Last updated: May 2018
WHAT DATA WE COLLECT
Carbonite’s customers and users voluntarily provide us with data, including data that can be used to identify, either directly or indirectly, an individual (“Personal Data”) when they purchase or use our products and services (together, “Products and Services”) and access our websites or portals (“Websites” or “Portals”).
Data Provided by Users and Customers.
- Name, address, email, telephone number, username and password (collectively "Account Information")
- Credit card, debit card, banking or other payment information
- Information submitted as a result of completing forms on our Websites or Portals, entering a promotion or survey or subscribing to, commenting on or downloading information from our Websites or Portals
- Customer content stored, processed, maintained or transmitted using our Products and Services
- File system information such as stored file folder names, file extensions, file sizes, and the configuration of any device registered for use in connection with the Products and Services, including any hardware delivered as part of the Products and Services (each a "Device")
- Technical information as a result of configuring the Products and Services, including IP addresses, browser-type, device-type, internet service provider, referring or exiting pages, operating system, date and time stamp or clickstream data
- Any other information shared with us directly or indirectly through a customer’s or user’s use of the Products and Services, Websites or Portals
Aggregate Information. To the extent permitted by applicable law, Carbonite may use, process, transfer and store customer and user data in an anonymous (or pseudonymous) and aggregated manner. We may combine such data with other information collected, including information from third-party sources. By using the Products and Services, our customers and users agree that we are permitted to collect, use, share and store anonymized (or pseudonymized) aggregated data collected through the Products and Services for benchmarking, analytics, metrics, research, reporting, machine learning and other legitimate business purposes.
Automated Decisions. To the extent permitted by applicable law, Carbonite may collect data in an automated manner and make and use automated decisions about customers, including using machine learning algorithms, in order to provide or optimize the Products and Services, for security or analytics purposes, to display advertisements and offers based on individual preferences and for any other lawful purpose.
WHY WE USE DATA
Carbonite processes data, including Personal Data, for a variety of purposes, such as:
- With customer or user consent, e.g., to receive marketing materials
- Where the processing is necessary for the performance of a contract, e.g., to facilitate backing-up and restoring data, for archiving purposes, or to provide technical support
- Where necessary to comply with law
- Where the processing is necessary for the purposes of our legitimate interests, taking into account individual interests. Our legitimate interests include providing the Products and Services, internal record-keeping and administrative purposes and to operate, maintain and improve the Websites or Portals
We use certain automatic data collection technologies such as cookies, web beacons, pixel tags and other technologies to collect data, including Personal Data, when users or customers visit the Websites or Portals, use the Products and Services or interact with us, and may share this data with our third-party marketing vendors (including for example, advertising networks and providers of external services like web traffic analysis services and analytics tools). We explain these technologies below.
Cookies. Cookies are small text files placed on a computer by a web server when browsing online and are used to store user preference data so that a web server doesn't have to repeatedly request this information. A user may block cookies by activating the settings on the browser that blocks all or some cookies. However, if a user blocks all cookies (including strictly necessary cookies), a user may not be able to access all or parts of our Websites or Portals. We use the following cookies:
- Strictly Necessary Cookies. These cookies are required for the operation of our Websites and Portals. They include, for example, cookies that enable a customer to log-in to secure areas of our Websites and Portals and use e-commerce.
- Analytical and Performance Cookies. These cookies allow us to recognize and count the number of users visiting our Websites and Portals and see how those users navigate our Websites or Portals. This helps us to improve our Websites and Portals.
- Functionality Cookies. These cookies recognize a user that returns to our Websites or Portals. This enables us to personalize our content, greet the user by name and remember preferences, for example, choice of language or region.
- Targeting Cookies. These cookies record visits to our Websites or Portals and the links followed. We use this information to improve our Websites or Portals and ensure the advertising displayed is relevant to users.
Web Beacons. A web beacon is a small pixel incorporated into a web page or email to keep track of activity on the page or email. A web beacon helps us better manage the content of our Websites by informing us of what content is effective.
Cross-device Tracking. We may use third-party cross-device tracking. For example, a user may use multiple browsers on a single device, or use various devices, which can result in the customer having multiple accounts or profiles across various devices. Cross-device tracking may be used to connect these various accounts or profiles and the corresponding data from different devices.
GLOBAL DATA MANAGEMENT
Carbonite is a global organization. As a result, data collected by us, including Personal Data, may be transferred or accessed by Carbonite’s subsidiaries and affiliates in other countries around the world regardless of a customer or user country of residence. Please note that by using the Products and Services, Websites or Portals or by providing Personal Data to us, customers and users acknowledge and agree that Personal Data may be sent to and processed in countries outside your country of residence, including the U.S. For individuals residing in the European Economic Area (“EEA”), and for Personal Data subject to European data protection laws, this includes transfers outside of the EEA. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in your country of residence, however, we will take steps to ensure Personal Data is handled in accordance with the EU-U.S. and Swiss Privacy Shield Frameworks and/or the General Data Protection Regulation, as applicable.
WHEN AND WHY WE SHARE YOUR PERSONAL DATA
We do not and will not sell Personal Data to marketers or other vendors.
We may share data, including Personal Data, in the following circumstances:
Service Providers. Carbonite may share data, including Personal Data, with our contracted third-party service providers in order to provide and improve our Products and Services, Websites or Portals or to administer surveys and user analysis to better understand user needs and preferences. These third-parties include affiliates and subsidiaries, business partners, payment and delivery services, advertising networks, analytics providers, credit reference agencies, social media companies, email distributors, marketing automation partners, customer survey companies, data storage and hosting partners, IT specialists and product developers.
Legal Purposes. Carbonite may share data, including Personal Data, as necessary to comply with applicable law, court orders, governmental agencies, for the administration of justice, to protect vital interests, to protect the security or integrity of Carbonite’s databases, Products and Services, Websites or Portals, or to take precautions against legal liability.
Sale. In the event of a merger, consolidation, or acquisition of all, substantially all or a portion of Carbonite’s business or assets, Carbonite may share data, including Personal Data. Customers and users acknowledge and agree that data, including encrypted stored data and Personal Data that Carbonite has collected, may be securely shared, disclosed and transferred to such successor or assignee.
RETENTION OF DATA
We may retain data, including Personal Data, for as long as necessary to deliver the Products and Services or as needed for other lawful purposes. We may retain anonymized or pseudonymized, aggregated data indefinitely or to the extent permitted under applicable law.
Subject to applicable data protection laws, customers and users have the following rights with respect to Carbonite’s handling of Personal Data:
- Access. The right to access Personal Data held by Carbonite.
- Opt-Out. The right to object to certain processing of Personal Data (unless Carbonite has overriding compelling grounds to continue processing), including the right to opt-out of receiving direct marketing. We will, however, continue to use Personal Data for the limited purpose of communicating important notices relating to purchases, changes to Products and Services or policies, and other reasons permitted by law.
- Rectification. The right to request correction of Personal Data that is incomplete, incorrect, unnecessary or outdated.
- Right to be Forgotten. The right to request erasure of all Personal Data that is incomplete, incorrect, unnecessary or outdated within a reasonable period of time. Carbonite will do everything possible to erase Personal Data if a user or customer so requests. However, Carbonite will not be able to erase all Personal Data if it is technically impossible due to limitations of existing technology or for legal reasons, such as Carbonite is mandated by applicable law to retain Personal Data.
- Restriction of Processing. The right to request restriction of processing Personal Data for certain reasons, such as the inaccuracy of Personal Data.
- Data Portability. If requested, Carbonite will provide Personal Data in a structured, secure, commonly used and machine-readable format.
- Right to Withdraw Consent. If Personal Data is processed solely based on consent, and not based on any other legal basis, customers can withdraw consent at any time.
- Data Protection Contact. The right to contact the relevant data protection regulator regarding Carbonite’s handling of Personal Data.
To exercise any of the above listed rights, email Carbonite at email@example.com, contact customer support at 1-877-222-5488 or the appropriate geographical telephone number found here, or mail Carbonite, Inc., Two Avenue de Lafayette, Boston, MA 02111, Attn: Privacy. Carbonite will process requests in accordance with applicable law and within a reasonable period of time.
CARBONITE AS A DATA CONTROLLER AND PROCESSOR
DO NOT TRACK
Carbonite belongs to advertising networks that may use browsing history across participating websites to show interest-based advertisements. Currently, our Products and Services do not recognize if a browser sends a "do not track" signal or similar mechanism to indicate the wish not to be tracked or receive interest-based advertisements.
CALIFORNIA PRIVACY RIGHTS
Under California’s "Shine the Light" law, California residents who provide Personal Data in obtaining Products and Services for personal, family or household use are entitled to request and obtain from Carbonite, once per calendar year, information about Personal Data Carbonite has shared, if any, with other businesses for their own direct marketing uses. Carbonite does not currently share your Personal Data with other businesses for their own direct marketing uses. However, if applicable, this information would include the categories of Personal Data and the names and addresses of those businesses with which Carbonite shared Personal Data for the immediately prior calendar year (e.g., requests made in 2018 will receive information regarding 2017 sharing activities). To obtain this information, please send an email to firstname.lastname@example.org with "Request for California Privacy Information" in the subject line, or mail Carbonite, Inc., Two Avenue de Lafayette, Boston, MA 02111 Attn: Privacy.
Carbonite and its global third-party cloud storage providers have reasonable and appropriate technical and organizational security measures in place to protect against unauthorized processing, loss, misuse and alteration of Personal Data under its control, including: (a) pseudonymization (such as where data is separated from identifiers so that linkage to an identity is not possible without additional information that is stored separately) and encryption, (b) ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Personal Data, and (c) ensuring a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational security measures. Please be advised that we cannot, and we do not believe that anyone can, genuinely guarantee or warrant absolute security of Personal Data disclosed or transmitted via the Internet to us or a third-party. As a result, absent Carbonite’s gross negligence, customers and users agree to not hold Carbonite responsible for the theft, destruction, loss, damage or inadvertent disclosure of Personal Data or other data provided to Carbonite.
The Websites and Portals may contain links to third-party websites that Carbonite does not control or maintain. Carbonite is not responsible for the privacy practices employed by these third-party websites. Carbonite encourages users to read the privacy statements of such other websites before submitting any Personal Data.
Carbonite does not knowingly collect or distribute any Personal Data from children under 13 years old. If a child under 13 has provided Carbonite with Personal Data, the parent or guardian of that child should contact Carbonite immediately at email@example.com to delete this Personal Data.
PRIVACY SHIELD FRAMEWORKS
Dispute Resolution. Disputes within the jurisdiction of the EU-U.S. or Swiss Privacy Shield Frameworks should first be referred to firstname.lastname@example.org. Carbonite has further committed to refer unresolved privacy complaints under the EU-U.S. and Swiss Privacy Shield Principles to JAMS, Carbonite’s independent recourse mechanism. If a timely acknowledgement of a complaint is not received, or if we have not satisfactorily addressed a complaint, please contact or visit the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS for Privacy Shield complaints are provided at no cost to the complainant. If neither Carbonite nor JAMS resolves the complaint, customers and users may pursue binding arbitration through the Privacy Shield Panel. To learn more about the Privacy Shield Panel, visit here. Carbonite is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Without prejudice to any other administrative or judicial remedy, customers and users always have the right to lodge a complaint with the relevant data protection supervisory authority in their resident country.