BIGID PRIVACY NOTICE
Last Updated: June 13, 2023
This Privacy Notice (or “Notice”) describes the information that BigID, Inc. (“BigID”, “our”, “we”, or “us”) may collect, use, and disclose about you when you visit our websites www.bigid.com, www.smallid.com, and university.bigid.com (“Website”); sign up or attend our events, webinars, and newsletters; register for a demonstration or trial of our product; use our on-premise solution or one of our cloud hosted product offerings either as a Customer or as a limited user; and any other use of our product, platform, or applications (collectively, the “Services”).
BigID is committed to the responsible collection and use of Personal Information. This Notice governs the collection, use, and disclosure of any Personal Information that is provided to us by Customers or users (“You”) as part of our Services.
If you have questions about anything in this Notice, please contact us at [email protected].
This Notice Covers Our Privacy Practices On:
- Safeguarding Information
- Our Use of Information Technologies
- Managing Your Preferences
- Use of Services By Minors
- International Transfers
- Residents in the EEA, UK, and Switzerland
- US Data Privacy Laws
- Updates to this Notice
- Contact Us Information
Customers & Customer Data: BigID is a service provider/data processor for the companies that use our platform. We refer to such companies as “BigID Customers”, and to the content and information submitted by those companies as “Customer Data” in this Notice.
Where BigID collects or processes Customer Data, it generally does so on behalf of a BigID Customer. If you are using the Services by invitation or on behalf of a Customer (for example, your employer) that Customer determines its own policies regarding storage, access, modification, deletion, sharing, and retention of Customer Data that may apply to your use of the Services. Please check with the Customer about the policies and settings it has in place.
|Type of Information Collected||Description|
|Personal Information||When setting up new Customers for the BigID platform, we collect Personal Information, such as name and email address, to provide them with the Services. The types of information we may collect directly from our customers and their users include: names, usernames, email addresses, postal addresses, phone numbers, job titles, transactional information (including Services purchased), as well as any contact details or other information they choose to provide us or upload to our systems in connection with the Services.|
|Administrative & Support Data||BigID collects information about the use and access of our Services, which may include administrative and support communications with us, messages, persons, features, content, and links you interact with, and the third party integrations you use (if any).|
|Payment Information||BigID, and/or its affiliates, consultants, vendors, and third party payment processors may collect and store billing addresses and when our Customers purchase the Services.|
|Third Party Integrations||If you integrate a third party service when using the Services, we will connect that third party service to the BigID platform. The third party provider of the integration may share certain information about your partnership with BigID.|
|Additional Data||Customers may choose to use one of our additional compliance service offerings, such as our Privacy Portal or BigID.me. The data processed through these offerings is treated as Personal Information, which is subject to the restrictions set forth in the underlying agreement between BigID and the Customer (“Customer Agreement”).|
|Employment Information||If you apply for an open position with us, BigID will collect employment application information, such as your resume, LinkedIn profile, cover letter, and online portfolio.|
|BigID University & BigID On-Demand Lab Services||When accessing the BigID University Website or the BigID Sandboxes offered through our On-Demand Lab Services, we may collect certain information about your general usage data, such as website clicks, mouse movements, interactions with flows, and potentially, browser types. We do not collect users’ names, emails, or IP addresses when interacting with either the BigID University Website or BigID On-Demand Lab Services.|
|Developer Community||When a Customer or user participates in our Developer Community, BigID may collect an email address, a photo, domain details, user name for the individual participating, and other similar information. BigID may also collect commercial contact info, such as a mailing address, as well as information about the individual’s device.|
|User Feedback||While using the Services or attending one of our events, you may be asked to provide feedback (e.g., in the software directly, following a webinar, or after receiving help from our support team).|
|Non-Personal Information||We may collect information that does not reveal your specific identity (“Non-Personal Information”), such as: (a) browser and device information, (b) information collected through cookies, pixel tags, and other technologies; (c) demographic information; and (d) aggregated information. If we are required to treat Non-Personal Information as Personal Information under the applicable law, then we may process it for the purposes of which we collect, use, and disclose Personal Information as detailed in this Notice. For more information, see our Cookies and Similar Technologies Notice.|
Website, Demo Registration, & Events:
BigID may collect information from you when you join one of our virtual or in person events, or sign up for promotional newsletters. More details are below:
|Personal Information||We collect Personal Information that you choose to provide or send us, such as when you register for a BigID webinar or submit an online form to “Request a Demo” of our Services. We also keep a record of any correspondence that you send when you contact us through the Website.|
|Device Information||BigID collects certain information related to your device when you visit our Website, such as your device’s IP address in an encrypted format, the referring website, the pages your device visited, and the time that your device visited our Website. We consider this to be “Non-Personal Information” as defined above.|
|Marketing & Promotions||We may collect information on preferences for receiving marketing communications and details about how you engage with us.|
|Information From Other Sources||We may collect information made available to us through third-party platforms, online databases or directories, and other means. We specify that data sourced from these third parties must be legitimately obtained. Please note that this information may be governed by the privacy statement of the third party.|
|Information Collected by Cookies & Similar Technologies||We use various technologies to collect information, which may include saving cookies to users’ computers. For more information, see our Cookies and Similar Technologies Notice.|
We use your information for the following purposes, or as otherwise described to you at the time of collection.
Customer Data: BigID may access and use Customer Data as reasonably necessary in accordance with the Customer’s instructions to:
|Use/Purpose of Processing Customer Data||Description|
|Administer & Operate the Services||We may access and use Customer Data to (a) provide, operate, maintain, enhance, administer, and improve the Customer’s use and configuration of BigID’s Services; (b) to prevent or address service, security, and technical issues in connection with a Customer support matter; (c) to respond to Services-related or employment-related requests, questions, and feedback; and (d) as set forth in the Customer Agreement or as expressly permitted in writing by the Customer.|
|Legitimate Business Purposes||Customer Data may be used for legitimate business purposes, such as data analysis; audits; developing new products; identifying usage trends; determining the effectiveness of our promotional campaigns; and operating and expanding our Service activities.|
|Benchmarking||BigID may aggregate and anonymize Customer Data across multiple accounts and use this data to improve or enhance engagement of our Services, or to create and publish (subject to the confidentiality restrictions in the Customer Agreement) industry benchmarks or comparative performance metrics.|
|Communications||We use Customer Data to manage and communicate with you regarding our Services, including by sending you Services announcements, technical notices, updates, security alerts, and support and administrative messages.|
|Legal & Compliance Purposes||Customer Data may be used as required by law or as permitted by a lawful data request (e.g., subpoena).|
|Security, Fraud Prevention, & Compliance||We may use information as we believe appropriate to (a) investigate or prevent violation of the law or our Terms of Services; (b) secure the Services; (c) protect our, your, or others’ rights, privacy, safety, or property; (d) conduct fraud monitoring and prevention activities; and (e) protect, investigate, and deter against fraudulent, harmful, unauthorized, unethical, or illegal activity.|
|Responses for Information||If you contact us with a problem or question, we will use your information to respond in a timely and effective manner.|
|Non-Personal Information||We may use Non-Personal Information for any purpose, except where we are required to do so otherwise under applicable law. For more information, see our Cookies and Similar Technologies Notice.|
Website, Demo Registration, & Events: We may use the information we collect from our Website, Demo Registration, and Events in the following ways:
|Use/Purpose of Collected Information Data||Description|
|Marketing Communications||We may send you BigID-related marketing communications that we believe may be of interest to you if you request information from us, use the Services, or participate in our surveys, promotions, and events.|
|Advertising||We and our partners may tailor ads based on your interests and website browsing history or conduct retargeted advertising. See our Use of Information Technologies section below for more details.|
|Testimonials & User Generated Content||In some cases, we may ask for your consent to collect, use, or share your personal information, such as when you let us post your testimonials or endorsements in the Services. Please be aware that whenever you voluntarily disclose personal information online, the information becomes public and can be collected and used by others. We have no control over, and take no responsibility for, the use, storage, or dissemination of such publicly disclosed personal information. By posting personal information online in public forums, you may receive unsolicited messages from other parties.|
BigID does not rent or sell Personal Information. We only share information as described in this Notice under the following limited circumstances.
Customer Data: BigID may share Customer Data in accordance with our agreement with the Customer and the Customer’s instructions, including:
|Service Providers & Vendors||We may share your Personal Information with our third party Service Providers and Vendors in order to administer and provide the Services on our behalf, or provide other services such as marketing, billing, data analysis, customer service, email delivery, auditing, and other services. To view our current list of Service Providers please visit: https://bigid.com/sub-processors/.|
|Affiliates||We may engage with affiliates or consultants to process Customer Data for uses consistent with this Notice. To view our current list of Affiliates please visit: https://bigid.com/sub-processors/.|
|Integrations||BigID may, acting on our Customer’s behalf, share Customer Data with the provider of an integration added by the Customer. BigID is not responsible for the provider of an integration that may collect, use, and share Customer Data.|
|Compliance with Laws & Law Enforcement; Protection & Safety||We may disclose information as we believe appropriate to government or law enforcement officials or private parties (a) for the security, compliance, fraud prevention, and safety purposes described above; (b) as required by law, lawful requests, or legal process, such as to respond to subpoenas or requests from government authorities; (c) where permitted by law in connection with any legal investigation; and (d) to take legal action or defend legal claims.|
|Business Transfers & Structure Changes||If we engage in a merger, acquisition, bankruptcy, dissolution, financing, reorganization or a similar transaction or proceeding, some or all of BigID’s financing and/or assets may be included as part of that transaction or proceeding.|
|Non-Personal Information||We may disclose Non-Personal Information for any purpose, except where we are required to do so otherwise under applicable law. For more information, see our Cookies and Similar Technologies Notice.|
Website, Demo Registration, & Events:
|Event Sponsors||When you register for, or attend an event or webinar organized by BigID, we may share your contact details (such as your name, email address, company name, and phone number) with the event sponsor. If you’d like to opt-out of sharing your information with sponsors, you can always do so by unsubscribing in one of our emails, visiting our Privacy Portal, or by emailing us at [email protected].|
|Third Party Sites & Services||This Notice does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any site or service to which the Website links. The inclusion of a link on the Website does not imply endorsement of the linked site or service by us or by our affiliates.|
We seek to use reasonable organizational, technical, and administrative measures to protect Personal Information within our organization. As a matter of policy, we do not disclose details regarding our security measures.
Be advised, no security safeguards or standards are guaranteed to provide 100% security. You should always use appropriate self-protection measures and practice safe browsing on all websites. For more information, the National Cybersecurity Alliance provides comprehensive information on how to Stay Safe Online.
OUR USE OF INFORMATION TECHNOLOGIES
The following section describes various types of technologies we use when you interact with us online and through our Services:
|Type of Information Technologies||Description of Use|
|Cookies||User Centrics Consent Tool. BigID uses “User Centrics” as our cookie consent tool, which you can utilize to customize your cookie preferences. When you visit our website for the first time, a cookie consent banner will pop up and ask you to customize your cookie preferences. Please note that Required Cookies cannot be disabled and if you opt-out of Functional Cookies, certain functionality of our websites may be impacted.
To learn more about the types of cookies we use please see our Cookies and Similar Technologies Notice.
|Global Privacy Control (GPC)||GPC is a technical specification that you can use to inform websites of your privacy preferences in regards to ad trackers. To set up GPC, you can visit the Global Privacy Control page. If you do choose to set up GPC, we will automatically turn off all non-required cookies on BigID’s websites for you. Please note that this may impact the functionality of our websites.|
|Website Optimization Services||BigID shares data with Google Analytics, and to understand and optimize website performance and enhance site usability. This runs in the background of our Website, analyzing site usage information and then returning reports to us through an encrypted connection. These services are required to maintain data securely and confidentially.
If you would like to opt-out of Google Analytics on a per browser basis, please Click Here to download the Google Analytics opt-out browser add-on. For more information on Google Analytics, Click Here.
|Social Media Widgets||Our Services may include social media features, such as the Facebook “like” button, and widgets, such as the “share this” button. These features may collect your information and track your use of the Services. These social media features are either hosted by a third party or hosted directly in the Services. Your interactions with these features are governed by the privacy notice of the company providing such functionality. You can manage your preferences for many of these advertising programs through the links provided below:|
|Social Network & New Tech Advertising Programs||BigID has relationships with several social networks and new tech companies. These companies have specific Interest-Based Ads programs that match people who have shown interest in BigID through our website or other services with their platforms (such as LinkedIn and Twitter features). This matching allows us to deliver relevant, interest-based ads on those companies’ networks. You can manage your preferences for many of these advertising programs through the links provided below:|
|Do Not Track||BigID does not currently recognize and process Do Not Track signals from different web browsers. You can manage your preferences for tracking across sites in the Interest-Based or Online Behavioral Advertising section above. For more information on Do Not Track please visit https://allaboutdnt.com/|
You may opt out of certain marketing communications, withdraw previously provided consent for posted testimonials, or choose not to share your information where required in the Services by using the following provided mechanisms:
|Type of Preference||Description of Use|
|Marketing Communications||You may opt out of marketing-related emails by following the opt-out prompt in the email. You may continue to receive Services-related and other non-marketing emails.|
|Testimonials||If you consented to post a testimonial to our Website, but wish to update or delete it, please contact us at [email protected].|
|Choosing Not to Share Your Information||If you do not provide information indicated as required or mandatory within the Services, or that is otherwise necessary to provide a requested service or feature within the Services, that portion or all of the Services may be unavailable to you.|
USE OF OUR SERVICES BY MINORS
|Category of Minor||Policy on Category of Minor|
|Information on Children Under 13||The Children’s Online Privacy Protection Act (“COPPA”) imposes requirements on sites that collect personal information about children under 13 years old (e.g., name, address, email address, Social Security number, etc.). Our current policy is not to collect any personal information on any person under 13 years old. If this policy changes, we will revise this portion of our Notice and will comply with the requirements of the COPPA, which includes providing notice and choice to each child’s parent or guardian before collecting any personal information.|
|Information on Users 13-17||Our Services are offered to Customers and Users who are of the age 18 years and above. No programs, events, services, or offerings are intended for children under the age of 18.|
The Services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country, or territory other than that of the United States. Your Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the Services, you consent to the transfer of information to countries outside of your country of residence, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Information.
RESIDENTS IN THE EEA, UK, & SWITZERLAND
Personal Information: References to “personal information” in this Privacy Notice are equivalent to “personal data” governed by European data protection legislation.
EU Representative: For purposes of European data protection legislation, and except when acting as a processor on behalf of our Customers, BigID is the controller of your personal information covered by this Notice. You can contact us and our Data Protection Officer using the contact details listed in the Contact Us section below. Our EU representative is:
101-109 Rue Jean Jaurès, Levallois-Perret, France, 92300
Email: [email protected]
UK Representative: For purposes of United Kingdom data protection legislation, and except when acting as a processor on behalf of our Customers, BigID is the controller of your personal information covered by this Notice. You can contact us and our Data Protection Officer using the contact details listed in the Contact Us section below. Our UK representative is:
1 Chapel Street, Warwick, CV34 4HL
Email: [email protected]
Swiss Representative: For purposes of Swiss data protection legislation, and except when acting as a processor on behalf of our Customers, BigID is the controller of your personal information covered by this Notice. You can contact us and our Data Protection Officer using the contact details listed in the Contact Us section below. Our Swiss representative is:
Lowenstrasse 22, 8001 Zürich, Switzerland
Email: [email protected]
Legal bases for processing: We only use your personal information as permitted by law. We are required to inform you of the legal bases of our processing of your personal information, which are described in the table below. If you have questions about the legal basis of how we process your personal information, contact us at [email protected].
|Purpose of Processing Data||Legal bases that supports the processing purpose|
|We may need to process your data to provide our Services. This often happens when you enter a contract with us and we need to use your personal information to provide the Services you requested, or to carry out tasks that you request prior to providing the Services.||Performance of a contract; Legitimate interests.|
|We may need to process your data to send you marketing communications or advertisements. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).||Legitimate interests.|
|We may need to process your data for security, compliance, fraud prevention and safety reasons.||Legitimate interests.|
|We may need to process your data to establish a claim, exercise legal action, or defend against legal claims.||Legitimate interests.|
|We may need to process your data to comply with the law.||Legal Obligations.|
|We may process your data when you provide consent. Where we rely on your consent, you have the right to withdraw it anytime in the manner indicated in the Services or by contacting us at [email protected].||Consent.|
Use for New Purposes: We may use your Personal Information for reasons not described in this Notice where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your Personal Information for an unrelated purpose, we will notify you and explain the applicable legal basis.
Retention: We will only retain your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the volume, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information, and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your Rights: European data protection laws give you certain rights regarding your Personal Information. You may ask us to take the following actions in relation to your Personal Information that we hold:
|Data Subject Rights||Description|
|Withdraw||Stop sending you direct marketing communications. You may continue to receive Services-related and other non-marketing communications.|
|Access||Provide you with information about our processing of your Personal Information and give you access to your Personal Information.|
|Rectify||Update or correct inaccuracies in your Personal Information.|
|Erasure||Delete your Personal Information.|
|Data Portability||Transfer a machine-readable copy of your Personal Information to you or a third party of your choice.|
|Restrict||Restrict the processing of your Personal Information.|
|Object||Object to our reliance on legitimate interests as the basis of our processing of your Personal Information that impacts your rights.|
You can submit these requests through our Privacy Portal, or to our postal address below:
641 Avenue of the Americas, Front 2
New York, NY 10011
Attention: Privacy Officer
We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction.
US DATA PRIVACY LAWS
Consumers who are also residents of either California, Colorado, Virginia, or Utah may exercise certain rights over their personal data by visiting the BigID Privacy Center and submitting a request that corresponds to the appropriate prompt displayed on the webpage.
The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the newly enacted California Privacy Rights Act of 2020 (“CPRA”) and any implementing regulations, requires us to provide California residents additional information, which we address in this section.
For information on the categories of personal information we have collected from California residents in the last 12 months, please refer to our above sections on Collection, Use, and Disclosure.
For information on the types of information we collect, the sources of that collected information, the purposes for collecting information, and the categories of third parties with whom we share that information, please refer to our above sections on Collection, Use, and Disclosure.
California residents are granted additional rights under the CCPA, as amended by CPRA, and its implementing regulations, which include the right to opt out of any sales or sharing of your personal information, to request access to and information on our data practices, and to request deletion or correction of your personal information, as well as the right not to be discriminated against for exercising your privacy rights. Please note that BigID does not use or disclose sensitive personal information except to provide you the Services or as otherwise permitted by the CCPA/CPRA.
You or your authorized agent can submit a request by visiting our Privacy Center and following the prompts on the screen. Should you submit a request, BigID will verify your identity/authorized agent identity by internally reviewing the requested identity if you are the consumer or the signed paperwork if you are an authorized agent. If you have questions or concerns about this Notice, please contact us at: [email protected].
California Employee Applicant and Employee Data. Whether you are applying for a position at BigID or are a current or former employee, you are entitled to request access to and information on our data practices, and to request deletion or correction of your personal information by following the steps listed in the paragraph above. For up to date information on the types of data we process about you and how we protect it, please see our California Employee Privacy Notice.
CONNECTICUT, COLORADO, & VIRGINIA RESIDENTS
Pursuant to the Virginia Consumer Data Protection Act (“VCDPA”) on January 1, 2023, the Connecticut Data Privacy and Online Monitoring Act (“CTDPA”) and the Colorado Consumer Privacy Act (“ColCPA”) and its implementing rules on July 1, 2023, BigID is required to provide residents of Connecticut, Colorado, or Virginia further information, which we address in this section. For details about the categories of information we collect and process, and the purposes for processing those categories of information, please refer to our above sections on Collection, Use, and Disclosure.
Residents of Connecticut, Colorado, and Virginia are granted additional rights under their respective state privacy laws, which include the right to request confirmation of and provide access to processed personal data, to request deletion or correction of personal data obtained about or provided by you, to request and obtain a portable copy of your personal data, and to opt out of the processing of your personal data for the purposes of targeted advertising, sales, or profiling in furtherance of decisions that may produce legal or similarly significant effects. Residents from those states also have a right not to be discriminated against for exercising any of these privacy rights. You can submit a request by visiting our Privacy Center and following the prompts on the screen.
Please note that BigID does not “sell” personal information as the term is defined under the CTDPA, ColCPA, and VCDPA. BigID also does not use or disclose sensitive personal information except to provide you the Services or as otherwise permitted by those laws.
You may appeal an unprocessed or denied request by emailing us at [email protected]. We will have 60 days (or 45 days, with an option to extend for an additional 60 days under the ColCPA) after receiving your request to explain why we have or have not processed your request. If you are not satisfied with our decision, then you may consult the following information, based on your state of residence, to contact the appropriate state Attorney General’s Office:
For Connecticut residents:
Connecticut residents may contact the Connecticut Attorney General’s Office by calling the Consumer Assistance Unit at (860) 808-5440, or by filing a complaint on their website.
For Colorado residents:
Colorado residents may contact the Colorado Attorney General’s Office by calling (720) 508-6000, or by filing a complaint on their website.
For Virginia residents:
Virginia residents may contact the Virginia Attorney General’s Office by calling the Consumer Protection Hotline at 1-800-552-9963 if calling from Virginia, or (804) 786-2042 if calling from the Richmond area or from outside Virginia, or by filing a complaint on their website.
Beginning December 31, 2023, the Utah Consumer Privacy Act (“UCPA”) requires us to provide Utah residents additional information, which we address in this section. For information on the categories of information we collect and process, and the purposes for processing those categories of information, please refer to our above sections on Collection, Use, and Disclosure.
Utah residents are granted additional rights under the UCPA, which include the right to request confirmation of and provide access to processed personal data, to request deletion of personal data provided by you, to request and obtain a portable copy of your personal data, and to opt out of the processing of your personal data for the purposes of selling or targeted advertising. BigID may also not discriminate against Utah residents for exercising any of these privacy rights by denying a good or service, charging a different price or rate for a good or service, or providing the consumer a different quality level of a good or service. You can submit a request by visiting our Privacy Center and following the prompts on the screen.
Please note that BigID does not “sell” personal information as the term is defined under the UCPA. BigID also does not use or disclose sensitive personal information except to provide you the Services or as otherwise permitted by the UCPA.
UPDATES TO THIS NOTICE
We may periodically review and update this Notice to ensure it complies with applicable laws and covers any changes to our policies or business. Any changes or updates we make will become effective once we post the revised Notice on the Website. The date at the top of the page indicates when this Notice was last revised.
We encourage you to please review this page regularly for the latest information on our privacy practices. Your use of the Services following these changes means that you accept the revised Notice.
If you have any questions or concerns about this Notice, please contact us at:
641 Avenue of the Americas, Front 2
New York, NY 10011
Attention: Privacy Officer
Email: [email protected]