Privacy Notice

Last Updated: 11 March 2026

This notice is provided in accordance with Articles 12, 13, and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and applicable U.S. state privacy laws.

At BeyondTrust, we are committed to safeguarding your privacy and protecting your personal information. This Privacy Notice provides you with the necessary information regarding your privacy rights and our obligations. Here we explain how, why, and when BeyondTrust process your personal data when you use our website, services, or products. This includes any data you provide via our website when you purchase any products or services, request a trial, or register for a marketing event.

It is important that you read this Privacy Notice together with any other notice we may provide on specific occasions when we are processing personal data about you. In this way you can be fully aware of how, why and when we are using your data. This Privacy Notice supplements any other notices and is not intended to override them.

We recommend that you read this Privacy Notice in full to ensure you are fully informed. We have provided links to specific sections below to assist in finding specific information relevant to you.

BeyondTrust processes different categories and types of personal data about you when you navigate our websites or use our services and products. In this section you will find:

• The categories and types of personal data we process about you

• The purpose and the lawful ground for processing your data

• An explanation of how we collect your personal data

We have also included some useful definitions to help you understand this section better.

What is personal data?
Personal data, or personal information, is any information that, either alone or in combination with other information, enables us to identify you. It does not include any data where the identity has been removed (ie anonymous data). Please note that the definition of personal data or personal information may change depending on the applicable law.

What is processing?

Processing means any operation that is performed on your personal data. It can be done manually or by automated means, and it includes the following operations: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction.

Data You Send to Us

You may provide us with your information by filling in forms or by corresponding with us. This includes personal data you provide when you:

• Apply for our products or services

• Create an account or register as a referral and reseller customer

• Subscribe to our newsletter or other similar services

• Request marketing communications or materials

• Apply for a job

• Enter a contest or respond to a survey, or otherwise provide feedback
  

Data We Collect Automatically

We automatically collect information during your visit to our websites, newsletters, discussion forums and lists and opt-in announcement lists (the "BeyondTrust Network"). We do this via our automatic data collection tools ("Data Collection Tools"), such as cookies, web beacons, embedded web links, and other commonly used tracking technologies.

These Data Collection Tools collect technical and usage data that your browser sends to our websites such as your browser type and language, access times, and the address of the website from which you arrived at the BeyondTrust Network. These Data Collection Tools may also collect information about your IP address, clickstream behavior and product information. When a visitor requests a page from any website within the BeyondTrust Network, our web servers automatically recognize that visitor's domain name and IP address.

We collect and use your IP address and cookie information to better understand your needs and interests to help deliver a consistent and personalized experience on the BeyondTrust Network. We will only use your IP address to the extent necessary to protect our legitimate interests or the legitimate interests of a third party (this may include pursuing legal claims and investigating criminal offences).

You can adjust your cookie preferences here. For more information on our use of cookies and similar tracking technologies, visit our Cookie Notice.

Third Parties and Publicly Available Information

We also collect information from credible third party and commercially available sources. The information we collect from these sources may include your name, phone number, business address, email address, firmographic data, which may be used along with the information we collect when you visit the BeyondTrust Network.

Aggregated Data

We also collect, use, and share aggregated data such as statistical or demographic data for different purposes. Aggregated data may be derived from your personal data but is not considered personal data according to applicable law, as this data does not directly or indirectly reveal your identity, and instead relates to a number of individuals. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.

Special Categories of Personal Data

Special categories of personal data are also called sensitive data. They are personal data that deserve stronger protection because of their sensitive nature. For example, the following are sensitive personal data:

1. Race and ethnic origin
2. Religious or philosophical beliefs
3. Sex life and sexual orientation
4. Political opinions
5. Trade union membership
6. Health information
7. Genetic and biometric data

We do not generally collect any special categories of personal data about you. We also do not collect any information about criminal convictions and offences, except for background checks we perform on job applicants to whom we would like to offer a position. See our Candidate Privacy Notice for more information.

Additional Information

We will only use your personal data for the purposes for which we collected it. However, if we reasonably consider that we need to use it for another reason that is compatible with the original purpose, we may do that. You can contact us if you want an explanation of how the processing for the new purpose is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do. If we need, we will ask your consent. However, we may process your personal data without your knowledge or consent, where this is required or permitted by law.

We will only share your personal data with external subjects in these circumstances:

Third Party Service Providers

We use service providers to deliver our products, services and customer solutions and to assist us with marketing and other communications. These providers include, for example, payment processors, providers of customer support and live-help services, email service providers, automated data processors, and shipping agents. We require all service providers to keep your personal data confidential, to respect the security of your personal data and treat it in accordance with the law.

Third Party Acquirer

If we sell, transfer, or merge parts of our business or our assets to third parties, we may share your personal data with them. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this Privacy Notice. If there is such a change in ownership, we will notify you as soon as practicable.

Other Third Parties

We may also share your personal data with external third parties in these cases:

• To comply with any applicable law, regulation, subpoena, or court order.

• To respond to authorized information requests of police and governmental authorities.

• To protect the safety of our employees and third parties on our property.
• To answer lawful access requests by public authorities, including to meet national security or law enforcement requirements (for more information, see our Government & Law Enforcement Request Policy and Transparency Report).
• To help prevent fraud or to enforce or protect our rights and properties.

Third Party Links

Our website includes links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their Privacy Notices. When you leave our website, we encourage you to read the Privacy Notice of each website you visit.

Automated Decision-Making and Profiling

We may use your transactional and usage data to create a profile of your interests for the purpose of recommending relevant products, services, or events (see Direct Marketing Activities above). This profiling does not produce legal effects concerning you or similarly significantly affect you, and you may object to it at any time by contacting our DPO or using our marketing preference centre.

We do not currently make any decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant effects on you. If this changes, we will update this notice and, where required, obtain your explicit consent or ensure another lawful exception applies, and inform you of your right to obtain human intervention, express your point of view, and contest the decision.

We have appropriate physical, technical, and administrative data security measures to protect your personal data. This allows us to prevent unauthorized access, use or disclosure; to maintain data accuracy; and to ensure the appropriate use of your personal data.

However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. In the event of a breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, unless an applicable exception applies.

For more information on our security program and certifications, visit our Security page.

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for. This includes the purposes of satisfying any legal, accounting, or reporting requirements. We consider different factors to determine the appropriate retention period for personal data. For example, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes of processing and if we can achieve those purposes in other ways, and the applicable legal requirements.

BeyondTrust is an organization based in the US and operating globally. We may transfer your personal data outside of your country of residence or presence to where we or our service providers operate (you can see a list of our affiliates and sub-processors here). No matter where your personal data may be transferred, we will always protect it as described in this Privacy Notice.

When we transfer personal data originating from the EU, the UK, or Switzerland, we use the following transfer mechanisms:

• Adequacy decisions, as adopted by the competent regulators (EU Commission, UK Secretary of State, or Swiss data protection authority); or
• EU Standard Contractual Clauses (SCCs), as amended or recognized by respectively the UK and Swiss regulators.

BeyondTrust carries out transfer impact assessments (TIAs) before transferring EU, UK, or Swiss personal data internationally. We also monitor the circumstances of the transfers, to ensure that the personal data is granted a level of protection substantially equivalent to the one provided under EU, UK, or Swiss law.

Where we transfer personal data originating from other countries, we rely on one of the transfer mechanisms provided by the applicable law in the given country. This may include, among others, an adequacy/equivalence decision, data transfer agreements, or your consent to the transfer.

BeyondTrust complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. BeyondTrust has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. BeyondTrust has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.

BeyondTrust Corporation is the sole U.S. legal entity that processes personal data under the Data Privacy Framework. No additional U.S. subsidiaries or affiliated entities are covered by this certification.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, BeyondTrust commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact BeyondTrust at: [email protected]. EU data subjects may also write to our offices in Paris or Frankfurt, and UK data subjects may write to our Manchester office, using the addresses provided in the 'Who We Are and What We Do' section above.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, BeyondTrust commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit Submit a Report - Watchdog for more information or to file a complaint. These dispute resolution services are provided at no cost to you.

DPF Choice Principle: You have the right to opt out if your personal data received under the Data Privacy Framework is to be (a) disclosed to a third party that is not acting as our agent (i.e., not processing data solely on our behalf and under our instructions), or (b) used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorised by you. To exercise either opt-out right, contact our DPO at [email protected]. Where your personal data includes sensitive data (such as health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning sex life, or data relating to criminal offences), we will obtain your affirmative express consent (opt-in) before disclosing it to a non-agent third party or using it for a materially different purpose, unless you have already explicitly consented to such processing.

The Federal Trade Commission has jurisdiction over BeyondTrust’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: Data Privacy Framework.

In certain situations, BeyondTrust may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In the context of onward transfers, BeyondTrust is accountable for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. BeyondTrust remains liable under the EU-U.S. DPF Principles, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles if the BeyondTrust’s agent processes personal information in a manner inconsistent with the EU-U.S. DPF Principles, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles, unless the BeyondTrust proves that it is not responsible for the event giving rise to damage.

We do not currently respond to browser-based "do not track" signals or similar mechanisms.

We are a B2B organization directed to adults. Our website, products and services are not intended for use by children. We define "children" as individuals under the age of 16 (the default threshold under GDPR Article 8) or under the applicable age threshold in your jurisdiction (which may be 13 in certain U.S. states under COPPA). We also do not knowingly collect children’s data. If we learn that we collected a child’s personal data, we will delete it as soon as possible. If you become aware that a child has provided us with personal data, contact us at [email protected].

We may update this Privacy Notice to reflect changes to our privacy and security practices or changes in applicable law. If we make any material changes, we will provide notice on our website as soon as practicable and, if possible, before the change becoming effective. We encourage you to periodically review this Privacy Notice for the latest information on how we process your personal data. You can access archived versions of this Privacy Notice and read a summary of the latest changes here.

Email	[email protected]
Address	11695 Johns Creek Parkway, Suite 200, Johns Creek, Georgia 30097. You can also find our global offices in our Contact page.
Telephone	1-877-826-6427

We will process your privacy enquiries as soon as practicable in accordance with our legal requirements and, if appropriate, inform you which measures we have taken.