Cookie Statement

This Cookie Statement was updated on January 11, 2024

This Cookie Statement describes how SAP Concur uses cookies and similar technologies to collect and store information when you visit concur.com websites. The Privacy Statement for SAP Concur also applies in addition to this Cookie Statement. This Privacy Statement informs you about the way SAP Concur uses, stores and protects personal data collected. It also informs you of your data protection rights and how to exercise them. We recommend that you read the Privacy Statement.

What are cookies and similar technologies?

Cookies are small files placed on your device (computer, tablet or smartphone). When you access a website, a cookie is placed on your device and it will send information to the party that placed the cookie.

There are other technologies that perform a similar function to cookies. These include web beacons, clear gifs, and social plug-ins. These are often used in conjunction with cookies to help a website owner understand its users better.

What are first party cookies?

SAP Concur’s websites have first party cookies First party cookies are cookies that are specific to the website that created them. These cookies enable SAP Concur to operate an efficient service and to track patterns of user behavior to SAP Concur’s website.

What are third party cookies?

The difference between a first party cookie and a third party cookie relates to who places the cookie on your device. SAP sometimes allows third parties to place Cookies on your device. Third party cookies are placed on your device by a third party (i.e., not by SAP Concur). While SAP Concur allows third parties to access SAP Concur’s website to place a third-party cookie on your device, SAP Concur does not retain control over the information supplied by the cookies, nor does SAP Concur retain access to this information. This information is controlled wholly by that third party according to the respective privacy policy of the third party. For more information about these cookies, please click the “Cookie Preferences” link in the footer of the webpage.

Analytics and Digital Marketing in the United States of America

In the United States, SAP Concur routinely works with third party analytics and digital marketing providers who facilitate and support SAP Concur (and partner) marketing activities including targeted communications. These activities may involve the sharing of limited personal identifiers and contact information, your interests and interactions with SAP Concur, professional/employment information for those specific business purposes. In addition to the above, SAP Concur may also share your personal data with other third parties, or for other business purposes, with your explicit consent. Where required by law, SAP Concur endeavors to recognize common opt-out preference signals at a browser level, and frictionlessly exclude relevant data subjects from marketing cookies and associated tracking.

What is a session and what is a persistent cookie?

Our websites may place session and persistent cookies on your device. Whereas the difference between a first party and third-party cookie relates to the party controlling the initial placement of the cookie on your device, the difference between a session and a persistent cookie relates to the length of time the cookie lasts. Session cookies are cookies that typically last for as long as you are using your browser, or browser session. When you end your browser session, the cookie expires. Persistent cookies, as the name implies, are persistent and will last after you close your browser. This allows for quicker and often more convenient access to our website.

What cookies are used on SAP Concur websites?

SAP Concur wants you to be in a position to make an informed decision for or against the use of cookies which are not strictly necessary for the website’s technical features. If you elect to reject cookies used for advertising, you will be shown advertising that is less targeted to your interests. This will still allow you to use all of the functionality of the website.

When tracking and evaluating the usage behavior of users of the website by means of cookies or similar technologies includes the processing of your personal data, SAP Concur is conducting the processing based on the following legal permissions: (i) GDPR Article 6.I (a) if it is necessary that we ask you for your consent to process your personal data; (ii) GDPR Article 6.I (b) if necessary to fulfill (pre-)contractual obligations with you; (iii) GDPR Article 6.I (f) if necessary to fulfill (pre-)contractual obligations with the company or other legal body you represent as a customer contact (legitimate interest to efficiently perform or manage business operation of SAP Concur); or (iv) or equivalent legal permissions under other relevant national laws, when applicable.

SAP Concur differentiates between Required Cookies that are absolutely necessary for the website’s technical features, Functional Cookies that allow SAP Concur to analyze the site usage, and Advertising Cookies that are used by advertising companies to serve ads relevant to your interests.

Required Cookies

Name

Purpose

Persistent

Lifespan

_csrf

set to prevent CSRF attacks

SESSION

SESSION

_dlt

Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.

PERSISTENT

1 day

_vapi*

Cookie that contains a session identifier used to authenticate the user and deliver different APIs. Voda

SESSION

SESSION

AKA_A2

Akamai cookie

PERSISTENT

1 hour

akacd_us1

Akamai cookie

SESSION

SESSION

AMCV_3F8B2B31536CFF310A490D4C%40AdobeOrg

Unique visitor IDs used by Experience Cloud Solutions.

PERSISTENT

2 years

AMCVS_3F8B2B31536CFF310A490D4C%40AdobeOrg

Unique visitor IDs used by Experience Cloud Solutions.

SESSION

SESSION

AWSALB

AWS sticky session cookie required for load balancer routing.

PERSISTENT

7 days

AWSALBCORS

For continued stickiness support with CORS use cases after the Chromium update, we are creating additional stickiness cookies for each of these duration-based stickiness features named AWSALBCORS (ALB). See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/sticky-sessions.html for further information.

PERSISTENT

7 days

AWSELB

Elastic Load Balancing creates a cookie, named AWSELB, that is used to map the session to the instance.

SESSION

SESSION

AWSELBCORS

Elastic Load Balancing creates a second stickiness cookie, AWSELBCORS.

SESSION

SESSION

BIGipServerab13web-nginx-app_https

This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.

SESSION

SESSION

check

functional cookie to check if a class is set for content population

SESSION

SESSION

concur_uuid

Stores a unique id

PERSISTENT

1 year

concurCMS

Used for serving dynamic content in our Drupal CMS

PERSISTENT

1 month

cookietest

functional cookie for testing cookie creation 

SESSION

SESSION

i18n_redirected

use to redirect user based on language

PERSISTENT

1 year

LiSESSIONID

Session management

SESSION

SESSION

mbox

This cookie gives website operators the ability to test which online content and offers are more relevant to visitors.

PERSISTENT

31 minutes

mboxEdgeCluster

Enabling visitors to access the same edge server across the entire session

PERSISTENT

31 minutes

notice_behavior

TrustArc Manages cookie load and visitor’s cookie preferences

SESSION

SESSION

OPTOUTMULTI

save the privacy settings for a visitor for the next time they visit your site. The settings you select in Privacy Manager are saved as parameters in the cookie.

PERSISTENT

3 Months

RT

Akamai cookie

PERSISTENT

7 Days

s_invisit

The cookies identify whether users are using the domain for the first time. This is noted in the cookie as TRUE or FALSE.

PERSISTENT

30 minutes

s_lv

This cookie counts the time elapsed between two visits to the website by a single visitor.

PERSISTENT

3 years

s_lv_s

This cookie stores the time of a user’s last visit to a website.

PERSISTENT

30 minutes

s_nr

This cookie stores the date(s) when you visit the Websites, and whether you are a new or returning visitor.

PERSISTENT

1 month

s_ppn

It contains the previous link that was clicked on by the user, percentage of pages viewed on the previous page, a cookie enabled flag and some more on plugins installed in the browser such as Microsoft Silverlight and Adobe Flash.

PERSISTENT

30 minutes

s_ppv

Stores information on the percentage of the page displayed

SESSION

SESSION

s_ppvl

Stores information on the percentage of the page displayed to you

SESSION

SESSION

s_vnum

Generates a visit number for each user.

PERSISTENT

1 month

SSESS293cc2bd86022fe1fc2f08b5ddb8fe4b

SESSION

SESSION

SSESS3340d4d2d37441859b626dc0b27592d8

SESSION

SESSION

SSESS3446b22852fe913d4d6aaa1983be01f1

SESSION

SESSION

SSESS4e357c88c0fe27f1ab689cae1469b3a8

to provide a responsive website. (Drupal CMS)

SESSION

SESSION

SSESS5abff5080fea0aa9d1eb059fd760d288

SESSION

SESSION

SSESS7b16debf5fbd2ee6ef020251a02abf63

SESSION

SESSION

SSESS7c3456003640b83e630b9ed2d6a9d054

SESSION

SESSION

SSESS8f71957330e6a5854a6c367c7a32a979

SESSION

SESSION

SSESSa0d2dabfc2ab7b769d9bd64355d1f56f

SESSION

SESSION

SSESSa9d05b037e949fa5519d1e78599bc12c

SESSION

SESSION

SSESSac8444cd1d661f6125d4c0c1f34b484d

SESSION

SESSION

SSESSc697e9239316f386c20eab6435f21436

SESSION

SESSION

SSESSdd6a1af016b59e6925afc6b3d9ee94c6

SESSION

SESSION

SSESSdd764d80b00d53242b460c74beb4a243

SESSION

SESSION

SSESSf1e71756597c4da029ba58b7c776dba5

SESSION

SESSION

SSESSf95eb9e2db8e3f357bff5f0b4a3bec61

SESSION

SESSION

SSESSfa0a4c7204a9c7eb8f51939cd953584d

SESSION

SESSION

TAsessionID

Stores the user's cookie consent state for the current domain (TrustArc)

PERSISTENT

30 minutes

test

Functional cookie that is used for adding a testing 

SESSION

SESSION

tfpsi

Registers user behaviour and navigation on the website, and any interaction with active campaigns. This is used for optimizing advertisement and for efficient retargeting. (aquazzura.com)

PERSISTENT

30 minutes

Functional Cookies

Name

Purpose

Persistent

Lifespan

_cnqrLogLater

cookie set to collect non - pii asset information for marketing source attribution  

PERSISTENT

1 year

drift_aid

to store a unique user ID. (drift chat)

PERSISTENT

2 year

drift_campaign_refresh

This is the session identifier token. It is used to tie the visitor on your website with a current website session within the Drift system. This is enables session-specific features, such as popping up a messaging only once during a 30 minute session as to prevent a disruptive experience.

PERSISTENT

30 minutes

driftt_aid

to store a unique user ID. (drift chat)

PERSISTENT

2 year

qs_cid

This stores query string values for channel attribution

PERSISTENT

1 year

qs_cid_last

This stores query string values for channel attribution

SESSION

SESSION

qs_pid

This stores query string values for channel attribution

PERSISTENT

1 year

qs_pid_last

This stores query string values for channel attribution

SESSION

SESSION

TEST_AMCV_COOKIE

gcs-web.com

PERSISTENT

2 year

Advertising Cookies

Name

Purpose

Persistent

Lifespan

__cribnotes_prm

CribNotes / Adways. __cribnotes_prm. measuring the effectiveness of ads. 6 months.

PERSISTENT

6 months

__pdst

to Store and track interaction. (podsites)

PERSISTENT

1 year

__qca

to store and track audience reach for Quantcast.

PERSISTENT

13 months

__utma

This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie lasts for 2 years by default and distinguishes between users and sessions. It used to calculate new and returning visitor statistics. The cookie is updated every time data is sent to Google Analytics. The lifespan of the cookie can be customised by website owners.

PERSISTENT

2 year

__utmb

This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie determines new sessions and visits and expires after 30 minutes. The cookie is updated every time data is sent to Google Analytics. Any activity by a user within the 30 minute life span will count as a single visit, even if the user leaves and then returns to the site. A return after 30 minutes will count as a new visit, but a returning visitor.

PERSISTENT

30 minutes

__utmc

This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. It is not used in most sites but is set to enable interoperability with the older version of Google Analytics code known as Urchin.  In this older version this was used in combination with the __utmb cookie to identify new sessions/visits for returning visitors. When used by Google Analytics this is always a Session cookie which is destroyed when the user closes their browser. Where it is seen as a Persistent cookie it is therefore likely to be a different technology setting the cookie.

SESSION

SESSION

__utmz

This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour measure of site performance. This cookie identifies the source of traffic to the site – so Google Analytics can tell site owners where visitors came from when arriving on the site. The cookie has a life span of 6 months and is updated every time data is sent to Google Analytics.

PERSISTENT

6 months

_ce.cch

Used to check if cookies can be added. (Crazyegg)

SESSION

SESSION

_ce.gtld

Used to identity the top level domain (Crazyegg)

SESSION

SESSION

_clck

to store a Unique user ID

PERSISTENT

1 year

_clsk

to store and combine pageviews by a user into a single session recording.

PERSISTENT

1 Day

_fbp

to store and track visits across websites. (facebook)

PERSISTENT

3

months

_gcl_au

to store and track conversions. (Google ad sense)

PERSISTENT

3

months

_gcl_aw

to provide ad delivery or retargeting. (Google Ads)

PERSISTENT

3

months

_im_vid

Facebook

PERSISTENT

1

months

_mkto_trk

UUID Key for Marketo

PERSISTENT

2 year

_uetsid

To store and track visits across websites. (Bing Ads)

PERSISTENT

1 Day

_uetvid

To store and track visits across websites. (Bing Ads)

PERSISTENT

13

months

_yjsu_yjad

Added to cookie information and LocalStorage information that are issued and acquired via Display Ads.

PERSISTENT

1 year

aam_uuid

Adobe Audience Manager data management platform uses these cookies to assign a unique ID when a user visits a website.

PERSISTENT

1

months

at_check

internal cookie for checking if adobe target is present

SESSION

SESSION

dmdbase_cdc

This cookie is used to pass only the company name and firmographic attributes of a site visitor into analytics based on the source IP address. It is set using JavaScript.

PERSISTENT

30 minutes

has_js

to provide functions across pages. (Criteo)

SESSION

SESSION

Hm_ck_*

Cookie for website analysis. Generates statistical data about how the visitor uses the website. (Baidu)

SESSION

SESSION

Hm_lpvt_0caa6b39829c526dff4895e5d6b1d5e5

Cookie for website analysis. Generates statistical data about how the visitor uses the website. (Baidu)

SESSION

SESSION

Hm_lvt_0caa6b39829c526dff4895e5d6b1d5e5

Cookie for website analysis. Generates statistical data about how the visitor uses the website. (Baidu)

PERSISTENT

1 year

LithiumVisitor

Replaces VISITOR_BEACON. Khoros currently uses both for backward compatibility. This cookie computes billing visits, registered billing visits, visits, registered visits, and unique visitor’s metrics. The cookie is encrypted and stores when it was first issued, when it was last seen by Khoros, an unique visitor ID (which is unique per visitor’s browser).

PERSISTENT

6 months

ln_or

Used to determine if Oribi analytics can be carried out on a specific domain 

PERSISTENT

1 Day

oribi_cookie_test

To determine if tracking can be enabled on current domain 

SESSION

SESSION

oribili_user_guid

Used to count unique visitors to a website 

PERSISTENT

1 year

outbrain_cid_fetch

Used to retrieve a click id in case of missing outbrain_click_id cookie

PERSISTENT

5 Minutes

QSI_HistorySession

Qualtrics - This cookie is used to determine when the visitor last visited the different subpages on the website.

SESSION

SESSION

s_cc

This cookie allows Adobe Analytics to determine whether cookies are enabled in your browser.

SESSION

SESSION

s_ecid

to Store and track interaction. (Adobe Experience Cloud)

PERSISTENT

2 year

s_hc

Third-party Adobe Analytics cookie that governs hits

SESSION

SESSION

s_ht

Third-party Adobe Analytics cookie that governs hits.

SESSION

SESSION

utag_main

This cookie name is associated with the Tealium data platform and is used for web analytics.

PERSISTENT

1 year

VISITOR_BEACON

Computes billing visits, registered billing visits, visits, registered visits, and unique visitor’s metrics. The cookie is encrypted and stores, when it was first issued, when it was last seen by Khoros, the user ID, and its own unique ID.

PERSISTENT

6 months

wcs_bt

These cookies are used to display relevant advertising to visitors. (Naver)

PERSISTENT

13 months

How can you manage and delete Cookies?

SAP Concur provides you with the option to adjust your preferences for Functional and Advertising Cookies when such cookies are placed on your device by the website. In such a case, you can access preferences at any time by clicking on the “Cookie Preferences” link in the footer of the webpage.

You can also block and delete cookies by changing your browser settings. To manage cookies using your browser settings, most browsers allow you to refuse or accept all cookies or only to accept certain types of cookies. The process for the management and deletion of cookies can be found in the help function integrated in your browser.

If you wish to limit the use of cookies, you may not be able to use all the interactive functions of our website.

What are social plug-ins?

A social plug-in embedded on a website allows you to share content on a third party social media provider’s website. You can recognize social plug-ins as buttons displayed on website pages that feature the logo of the social media provider; e.g., for the Facebook page plug-in, you can recognize the button by a white "f" on a black background.

SAP Concur does not have influence or control over the processing of personal data on the social media provider’s website, and the social plug-in remains active until you deactivate it or delete your cookies. Please refer to the privacy and cookie statement or policy of the respective social media provider for more information about the social media provider’s data protection and privacy policies.

On which legal basis does SAP Concur makes social plug-ins available?

SAP Concur uses social plug-ins on its websites on the basis of its legitimate interest to make SAP Concur visible on social media pursuant to Article 6 (1) lit. f DSGVO or the applicable national law.

How do social plug-ins on SAP Concur websites work?

If you see one of the social plug-ins and you want to use one of these social plug-ins, click on the respective social plug-in to establish a direct connection to the server of the respective social media provider and you will be redirected to that social media provider's website.

If you have a user account on the social media provider and are logged in at the time you activate the social plug-in, the social media provider can associate your visit to SAP Concur’s websites with your user account. In this situation, data transmissions can also take place that are initiated and controlled by the respective social media provider. Your connection to a social media provider, the data transfers taking place between the network and your system, and your interactions on that platform are governed solely by the privacy and cookie statement or policy of that social media provider. Personal data may also reach providers in countries outside the European Economic Area that may not guarantee an "adequate level of protection" for the processing of personal data in accordance with EU standards. If you do not want to share any data with the social media provider in connection with an SAP website, do not click on the social media plug-in on SAP Concur’s website.

What are Media Plug-ins?

A Media plug-in embedded on a website allows you to watch remote content from a third party media provider’s website. You can recognize media plug-ins as views displayed on website pages; e.g., for YouTube, you can recognize the media plugin by a video showing the play button.

How do media plug-ins on SAP Concur websites work?

If you want to use one of content of these media plug-ins, click on the play-symbol within the media plug-in to establish a direct connection to the server of the respective media provider. The stream of the media will be redirected from the media provider to your browser.

If you have a user account on the media provider and are logged in at the time you activate the media plug-in, the media provider can associate your visit to SAP Concur’s websites with your user account. In this situation, data transmissions can also take place that are initiated and controlled by the respective media provider. Your connection to a media provider, the data transfers taking place between the network and your system, and your interactions on that platform are governed solely by the privacy and cookie statement or policy of that media provider. Personal Data may also reach providers in countries outside the European Economic Area that may not guarantee an "adequate level of protection" for the processing of Personal Data in accordance with EU standards. If you do not want to share any data with the media provider in connection with SAP’s website, do not click on the media plug-in on SAP Concur’s website.

On which legal basis does SAP Concur makes media plug-ins available?

SAP Concur uses media plug-ins on its websites on the basis of its legitimate interest to make remote content visible to the user according to Article 6 (1) lit. f GDPR or the applicable national law.

Use of YouTube Video: This website contains a plugin from YouTube, belonging to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US). We use the YouTube No-Cookies function, i.e. we have activated extended data protection, videos are not accessed via youtube.com, but via youtube-nocookie.com, which, according to the provider, only starts storing user information when the video is played. As soon as you start playing an embedded video by clicking on it, the IP address, in particular, which of our web site you have visited is communicated. However, this information cannot be assigned to you if you are not permanently logged in to YouTube or another Google service when you call up the page. SAP Concur does not have influence or control over the processing of personal data on the media provider’s website, and the media plug-in remains active until you deactivate it or delete your cookies.