Effective September 8, 2023
1. Who “we” are
When we say “ZeroFox,” “we,” “us” or “our” in this Policy, we are referring to ZeroFox, Inc., a Delaware (US) corporation, however this Policy also applies to our affiliated companies, including ZeroFox UK Ltd (organized under the laws of England and Wales) and ZeroFox Chile SpA (organized under the laws of Chile).
2. Who “you” are
When we say “you,” we are referring to a customer, to a visitor to our Sites or to a participant at a ZeroFox event or activity, such as conference attendee. A “customer” is an asset or organization that has acquired a subscription to ZeroFox for Business Services (“business customer”), or an individual that has acquired a subscription to ZeroFox for Everyone Services.
3. Scope of Policy
In addition to describing our practices for collecting, using and disclosing personal information, this Policy describes the rights individuals have to control the use of their personal information. When we say “personal information” in this Policy we are referring to any information relating to an identified or identifiable natural person, which may include the individual’s name, identification number, location data, email address, social media handle or other online identifier. If you use the Services through a business customer (like your employer), the terms of the customer’s contract for the Services may restrict our collection or use of your personal information more than what is described in this Policy.
4. Changes to Policy
We may change this Policy from time to time. The most recent version of the Policy is reflected by the date at the top of this Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including by posting a revised version of this Policy or other notice on the Site. We encourage you to review this Policy often to stay informed of changes that may affect you. Your continued use of the Sites or Services signifies your ongoing acknowledgment of this Policy.
5. Contacting us
Please contact us with any questions or comments about this Policy, including questions around how we process your personal information. You can reach us by postal mail at ZeroFox, Inc., Attn: Privacy, 1834 S Charles St, Baltimore, MD 21230 USA.
The following paragraphs 6 through 10 describe the personal information we collect.
6. Information you provide to us
When you register for or use the Services, modify your Services account, consult with our customer support or success teams, send us an email, participate in any interactive features of the Sites or Services, participate in a survey, participate in a contest, participate in a ZeroFox activity or event, apply for a job, integrate the Services with another website or service, or communicate with us in any way, you are voluntarily giving us information that we collect. The types of personal information we may collect directly from you include your first name, last name, picture, employer name, job title, industry, username, email address, phone number, physical address, social media handle and IP address. In cases where we ask you for certain information, for example when completing a form requesting a whitepaper, we will tell you what information is required. If you are a customer, we also store the information that you provide to the Services, which in the case of a business customer includes the information types listed above with respect to the business customer’s personnel.
7. Information collected for and by our customers
If you are a customer using the Services, you may process personal information that you have collected from your own personnel (if a business customer) or other individuals. You are responsible for making sure that you have appropriate permission for us to collect and process information about those individuals. If you are an employee or contractor of one of our business customers, please contact that business customer directly to update or delete your information. If you contact us, we will provide notice to our business customer of your request. If you are an EU resident, please refer to paragraph 23 for additional detail.
8. Information we collect from your use of Services
We receive information about how and when you use the Services, store it in log files or other types of files associated with your account, and link it to other information we collect about you. This information includes, for example, your IP address, time, date, browser used, and actions you have taken within the application. This type of information helps us to improve our Services for both you and for all of our users.
9. Information we collect automatically
- We use pixel tags on our Sites and in our emails. When we send emails, we may track behavior such as who opened the emails and who clicked the links. This allows us to measure the performance of our email campaigns and to improve our features for specific segments of customers. To do this, we include pixel tags (also referred to as web beacons, clear gifs, and single-pixel gifs), in emails we send. Pixel tags allow us to collect information about when you open the email, your IP address, your browser or email client type, and other similar details.
- Please note that “do not track” is a standard that is currently under development. Because it is not yet finalized, while some features of our Site and Services may have the ability to monitor or following do not track browser requests, we do not commit to following any do not track browser requests, but do adhere to the standards in this Policy.
10. Information from other sources
From time to time we may obtain personal information about you (or in the case of business customers, your personnel) from third party sources, such as public databases, social media platforms, third party data providers and our joint marketing partners. We take steps to ensure that such third parties are legally permitted or required to disclose such information to us. We use this information, alone or in combination with other information (including personal information) we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products features, and services.
11. YouTube API services
12. How we use information
We may use and disclose personal information described in this Policy only to:
- provide, operate, maintain and support the Services;
- send system alert messages, for example, we may inform you of temporary or permanent changes to our Services, such as planned outages, new features, version updates, releases, abuse warnings and changes to this Policy;
- communicate with customers (and business customers’ personnel) about their accounts and provide customer support, training and other requested services;
- bill and collect money owed to us by customers, including sending emails, invoices, receipts, notices of delinquency and alerting customers if a different credit card number is needed (we use third parties for secure credit card transaction processing, and we send billing information to those third parties to process your orders and credit card payments);
- enforce compliance with our Acceptable Use Policy, our other agreements with a customer, and/or applicable law, which may include tools and algorithms that help us prevent violations;
- protect the rights and safety of our customers and third parties, as well as our own;
- respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
- meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms;prosecute and defend a court, arbitration, or similar legal proceeding;
- provide information to our professional advisors and representatives, such as attorneys and accountants, to help us comply with legal, accounting or security requirements;
- in the case of personal information of our employees, perform human resources activities such as onboarding, training and payroll;
- improve our products, technology and Services, including for example, aggregating information from your use of the Services or visits to our Sites and sharing this information with third parties to improve the Services and Sites;
- send you informational and promotional content in accordance with your marketing preferences (provided you have not unsubscribed from promotional emails);
- promote use of our Services to you and others, for example to suggest additional features of our Services that you might consider using (again, provided you have not unsubscribed from promotional emails);
- process and deliver contest or sweepstakes entries and awards;
- transfer your information in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition, provided that (1) any acquirer will be subject to our obligations under this Policy, including your rights to access and choice and (2) we will notify you of the change either by sending you an email or posting a notice on the Sites; and
- link or combine personal information with other information we collect or obtain about you (such as information we source from our third party partners), to serve you specifically, such as to deliver Services according to your preferences or restrictions, or for advertising or targeting purposes in accordance with this Policy. (Any combination of personal information with other information is treated as personal information under this Policy.)
13. Sharing information within our group and with our service providers
We are headquartered in the United States and operate internationally. For example, certain personal information described in this Policy may be shared with our affiliated companies, ZeroFox UK Ltd, ZeroFox Chile SpA and ZeroFox India Pvt Ltd, and consequently accessible to our personnel in the United Kingdom, Chile, and India, respectively. We also share personal information described in this Policy with third-party vendors and service providers who are working on our behalf and require access to your information to carry out that work. For example, ZeroFox currently uses cloud services from Amazon Web Services and Google for the infrastructure of its cloud-hosted Services. These service providers are authorized to use your personal information only as necessary to provide services to ZeroFox and/or the Services and are bound to contractual obligations to maintain the confidentiality of your information. Many of these service providers, like us, are headquartered in the United States and operate internationally. Accordingly, you should be aware that your personal information may be processed in countries other than your country of residence, and that those countries may have different privacy and data protection laws than where you reside.
14. Safeguarding personal information
We take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal information. However, no means of processing of personal information is 100% secure and while we comply with our legal obligations, we cannot guarantee absolute security.
15. Information changes and retention
If you are a customer, you may update, correct or delete personal information about you (or your personnel, if a business customer) by logging into your online account and modifying your information or by emailing us. We will retain personal information that we process on behalf of our customers for as long as the customer’s account is active and as may otherwise be appropriate to fulfill the purposes outlined in this Policy, for example to comply with legal obligations, resolve disputes, prevent abuse and enforce agreements.
16. Social media
(This paragraph applies to our public Sites, not the features or functionality of the Services.) Our Sites may include social media features. These features on our Sites may collect information about your IP address and which page you are visiting on our Site, and they may set a cookie to make sure the features function properly. Additional information on cookies set by social media providers is provided in our Cookie Statement. Social media features and widgets are either hosted by a third party or hosted directly on our Site. We also maintain presences on social media platforms. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
17. Community forums and blogs
We may have public blogs or other forums on our Sites from time to time. Any information you include in a comment on a public blog may be read, collected and used by anyone. To request removal of your personal information from our blogs or testimonials, contact us at the email address listed above. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
18. Links to third-party sites and services
Our Sites and Services include links to, or integrations with, other sites and services whose privacy practices may be different from ours. If you submit personal information to any of those sites or services, your information is governed by their privacy policies.
19. Individuals under the age of 18
Neither the Sites nor the Services are intended for use by individuals under 18 years of age. No one under age 18 may provide any information on or through the Sites or the Services. We do not knowingly collect personal information of individuals under 18. If a parent or guardian becomes aware that his or her child, who is under 18, has provided us with information, he or she should contact us.
20. Notice for California residents
California Civil Code section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties. To make such a request, please contacts us as provided in paragraph 5.
Notices for European Union Residents
21. Transfers of personal information from the European Union to the United States
As noted above, we, and many of our service providers, are headquartered in the United States and operate internationally. In addition to ensuring those providers are bound by restrictions on use and disclosure of personal information, our agreements with them also reflect the legal mechanisms in place to ensure the transfer of personal information is in compliance with European data protection law, typically EU-U.S. Data Privacy Framework or standard contractual clauses (also known as model clauses).
22. EU Data Processing Addendum
We are committed to only processing personal information in compliance with applicable privacy and data protection law, which may include the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”). Our business customers processing the personal information of EU residents may request our personal data processing addendum which incorporates the standard contractual clauses, in addition to (or instead of, as applicable) relying on ZeroFox’s EU-U.S. Data Privacy Framework (discussed in paragraph 27 below).
23. Controllers, processors and your GDPR rights
Under the GDPR, a “processor” is a person or asset that processes personal information on behalf of the controller, and the “controller” is the person or asset that determines how and why personal information is processed. This distinction recognizes that not all persons or assets involved in the processing of personal information have the same degree of responsibility. In that vein, controllers are typically primarily responsible for managing EU residents’ exercises of their rights under GDPR (“data subject rights”). Data subject rights include, among others, an individual’s right to access, correct, restrict processing of and/or delete his or her personal information.
24. Our role as a processor for business customers
In the case of our business customers, the Services are intended to be used and managed by the business customer. In general, we are collecting and processing personal information in connection with a business customer’s use of the Services on behalf of that customer. In that case, the business customer is acting as the controller and ZeroFox is acting as a processor according to the business customer’s instructions. If you are an EU resident and believe ZeroFox is processing your personal information on behalf of a business customer, and you would like to exercise your data subject rights, please start by contacting the business customer.
25. Our role as a processor for individual customers
If you are an individual EU customer using ZeroFox for Everyone Services, you are the controller of the personal information that you process through our Services. Individual customers may access, correct, restrict processing of and delete that personal information through the functionality of the Services. If you have additional questions, please contact us as provided in paragraph 5.
26. Our role as a controller
In other cases, such as personal information used by ZeroFox for management of a customer’s account, invoicing and marketing, ZeroFox will be the controller with respect to personal information. If you are an EU resident, in situations where we are the controller of your personal information and you would like to exercise your data subject rights, please contact us as provided in paragraph 5.
27. Legal bases for processing
The GDPR requires that personal information be processed lawfully and outlines specific legal bases for processing. We describe in paragraphs 6 through 10 above the personal information we may collect, and in paragraph 11 how we may use it. The legal bases under the GDPR for those uses depends on the personal information collected and the context of its collection. ZeroFox has determined a basis for each use, including:
- performing a contract, or taking steps linked to a contract, such as providing the Services to you if you are an individual customer;
- subject to our interests not being overridden by your interests and fundamental rights and freedoms, pursuing legitimate interests in the conduct of our business, such as processing the data of our EU employees;
- processing your personal information where you have provided consent, such as when you submit an online form with your contact information on our Site requesting that we get in touch with you with information on our Services; and
- complying with legal obligations, such as responding to lawful requests by public authorities.
28. Data Privacy Framework
As noted, ZeroFox participates in and has certified its compliance with the EU-U.S. Data Privacy Framework (“DPF”).
- We are committed to subjecting all personal information received from EU member countries and the United Kingdom, in reliance on the DPF, to DPF Principles. To learn more about the DPF, and to view, visit the U.S. Department of Commerce’s Data Privacy Framework website, where the Department also maintains a list of all Data Privacy Framework participants.
- With respect to personal data received or transferred pursuant to the DPF, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- If you have an unresolved privacy or data use concern that we have not addressed timely or satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described at U.S. Department of Commerce’s Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
29. HR Data
This Policy also reflects the principles under which ZeroFox manages the processing of personal information that it receives from its employees in the EU in support of its human resources operations. ZeroFox has committed to cooperate with EU data protection authorities with regard to unresolved EU-U.S. Data Privacy Framework complaints concerning human resources data transferred from the EU in the context of the employment relationship.
30. Inquiries and Complaints
In compliance with the EU-U.S. Data Privacy Framework, we are committed to resolving complaints about our collection or use of EU residents’ personal information. For inquiries or complaints regarding this Policy, we request that EU residents first contact ZeroFox as provided in paragraph 5. You may also approach your local data protection authority (referred to under the GDPR as your supervisory authority) which can provide further information about your rights and our obligations in relation to your personal information.
Individuals and data protection supervisory authorities in the EU and the UK may contact our data protection representatives according to Articles 27 EU and UK GDPR:
- EU: DP-Dock GmbH,
Attn: ZeroFox Inc., Ballindamm 39, 20095 Hamburg, Germany
- UK: DP Data Protection Services UK Ltd.,
Attn: ZeroFox Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
CCPA Data Processing Addendum
This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Statement of ZeroFox, Inc. (“ZeroFox”) and its subsidiaries (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this notice.
31. Information We Collect.
We may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:
|A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.
|Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories
Personal information does not include:
- Publicly available information from government records.
- De-identified or aggregated consumer information.
- Information excluded from the CCPA’s scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
We obtain the categories of information listed above from the following categories of sources:
- Directly from our Customers or their agents. For example, from documents that our Customers provide to us related to the services we are providing to them.
- Indirectly from our Customers or their agents. For example, through information we collect from our Customers in the course of providing services to them.
- Directly and indirectly from activity on our website. For example, from submissions through our website portal or website usage details collected automatically.
- From third parties that interact with us in connection with the services we perform. For example, from our partners that engage ZeroFox to provide services to their customers.
32. Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
- To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal information in order for us to provide our services, we will use that information to maintain the service for you.
- To provide you with information, products or services that you request from us.
- To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
- To improve our website and present its contents to you.
- For testing, research, analysis and product development.
- As necessary or appropriate to protect the rights, property or safety of us, our customers or others.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth herein.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
33. Sharing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have disclosed the following categories of personal information to provide services:
Category A: Identifiers.
We disclose your personal information for a business purpose to the following categories of third parties:
- Our affiliates.
- Service providers.
- Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.
Personal Information Sales
In the preceding twelve (12) months, we have not sold, rented, or traded any personal information.
34. Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech and ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
35. Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Calling us at 1.855.936.9369
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
36. Response Timing and Format
We will respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one asset to another asset without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
38. Changes to Our Privacy Notice
We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.
39. Contact Information
If you have any questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Address: 1834 S. Charles St. Baltimore, MD 21230