We, at Varonis Systems, Inc. and its wholly-owned subsidiaries (collectively, “we” or the “Company”), are committed to protecting the privacy of our business partners who are licensed to use our software (the “Software”) on their internal network (“you” or “Client”) and our Client’s end users who have access to any of the data resources monitored by our Software (“End Users”).
What information do we collect?
We collect two types of information when you or your End Users are using our Software:
- The first type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Information”), which includes the following:
  - Feedback: When you allow us (or our trusted third party service providers) to receive your End Users’ feedback and rating with regard to Software (“Feedback”), we may gather Personal Information which may include the following: email address of the End User, End User’s full name, End User’s IP address, and the Client’s email. In addition, we may collect Personal Information which your End User voluntarily shares with us when he sends us Feedback (e.g., identifying content, images, etc.).
- The second type of information is unidentified and non-identifiable information pertaining to you or to your End Users, which may be made available or gathered via your use of the Software (“Non-Personal Information”). We are not aware of the identity of the user from which the Non-Personal Information was collected.
  - Non-Personal Information which is being collected may include usernames, directory names, server names, share names, file names, configurations, logs related to Software and Client (e.g. event logs), browsing events and technical information transmitted by your device or your End Users’ devices, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you or your End Users are linked to the Software, etc.).
  - In addition, when you allow us (or our trusted third party service providers) to receive your End Users’ Feedback with regard to Software, we may gather Non-Personal Information which may include the following: Feedback rating, Feedback tags, Feedback text, browser type and language, operating system, viewport of the screen, page URL on which the Feedback has been given, screenshot of the screen on which Feedback was provided (with all textual strings redacted), and our clients.
Please note that when the Software is deployed by our Clients, it analyzes unstructured data that is stored on the Clients’ platforms. The Clients maintain sole ownership of this data and determine their own policies regarding the storage, access, deletion, sharing and retention of this data. This data is hosted and stored only on the Clients’ servers (not on the Company’s servers).
How do we use the information we collect?
We use the Personal Information for legitimate business purposes only, such as:
- To identify and authenticate End Users’ access to the Software;
- To obtain End Users’ Feedback with regard to the Software;
- To improve our Software;
- To support and troubleshoot our Software and to respond to queries; and
- To investigate violations and enforce our policies, and as required by law, regulation or other governmental authority, or to comply with a subpoena or similar legal process or respond to a governmental request.
We use the Personal Information only to the extent required and while maintaining your right to privacy.
With whom do we share the information we collect?
We may transfer or disclose Personal Information to our subsidiaries and other affiliated companies. In addition, Client’s and End User’s Personal Information may be disclosed to other trusted third party service providers or partners for the purpose of: (i) storing Personal Information on our behalf (e.g., cloud computing service providers); (ii) assisting us with our business operations and Software and improving it (e.g., processing and analyzing End Users’ Feedback); and (iii) performing research, technical diagnostics and analytics with regard to the Software.
Since we operate globally, it may be necessary to transfer Personal Information to countries outside the European Union. The data protection and other laws of these countries may not be as comprehensive as those in the European Union − in these instances, we will take steps to ensure that a similar level of protection is given to Personal Information. You hereby consent to the transfer of your and your End Users’ Personal Information to countries outside the European Union.
Third party collection of information
Our policy only addresses the use and disclosure of information we collect from you and from your End Users through the Software. To the extent that you or your End Users disclose your information to other parties through the Software, different rules may apply to their use or disclosure of the information disclosed to them.
How long do we retain the information we collect?
At any time, you or your End Users may request to change, update, correct errors or delete Personal Information by emailing us at firstname.lastname@example.org
Please note that unless you instruct us otherwise we retain the information we collect for as long as needed to provide our services and to comply with our legal obligations, resolve disputes and enforce our agreements.
The Company has an archiving process that determines the period during which the information is available. After the archiving period is reached, the information is archived, and Client can restore it once needed. Our default retention policy is 180 days, but Client can adjust the archive policy to its needs.
We may rectify, replenish or remove incomplete or inaccurate information, at any time and at our own discretion.
How do we safeguard and transfer your information?
We are committed to making reasonable efforts, in accordance with market best practices, to ensure the security, confidentiality and integrity of the Personal Information. We take great care in implementing and maintaining the security of the Software and the Personal Information. Access to the Personal Information is based on the ‘least to know’ concept together with role-based access control systems, ensuring only authorized access to the Personal Information. We employ market best practice security measures to ensure the safety of your End Users’ Personal Information and prevent unauthorized use of any such information. Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access or abuse our Software, and we make no warranty, express, implied or otherwise, that we will prevent such access. If a password is used to help protect your accounts and Personal Information, it is your responsibility to keep your password confidential.
What are your rights?
You may contact us at email@example.com any time and request:
- To access, delete, change or update any personal data relating to you (for example, if you believe that your Personal Information is incorrect, you may ask to have it corrected);
- That we will cease any further use of your Personal Information or delete your information (for example, you may ask that we stop using or sharing your Personal Information with third parties).
If you wish to raise a complaint on how we have handled your Personal Information, you may contact us at the addresses indicated below.
The Software is not designated to End Users under the age of 18. In the event that we become aware that End Users under the age of 18 have shared any information, we will discard such information. If you have any reason to believe that a minor has shared any information with us, please contact us at firstname.lastname@example.org.
How to contact us
Data Protection Officer: Mr. Gilad Raz, CIO & VP of Technical Services
If you are unsatisfied with our response, you can reach out to the applicable data protection authority for the Company affiliates for the purpose of the EU General Data Protection Regulations: the Data Protection Commissioner in Ireland: Telephone: +353 (0)761 104 800; E-mail: email@example.com; Postal Address: Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.