Effective Date: September 22, 2020
Purpose of this privacy notice
This privacy notice aims to provide you with the necessary information regarding your rights and our obligations, and explains how, why and when BeyondTrust processes your personal data through your use of our website, including any data you may provide through our website when you purchase any products or services or request a trial. Our website is not intended for children and we do not knowingly collect data relating to children. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting, disclosing, transferring, securing, or processing personal data about you so that you are fully aware of how, why and when we are using your data. This privacy notice supplements any other notices and is not intended to override them.
Who we are
BeyondTrust (referred to as “BeyondTrust”, “we”, “us” or “our”) is a controller of the personal data it collects and is responsible for such personal data. BeyondTrust gathers and processes your personal data in accordance with this privacy notice and in compliance with the relevant data protection regulations and laws, including, if applicable, the General Data Protection Regulation (“GDPR”). BeyondTrust’s principal office is at 11695 Johns Creek Parkway, Suite 200, Johns Creek, Georgia 30097 and we are a US corporation registered in Delaware. We have appointed a designated Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice and the processing of your personal data by us. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our Data Protection Officer, Martin Willoughby, or GDPR Representative, Valerie Moulden, by email at firstname.lastname@example.org or by telephone at 1-877-826-6427. You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
EU-U.S. Privacy Shield Framework
BeyondTrust recognizes that the European Union (“EU”) and Switzerland have established strict protections regarding the handling of EU and Swiss personal data, including requirements to provide adequate protection for EU and Swiss personal data transferred outside of the EU or Switzerland (as applicable). To provide adequate protection for EU and Swiss personal data received in the US, BeyondTrust participates in and has self-certified its compliance with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks administered by the US Department of Commerce (“Privacy Shield”). We are committed to processing all personal data received from the EU and Switzerland, in reliance on the relevant Privacy Shield and in accordance with the principles required under the applicable Privacy Shield. We comply with the Privacy Shield Principles of: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability for personal data from the EU and Switzerland.
BeyondTrust is responsible for the processing of data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. BeyondTrust complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. For the purposes of enforcing compliance with the Privacy Shield, BeyondTrust is subject to investigatory and enforcement authority of the U.S. Federal Trade Commission and in certain situations, we may be required to disclose EU or Swiss personal data in response to lawful requests by US public authorities, including, for example, to comply with national security or law enforcement requirements. To learn more about the Privacy Shield, and to view our certification, visit the U.S. Department of Commerce's Privacy Shield List, https://www.privacyshield.gov/.
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of each website you visit.
1. What information are we collecting and for what purpose?
We may collect, use, store and transfer different kinds of personal data about you when you perform different activities on our website, which we have grouped together follows:
a. General access to our website
Every time you visit our website, our system automatically collects data and information from the computer system or device that you are using to access our website (further information is provided in the Data Collection Tools section below). The following types of data may be collected:
Technical data, including:
· Information about your browser type and version;
· Your operating system and platform and other technology on the devices you use to access our website;
· Your Internet service provider;
· The internet protocol (“IP”) address for your device; and
· Date and time you access our website as well as time zone settings and location.
Usage data, including:
· Information about how you use our website, products and services;
· Details of websites from which you have accessed our website; and
· Details of websites you access from our website (for example, where you click on a link from our website).
Marketing and communications data, including:
· Your preferences in receiving marketing from us and our third parties and your communication preferences.
The storage of some of the above information, such as the technical data (including IP addresses), by our systems is necessary to enable the website to be delivered to your device and it is essential that we keep this information for the duration of your session on our website. The above information is also stored in the log files of our system, and we have measures in place to ensure that this data is not stored together with other personal data of the user. Under the GDPR, our lawful basis for processing this information is that is it necessary for our legitimate interests for running our business, to identify types of customers for our products and services, providing you information on our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.
b. Inquiries, Online Trials, Demos etc.
When you inquire about or order products or services either through our website or other methods of communication, we may ask you to provide personal data in order to complete these transactions and provide the relevant products and services to you. The types of personal data you provide to us in connection with this may include:
Contact information, including:
· Your full name;
· Your address;
· A contact telephone number; and
· An email address.
Identity data, including:
· Your user IDs or username; and
· Your password.
Finance and transaction data, including:
· Your product and service preferences;
· Your bank account information;
· Your payment card information; and
· Your billing address (some of this information may be collected through our payment services provider’s website).
We store this data in our central customer database solely for the purposes of the fulfilment of your inquiries, fulfilment and processing of contracts (including payment processing and, if applicable, credit assessment) and for our own advertising purposes (please see below for further information). Payment card information is used only for processing payments, processing a decision as to whether to offer credit and fraud prevention, we do not use it for any other purpose and will not be kept longer than necessary for performing this processing, unless you ask us to retain your credit card information for future purchases. Under the GDPR, our (and our third party payment provider’s) lawful basis for the processing this contact information, identity data and finance and transactional data is that it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will try to notify you if this is the case at the time.
c. Marketing, advertising and subscriptions (Newsletters, Mailings)
You can subscribe to our free newsletter service through our website. When registering for the newsletter, you may provide us with personal data when you complete the online form. We may also ask you about your marketing preferences when you purchase any products or services. In addition, we may automatically collect personal data upon your registration. The types of personal data you provide to us or we collect in connection with this may include:
Contact information, including:
· Your full name; and
· An email address.
Transaction data, including:
· Details of products and services you have purchased or trialed from us;
· Details of products and services in which you have expressed an interest.
Marketing and communications data, including:
· Your preferences in receiving marketing from us and third parties; and
· Your communication preferences.
Technical data, including:
· Your IP address; and
· Date and time of your registration.
We would like to keep you informed about new products, our services and interesting events and therefore, we use your personal data to recommend certain of our products, services or events that may be of interest to you by email or post. To provide more relevant information to you, we may process data relating to your purchase history. We will only use your data for our own marketing and advertising purposes and do not transfer any personal data to third parties for marketing purposes.
If you purchase, take a trial of, or express interest in any of our products or services through our website, we may also send you a newsletter to the contact details you provide. Our newsletter will only advertise our products or services that are similar to those that you have purchased, trialed or in which you have expressed interest, you have not opted out of receiving that marketing.
If you do not purchase or trial any of our products or services, but wish to subscribe to our newsletter, we ask you to consent to us processing your personal data for these purposes and we reference this privacy notice during the registration process. None of this personal data is passed on to third parties and will be used exclusively for the purposes of sending you our newsletter.
You have the right to withdraw your consent and stop receiving these newsletters at any time by contacting us (using the details set out in this privacy notice) or using our subscription manager https://www.beyondtrust.com/forms/manage-subscriptions. We partner with third party advertising networks to display advertising on our website or to manage our advertising on other sites. Our advertising network providers may collect information about your activities on our website and other websites to provide targeted advertising based on your interests. Further details about how your data is used is set out in the Behavioral Targeting/Re-Targeting section below. Under GDPR, where we have asked for your consent to provide the above marketing to you, our lawful basis for processing this information is that you have given your consent to the processing for these specific purposes. Where we have not requested your consent for the above marketing, our lawful basis for the processing this information is that, this processing is necessary for our legitimate interests to study how customers use our products or services, to develop them, to grow our business and to inform our marketing strategy.
d. Partner Relationship Management
We utilize Salesforce.com (a processing platform) as a Partner Relationship Management (PRM) tool. We use this to give our referral and reseller partners access to our sales and marketing materials, as well as to allow them to submit leads for deal registration and to view their existing sales opportunities with us. We collect the following information through this processing platform:
Contact information, including:
· Full name;
· Telephone number;
· Job title;
· Address; and
· Email address.
Under the GDPR, our lawful basis for the processing this contact information is that it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract. Further, it necessary for our legitimate interests for running our business, and for providing you information on our products and services.
e. Job Applications
Individuals may submit job applications through our website. If you decide to apply for a job through our website, you may need to provide the following information through the process:
Contact information, including:
· Full name;
· Home address;
· Personal email; and
· Home and/or mobile telephone number.
Identity data, including:
· Education and other information on your resume/CV.
We may need to process the contact information to discuss and process the application and/or to inform you of the outcome.
We may need to process this identity data you provide, together with information from third party sources to perform verifications and other checks, for example, ensuring you have the right to work in the relevant location, our lawful basis for processing this information is that such processing is necessary for compliance with our legal obligations. We may also need to process the identity data information to verify information on your resume/CV such as qualifications and employment history and our lawful basis for processing this information is that is it necessary for our legitimate interests for running our business and preventing fraud.
Under GDPR, our lawful basis for the processing of the information you provide as part of your application for a job at BeyondTrust is that such processing is necessary in order to take steps at your request prior to entering into a contract with you. We would also process this and further information in accordance with our legitimate interests in deciding whether to appoint you to a role.
f. Surveys or Contests
From time-to-time we may provide you the opportunity to participate in contests or surveys on our site. If you participate, we will request certain personal data from you. Participation in these surveys or contests is completely voluntary. The information we request typically includes:
Contact information, such as:
· Full name
· Telephone number
· Email address
Profile data, including:
· Your interests, preferences, feedback and survey responses
We use may use a third party service provider to conduct these surveys or contests; we place restrictions on that third party service provider from using your personal data for any purpose other than conducting the survey or contest. We will not share the personal data you provide through a contest or survey with other third parties unless we notify you of this in advance. Under GDPR, our lawful basis for the processing information provided for surveys is that such processing is necessary for our legitimate interests to study how customers use our products and services, to develop them and grow our business. Our lawful basis for information provided for contests is consent.
Additional information about the data we process.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity and relates to a number of individuals. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details set out in this privacy notice. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so and will seek your consent where required. Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
2. How is your personal data collected?
We use different methods to collect data from and about you including through:
a. Direct interactions
You may provide us with your information by filling in forms or by corresponding with us. This includes personal data you provide when you:
· Apply for our products or services
· Create an account or register as a referral and reseller customer
· Subscribe to our newsletter or other services
· Request marketing to be sent to you
· Apply for a job
· Enter a contest or responding to a survey, or otherwise provide feedback.
b. Data Collection Tools
In addition to the information you provide to us, we may also automatically collect information during your visit to our website, newsletters, discussion forums and lists and opt-in announcement lists owned and operated by us (the "BeyondTrust Network") through our automatic data collection tools ("Data Collection Tools"), which include cookies, Web beacons, embedded Web links, and other commonly used information gathering tools.
These Data Collection Tools collect certain standard information that your browser sends to our website such as your browser type and language, access times, and the address of the website from which you arrived at the BeyondTrust Network. These Data Collection Tools may also collect information about your IP address, clickstream behavior and product information. When a visitor requests a page from any website within the BeyondTrust Network, our web servers automatically recognize that visitor's domain name and IP address.
We collect and use your IP address and cookie information to better understand your needs and interests to help deliver a consistent and personalized experience on the BeyondTrust Network. We will only use your IP address to the extent necessary to protect our legitimate interests or the legitimate interests of a third party (this may include pursuing legal claims and investigating criminal offences).
(1) Language settings
(2) Log-in information
(3) Cookie Preferences
(1) Entered search terms
(2) Frequency of page views
(3) Use of website functions
ii) What are embedded web links and how do we use them?
Some emails we send may use links designed to lead you to a relevant area on our website. The redirection system allows us to change the destination URL of these links, if necessary, and to determine the effectiveness of our marketing initiatives. These web links may also allow us to determine whether you have clicked a link in an email, and this information about your interaction may be connected to your personal data. If you do not want us to collect information about the links that you click, you can: (1) change your choice about how you receive communications from us (i.e. choose a text-based version of the message where available); or (2) choose not to click on links in an email that we send to you.
iii) Behavioral Targeting/ Re-Targeting
iv) Social Media Widgets
c. Third parties or other publicly available sources
3. Will we disclose the information we collect to outside third parties?
We will not share your personal data to others except as described in this privacy notice. We share your personal data in the following ways:
a. Third party suppliers and service providers
We retain service providers and suppliers to deliver our products, services and customer solutions and to assist us with marketing and other communications. These providers and suppliers include, for example, payment processors, providers of customer support and live-help services, email service providers, automated data processors, and shipping agents. We require all third party suppliers and service providers to keep your personal data confidential, to respect the security of your personal data and treat it in accordance with the law. We do not allow our third party suppliers and service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes, such as carrying out the services they are performing for us, and in accordance with our instructions.
b. Transfers within Relayware
Personal data from a partner organization that is submitted to Relayware is subsequently sync with our Salesforce instance (salesforce.com). If an individual within a partner organization is classified as the “primary contact” that individual would be provided with administrative access to enable them to manage the accounts of all the individuals within their organization (i.e. if an employee departs the organization, the primary contact can disable their account, etc.). The primary contact can also view other employees within the organization’s leads and opportunities that are submitted to us. No personal data is transferred between partner organizations and primary contacts cannot, view or interact with personal data or leads from other BeyondTrust partner organizations. Each individual within an organization must agree to the Terms and Conditions upon registering with Relayware. If they do not agree to sharing their personal data in accordance with such Terms and Conditions, they should not access to the Relayware portal.
c. Third party acquirer
We may share your personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice. In the event of such change in ownership, we will try to notify you via email and/or a prominent notice on our website as soon as practicable for us to do so.
d. Other third parties
Except as described in this privacy notice, we will not share your personal data with non-BeyondTrust third parties without your permission, unless to: (i) comply with any applicable law, regulation, subpoena, or court order; (ii) respond to authorized information requests of police and governmental authorities; (iii) protect the personal safety of our employees and third parties on our property; (iv) in certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; or (v) help prevent fraud or to enforce or protect our rights and properties.
4. How do I select privacy preferences?
Email and other communications
You may opt out of receiving email and other communications from us at any time by using one of the following methods: (1) select the email "opt out" or "unsubscribe" link, or follow the opt-out instructions included in each email communication; or (2) contact us using the details set out in this privacy notice. When contacting us, please ensure that you provide us with sufficient information to deal with your request, including your name, email and/or postal address (as applicable), and specific information about the communications that you no longer wish to receive.
If you do not want us to place cookies, you may choose to opt-out by changing your browser settings. Most web browsers will automatically accept cookies but you can choose to accept all, accept some, or reject cookies through your browser's privacy settings. Please note that, rejecting all cookies means that you may not be able to take full advantage of all our website's features. Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences. For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your device.
5. How do we keep your personal information secure?
To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, we have put in place appropriate physical, technical and administrative procedures to safeguard the information we process. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee the absolute security of your personal data. We have put in place procedures to deal with any suspected personal data breach and will notify you and/or any applicable supervisory authority of a breach where we are legally required to do so. If you have any questions about security on our website, you can contact us at email@example.com.
6. Duration of Data Storage
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us at firstname.lastname@example.org.
7. Notification of Privacy Notice Changes
We may update this privacy notice to reflect changes to our privacy and information security practices. If we make any material changes to this privacy notice, we will try to notify you by email (sent to the e-mail address specified in your account) or by providing notice on our website as soon as practicable and, if possible, prior to the change becoming effective. We encourage you to periodically review this privacy notice for the latest information on our privacy and information security practices.
8. Your Rights
Under certain circumstances, you may have various rights under applicable data protection laws in relation to your personal data, these rights may include:
a. Request access to your personal data
You may request access to your personal data, this is known as a data subject access request or “SAR”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
b. Objection against advertising
You may object to the use of your personal data for advertising purposes at any time by contacting us at email@example.com
c. Withdrawal of consent
Where we are relying on your consent to process your personal data, you can withdraw such consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. Please note, however, that if you withdraw your consent, we may not be able to provide certain products or services to you, we will advise you if this is the case.
d. Request correction of your personal data
You have the right to request the correction of any of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new personal data that you provide to us.
e. Request erasure of your personal data
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with applicable law. Please be aware that we may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you, if applicable.
f. Right of objection of processing of your personal data
Where we are relying on a legitimate interest and there is something about your particular situation at any time that makes you want to object to our processing of your personal data on this ground as you feel it impacts on your fundamental rights and freedoms, you may request that we stop processing your personal data in this way. If you file an objection, we will no longer process your personal data in this way, unless we can demonstrate that we have compelling legitimate grounds to process your personal data in such a way, which outweigh your rights and freedoms.
g. Request restriction of processing of your personal data
This right enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the accuracy of your personal data; (b) where our use of your personal data is unlawful but you do not want us to erase it; (c) where you need us to hold your personal data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our processing of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
h. Request the transfer of your personal data
This right enables you to ask us to transfer your personal data to you or to a third party. We will provide to you, or the third party, your personal data in a structured, commonly used, machine-readable format. Please be aware that this right only applies to automated personal data that you have originally provided to us to process with your consent or to perform a contract with you. You will not usually have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
9. Transmission of Data to Other Countries
We and many of our third party suppliers and service providers are based outside of Switzerland and the EU (as applicable), for example in the United States, where privacy laws may be less stringent than the laws in your country and where the government, courts or law enforcement may be able to access your information. Whenever your personal data is processed outside the EU, we ensure that a similar degree of protection is afforded to it by ensuring at least one of the safeguards permitted by applicable law is implements. We process your personal data in accordance with the Privacy Shield as set out above. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of Switzerland or the EU (as applicable).
10. Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
11. Contact Us
The entity that is responsible for processing the personal data collected through our website is BeyondTrust, our address for correspondence in connection with this privacy notice is: Data Protection Officer, 11695 Johns Creek Parkway, Suite 200, Johns Creek, Georgia 30097. You can also contact us via e-mail at firstname.lastname@example.org or by telephone at1-877-826-6427. We will process your enquiries are soon as practicable in accordance with our legal requirements and, if appropriate, inform you which measures we have taken. If you have any unresolved concerns relating to your privacy or our data use that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedbackform.truste.com/watchdog/request. Under certain conditions, that are more fully described on the Privacy Shield website, https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.