Privacy Policy

Last updated: May 2018

Carbonite, Inc. and its affiliates and subsidiaries (collectively “Carbonite”) respect the privacy of our customers and users. Please take time to read this Privacy Policy (“Privacy Policy”) as we believe it is important for our customers and users to understand how we collect, process and use personal data.  

By using the Products and Services, Websites or Portals, you consent to the data we collect and how we use and share it in accordance with this Privacy Policy.  If you do not agree with the data we collect and how we use and share it, you should not use the Products and Services, Websites or Portals. 

WHAT DATA WE COLLECT  

Carbonite’s customers and users voluntarily provide us with data, including data that can be used to identify, either directly or indirectly, an individual (“Personal Data”) when they purchase or use our products and services (together, “Products and Services”) and access our websites or portals (“Websites” or “Portals”). 

Data Provided by Users and Customers.

  • Name, address, email, telephone number, username and password (collectively "Account Information")
  • Credit card, debit card, banking or other payment information
  • Information submitted as a result of completing forms on our Websites or Portals, entering a promotion or survey or subscribing to, commenting on or downloading information from our Websites or Portals
  • Customer content stored, processed, maintained or transmitted using our Products and Services
  • File system information such as stored file folder names, file extensions, file sizes, and the configuration of any device registered for use in connection with the Products and Services, including any hardware delivered as part of the Products and Services (each a "Device")
  • Technical information as a result of configuring the Products and Services, including IP addresses, browser-type, device-type, internet service provider, referring or exiting pages, operating system, date and time stamp or clickstream data
  • Any other information shared with us directly or indirectly through a customer’s or user’s use of the Products and Services, Websites or Portals

Aggregate Information. To the extent permitted by applicable law, Carbonite may use, process, transfer and store customer and user data in an anonymous (or pseudonymous) and aggregated manner. We may combine such data with other information collected, including information from third-party sources. By using the Products and Services, our customers and users agree that we are permitted to collect, use, share and store anonymized (or pseudonymized) aggregated data collected through the Products and Services for benchmarking, analytics, metrics, research, reporting, machine learning and other legitimate business purposes.

Automated Decisions. To the extent permitted by applicable law, Carbonite may collect data in an automated manner and make and use automated decisions about customers, including using machine learning algorithms, in order to provide or optimize the Products and Services, for security or analytics purposes, to display advertisements and offers based on individual preferences and for any other lawful purpose.

WHY WE USE DATA

Carbonite processes data, including Personal Data, for a variety of purposes, such as: 

  • With customer or user consent, e.g., to receive marketing materials
  • Where the processing is necessary for the performance of a contract, e.g., to facilitate backing-up and restoring data, for archiving purposes, or to provide technical support
  • Where necessary to comply with law
  • Where the processing is necessary for the purposes of our legitimate interests, taking into account individual interests. Our legitimate interests include providing the Products and Services, internal record-keeping and administrative purposes and to operate, maintain and improve the Websites or Portals

HOW WE USE COOKIES AND OTHER TECHNOLOGIES

We use certain automatic data collection technologies such as cookies, web beacons, pixel tags and other technologies to collect data, including Personal Data, when users or customers visit the Websites or Portals, use the Products and Services or interact with us, and may share this data with our third-party marketing vendors (including for example, advertising networks and providers of external services like web traffic analysis services and analytics tools). We explain these technologies below.

Cookies. Cookies are small text files placed on a computer by a web server when browsing online and are used to store user preference data so that a web server doesn't have to repeatedly request this information. A user may block cookies by activating the settings on the browser that blocks all or some cookies. However, if a user blocks all cookies (including strictly necessary cookies), a user may not be able to access all or parts of our Websites or Portals. We use the following cookies: 

  • Strictly Necessary Cookies. These cookies are required for the operation of our Websites and Portals. They include, for example, cookies that enable a customer to log-in to secure areas of our Websites and Portals and use e-commerce.
  • Analytical and Performance Cookies. These cookies allow us to recognize and count the number of users visiting our Websites and Portals and see how those users navigate our Websites or Portals. This helps us to improve our Websites and Portals.
  • Functionality Cookies. These cookies recognize a user that returns to our Websites or Portals. This enables us to personalize our content, greet the user by name and remember preferences, for example, choice of language or region.
  • Targeting Cookies. These cookies record visits to our Websites or Portals and the links followed. We use this information to improve our Websites or Portals and ensure the advertising displayed is relevant to users.

Web Beacons. A web beacon is a small pixel incorporated into a web page or email to keep track of activity on the page or email.  A web beacon helps us better manage the content of our Websites by informing us of what content is effective. 

Cross-device Tracking. We may use third-party cross-device tracking. For example, a user may use multiple browsers on a single device, or use various devices, which can result in the customer having multiple accounts or profiles across various devices. Cross-device tracking may be used to connect these various accounts or profiles and the corresponding data from different devices.

GLOBAL DATA MANAGEMENT

Carbonite is a global organization. As a result, data collected by us, including Personal Data, may be transferred or accessed by Carbonite’s subsidiaries and affiliates in other countries around the world regardless of a customer or user country of residence.  Please note that by using the Products and Services, Websites or Portals or by providing Personal Data to us, customers and users acknowledge and agree that Personal Data may be sent to and processed in countries outside your country of residence, including the U.S.  For individuals residing in the European Economic Area (“EEA”), and for Personal Data subject to European data protection laws, this includes transfers outside of the EEA. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in your country of residence, however, we will take steps to ensure Personal Data is handled in accordance with the EU-U.S. and Swiss Privacy Shield Frameworks and/or the General Data Protection Regulation, as applicable.

WHEN AND WHY WE SHARE YOUR PERSONAL DATA

We do not and will not sell Personal Data to marketers or other vendors. 

We may share data, including Personal Data, in the following circumstances:

Service Providers. Carbonite may share data, including Personal Data, with our contracted third-party service providers in order to provide and improve our Products and Services, Websites or Portals or to administer surveys and user analysis to better understand user needs and preferences. These third-parties include affiliates and subsidiaries, business partners, payment and delivery services, advertising networks, analytics providers, credit reference agencies, social media companies, email distributors, marketing automation partners, customer survey companies, data storage and hosting partners, IT specialists and product developers.

Legal Purposes. Carbonite may share data, including Personal Data, as necessary to comply with applicable law, court orders, governmental agencies, for the administration of justice, to protect vital interests, to protect the security or integrity of Carbonite’s databases, Products and Services, Websites or Portals, or to take precautions against legal liability.

Sale. In the event of a merger, consolidation, or acquisition of all, substantially all or a portion of Carbonite’s business or assets, Carbonite may share data, including Personal Data. Customers and users acknowledge and agree that data, including encrypted stored data and Personal Data that Carbonite has collected, may be securely shared, disclosed and transferred to such successor or assignee. 

RETENTION OF DATA

We may retain data, including Personal Data, for as long as necessary to deliver the Products and Services or as needed for other lawful purposes. We may retain anonymized or pseudonymized, aggregated data indefinitely or to the extent permitted under applicable law.

YOUR RIGHTS

Subject to applicable data protection laws, customers and users have the following rights with respect to Carbonite’s handling of Personal Data:

  • Access. The right to access Personal Data held by Carbonite.
  • Opt-Out. The right to object to certain processing of Personal Data (unless Carbonite has overriding compelling grounds to continue processing), including the right to opt-out of receiving direct marketing. We will, however, continue to use Personal Data for the limited purpose of communicating important notices relating to purchases, changes to Products and Services or policies, and other reasons permitted by law.
  • Rectification. The right to request correction of Personal Data that is incomplete, incorrect, unnecessary or outdated.
  • Right to be Forgotten. The right to request erasure of all Personal Data that is incomplete, incorrect, unnecessary or outdated within a reasonable period of time. Carbonite will do everything possible to erase Personal Data if a user or customer so requests. However, Carbonite will not be able to erase all Personal Data if it is technically impossible due to limitations of existing technology or for legal reasons, such as Carbonite is mandated by applicable law to retain Personal Data.
  • Restriction of Processing. The right to request restriction of processing Personal Data for certain reasons, such as the inaccuracy of Personal Data.
  • Data Portability. If requested, Carbonite will provide Personal Data in a structured, secure, commonly used and machine-readable format.
  • Right to Withdraw Consent. If Personal Data is processed solely based on consent, and not based on any other legal basis, customers can withdraw consent at any time.
  • Data Protection Contact. The right to contact the relevant data protection regulator regarding Carbonite’s handling of Personal Data.

To exercise any of the above listed rights, email Carbonite at privacy@carbonite.com, contact customer support at 1-877-222-5488 or the appropriate geographical telephone number found here, or mail Carbonite, Inc., Two Avenue de Lafayette, Boston, MA 02111, Attn: Privacy. Carbonite will process requests in accordance with applicable law and within a reasonable period of time.

CARBONITE AS A DATA CONTROLLER AND PROCESSOR

Carbonite, Inc. acts as a data controller when we collect and process Personal Data for Carbonite’s legitimate interests, such as analyzing user interaction with our Websites or processing a customer credit card payment. Carbonite, Inc. acts as a data processor when we provide Products and Services to our customers, such as remote troubleshooting technical support. When acting as a data processor, Carbonite will only process Personal Data in accordance with customer instructions and this Privacy Policy. Carbonite, Inc.'s affiliates or subsidiaries may also act as data controllers or processors to the extent customers purchase Products and Services from those entities or Personal Data is shared with those entities.

DO NOT TRACK

Carbonite belongs to advertising networks that may use browsing history across participating websites to show interest-based advertisements. Currently, our Products and Services do not recognize if a browser sends a "do not track" signal or similar mechanism to indicate the wish not to be tracked or receive interest-based advertisements.

CALIFORNIA PRIVACY RIGHTS

Under California’s "Shine the Light" law, California residents who provide Personal Data in obtaining Products and Services for personal, family or household use are entitled to request and obtain from Carbonite, once per calendar year, information about Personal Data Carbonite has shared, if any, with other businesses for their own direct marketing uses. Carbonite does not currently share your Personal Data with other businesses for their own direct marketing uses. However, if applicable, this information would include the categories of Personal Data and the names and addresses of those businesses with which Carbonite shared Personal Data for the immediately prior calendar year (e.g., requests made in 2018 will receive information regarding 2017 sharing activities). To obtain this information, please send an email to privacy@carbonite.com with "Request for California Privacy Information" in the subject line, or mail Carbonite, Inc., Two Avenue de Lafayette, Boston, MA 02111 Attn: Privacy.

SECURITY

Carbonite and its global third-party cloud storage providers have reasonable and appropriate technical and organizational security measures in place to protect against unauthorized processing, loss, misuse and alteration of Personal Data under its control, including: (a) pseudonymization (such as where data is separated from identifiers so that linkage to an identity is not possible without additional information that is stored separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Personal Data, and (c) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures. Please be advised that we cannot, and we do not believe that anyone can, genuinely guarantee or warrant absolute security of Personal Data disclosed or transmitted via the Internet to us or a third-party. As a result, absent Carbonite’s gross negligence, customers and users agree to not hold Carbonite responsible for the theft, destruction, loss, damage or inadvertent disclosure of Personal Data or other data provided to Carbonite.

LINKING 

The Websites and Portals may contain links to third-party websites that Carbonite does not control or maintain. Carbonite is not responsible for the privacy practices employed by these third-party websites. Carbonite encourages users to read the privacy statements of such other websites before submitting any Personal Data.

REGARDING CHILDREN

Carbonite does not knowingly collect or distribute any Personal Data from children under 13 years old. If a child under 13 has provided Carbonite with Personal Data, the parent or guardian of that child should contact Carbonite immediately at privacy@carbonite.com to delete this Personal Data.

PRIVACY SHIELD FRAMEWORKS

EU-U.S. Privacy Shield. Carbonite has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Privacy Shield Framework and its Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability. Carbonite's certification under the Privacy Shield applies to all Personal Data subject to this Privacy Policy and transferred from the EEA to the U.S.  Carbonite is responsible for the processing of Personal Data it receives and subsequently transfers to a third-party acting as an agent on its behalf. Carbonite complies with the EU-U.S. Privacy Shield Principles for all onward transfers of Personal Data from the EEA, including the onward transfer liability provisions.

U.S.-Swiss Privacy Shield. Carbonite has certified to the U.S. Department of Commerce that it adheres to the U.S.-Swiss Privacy Shield Framework and its Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement. Carbonite's certification under the Privacy Shield applies to all Personal Data subject to this Privacy Policy and transferred from Switzerland to the U.S.  Carbonite is responsible for the processing of Personal Data it receives and subsequently transfers to a third-party acting as an agent on its behalf. Carbonite complies with the U.S.-Swiss Privacy Shield Principles for all onward transfers of Personal Data from Switzerland, including the onward transfer liability provisions.

Dispute Resolution. Disputes within the jurisdiction of the EU-U.S. or Swiss Privacy Shield Frameworks should first be referred to privacy@carbonite.com. Carbonite has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss Privacy Shield Principles to JAMS, Carbonite’s independent recourse mechanism. If a timely acknowledgement of a complaint is not received, or if we have not satisfactorily addressed a complaint, please contact or visit the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS for Privacy Shield complaints are provided at no cost to the complainant. If neither Carbonite nor JAMS resolves the complaint, customers and users may pursue binding arbitration through the Privacy Shield Panel. To learn more about the Privacy Shield Panel, visit here. Carbonite is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.  Without prejudice to any other administrative or judicial remedy, customers and users always have the right to lodge a complaint with the relevant data protection supervisory authority in their resident country.

Conflict. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. or Swiss Privacy Shield Principles, the Privacy Shield Principles shall govern according to jurisdiction. To learn more about the Privacy Shield program, and to view our certifications, please visit https://www.privacyshield.gov/.

DISPUTE RESOLUTION

Customers and users agree that any dispute or claim against Carbonite will be resolved by binding arbitration, rather than in court. Such disputes and claims shall be referred to and finally determined by arbitration in accordance with JAMS Streamlined Arbitration Rules and Procedures. By using the Products and Services or accessing the Websites or Portals, customers and users agree to not participate in or seek to recover monetary or other relief in any lawsuit filed against Carbonite alleging class, collective and/or representative claims. Instead, by agreeing to arbitration, customers and users may bring claims against Carbonite in an individual arbitration proceeding. Claims of more than one individual cannot be arbitrated or consolidated with those of any other individual. Customers and users acknowledge the advisement to consult with an attorney in deciding whether to accept this Privacy Policy prior to using the Products and Services, Websites or Portals including this arbitration agreement. If any provision of this Privacy Policy is held to be invalid, the remaining provisions shall not be affected.

CHANGES TO CARBONITE'S PRIVACY POLICY

As laws and best practices evolve, this Privacy Policy may change. Carbonite will provide email notification to customers and users if changes to the Privacy Policy are material. Continued use of the Products and Services after modification constitutes acceptance to the Privacy Policy, as modified. We encourage periodic review of the Privacy Policy for the latest information on our privacy practices.    

CONTACT CARBONITE

For questions related to this Privacy Policy generally, please email privacy@carbonite.com. To contact Carbonite’s Data Privacy Officer, or for questions related specifically to the EU-U.S. or Swiss Privacy Shield Frameworks or the General Data Protection Regulation, please email DPO@carbonite.com.

Carbonite (UK) Limited is Carbonite's representative in the European Union for data protection matters pursuant to Article 27 of the General Data Protection Regulation of the European Union. Carbonite (UK) Limited can be contacted at:
Carbonite (UK) Limited
Unit 1 The Triangle
Wildwood Drive
Worcester WR5 2QX
England United Kingdom