1. Oracle Legal

Oracle Facilities and Physical Security Privacy Policy

1. Introduction

This Oracle Facilities and Physical Security Privacy Policy (also referred to as the “Privacy Policy”) provides information on the collection, use, and sharing (collectively referred to as “processing” or “process”) of personal information by Oracle Corporation and its affiliates (“Oracle”, “we” or “us”) as part of our safety and security measures for Oracle-managed campuses, facilities, or data centers (“Facilities”) as well as Oracle networks and systems.

This Privacy Policy was last updated on March 5, 2026. However, the Privacy Policy can change over time, for example to comply with legal requirements or to meet changing business, safety, and security needs. The most up-to-date version can be found on this website. In case there is an important change that we want to highlight to you, we will also inform you in another appropriate way (for example via a statement of changes on our website).

As used in this Privacy Policy, “personal information” or “personal data” means information that relates to an identified individual or to an identifiable individual. Please refer to Section 3 below for more detailed information on specific pieces of personal information we process.

2. Scope

This Privacy Policy applies to the processing of personal information about you by Oracle as a controller for the purposes specified in Section 4. This Privacy Policy does not apply to the following activities:

  • Personal information collected by Oracle during in-person meetings at Oracle Facilities or at Oracle events related to marketing and sales activities. Oracle may collect your personal information in connection with in-person marketing and sales activities, including events at Oracle Facilities. Please refer to Oracle’s General Privacy Policy for information on how Oracle processes personal information related to these activities, available at https://www.oracle.com/legal/privacy/privacy-policy.
  • Personal information collected about you by Oracle customers. Oracle customers are responsible for their own personal information, Biometric Data, and facial recognition data collection and processing practices, including when customers use Oracle products or services to process such personal information. You are encouraged to review the relevant privacy policy of the company who collected your information from you. Please consult that company directly if you have any further questions about its use of personal information.
  • Personal information processed by Oracle to provide Cloud, Technical Support, Consulting/ACS or other services to Oracle customers. “Services personal information” is personal information processed by Oracle on behalf of a customer in order to provide and perform contracted services. If you are an Oracle customer and Oracle is processing personal information or Biometric Data on behalf of your company, please refer to the Services Privacy Policy for information on how Oracle processes services personal information, available at https://www.oracle.com/legal/privacy/services-privacy-policy/.

3. Which categories and specific pieces of personal information about you do we process?

Oracle may collect and process personal information you provided directly when you visit an Oracle Facility or access Oracle networks or systems, and indirectly, including from security footage at such locations (described in further detail below).

Categories and specific pieces of personal information that Oracle may collect and process, include:

Identifying Information for Visits
Your name, company name, email address(es), and telephone number(s); date, time and purpose of visit; and log data pertaining to areas accessed during your visits (collectively, “Visit Information”). Oracle may collect and process additional pieces of personal information such as government issued identification and photos, where additional onsite policies may apply.

Biometric Data
“Biometric Data” which means any information based on an individual’s unique physiological, biological or behavioral characteristics, that can be used to identify an individual. Biometric Data includes similar terms defined by applicable law (such as “Biometric Information” and “Biometric Identifier”). Biometric Data includes retina or iris scans, fingerprints, voiceprints, and scans of hand, palm, or face geometry. Such data may be collected from you when you visit an Oracle Facility or when you repeatedly access Oracle networks and systems for the Security Purposes defined in Section 4.

Images, Photos, Video Footage from Security Cameras, or other footage
Oracle may collect and process images, photos, and video footage from security camera systems (including CCTV), or other footage relating to security and safety incidents involving Oracle employees, customers, contractors, and visitors to Oracle Facilities.

Inclusion of specific pieces of information in the lists above does not, by itself, mean that the information will always be considered “personal information” or “biometric data” under applicable federal, state, or local law.

4. Why and how do we use personal information about you?

We may use personal information for the following business purposes:

  • To manage and maintain an identity verification and authentication program for access to Oracle Facilities or Oracle networks and systems;
  • To prevent, detect, investigate, or respond to security incidents, identity theft, impersonation, fraud, harassment, malicious or deceptive activities, or any other illegal activities, involving Oracle personnel, visitors, or Oracle Facilities or networks and systems.
  • To improve or monitor workplace safety and security, and help ensure the safety and security of our employees, personnel and visitors of Oracle Facilities (bullets 1-3 are collectively referred to as the “Security Purposes”); and
  • To comply with Oracle’s legal obligations, applicable laws and regulations, and to operate our business.

In certain Oracle Facilities, Oracle may use Campus Safety Facial Recognition Technology (“FR Technology”) in furtherance of the Security Purposes, above.

Oracle’s FR Technology uses a combination of security video feeds and stored facial recognition templates to better protect certain areas within Oracle Facilities. Oracle’s FR Technology works by comparing live facial templates of individuals on security videos against stored facial templates of certain individuals (e.g., Oracle employees or contractors who work in certain Facilities and known unauthorized persons). “Templates” are numerical representations (or number strings) created by the FR Technology, generated by converting a mapping of various points on an individual’s face into a numeric representation. For certain individuals, a stored Template may be created from a photo (e.g., a photo taken to specifically enroll someone in the FR Technology system or a from an Oracle issued security badge photo) (“stored templates”). When Oracle uses FR Technology, live video feeds from security cameras are sent to Oracle’s FR Technology systems to create live templates (“live templates”), which are compared against stored templates in real time to determine if unauthorized individuals are detected.

When FR Technology is in use, Oracle will post notices notifying visitors with a link to this Privacy Policy at the entrances to these Facilities. As of the date of this Privacy Policy, the FR Technology in scope is only being used in Facilities in the following state(s): California.

5. For what period do we retain personal information about you?

Oracle maintains personal information for the following retention periods unless required by law:

  • Visit Information is retained for one year from the date of your visit, except where maintaining such information is needed for stated Security Purposes;
  • For Biometric Data processed by Oracle’s FR Technology, a live template generated from security camera footage for matching purposes is deleted in near real-time once the matching analysis is completed;
  • For Oracle employees and contractors, Biometric Data will be deleted within 45 days of the termination of the employment/contractor relationship with Oracle except where maintaining such information is needed for stated Security Purposes;
  • For visitors to Oracle Facilities, Biometric Data will be deleted within 45 days of your visit except where maintaining such information is needed for stated Security Purposes; and
  • Images, photos, and video footage captured by security cameras in relation to security and safety incidents are retained for a period of 90 days or as long as the investigation related to the incident remains open.

Oracle will delete Biometric Data in accordance with these retention periods.

6. What is our basis for processing personal information about you?

For personal information collected about you in the EU/EEA, the UK and other relevant jurisdictions, our basis for processing is the following:

  • We rely on our legitimate interest in processing Visit Information in order to arrange for visits to Oracle Facilities, as well as for the Security Purposes.
  • For processing Biometric Data for identity verification and authentication to access Oracle Facilities, networks and systems, we rely on your consent.
  • We rely on our legitimate interest in processing personal information from security camera systems for the Security Purposes.
  • To comply with legal obligations, applicable laws and regulations, and to comply with a subpoena or other legal process.

7. When and how can we disclose personal information about you?

We may disclose personal information with the following third parties for a business purpose:

  • Third-party service providers (for example, information technology and related infrastructure provision, auditing, security, and other similar service providers) so those service providers may perform services and business functions on behalf of Oracle;
  • Certain Oracle customers who own or operate systems in Oracle Facilities, pursuant to contracts requiring disclosure of such information for Security Purposes;
  • Relevant third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings); and
  • As required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.

When third parties are given access to personal information, we will take appropriate contractual, technical and organizational measures designed to ensure that personal information is processed only to the extent that such processing is necessary, consistent with this Privacy Policy, and in accordance with applicable law.

8. How is personal information about you secured and what is Oracle’s Incident Response Protocol?

Oracle has implemented appropriate technical, physical and organizational measures designed to protect personal information from accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as well as all other forms of unlawful processing.

Oracle promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or handling of your personal information, including Biometric Data. If Oracle becomes aware and determines that an incident involving personal information qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information transmitted, stored or otherwise processed on Oracle systems that compromises the security, confidentiality or integrity of such personal information, Oracle will report such breach to you without undue delay in a manner consistent with applicable law. As information regarding the breach is collected or otherwise reasonably becomes available to Oracle and to the extent permitted by law, Oracle will provide you with additional relevant information concerning the breach reasonably known or available to Oracle.

9. What are your privacy rights?

You can exercise your privacy rights in accordance with applicable laws as specified on our Privacy Choices page, or by filling out our inquiry form. You may have certain privacy rights, subject to applicable law in your jurisdiction, in respect of the information we process about you:

  • Opt-out of our use of your personal information
    You may withdraw consent you have previously provided for the processing of personal information about you.
  • Delete personal information
    You can ask us to erase or delete all or some of the personal information about you.
  • Change or correct personal information
    You can edit some of the personal information about you by. You can also ask us to change, update or fix personal information about you in certain cases, particularly if it is inaccurate.
  • Object to, or limit or restrict use of personal information
    You can ask us to stop using all or some of the personal information about you (for example, if we have no legal right to keep using it) or to limit our use of it (for example, if the personal information about you is inaccurate).
  • Right to access and/or have your information provided to you
    You can also ask us for a copy of personal information about you and can ask for a copy of personal information about you provided in machine readable form if you reside in the EU, California or other jurisdiction that provides you this right as a matter of law.

If you are authorized to make an access or deletion request on behalf of a data subject, please reach out to us via the inquiry form and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a data subject.

In the event you have previously created an account for a certain Oracle portal, you can access and manage your personal information stored in these portals (i) by clicking the links and following the corresponding instructions, and (ii) taking the actions within each portal with regards to your personal information, such as updating your contact details, deleting certain entries or records, or downloading a copy of your profile. Please note that these actions are available to the extent permitted by each portal’s functionality.

If your inquiry relates to your company’s service account or support of Oracle products or services, please note the Oracle Privacy team cannot delete, correct, or access service account data or terminate your contracted Oracle product or service account. Please go to the Contact Oracle page for resources and contact information to administer service account data.

10. What are my rights as a California Resident?

You can exercise your privacy rights in accordance with applicable laws by filling out our inquiry form. Under the California Consumer Privacy Act (CCPA), as amended, California residents may request that we:

  • 1. disclose to you the following information:
    • the categories and specific pieces of personal information we collected about you (see Section 3);
    • the categories of sources from which we collected such personal information (see Section 3);
    • the business purpose for collecting personal information about you (see Section 4); and
    • the categories of third parties to whom we disclosed personal information (see Section 7).
  • 2. delete personal information we collected from you or correct inaccurate personal information about you (see Section 9); or
  • 3. opt-out of any future sale of personal information about you.

Note, Oracle does not sell or share your personal information, as those terms are defined under the CCPA, under this Privacy Policy.

We will respond to your request consistent with applicable law and related exceptions. If you are an authorized agent making an access or deletion request on behalf of a Californian resident, please reach out to us via the inquiry form and indicate that you are an authorized agent. We will provide you with instructions on how to submit a request as an authorized agent on behalf of a Californian resident.

If you are a California resident, you may obtain information about exercising your rights, as described above, by contacting us at 1-800-633-0748. For information on the CCPA requests Oracle received, complied with, or denied for the previous calendar year, please visit Oracle’s Annual Consumer Privacy Reporting page, available here.

11. Data Protection Officer

Oracle has appointed a Global Data Protection Officer. If you believe your personal information has been used in a way that is not consistent with the Privacy Policy or your choices, or if you have further questions, comments or suggestions related to this Privacy Policy, please contact the Global Data Protection Officer by filling out an inquiry form.

Written inquiries to the Global Data Protection Officer may be addressed to:

Oracle Corporation
Global Data Protection Officer
Willis Tower
233 South Wacker Drive
45th Floor
Chicago, IL 60606
U.S.A.

For personal information collected about you in the EU/EEA or other relevant regions, the EU Data Protection Officer can be contacted by filling out an inquiry form and selecting “Contact Oracle’s external EU DPO” in the dropdown menu. Written inquiries may be addressed to:

Robert Niedermeier
Hauptstraße 4
D-85579 Neubiberg / München
Germany

For personal information collected from individuals INSIDE Brazil, written inquiries to the Brazilian Data Protection Officer may be addressed to:

Alexandre Sarte
Rua Dr. Jose Aureo Bustamante, 455
Vila São Francisco
São Paulo, BR

12. Filing a complaint

If you have any complaints regarding our compliance with this Privacy Policy, please contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this Privacy Policy and in accordance with applicable law. You also have the right to file a complaint with a competent data protection authority (see Contact information for Data Protection Authorities and Country Specific Disclosures).

13. Oracle Corporate Headquarters

Oracle’s corporate headquarters are located at:
2300 Oracle Way
Austin, TX 78741
USA
Tel: +1.737.867.1000

Get started


Privacy Inquiries

Contact Oracle's Privacy Team regarding a marketing privacy-related question, comment, or issue.

Submit a request