Salesforce, Inc. and/or its affiliated entities (“Salesforce, “we”, “us”, or the “Company”) are responsible for the processing of your Personal Data as described in this Privacy Statement, unless specified otherwise, and act as the controller of such Personal Data. A list of Salesforce’s affiliates can be found in the List of Subsidiaries section of Salesforce’s most recent Form 10-K, available under the SEC Filings tab by selecting the “Annual Filings” filter on the page locatedhere.

This Privacy Statement does not apply to the extent we process Personal Data as a processor or service provider on behalf of our customers, including where we offer to our customers various services through which our customers (or their affiliates): (i) create their own websites and applications running on our platforms; (ii) sell or offer their own products and services; (iii) send electronic communications to others; or (iv) otherwise collect, use, share or process Personal Data via our services.

For detailed privacy information related to a Salesforce customer or a customer affiliate who uses Salesforce services as the controller, please contact our customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those explained in this Privacy Statement. For more information, please also see Section 10.3 below.

• AppExchange, which is an online marketplace for on-demand web applications that run on the Salesforce platform and that may be provided by us or by third parties (seehttps://appexchange.salesforce.com/), and

• Tableau’s Extension Gallery (https://extensiongallery.tableau.com) which offers connectors and solutions that provide additional functionality for Tableau, such as dashboard extensions.

When applications, connectors, extensions or other solutions are provided by us and they link to this Privacy Statement, this Privacy Statement applies. When these offerings are provided by third parties, the privacy statement of the relevant third party applies and this Privacy Statement does not.

Our websites and services may contain links to other websites, applications, platforms and services maintained by third parties. Salesforce does not control these and the information practices of those third parties, including the social media platforms that host our branded social media pages, are governed by their own privacy statements. It is recommended that you read the applicable privacy statements carefully to understand their privacy practices.

In some circumstances, we also collect, or our partners provide us with, publicly available information which may contain Personal Data that you have published or that has been made available online. The way in which our partners collect this is detailed in their own privacy statements, available on their websites.

Salesforce may use artificial intelligence to process your Personal Data, including to develop and deploy AI systems. Where artificial intelligence is leveraged, it will only be used where legally permissible, in compliance with this Privacy Statement, and in a manner which is consistent with our commitments and values. More information on Salesforce’s responsible AI practices can be foundhere.

For the avoidance of doubt, this applies where Salesforce processes your Personal Data as a controller. It does not apply to Personal Data you voluntarily submit to our services as an authorised user of a Salesforce customer for which Salesforce always acts as a processor.

We may also use aggregated Usage Data for legitimate internal business purposes, such as to identify additional customer opportunities, and to ensure that we are meeting the demands of our customers and their users. For more information regarding Tableau specifically, please seehere andhere.

4.2 Our use of cookies, web beacons and other tracking technologies on our website and in email communications to you.

We use technologies such as web beacons, pixels, tags, and JavaScript, alone or in conjunction with cookies, to collect information about the use of our websites and how people interact with our emails.

When you visit our websites, we, or an authorized third party, may place a cookie on your device that collects information, including Personal Data, about your online activities over time and across different sites. Cookies allow us to track use, infer browsing preferences, and improve and customize your browsing experience.

We use both session-based and persistent cookies on our websites. Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain on your device after you close your browser or turn your device off. To change your cookie settings and preferences for one of our websites, navigate to the “Cookie Preferences” link available in any salesforce.com website footer to choose your settings. You can also control the use of cookies on your device, but choosing to disable cookies on your device may limit your ability to use some features on our websites and services.

We also use web beacons and pixels on our websites and in emails. For example, we may place a pixel in a marketing email that notifies us when you click on a link in the email. We use these technologies to operate and improve our websites and marketing emails – please see more details in the “Advertising Cookies” row in the table below. For instructions on how to unsubscribe from our marketing emails, please see Section 10.4 below.

The following describes how we use different categories of cookies and similar technologies, and details your options for managing the data collection settings of these technologies:

•Salesforce affiliates: With affiliates within the Salesforce corporate group and companies that we acquire in the future after they are made part of the Salesforce corporate group, to the extent such sharing of data is necessary to fulfill a request you have submitted via our websites or for customer support, marketing, technical operations, event registration and account management purposes. A list of Salesforce’s affiliates can be found in the List of Subsidiaries section of Salesforce’s most recent Form 10-K, available under the SEC Filings tab by selecting the “Annual Filings” filter on the page locatedhere;

•Event sponsors: If you attend an event or webinar organized by us, or download or access a resource on our website, we may share your Personal Data with the sponsors of the event or the sponsor of the resource. In these circumstances, the processing of your Personal Data will be governed by the relevant sponsors’ privacy statements, which we recommend you read carefully. If required by applicable law, we may seek your consent to such sharing via the registration form. If you do not wish for your Personal Data to be shared, you may choose to not opt-in via the event/webinar registration form, or you can opt-out in accordance with Section 10 below. In the event you choose to opt-in to have your badge scanned by an event sponsor, you are providing your Personal Data directly to the sponsor (not to Salesforce) and the processing of your badge data will be subject to the event sponsor’s privacy policy;

•Partners: With specific partners that offer supplementary services to those provided by Salesforce, such as partners that offer sustainability resources, or that resell Salesforce services, (where required by applicable law, only to the extent you consent to such sharing);

•Customers with whom you are affiliated and/or the applicable partner responsible for access to your services: If you use our services as an authorized user, we may share your Personal Data with your affiliated customer and/or the applicable partner responsible for your access to the services to the extent this is necessary for verifying accounts, activity and Salesforce certifications, investigating suspicious activity, or enforcing our terms and policies;

•Contest and promotion sponsors: With sponsors of contests or promotions for which you register in order to fulfill the contest or promotion;

•Third party networks and websites: With third-party social media networks, advertising networks and websites, so that Salesforce can market and advertise on third party platforms and websites;

•Salesforce-affiliated App Exchange partners: Specifically in relation to the AppExchange website, if you choose to interact with or use third-party tools, we may share your Personal Data with our third party partners who may contact you regarding their products or services in accordance with law or our contractual commitments;

•Professional advisers: In individual instances, we may share your Personal Data with professional advisers acting as service providers, processors, or joint controllers - including, for example, lawyers, bankers, auditors, and insurers who provide professional services to us;

•Third parties involved in a corporate transaction: If we are involved in a merger, reorganization, dissolution or other fundamental corporate change, or sell a website or business unit, or if all or a portion of our business, assets or stock are acquired by a third party. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party;

•Third party accounts: In relation to Tableau, if you connect to your third party accounts through our services, we will use that information to authenticate you, enumerate the data sources available to you, download any data you request us to, and download and refresh authentication tokens or persist authentication information such as user names and passwords as necessary to continue to connect to these data; and

•Public authorities: With legal bodies, judicial,public and government authorities, to the extent we are compelled to disclose Personal Data to comply with our legal obligations.

We may also share aggregated Usage Data with Salesforce’s service providers for the purpose of helping Salesforce in such analysis and improvements. Additionally, Salesforce may share Usage Data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.

Anyone using our communities, forums, blogs, or chat rooms on our websites may view any Personal Data or other information you choose to submit and post.

Further, Salesforce commits to comply with theEU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the “DPF”) and certifies its adherence to the DPF Principles as set forth by the U.S. Department of Commerce, including the onward transfer liability provision, regarding the processing of your Personal Data transferred to the U.S. in reliance on the DPF. Salesforce’s commitments under the DPF are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

If you have any questions or concerns regarding our handling of your Personal Data, please contact us using the contact information provided below. Salesforce commits to cooperate and comply with the advice of the panel established by the EU data protection authorities, the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of your Personal Data received in reliance on the DPF. If neither Salesforce nor these authorities resolve your complaint, you may have the possibility to engage in binding arbitration through the DPF Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles (including the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework).

If we process your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from Salesforce by clicking on the “unsubscribe” link located on the bottom of Salesforce marketing emails, by replying or texting ‘STOP’ if you receive Salesforce SMS communications, or by unsubscribinghere.

You may also turn off push notifications on Salesforce apps on your device, or unsubscribe by contacting us using the information in the “Contacting us” Section 13, below.

Please note thatopting out of marketing communications will not stop important business communications related to your current relationship with us, such as service announcements, event registrations, or security information.

10.5 Your preferences for telemarketing communications

If you want your phone number to be added to our internal Do-Not-Call telemarketing register, please contact us by using the information in Section 13 below. Please include your first name, last name, company and the phone number you wish to add to our Do-Not-Call register.

Alternatively, you can always let us know during a telemarketing call that you do not want to be called again for marketing purposes.

Salesforce has appointed aData Protection Officer and, in India, a Grievance Officer. To exercise your rights regarding your Personal Data, or if you have questions regarding this Privacy Statement or our privacy practices please fill outthis form, email us atprivacy@salesforce.com ordatasubjectrequest@salesforce.com, call us at +1-800-931-7365, or write to us at:

Salesforce Data Protection Officer (Salesforce Privacy Team)

415 Mission St, 3rd Floor

San Francisco, CA 94105, USA

When you contact us, please indicate in which country and/or state you reside.

If you have an unresolved concern in respect of our processing of your Personal Data that you believe we have not addressed satisfactorily, you can contact our U.S.-based third party dispute resolution provider (free of charge) athttps://feedback-form.truste.com/watchdog/request.

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the followingwebsite.

We participate in both the APEC CBPR and APEC PRP system. If you have an unresolved privacy or data use concern that we have not addressed to your satisfaction, please contact our third party dispute resolution provider (free of charge) athttps://trustarc.com/dispute-resolution/.

If you would like to opt-out of shares using your cookie identifiers, turn on a Global Privacy Control in your web browser or browser extension. Please see the California Privacy Protection Agency’s website athttps://oag.ca.gov/privacy/ccpa for more information on valid Global Privacy Controls. If you would like to opt-out of shares using other identifiers (like email address), please refer to Section 10.2 of this Privacy Statement.

We may need to verify your identity and place of residence before completing your rights request.