Effective May 25, 2018 through July 5, 2020 (view current version)
1. Who “we” are
When we say “ZeroFox,” “we,” “us” or “our” in this Policy, we are referring to ZeroFox, Inc., a Delaware (US) corporation, however this Policy also applies to our affiliated companies, including ZeroFox UK Ltd (organized under the laws of England and Wales) and ZeroFox Chile SpA (organized under the laws of Chile).
2. Who “you” are
When we say “you,” we are referring to a customer, to a visitor to our Sites or to a participant at a ZeroFox event or activity, such as conference attendee. A “customer” is an entity or organization that has acquired a subscription to ZeroFox for Business Services (“business customer”), or an individual that has acquired a subscription to ZeroFox for Everyone Services.
3. Scope of Policy
In addition to describing our practices for collecting, using and disclosing personal information, this Policy describes the rights individuals have to control the use of their personal information. When we say “personal information” in this Policy we are referring to any information relating to an identified or identifiable natural person, which may include the individual’s name, identification number, location data, email address, social media handle or other online identifier. If you use the Services through a business customer (like your employer), the terms of the customer’s contract for the Services may restrict our collection or use of your personal information more than what is described in this Policy.
4. Changes to Policy
We may change this Policy from time to time. The most recent version of the Policy is reflected by the date at the top of this Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including by posting a revised version of this Policy or other notice on the Site. We encourage you to review this Policy often to stay informed of changes that may affect you. Your continued use of the Sites or Services signifies your ongoing acknowledgment of this Policy.
5. Contacting us
Please contact us with any questions or comments about this Policy, including questions around how we process your personal information. You can reach us by email at [email protected] or by postal mail at ZeroFox, Inc., Attn: Privacy, 1834 S Charles St, Baltimore, MD 21230 USA.
The following paragraphs 6 through 10 describe the personal information we collect.
6. Information you provide to us
When you register for or use the Services, modify your Services account, consult with our customer support or success teams, send us an email, participate in any interactive features of the Sites or Services, participate in a survey, participate in a contest, participate in a ZeroFox activity or event, apply for a job, integrate the Services with another website or service, or communicate with us in any way, you are voluntarily giving us information that we collect. The types of personal information we may collect directly from you include your first name, last name, picture, employer name, job title, industry, username, email address, phone number, physical address, social media handle and IP address. In cases where we ask you for certain information, for example when completing a form requesting a whitepaper, we will tell you what information is required. If you are a customer, we also store the information that you provide to the Services, which in the case of a business customer includes the information types listed above with respect to the business customer’s personnel.
7. Information collected for and by our customers
If you are a customer using the Services, you may process personal information that you have collected from your own personnel (if a business customer) or other individuals. You are responsible for making sure that you have appropriate permission for us to collect and process information about those individuals. If you are an employee or contractor of one of our business customers, please contact that business customer directly to update or delete your information. If you contact us, we will provide notice to our business customer of your request. If you are an EU resident, please refer to paragraph 23 for additional detail.
8. Information we collect from your use of Services
We receive information about how and when you use the Services, store it in log files or other types of files associated with your account, and link it to other information we collect about you. This information includes, for example, your IP address, time, date, browser used, and actions you have taken within the application. This type of information helps us to improve our Services for both you and for all of our users.
9. Information we collect automatically
- We use pixel tags on our Sites and in our emails. When we send emails, we may track behavior such as who opened the emails and who clicked the links. This allows us to measure the performance of our email campaigns and to improve our features for specific segments of customers. To do this, we include pixel tags (also referred to as web beacons, clear gifs, and single-pixel gifs), in emails we send. Pixel tags allow us to collect information about when you open the email, your IP address, your browser or email client type, and other similar details.
- Please note that “do not track” is a standard that is currently under development. Because it is not yet finalized, while some features of our Site and Services may have the ability to monitor or following do not track browser requests, we do not commit to following any do not track browser requests, but do adhere to the standards in this Policy.
10. Information from other sources
From time to time we may obtain personal information about you (or in the case of business customers, your personnel) from third party sources, such as public databases, social media platforms, third party data providers and our joint marketing partners. We take steps to ensure that such third parties are legally permitted or required to disclose such information to us. We use this information, alone or in combination with other information (including personal information) we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products features, and services.
11. How we use information
We may use and disclose personal information described in this Policy only to:
- provide, operate, maintain and support the Services;
- send system alert messages, for example, we may inform you of temporary or permanent changes to our Services, such as planned outages, new features, version updates, releases, abuse warnings and changes to this Policy;
- communicate with customers (and business customers’ personnel) about their accounts and provide customer support, training and other requested services;
- bill and collect money owed to us by customers, including sending emails, invoices, receipts, notices of delinquency and alerting customers if a different credit card number is needed (we use third parties for secure credit card transaction processing, and we send billing information to those third parties to process your orders and credit card payments);
- enforce compliance with our Acceptable Use Policy, our other agreements with a customer, and/or applicable law, which may include tools and algorithms that help us prevent violations;
- protect the rights and safety of our customers and third parties, as well as our own;
- respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
- meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms;prosecute and defend a court, arbitration, or similar legal proceeding;
- provide information to our professional advisors and representatives, such as attorneys and accountants, to help us comply with legal, accounting or security requirements;
- in the case of personal information of our employees, perform human resources activities such as onboarding, training and payroll;
- improve our products, technology and Services, including for example, aggregating information from your use of the Services or visits to our Sites and sharing this information with third parties to improve the Services and Sites;
- send you informational and promotional content in accordance with your marketing preferences (provided you have not unsubscribed from promotional emails);
- promote use of our Services to you and others, for example to suggest additional features of our Services that you might consider using (again, provided you have not unsubscribed from promotional emails);
- process and deliver contest or sweepstakes entries and awards;
- transfer your information in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition, provided that (1) any acquirer will be subject to our obligations under this Policy, including your rights to access and choice and (2) we will notify you of the change either by sending you an email or posting a notice on the Sites; and
- link or combine personal information with other information we collect or obtain about you (such as information we source from our third party partners), to serve you specifically, such as to deliver Services according to your preferences or restrictions, or for advertising or targeting purposes in accordance with this Policy. (Any combination of personal information with other information is treated as personal information under this Policy.)
12. Sharing information within our group and with our service providers
We are headquartered in the United States and operate internationally. For example, certain personal information described in this Policy may be shared with our affiliated companies, ZeroFox UK Ltd and ZeroFox Chile SpA, and consequently accessible to our personnel in the United Kingdom and Chile, respectively. We also share personal information described in this Policy with third-party vendors and service providers who are working on our behalf and require access to your information to carry out that work. For example, ZeroFox currently uses cloud services from Amazon Web Services and Google for the infrastructure of its cloud-hosted Services. These service providers are authorized to use your personal information only as necessary to provide services to ZeroFox and/or the Services and are bound to contractual obligations to maintain the confidentiality of your information. Many of these service providers, like us, are headquartered in the United States and operate internationally. Accordingly, you should be aware that your personal information may be processed in countries other than your country of residence, and that those countries may have different privacy and data protection laws than where you reside.
13. Safeguarding personal information
We take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal information. However, no means of processing of personal information is 100% secure and while we comply with our legal obligations, we cannot guarantee absolute security.
14. Information changes and retention
If you are a customer, you may update, correct or delete personal information about you (or your personnel, if a business customer) by logging into your online account and modifying your information or by emailing us. We will retain personal information that we process on behalf of our customers for as long as the customer’s account is active and as may otherwise be appropriate to fulfill the purposes outlined in this Policy, for example to comply with legal obligations, resolve disputes, prevent abuse and enforce agreements.
15. Social media
(This paragraph applies to our public Sites, not the features or functionality of the Services.) Our Sites may include social media features. These features on our Sites may collect information about your IP address and which page you are visiting on our Site, and they may set a cookie to make sure the features function properly. Additional information on cookies set by social media providers is provided in our Cookie Statement. Social media features and widgets are either hosted by a third party or hosted directly on our Site. We also maintain presences on social media platforms. Any information, communications, or materials you submit to us via a social media platform is done at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
16. Community forums and blogs
We may have public blogs or other forums on our Sites from time to time. Any information you include in a comment on a public blog may be read, collected and used by anyone. To request removal of your personal information from our blogs or testimonials, contact us at the email address listed above. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
17. Links to third-party sites and services
Our Sites and Services include links to, or integrations with, other sites and services whose privacy practices may be different from ours. If you submit personal information to any of those sites or services, your information is governed by their privacy policies.
18. Individuals under the age of 18
Neither the Sites nor the Services are intended for use by individuals under 18 years of age. No one under age 18 may provide any information on or through the Sites or the Services. We do not knowingly collect personal information of individuals under 18. If a parent or guardian becomes aware that his or her child, who is under 18, has provided us with information, he or she should contact us.
19. Notice for California residents
California Civil Code section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties. To make such a request, please contacts us as provided in paragraph 5.
Notices for European Union Residents
20. Transfers of personal information from the European Union to the United States
As noted above, we, and many of our service providers, are headquartered in the United States and operate internationally. In addition to ensuring those providers are bound by restrictions on use and disclosure of personal information, our agreements with them also reflect the legal mechanisms in place to ensure the transfer of personal information is in compliance with European data protection law, typically EU-U.S. Privacy Shield certification or standard contractual clauses (also known as model clauses).
21. EU Data Processing Addendum
We are committed to only processing personal information in compliance with applicable privacy and data protection law, which may include the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”). Our business customers processing the personal information of EU residents may request our personal data processing addendum which incorporates the standard contractual clauses, in addition to (or instead of, as applicable) relying on ZeroFox’s EU-U.S. Privacy Shield certification (discussed in paragraph 27 below).
22. Controllers, processors and your GDPR rights
Under the GDPR, a “processor” is a person or entity that processes personal information on behalf of the controller, and the “controller” is the person or entity that determines how and why personal information is processed. This distinction recognizes that not all persons or entities involved in the processing of personal information have the same degree of responsibility. In that vein, controllers are typically primarily responsible for managing EU residents’ exercises of their rights under GDPR (“data subject rights”). Data subject rights include, among others, an individual’s right to access, correct, restrict processing of and/or delete his or her personal information.
23. Our role as a processor for business customers
In the case of our business customers, the Services are intended to be used and managed by the business customer. In general, we are collecting and processing personal information in connection with a business customer’s use of the Services on behalf of that customer. In that case, the business customer is acting as the controller and ZeroFox is acting as a processor according to the business customer’s instructions. If you are an EU resident and believe ZeroFox is processing your personal information on behalf of a business customer, and you would like to exercise your data subject rights, please start by contacting the business customer.
24. Our role as a processor for individual customers
If you are an individual EU customer using ZeroFox for Everyone Services, you are the controller of the personal information that you process through our Services. Individual customers may access, correct, restrict processing of and delete that personal information through the functionality of the Services. If you have additional questions, please contact us as provided in paragraph 5.
25. Our role as a controller
In other cases, such as personal information used by ZeroFox for management of a customer’s account, invoicing and marketing, ZeroFox will be the controller with respect to personal information. If you are an EU resident, in situations where we are the controller of your personal information and you would like to exercise your data subject rights, please contact us as provided in paragraph 5.
26. Legal bases for processing
The GDPR requires that personal information be processed lawfully and outlines specific legal bases for processing. We describe in paragraphs 6 through 10 above the personal information we may collect, and in paragraph 11 how we may use it. The legal bases under the GDPR for those uses depends on the personal information collected and the context of its collection. ZeroFox has determined a basis for each use, including:
- performing a contract, or taking steps linked to a contract, such as providing the Services to you if you are an individual customer;
- subject to our interests not being overridden by your interests and fundamental rights and freedoms, pursuing legitimate interests in the conduct of our business, such as processing the data of our EU employees;
- processing your personal information where you have provided consent, such as when you submit an online form with your contact information on our Site requesting that we get in touch with you with information on our Services; and
- complying with legal obligations, such as responding to lawful requests by public authorities.
27. Privacy Shield
As noted, ZeroFox participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”).
- We are committed to subjecting all personal information received from EU member countries and the United Kingdom and/or Switzerland, in reliance on the Privacy Shield, to Privacy Shield Principles. To learn more about the Privacy Shield, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield website, where the Department also maintains a list of all Privacy Shield participants.
- ZeroFox is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield for all onward transfers of personal data from the EU, United Kingdom and/or Switzerland, including the onward transfer liability provisions.
- With respect to personal data received or transferred pursuant to the Privacy Shield, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form. truste.com/watchdog/request. Under certain conditions, more fully described at U.S. Department of Commerce’s Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
28. HR Data
This Policy also reflects the principles under which ZeroFox manages the processing of personal information that it receives from its employees in the EU in support of its human resources operations. ZeroFox has committed to cooperate with EU data protection authorities with regard to unresolved EU-U.S. Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.
29. Inquiries and Complaints
In compliance with the EU-U.S. Privacy Shield, we are committed to resolving complaints about our collection or use of EU residents’ personal information. For inquiries or complaints regarding this Policy, we request that EU residents first contact ZeroFox as provided in paragraph 5. You may also approach your local data protection authority (referred to under the GDPR as your supervisory authority) which can provide further information about your rights and our obligations in relation to your personal information.