES?
SAP does not use cookies or third-party tracking technologies in [SAP Business One], and usage analytics or profiling functionalities are not integrated in the application.
III. PROCESSING BASED ON THE LEGAL BASES OTHER THAN “CONSENT”
SAP is allowed by applicable laws to process your Personal Information based on several legal bases. You acknowledge that SAP could process your Personal Information based on one of the following legal bases without the need to obtain consent from you:
V. HOW DOES SAP PROVIDE YOUR PERSONAL INFORMATION TO THIRD PARTIES AND DISCLOSE PUBLICLY YOUR PERSONAL INFORMATION?
(1) Providing your Personal Information to Third Parties
Your Personal Information will be passed on to the following categories of third parties to process your Personal Information:
SAP may engage service providers (“Entrusted Parties”) to process your Personal Information on behalf of SAP. For example, [IT and communication service providers, law firms, accountants, auditors, consultants]. These Entrusted Parties are obligated to keep your Personal Information confidential and may only use your Personal Information for the purposes described in this Privacy Statement. SAP will require the Entrusted Parties to strictly abide by our measures and requirements on Personal Information and privacy protection, including but not limited to processing Personal Information according to the relevant agreement between the Entrusted Party and SAP.
(2) Merger and Acquisition
In the event of a merger and acquisition, division, dissolution or declaration of bankruptcy scenario, involving the transfer of Personal Information, SAP will require the new company or organization holding your Personal Information to observe this Privacy Statement, otherwise SAP will require such company or organization to seek your consent again.
(3) Public Disclosure
SAP will not disclose your Personal Information publicly except:
1. Having obtained your explicit consent.
2. Law-based disclosure: if required by applicable law, legal process, legal orders or in accordance with mandatory requirements of a competent authority, SAP may disclose your Personal Information accordingly.
VI. HOW DOES SAP PROTECT YOUR PERSONAL INFORMATION?
1. SAP has employed security measures complying with industry standards to protect the Personal Information SAP collects via the [SAP Business One], to prevent such Personal Information from unauthorized access, public disclosure, use, modifications, damage or loss. SAP will adopt reasonable measures to protect your Personal Information. For example, SAP has used a trusted protection mechanism to protect such Personal Information from attacks and we deploy an access control mechanism to ensure only authorized persons can access such Personal Information.
2. SAP may adopt reasonable measures to ensure irrelevant Personal Information is not collected. SAP only keeps your Personal Information within the minimum period required for fulfilling the purposes stated in this Privacy Statement, unless an extension is required or permitted by applicable law.
3. SAP has put in place measures to protect your Personal Information from loss, misuse and unauthorized access. SAP will keep your Personal Information secure using reasonable security measures as appropriate, for example, encryption (e.g., SSL) and anonymization. SAP uses the protection mechanisms offered by the mobile operating system inside the application's sandbox environment. Your Personal Information is also protected by application-level encryption based on 256-bit Advanced Encryption Standard (AES) or a better method. Further, SAP may make available to your Company certain optional security measures for managing the [SAP Business One] which your Company can deploy at its end, for example, single-sign-on, multi-factor authentication and other mobile device management security features. SAP will continue to improve the technical measures to protect your Personal Information collected by the [SAP Business One].
In the event of a Personal Information security breach, SAP will notify you as required by the applicable laws and regulations. SAP will cooperate with your Company to notify the affected users and handle the event.
VII. HOW CAN YOU EXERCISE YOUR RIGHT TO PROTECT PERSONAL INFORMATION?
In accordance with applicable laws and regulations, you are guaranteed certain rights to your Personal Information.
With respect to the Personal Information under our control, you may contact SAP at https://support.sap.com/en/contact-us.html should you have any questions or concerns regarding such Personal Information. To the extent SAP has retained such information with an identifier that can be connected to you, you have the following rights.
(1) Accessing or requesting a copy of your Personal Information
You have the right to access or request a copy of your Personal Information under our control, except for the exceptions specified in applicable laws and regulations. If you wish to exercise the right to access or request a copy of your Personal Information, you may contact SAP at https://support.sap.com/en/contact-us.html.
If it does not incur a significant cost or cause other significant difficulties for us, upon your written request, SAP can also provide you with a copy of your Personal Information under our control (if any) that is generated during your use of the [SAP Business One]. If you wish to access such Personal Information, please contact us at https://support.sap.com/en/contact-us.html.
(2) Correcting your Personal Information
As the types of Personal Information that SAP collects are very limited, if you discover errors in your Personal Information under SAP's control, you have the right to require SAP to make the correction. You may request a correction by contacting SAP at https://support.sap.com/en/contact-us.html.
(3) Deleting your Personal Information
In the following cases, you may send a request to https://support.sap.com/en/contact-us.html to delete your Personal Information under SAP's control:
1. If SAP's behavior in processing your Personal Information violates applicable laws or regulations;
2. If SAP's behavior in processing your Personal Information violates our agreement with you;
3. If you desist from the use of the [SAP Business One], or you cancel the account;
4. If SAP desists from providing the [SAP Business One] to you, or the retention period has expired.
If you request deletion while the retention period provided by any law or administrative rules has not expired, or it is technically difficult to delete the Personal Information, SAP will cease the processing of Personal Information except for storing and taking necessary security protection measures for such information.
If SAP agrees to your deletion request, SAP will also inform the entities which have obtained such Personal Information from SAP to delete such Personal Information without delay, unless otherwise specified in laws and regulations, or these entities have obtained your separate authorization.
(4) Right to Stop or Restrict
You can request SAP to stop or restrict your Personal Information from further processing in certain circumstances.
(5) Right to Object
You can request not to be subject to a decision based solely on automated processing.
(6) Right to Withdraw Consent
Wherever SAP is processing your Personal Information based on your consent, you may at any time withdraw your consent. After your withdrawal, you can uninstall [SAP Business One] at any time. Upon uninstalling [SAP Business One], [SAP Business One] will not store or process any of your Personal Information on your mobile device. In case SAP is required to retain your Personal Information for legal reasons your Personal Information will be restricted from further processing and only retained for the term allowed by law. However, any withdrawal has no effect on past processing of Personal Information by SAP up to the point in time of your withdrawal.
(7) Canceling your Account
Please note that the [SAP Business One] is used to allow you to access and use the backend On-Premise System through your mobile device; you can log out of [SAP Business One] at any time. Upon logging out of [SAP Business One], [SAP Business One] will not store any of your Personal Information on your mobile device. If you request to cancel your account on the backend On-Premise System, please contact your Company to cancel it, because your Company controls the backend On-Premise System. Please note that you will not be able to access and use the backend On-Premise System after the cancellation of your account.
(8) Right to Lodge a Complaint
If you take the view that SAP is not processing your Personal Information in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with the competent data protection authority.
(9) Responding to Your Above Requests
Please submit your request in writing. To ensure security, SAP may need to verify your identity before processing your request. SAP will reply to your request within 15 working days after verification of your identity. If you have any concerns, you may contact SAP at https://support.sap.com/en/contact-us.html.
Generally, SAP will not charge fees to process any reasonable request. But if you submit the same request frequently or your request exceeds a reasonable extent, SAP may charge a fee based on our processing costs as SAP may reasonably determine. Where the requests are repeated without good reasons, or require too many technical measures (e.g. a new system is needed or current practice will be changed fundamentally), or put others' legitimate rights and interests at risk or are very impractical (e.g. require a backup of the Personal Information stored in the tape), SAP reserves the right to reject such requests.
In the following cases, in accordance with applicable laws and regulations, SAP is unable to accommodate your request:
1. Directly related to national security and national defense security;
2. Directly related to public security, public health, and major public interests;
3. Directly related to criminal investigation, prosecution, trial, and enforcement of judgments;
4. There is sufficient evidence indicating that you have subjective malicious intentions or abuse your rights;
5. Responding to your request will cause serious damage to the legitimate rights and interests of the data subject or other individuals or organizations;
6. Involving trade secrets.
VIII. PROCESSING PERSONAL INFORMATION OF CHILDREN
The [SAP Business One] and any related websites, products and services are intended for adults. We consider anyone less than 14 years old a child. You represent and warrant that you are an adult and not a child and you will not transmit Personal Information of any child through the [SAP Business One] without the explicit consent of the child's parents or guardians. If SAP discovers that SAP has collected Personal Information of children without verifiable consent of their parents or guardians, SAP will find ways to delete such data as soon as possible.
IX. WHERE IS YOUR PERSONAL INFORMATION STORED AND HOW IS IT TRANSFERRED CROSS-BORDER?
The [SAP Business One] will not store your personal information locally; data is stored in the backend On-Premise System, which is controlled by your Company.
XI. HOW IS THIS PRIVACY STATEMENT UPDATED?
Our Privacy Statement may be updated from time to time. If the updates to the Privacy Statement may essentially impact the rights you are entitled to under this Privacy Statement, the [SAP Business One] will alert you of these updates through a pop-up notice or other prominent methods and obtain your explicit consent to these updates to the Privacy Statement. Without your explicit consent, SAP will not diminish the rights you are entitled to under this Privacy Statement.
XII. HOW MAY YOU CONTACT SAP?
If you have any question, comment or suggestion relating to this Privacy Statement, you can contact SAP at https://support.sap.com/en/contact-us.html. Generally, SAP will strive to reply within 15 working days.
APPENDIX I: LIST OF PERSONAL INFORMATION COLLECTION
| Services/Functions (Basic Function/Additional Function) | Manner of collection | Frequency or timing of collection | Type of Processed Personal Information | Impact of refusing to process this type of Personal Information on individuals |
|---|---|---|---|---|
| Maintain contact information in Business Partner | Directly provided by the user of the App | When the user adds or changes the contact person of the Business Partner | Contact name, mobile number | No effect on any function of the app |
| Access to the camera and/or photo gallery | Directly provided by the user of the App | When the user uploads the attachment | Photo | The user will not be able to choose an attachment |