Last updated: May 09, 2018
HashiCorp, Inc. (“HashiCorp”, “we”, “us” or “our”) respects the privacy of our users (“data subject”, “user”, “you”, or “your”). This Policy applies to information we collect when you use our website https://www.hashicorp.com (“Site”) including any other media form, media channel, mobile website, or mobile application related or connected thereto provided or officially sponsored by HashiCorp, or any other HashiCorp websites that link to this Policy (collectively, the “Websites”).
Any information relating to an identified or identifiable natural person (“data subject” or “user” or “you”), is considered personal data. An identifiable natural person is anyone who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive Personal Data
This refers to the various categories of personal data identified by European and other data privacy laws as requiring special treatment, including (in some circumstances) the need to obtain explicit consent. These categories comprise personal identity numbers, personal data about your personality and private life, racial or ethnic origin, nationality, political opinions, membership of political parties or movements, religious, philosophical or other similar beliefs, membership of a trade union or profession or trade association, physical or mental health, genetic code, addictions, sexual life, property matters or criminal records (including information about suspected criminal activities).
When you share personal data with us for processing, you become the data subject according to the General Data Protection Regulation, making us the controller responsible for processing.
Controller, Controller Responsible for Processing
The legal person, public authority, agency or other body which determines the purposes and means of processing personal data, whether alone or jointly with others. Where the purposes or means of processing are determined by Union or Member State law or other applicable law, rules or regulations, the controller (or the specific criteria for nominating the controller) may be provided for by the governing authority.
We consider any operation or set of operations performed on any personal data to be processing, whether through automated means or otherwise. Such operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction, and disseminating or otherwise making personal data available.
Restriction of Processing
To limit the processing of personal data in the future, such data may be marked to indicate this restriction of processing.
Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person is considered profiling. In particular, such processing may be used to analyze or predict aspects concerning that natural person’s performance at work, health and economic situation, personal preferences, interests, reliability, behavior, location or movements.
Processing personal data in a way that prevents that data from being attributed to a specific user without additional information is considered pseudonymization. This process ensures that information required to identify a natural person using pseudonymized data is kept separately, and is subject to both administrative and technical measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
As defined by the General Data Protection Regulation, the processor is a natural or legal person, public authority, agency or other body that processes data on behalf of the controller.
The recipient is any natural or legal person, public authority, agency or other body to which personal data is disclosed, whether a third party or otherwise. Public authorities, however, which may receive personal data in the framework of a particular inquiry (in accordance with Union or Member State law, and other applicable laws, rules, and regulations), are not considered recipients. Processing of personal data by those public authorities must be in compliance with the applicable data protection rules according to the purposes of such processing.
Third parties consist of any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
We consider consent of a user to be any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data relating to them, either by a statement or by a clear affirmative action.
What tracking technologies do we use?
We use automated website analytics
We partner with selected third party vendors, such as Cloudflare, Google Analytics, Segment, HotJar, and Netlify which may allow tracking technologies and remarketing services on our Websites through the use of first party cookies and third party cookies, to, among other things, analyze and track users’ use of our Websites, determine the popularity of certain content and better understand online activity.
By accessing the Websites, you consent to the collection and use of your information by these third-party vendors. You are encouraged to review their privacy policies and contact them directly for responses to your questions. We do not transfer personal information to these third-party vendors. However, if you do not want any information to be collected and used by tracking technologies, you can visit the third party vendor or Network Advertising Initiative Opt-Out Tool or Digital Advertising Alliance Opt-Out Tool.
Note: You should be aware that getting a new computer, installing a new Internet browser, upgrading an existing browser, or erasing or otherwise altering your Internet browser’s cookies may also clear certain opt-out cookies, plugins or settings.
We use tracking pixels for email updates and newsletters
Our newsletter and emails sent from or on behalf of HashiCorp may contain tracking pixels, or a transparent image embedded in emails to enable log file recording and analysis. We use information collected in this manner to perform statistical analysis of the success or failure of online marketing and customer outreach efforts. Based on the embedded tracking pixel, we may be able to determine if and when an email was opened, and which links in the email were accessed.
Personal data collected using tracking pixels is stored and analyzed by us (and is not shared with third parties) to optimize the delivery of our newsletters and emails, and to improve the relevance of the distributed content. Many email clients and web browsers support functionality to opt out or prevent the use of these tracking mechanisms, however users are entitled to revoke their consent to receiving our newsletter at any time, after which personal data collected in this manner will be deleted by us. We automatically consider a withdrawal or cancellation of subscription to our newsletter as a revocation of your consent.
Here’s our take on Do-Not-Track signals
What data do we collect?
While we try to limit the amount of data about you that we collect, it’s not always avoidable to provide our services to you. To receive services from us, you may be asked to share certain information as a contractual or statutory requirement (e.g., tax regulations). You are not obliged to share any information with us, however refusal to do so may result in any existing or proposed contract to be terminated or otherwise rendered void.
More specifically, information we may collect through the Websites includes:
We may collect personal data
When you access or register with the Websites, or when you choose to participate in other activities related to the Websites like online chat, contact or support, purchases, and subscriptions to services or newsletters, you may be asked to voluntarily share personally identifiable information with us. This information includes details such as your name, shipping address, email address and telephone number, as well as demographic information such as your age, gender, hometown, place of employment and interests. You’re not obligated to provide us with any personal information of any kind, and you are free to change or completely remove any information shared with us at any time, however refusing to provide requested personal data might prevent you from using certain features of the Websites.
If you choose to register for an account with HashiCorp or on our Websites, it may be possible for you to share personal data with us. Personal data that we ask for will be indicated as such with an explanation of why we are requesting it, and what it will be used for. By registering and providing us with personal data in this manner, you are providing explicit consent for your information to be used in accordance with this Policy.
We may require additional verification of your consent through a double opt-in procedure where we send a confirmation email to the email address provided for legal purposes and to prevent abuse of our services. To make sure we’re sending newsletters to only those who are interested in receiving them, we may periodically send additional confirmation emails to verified subscribers of our newsletter. Other than confirmation emails, we will not send unsolicited email newsletters to an email address without first receiving consent.
We generally don’t seek to collect sensitive personal data through our Websites, but if we do, we will ask you to consent to our proposed uses of the data. We may also collect some sensitive personal data incidentally. By providing us with unsolicited sensitive personal data, you consent to our using the data subject to applicable law as described in this Policy.
You might provide financial data
When you purchase, order, return, exchange or request information about our services from the Websites, you may be asked to share financial data with us related to your payment method. This information may include your valid credit card number, card brand, and expiration date, as well as other details necessary to process your payment information. We store only very limited (if any) financial information that we collect. Otherwise, all financial information is processed and stored by our payment processors, such as Stripe and PayPal. We encourage you to review their privacy policies and contact them directly for responses to your questions.
You might voluntarily share additional data
We automatically collect any information you provide when you voluntarily submit it to us such as your first name, last name, email address, phone number, job title and company name. You may choose to contact us by email or through our Websites for a variety of purposes such as product or company inquiries, customer support inquiries and sales requests. Throughout our Websites, we may also provide the opportunity to register for events or conferences, order or request white papers, or participate in online surveys. When we collect this type of information, we will notify you as to why we are asking for information and how this information will be used. It is completely up to you to choose whether or not you want to provide it.
We also provide the ability to submit job applications to our open job listings. To appropriately respond to your application, we need to collect and process your provided personal data, which may also be carried out electronically. If we begin an employment contract with you, your submitted application data will be stored for the purpose of processing the employment relationship in compliance with legal requirements. With your consent, we may store your application data for up to twelve months for future consideration for employment with us. Otherwise, your application data will automatically be erased six (6) months after notification of the refusal decision, provided that we have no other legitimate interests that require such data such as burden of proof under the Equal Opportunity Act and General Equal Treatment Act.
We do collect some general data
Whenever you (or any other manual or automated system) accesses our Websites, we collect some general data and information about the request and store the relevant details in server or system log files. This data includes details like your IP address, your browser type and version used, your operating system, the time and date you accessed the Websites, and the pages you viewed directly before and after accessing the Websites. Additional detail may be collected or derived from this information for use in the event of an attack on our information technology systems.
We use this information to make sure the content of our Websites is delivered correctly, to optimize our Websites content, marketing and advertisements, to ensure the long-term performance and viability of our information technology systems and Websites, as well as to provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
To support these efforts, we analyze anonymously collected data and information statistically, with the aim of increasing the data protection and security of our company, and to maintain an optimal level of protection for the personal data we process. This anonymous data is stored separately from all personal data provided by users to protect their privacy and ensure that we do not draw any conclusions about any individual users when analyzing this data.
How long do we keep your data?
We only process and keep any personal data that you share with us for as long as needed to achieve the purpose of storage, as long as consent is maintained, or as long as is granted by the European or other legislators in laws or regulations we are subject to. The exact length of time we keep personal data depends on the respective statutory retention period for that type of information. After that period of time passes, or if storage of personal data is not applicable, personal data is routinely blocked, deleted or erased as long as it is no longer necessary for the fulfillment or initiation of a contract with us.
How do we use your information?
Having accurate information about you helps us provide a smooth, efficient, and customized experience. Generally speaking, we use any information we collect to provide services to you, keep our Websites running smoothly, and protect us legally. More specifically, we may use information collected about you via our Websites to:
Create and manage your account
Contact you about your account or orders
Fulfill and manage purchases, orders, payments and other transactions related to the Websites or HashiCorp
Provide and deliver products and services you request, process transactions, and to send you related information including confirmations and invoices
Send you a newsletter once you successfully subscribe
Respond to your comments, questions and requests and provide customer service
Send you technical notices, updates, security alerts and support and administrative messages
Compile anonymous statistical data for use internally or with third parties
Maintain and improve the efficiency and operation of our Websites and products
Assist with the development of our products and other purposes related to HashiCorp’s business
Monitor and analyze usage and trends to improve your experience with our Websites and products
Process and deliver contest entries and rewards
Assist law enforcement and respond to subpoenas, and to resolve disputes and troubleshoot problems
In accordance with applicable law, information covered by this Policy may be transferred to, and processed in, the United States or any other country in which HashiCorp or its affiliates, subsidiaries or service providers maintain facilities, even if the level of data privacy required in that country is less than that required by the European Union or other jurisdictions. By accessing our Websites or submitting your personal data to us, you consent to such transfers and to the worldwide processing of your personal data.
HashiCorp will not use or share your personal information in ways unrelated to those described above without first notifying you and offering you a choice as to whether or not we may use your personal data in a different manner. We do not use automatic decision-making or profiling, and will not sell your personal data for any purpose.
When do we share your information?
We try not to share your personal information that you’ve shared with us, but it may be necessary to disclose it in certain situations. We will not sell individual information and will share it only as outlined in this Policy.
When you ask us to share it
We display personal testimonials of satisfied customers on our Websites in addition to other endorsements. With your consent, we may post your testimonial along with your name on our Websites. If you wish to update or delete your testimonial, please contact us at email@example.com.
To obey the law or protect rights
If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies or fraudulent activities, or when we believe in good faith that disclosure is necessary to protect our rights, property, and safety, we may share your information as permitted or required by any applicable law, rule or regulation, including exchanging information with other entities for fraud protection and credit risk reduction. We will have no duty to notify you of such compliance with local law where applicable.
To support necessary business activities
We may share your information with advertisers and investors for the purpose of conducting general business analysis. Additionally, we may share your personal data with third parties necessary to provide you with services you have requested such as our hosting, email service, analytics, customer service, parcel delivery service, event or campaign management providers. These parties are authorized to use your personal data only as necessary to provide these services to us or on our behalf, and it is up to you whether or not you choose to provide it. We may also share your information with such third parties for marketing or remarketing purposes, as permitted by applicable law, rule or regulation. Where possible, we attempt to anonymize or pseudonymize your personal data to limit any potential for direct disclosure.
In the U.S. and other jurisdictions with similar laws, we will only share your personal information if you have not expressed your preference by opting out of having your information shared. In countries that are members of the European Union and all other jurisdictions with similar laws, we will only share your personal information if you have agreed to allow us to share your information with third parties. You have the opportunity to not receive such marketing materials from third parties by updating your subscription preferences.
If you choose to share it
Our Websites offer publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at firstname.lastname@example.org.
Additionally, for certain features on our Websites, specifically those for applying to a job opening at HashiCorp, you may use sign-in services such as LinkedIn or other OpenID providers. These services will authenticate your identity, provide you with the option to share certain personal information (such as your name and email address) with us, and to pre-populate our application form. Services like LinkedIn often give you the option to post information about your activities on our Websites to your profile page to share with others within your network.
We may also partner with other companies that offer products or services related to ours or that host or sponsor related events. In such instances, we may share your information with these business partners if you express interest in such products, services or events if you provide your personal information to event sponsors at their booths or presentations.
Note: In some cases, we may not be able to guarantee the removal of your personal data, in which case we will let you know if we are unable to do so and why.
If you leave the Websites to a third party
Before visiting and providing any information to any third party websites, we encourage you to inform yourself of the privacy policies and practices (if any) of the third party responsible for that website. You should take those steps necessary to protect the privacy of your information as you see fit. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Websites.
It’s worth noting that we have no authority to manage or control third party solicitations, and are not responsible for the content or actions of third parties with whom you share personal or sensitive data. If you no longer wish to receive correspondence, emails or other communications from any third parties, you are responsible for contacting such third parties directly.
In the event of a merger or acquisition
What are my rights with personal data?
We recognize, under the EU-US and Swiss-US Privacy Shield and the General Data Protection Regulation, that you have certain rights in regards to your personal data. We feel that your privacy and ability to preserve and exercise your rights is very important. You are encouraged to review and understand these rights as they pertain to you and your personal data. These rights include, but are not limited to:
Right to be Informed
Right of Access
Right to Rectification
Right to be Forgotten
Right to Restriction of Processing
Right to Data Portability
Right to Object
Right to Withdraw Consent
In support of these rights, upon request HashiCorp will provide you with information about whether we hold any of your personal data. You may update, correct or delete information about you at any time by contacting us at email@example.com. If you wish to delete or suspend your account, please contact us at firstname.lastname@example.org, but note that we may retain certain information as required by law or for legitimate business purposes. If you have become aware that an account has been created about you without your knowledge or consent, you may contact us at email@example.com to request deletion of that account.
For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. Please allow us a reasonable amount of time to respond to your request.
Note: We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may also retain cached or archived copies of your information for a certain period of time.
How do you protect my information?
HashiCorp takes reasonable administrative, technical and physical security measures to help protect your personal data from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. We follow generally accepted standards to protect the personal data submitted to us, both during transmission and once it is received, taking into account the nature of such data and the risks involved in processing, and comply with applicable laws and regulations.
While we have taken reasonable steps to secure the personal data you provide to us, please be aware that despite our best efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties. Therefore, we cannot guarantee complete security if you provide personal data via our Websites. To this end, you are free to transfer personal data to us through alternative means as necessary, e.g. by telephone or posted mail.
If you have any questions about security or any reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact us at firstname.lastname@example.org.
Where can I get more information?
Policy For Children
Our Websites and products are not intended for, nor designed to attract individuals under the age of eighteen (18). HashiCorp does not knowingly collect personally identifiable information from any person under the age of eighteen.
California Privacy Rights
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with our Websites, you have the right to request removal of unwanted data that you publicly post on our Websites. To request removal of such data, please contact us using the contact information provided below, and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on our Websites, but please be aware that the data may not be completely or comprehensively removed from our systems.
Note: HashiCorp does not monitor, recognize, or honor any opt-out or Do-Not-Track (“DNT”) mechanisms including general web browser DNT settings and/or signals at this time.
Notice to All Non-US Residents
Our servers are located in the US. If you are located outside of the US, please be aware that any information provided to us, including personal information, will be transferred from your country of origin to the US. Except in the case of data transfers under the EU-US Privacy Shield, the Swiss-US Privacy Shield, and the General Data Protection Regulation (GDPR), your decision to provide such data to us, or allow us to collect such data through our Websites, constitutes your consent to this data transfer.
Notice for Residents of the European and Swiss Economic Areas
HashiCorp is committed to subjecting all personal data received from European Union (“EU”) member countries and Switzerland, in reliance on the Privacy Shield Framework (“Privacy Shield”), to the Privacy Shield’s applicable Principles. To learn more about the Privacy Shield Framework, and to view our certification page, please visit: https://www.privacyshield.gov
HashiCorp is responsible for the processing of personal data we receive, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on our behalf. HashiCorp complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including, unless we prove that we are not responsible for the event giving rise to the damage, the onward transfer of liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, HashiCorp is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, HashiCorp may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance. Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted and upon written notice to HashiCorp at email@example.com.
Changes to This Policy
℅ Security and Privacy Office
101 Second Street, Suite 575
San Francisco, CA 94105
Phone: +1 (415) 301-3250