Privacy Policy for the Sage Intacct Services

Coffee Break Demo

Put your feet up and enjoy this live Q&A

Learn how Sage Intacct helps you drive improved business performance — throughout your entire organization.

30 minute demo | Daily 9:00 am PT / Noon ET

Effective Date: January 31, 2022

This policy describes how Sage Intacct, Inc. and its subsidiaries collect and handle personal information that customers provide through or in conjunction with the Sage Intacct products and services that link to this policy (“Sage Intacct Services”). It also describes your rights regarding use, access and correction of your personal information. The Privacy Policy of the Sage Intelligent Time timekeeping services (the “Timekeeping Services”) describes collection and handling of customer-provided personal information within those services.

The Sage Intacct Services are operated by Sage Intacct, Inc. and its subsidiaries. Sage Intacct, Inc. is a subsidiary of Sage Group plc, a UK-headquartered publicly traded company. Sister companies of Sage Intacct within the Sage group administer sales and customer relationship management for customers of the Sage Intacct Services in certain territories: Sage Software Australia Pty Ltd for customers in Australia, Sage Software Canada Limited for certain customers in Canada, and Sage (UK) Ltd for customers in the United Kingdom and Ireland. The operations of these sister companies are governed by the general privacy notice of the Sage group, available here.

This policy does not apply to information collected through the Sage Intacct corporate website, ( outside the operation of the Sage Intacct Services, and the Sage Group plc corporate website ( Our Website Privacy Policy describes our practices with respect to information collected from the Sage Intacct corporate website, and the Sage Privacy Notice describes Sage’s practices with respect to information collected from websites linking to that Privacy Notice. If you are considering applying for a job with Sage Intacct, currently work for Sage Intacct, or have worked for Sage Intacct, then the Sage Group plc HR Privacy Notice applies to information we collect or collected as a part of those relationships.

This policy refers to Sage Intacct, Inc. and its subsidiaries as “we,” “us” and “our.” References to “you” and “your” are to the controllers of the data input into the Sage Intacct Services. This generally is our customers, the companies and organizations that have subscribed to the Sage Intacct Services, and their users. In some cases, this may be our partners with respect to data provided by them in the course of their use of the Sage Intacct Services. If you are an individual whose data is controlled by a customer or partner of ours and input into the Sage Intacct Services by that customer or partner, please direct your privacy-related inquiries to them. You can find further details in “Your Responsibilities and Rights” below.

Information Provided by You

You provide us with several kinds of information: Customer Data, Administrative Data, and Billing Data.

Customer Data is the information submitted into the Sage Intacct Services when you use the Sage Intacct Services, when the Sage Intacct Services interoperate with third party applications, or when you receive customer support. This includes accounting information, transactions (for example, with suppliers or customers), bank account information and other financial information, as well as information derived by the operation of the Sage Intacct Services from those submissions at your instruction, such as reports. Customer Data may be submitted directly by you or indirectly through our partners.

Our system processes and stores Customer Data strictly on your behalf in order to provide you the Sage Intacct Services and as otherwise provided in our agreement with you. We restrict our employees’ access to Customer Data in production and backup environments to (1) support, client services and technical staff, who with your permission may have access to your Customer Data to provide customer support, technical troubleshooting, error fixing and professional services, and (2) a limited number of operations personnel, who may have controlled access to Customer Data for troubleshooting and system maintenance. We use Customer Data as your processor to provide you the Sage Intacct Services and to address customer support requests and technical problems. We will not use Customer Data for our own purposes without your consent, unless we are required to do so by applicable law. Please see your agreement(s) for further details.

The Privacy Policy of the Timekeeping Services describes collection and handling of Customer Data in the Timekeeping Services.

Administrative Data is information you provide during sign-up, purchase or administration of the Sage Intacct Services. This includes (i) company name, address, email and phone number, and (ii) individual users’ names, job titles, emails, phone numbers and account credentials.

We collect, store and use Administrative Data as a controller in the context of providing our products and services to you, including to perform our contractual obligations to you and/or for our legitimate business interests. Specifically, we use Administrative Data to provide the Sage Intacct Services to you, administer your account, administer your subscriptions and renewals and contact you to discuss your subscription needs, provide customer support and professional services, keep a record of our dealings with you, notify you of changes, updates and availability of the Sage Intacct Services, understand your experience using the Sage Intacct Services (for example, by sending you surveys), conduct research, improve the Sage Intacct Services, plan and host events, contact you with marketing communications, notify you of new product offerings, and identify and prevent fraud.

The Privacy Policy of the Timekeeping Services describes collection and handling of Administrative Data in the Timekeeping Services.

Billing Data is financial qualification and billing information you provide as our customer when you purchase, subscribe to, renew or expand the Sage Intacct Services. This includes company name (and in some cases the name of a contact person for billing matters), billing address, credit card information, financial checks (business credit references), and other financial data.

We use Billing Data as a controller in the context of providing our products and services to you, including to enter into a contract with you and/or for our legitimate business interests: to process or collect payment for your transactions with us, keep a record of our dealings with you, and prevent fraud. We store Billing Data for use in your future transactions with us.

If you do not wish to provide Administrative Data and/or Billing Data to us, we will not able to provide the Sage Intacct Services to you or administer them for your account with us.

Information Collected by Us

In relation to the use of the Sage Intacct Services, we collect the following information for our legitimate business purposes:

Cookies and similar technologies: Cookies are small data files that websites associate with visitors to facilitate the proper, efficient or secure operation of the website. The Sage Intacct Services use the following types of cookies:

Session Identification (Required)These cookies are required to access the Sage Intacct Services and for secure operation of the Sage Intacct Services. When a user logs in, a cookie with encrypted information tied to the user account is placed onto the browser. These cookies allow us to identify the user when he/she is logged in to perform online requests. One required cookie is also used to prevent the same user from logging into the Sage Intacct Services from multiple browsers at the same time.When browser is closed, or in some cases on the earliest of session timeout, user logout or when browser is closed.
Persistent User IdentificationThese cookies allow the Sage Intacct Services to remember information a user has entered such as username, company name, and trusted device for 2-step verification. The Sage Intacct Services place these cookies onto the browser when a user selects “remember me” tick box (opt in).Some of these cookies expire in 90 days and others in 1 year.
Non-Persistent User IdentificationThe Sage Intacct Services place these cookies onto the browser during user login. These cookies allow temporary identification of the user for various functional purposes such as verification of single sign-on (SSO) login, enablement of the “collaborate” feature, and keeping track of SSO.In 5 minutes.
FunctionalThis cookie is placed to keep track of printed invoice record.On the earliest of session timeout, user logout or when browser is closed.
User Interface FunctionalityThese cookies enable various user interface features (such as arranging components on the dashboard) by providing information about the browser screen’s width and height or keeping track of current selected menu in the user interface.Some of these cookies expire immediately and others expire in 2 minutes.
Integration FunctionalityThe Sage Intacct Services use these cookies to remember the user session during the cloud storage authentication.In 5 minutes.
Data Import FunctionalityThe Sage Intacct Services use these cookies to remember the user's last import settings. The next time a user imports data, the previous data import options are populated for the user in the user interface.In 1 year.
PerformanceThe Sage Intacct Services use these cookies to measure the client response time to improve the performance and user experience.In 2 seconds.
InfrastructureThese cookies are used by infrastructure components such as load balancer and content delivery network (CDN) and do not collect any customer or user specific information.When user closes the browser.
MaintenanceThese cookies are placed to show the system maintenance message page.When user closes the browser.
CDNThese cookies are used to track session state, store origin server IP to facilitate CDN service, and for testing purposes.Some of these cookies expire immediately and others expire in 1 year.
Web SecurityThese cookies are used to detect malicious visitors to our website and minimize blocking legitimate users.In up to 7 days.
Media PlaybackThese cookies enable viewing of videos and other media content related to product functionality. These cookies do not collect any customer or user specific information.In 1 hour.
Pendo CookiesWe use Pendo to provide help and guidance within the product. These cookies allow us to display these guides in the product at the right time. These cookies collect information in a way that does not identify anyone. The Pendo privacy policy is available here.In up to 100 days.

The cookies above are essential for the proper operation of the Sage Intacct Services; without them, the Sage Intacct Services will lack major functionality. We do not provide an opt out for cookies identified as “Required” in the table above. In your browser, you can opt out of or delete the other cookies. We do not recommend opting out of cookies, as this will adversely impact the functionality of, and your access to, the Sage Intacct Services and the Sage Intacct Services may not operate as intended without these cookies.

In addition, we use Google Analytics for certain pages on our product website. If you look for them in your browser, they all begin with “_ut” or “_ga”. Google Analytics helps us understand how often users visit our product website and what pages they visit. We use this information to analyze how our website is used and for website and product development and improvement. We have set the Google analytics tool to anonymise IP addresses. The cookies collect information in an anonymous form, including the number of visitors to the Sage Intacct website, where visitors have come to the website from and the pages they visited. You can opt out of Google Analytics across all sites by using this tool.

IP Addresses: We collect the Internet Protocol (IP) address of the computer used to access the Sage Intacct Services. We use IP addresses for added security of the Sage Intacct Services, to optimize the delivery and/or performance of the Sage Intacct Services, and to monitor compliance with export and sanctions laws and our related internal policies. A security feature of the Sage Intacct Services allows a customer’s administrator to review the list of IP addresses from which the customer’s Sage Intacct account has been accessed.

Statistical and Usage Data: When you use the Sage Intacct Services, we may collect statistical information (metadata), such as server log files, usage patterns and frequency, and volume and value of transactions. That statistical information does not include Customer Data. We may use this statistical information for product improvement and billing. In addition, features of the Sage Intacct Services collect audit trail data, which includes records of each user’s manipulation of Customer Data (for example, creation, editing, reporting, deletion) and, if you subscribe for advanced audit trail functionality, further includes each user’s viewing of, and access to, specific objects containing Customer Data.

Product Development Data: If our agreements with you permit us, we may use elements of Customer Data internally for product research, development and innovation. Unless otherwise agreed by you, personal data contained in Customer Data in a personally identifiable form will only be used as described in the “Information Provided by You – Customer Data” disclosures above.

Aggregate Data: If Statistical and Usage Data is used by us for any other purposes, we aggregate this data in a way that does not identify or otherwise permit the identification of you or any of your users. We may use and disclose Aggregate Data for training, quality assurance, product development, marketing, promotion, statistical analysis, market analysis, financial analysis, benchmarking and other business purposes.

Do Not Track signals: Some browsers contain features that signal that the user does not want to be tracked, known as “Do Not Track” or DNT. The Sage Intacct Services currently do not respond to those signals.

Third-Party Provided Data: We partner with third parties (for example, payment service providers) who provide products and services within, or related to, the Sage Intacct Services. These third parties may provide us with your Customer Data or Billing Data. We treat this information in the same manner as we treat Customer Data and Billing Data that you provide directly to us.

Audio and Video Information: With your knowledge and consent, we may record phone or video conversations with our professional services or support personnel that include your voice and likeness. We use this information to provide you and the business that you represent implementation services, customer support, to assess the compliance, quality and effectiveness of our customer support program, to collect feedback on our products, and for training purposes.

Sage Intacct Community

The Sage Intacct Community is a community forum where customers and partners may share information about the Sage Intacct Services. You should be aware that any information you provide in the Community may be read, collected, and used by others who access the Community. To request removal of your personal information from the Community, contact us as described in “Further Information” below.

Data Retention

We retain Customer Data for the duration of your subscription to the Sage Intacct Services. After your subscription expires, we retain Customer Data for at least 90 days and may store it for up to an additional 90 days. Customer Data may be retained beyond that period in data backups, which may be stored for up to 5 years. We retain Customer Data as necessary to exercise our rights and obligations under our agreement with you, comply with our legal obligations, or resolve disputes.

We keep Administrative Data and Billing Data as part of our business and accounting records for the duration of your relationship with us and thereafter for so long as necessary for our legitimate business purposes. We retain credit cardholder data for no longer than 90 days from the card expiration date. We do not store card-verification code or value (CVV).

Please, refer to the table above for information on cookie expiration. We currently do not delete on a set schedule IP addresses, Statistical Data, Product Development Data, Aggregate Data and call recordings.

Disclosure of Information

We will disclose your information to third parties only as directed by you, as described in your agreements with us and in this policy, or as required by law.

  • When you authorize third-party access to the Sage Intacct Services, or use our API or third-party applications accessed through the Sage Intacct Service, you may disclose Customer Data to third parties. That use is under your control, in that it is a disclosure initiated and directed by you.
  • The Sage Intacct Services may enable you to use services provided by third parties, such as supplier payments processing. In addition, you may authorize the use of third-party service providers, such as implementers or application providers. If you subscribe for any of those services, we may disclose necessary Customer Data, Administrative Data and/or Billing Data to the third-party service provider to enable its services to you. That data will be governed by the respective third-party provider’s privacy policy/notice and service terms.
  • We may contract with other companies to provide services or functionality on our behalf. If we do so, we may share Customer Data and/or Administrative Data with those providers to the extent necessary for their engagement. In such cases, we will require those providers to maintain the confidentiality of your information and to use it only for the purposes of their engagement by us. Disclosures to those third parties are covered by the provisions in this policy in the “Your Responsibilities and Rights” section and our agreement(s) with you.
  • We may store Customer Data and backups in facilities provided by third parties. These third parties do not have the right to access that data.
  • We may disclose Administrative Data to third-party providers of products and services within, or related to, the Sage Intacct Services for billing and for administering the Sage Intacct Services and those third-party products and services.
  • We may disclose Administrative Data to companies within the Sage group in the context of our providing our products and services to you for customer relationship management, customer support, product compatibility and improvements, and to provide you with any information, applications, products or services that you have requested.
  • We may, in accordance with applicable law, share Administrative Data for marketing purposes with our partners and other third parties whose products or services we think may interest you in the operation of your business activities.
  • We may disclose Billing Data to payment processors to complete our transactions with you and to payment processors and other third parties to prevent fraud or for collections.
  • Aggregate Data does not identify you or your users and, therefore, we may disclose it to third parties as appropriate to support our business needs.
  • We also may disclose your information if we believe in good faith that it is necessary to (1) respond, in accordance with applicable law, to a court order or request by government authorities or comply with any law, regulation, legal process, administrative or other government proceeding, (2) protect against misuse or unauthorized use of the Sage Intacct Services, (3) prevent or address fraud; (4) enforce our rights, policies and agreements or defend ourselves in legal or government proceedings; or (5) protect our rights, property or safety, or those of third parties.
  • Unless we are prohibited from doing so by law, we will, where appropriate, notify you of any request to disclose your Customer Data to the authorities or any other party and, where appropriate, refer such requests directly to you.
  • We may transfer some or all of our assets, including data, in connection with a merger, acquisition, or sale of assets, or if we dissolve, reorganize our business, or cease operating as a going concern (for example, in the event of insolvency or bankruptcy).

Information Security

We maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of your Customer Data that are consistent with industry standards. You can learn more about our Information Security Management Program here.

Information Location and Transfers

Generally, we store Customer Data, Administrative Data and Billing Data in the United States. Production and backup Customer Data of Australian customers is stored in Australia. A copy of Production Data of Australian customers participating in a customer preview will be transferred to the United States and stored for a three (3) week preview period. Production and backup Customer Data of Canadian customers is stored in Canada, and production and backup Customer Data of UK and South Africa customers is stored in Ireland. We synchronize Customer Data for disaster recovery purposes for all customers to our servers in Sacramento, California. In each case where data is transferred outside the UK or EEA (which means all the European Union countries plus Norway, Iceland and Liechtenstein), such transfers are made in accordance with the requirements of the General Data Protection Regulation (GDPR), the UKGDPR and associated laws. Appropriate safeguards are put in place for the transfer, like the European Commission’s Standard Model Clauses for transfers of personal data outside the EEA.

Customer Data stored in AI/ML (artificial intelligence/machine learning) applications and modules, such as the Timekeeping Services, is processed in the United States.

As part of our global operations, Sage Intacct colleagues or colleagues from companies in the Sage group may access information from other locations outside the United States. All Sage group companies are subject to Sage group data protection policies designed to protect data in accordance with applicable data protection laws.

If you do not want your personal data to be transferred outside the EEA you should not use our website, applications or services.

Your Responsibilities and Rights

We are a processor of Customer Data, which is controlled by you, our customers. You are responsible for complying with all data protection laws and regulations applicable to you as a user of the Sage Intacct Service and controller of Customer Data. We have no direct relationship with the individuals whose personal data we process as part of Customer Data. We acknowledge that the individuals have the right to access their personal information. An individual who seeks access/port, or who seeks to correct, amend, or delete inaccurate data, or who wishes to restrict or object to processing of Customer Data, should direct his or her query to you, our customer (the controller). If requested to remove the data, we will respond to the individual within reasonable timeframe and direct the request to you, our customer.

Upon request, we will provide individuals with information about whether we hold any of their personal information in Administrative Data or Billing Data. If you (as a customer) want to edit and/or change any Administrative Data or Billing Data (other than company ID or user ID, which cannot be changed without creating a new account and/or new user), you can do so at any time by using your company ID, user ID, and password to access your account. Please contact Sage Intacct support via the Sage Intacct Communities page for further instructions about deleting or deactivating your Sage Intacct account.

You can opt out from our marketing messages by clicking on the “unsubscribe” link included in them or by contacting your Sage Intacct account manager. That opt out will not extend to transactional or relationship messages. If you wish to opt out from us sharing Administrative Data with third parties for marketing purposes, please contact your Sage Intacct account manager.

Individual Rights

As an individual, you have the following rights pursuant to laws that may apply to you or us, such as the General Data Protection Regulation (GDPR):

  • to be told how your information is used and obtain access to your information;
  • to have your information rectified or erased or place restrictions on processing your information;
  • to object to the processing of your information (e.g. for direct marketing purposes or where our use is based on legitimate interests);
  • to have the digital information you provided and which we process on the basis of your consent or a contract with you returned to you in a structured, commonly used and machine-readable format, or sent directly to another company, where technically feasible (“data portability”);
  • not to be subject to a decision based on the automated processing of your personal data, including profiling;
  • where processing of your information is based on your consent, to withdraw that consent at any time;
  • to file a complaint with the applicable supervisory authority responsible for data protection matters.

If the California Consumer Privacy Act (CCPA), applies to you as an individual (“consumer” under the CCPA), you have the following rights, if you submit a verifiable consumer request:

  • To receive disclosure of:
    • the categories of personal information that we have collected about you;
    • the categories of sources of the personal information we have collected about you;
    • the business or commercial purpose for our collecting of personal information about you;
    • the categories of third parties with whom we share your personal information, including categories of third parties to whom we sell personal information or disclose personal information for a business purpose; and
    • the specific pieces of personal information that we have collected about you.
  • To request deletion of your personal information by us, subject to the exceptions provided by the CCPA;
  • To be free of discrimination on the basis of having exercised your rights under the CCPA.

Please see “Administrative Data,” “Billing Data” and “Information Collected by Us” above for a description of the specific pieces of personal information we may collect about individuals and the business and/or commercial purposes for which the personal information is used. The personal information we collect falls into the following categories under the CCPA’s definition of “personal information”:

  • personal identifiers (e.g., name, email, etc.),
  • professional information (e.g., title),
  • audio and visual information (e.g., when we record a telephone call) and
  • internet activity information of users (e.g., via the audit trail functionality of the Sage Intacct services).
We obtain this data either directly from you, or from the administrator of your company’s Sage Intacct account who gives you access to the Sage Intacct Services, or from your interaction with the Sage Intacct Services. We do not sell consumers’ personal information. In the preceding 12 months, we have disclosed for a business purpose the following categories of personal information: personal identifiers (e.g., name, email, etc.), professional information (e.g., title), and internet activity information of users (e.g., via the audit trail functionality of the Sage Intacct services). Please refer to “Disclosure of Information” above.

You may submit requests pursuant to this paragraph using the means described in “Further Information” below.

EU-U.S. Privacy Shield

Although the EU-U.S. Privacy Shield Framework is no longer a legal basis for transfer of personal data from the EEA or the UK, Sage Intacct, Inc. participates in, and has certified the Sage Intacct Services’ compliance with, the EU-U.S. Privacy Shield Framework, and is committed to adhere to its Principles with respect to all personal data received in the Sage Intacct core ERP services from the EEA or the UK in reliance on the Privacy Shield. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield Website. The Privacy Shield List contains a list of companies certified under the EU-U.S. Privacy Shield Framework.

Sage Intacct, Inc. is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. It complies with the Privacy Shield Principles, including the onward transfer liability provisions, for all onward transfers of personal data from the EEA or UK.

With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Sage Intacct, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, it may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. If you have an unresolved privacy or data use concern that Sage Intacct, Inc. has not addressed satisfactorily, please contact its U.S.-based third party dispute resolution provider (free of charge) here. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Changes to This Policy

We may update this policy to reflect changes to our information practices. If we make any material changes, we will notify you by email (sent to the email address of your Sage Intacct subscription representative on record with us) or by a notice posted in the Sage Intacct Services prior to the change becoming effective. We encourage you to periodically review this page for the latest information about our privacy practices.

Further Information

If you have any questions about how we handle your information, the contents of this policy, your rights under local law, how to update your records or how to obtain a copy of the information that we hold about you, please write to privacy.intacct[@], or by telephone to Sage Intacct’s customer support staff at 877-704-3700 (US), or via postal mail to Sage Intacct, Inc., 300 Park Avenue, Suite 1400, San Jose, CA, 95110, USA. If you wish to exercise your rights under the CCPA, you may also complete the form available here.


A copy of this privacy policy marked to show changes over the prior version is available here.