Effective as of July 1, 2023
Asia-Pacific Economic Cooperation (“APEC”)
APEC Cross Border Privacy Rules (“CBPR”) System: Box, Inc.’s privacy practices, described in the Privacy Notice, comply with the APEC CBPR System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Data transferred among participating APEC eco nomies. More information about the APEC framework can be found at: https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System.
APEC Privacy Recognition for Processors (“PRP”) System: Box, Inc.’s privacy practices, described in this Privacy Notice, comply with the APEC PRP System . The APEC PRP System provides a framework for data processors to demonstrate their ability to effectively implement a data controller’s privacy requirements . More information about the APEC PRP framework can be found at: http://mddb.apec.org/Documents/2015/ECSG/DPS2/15_ecsg_dps2_007.pdf.
Protecting the privacy rights of Customers is fundamental to the services Box provides. Box has historically offered Customers an overlapping set of legal mechanisms and frameworks for data transfers out of the European Economic Area (EEA).
EU Binding Corporate Rules: Box, Inc., and the Box group of companies seek to maintain its EU BCRs by transferring to a lead supervisory data protection authority located in the EEA. While Box awaits approval of its EU BCRs, Box remains committed to adhering to the principles set-forth in the current BCRs authorized and approved by the European data protection authorities, as will be listed at the European Commission website. We have made Standard Contractual Clauses (SCCs) available to all customers, ensuring a lawful data transfer mechanism when transferring data from the European Economic Area (EEA) to outside of the region. Box EU BCRs are made available below:
EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield: On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that the EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield Framework is no longer a valid data transfer mechanism for transferring personal data from the European Economic Area (EEA) to the United States. Per guidance from the United States Department of Commerce, Box, Inc. will continue to participate and certify its compliance with the EU - U.S. Privacy Shield Framework and the Swiss - U.S. Privacy Shield Framework. For more information about our Privacy Shield certifications, please view the Box EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Notice.
UK Binding Corporate Rules: The EU-UK Trade and Cooperation Agreement marked the end of the United Kingdom’s (UK) transition period to leave the European Union (Brexit) on December 31, 2020. Box, Inc. and its subsidiaries (collectively, "Box") remain committed to maintaining and adhering to a valid data protection framework and transfer mechanism. The UK’s Information Commissioner’s Office (ICO) has listed Box as a certified Processor and Controller of UK Binding Corporate Rules (BCRs) on the ICO website. Box’s UK BCRs are made available below:
As required by the California Consumer Privacy Act of 2018 (“CCPA”), as amended, this California Notice at Collection (the “CA Notice”) supplements the information contained in the Box Privacy Notice. This CA Notice describes how Box, Inc. and its affiliates collects, uses and shares the personal information of California residents (“consumers” or “you”) and how to exercise your rights under the CCPA.
Scope. When we say personal information in this CA Notice, we mean information that identifies, relates to, or could reasonably be linked to you or your household.
The CCPA provides certain exemptions that may apply to Box’s collection of your personal information. These exemptions include personal information that we’ve collected from or about you that is publicly available (as described in Cal. Civ. Code Section 1798.140). As such, this CA Notice and the privacy rights described herein may not apply to you or to all your personal information.
For information relating to Box job applicants, current and former employees, contractors or other Box personnel, please review the Box Personnel Privacy Notice or the Box Candidate Privacy Notice.
Notice at Collection. We may collect personal information about you for a variety of purposes. For example, we may collect the below categories of personal information.
Contact Information that we collect directly from you, which may include your name, email address and phone number.
Commercial Information such as the Box products or services you’ve purchased, obtained or considered.
Internet and other related network activity such as your IP address, session logs and how you interact with our website and applications in accordance with the Box Cookie Notice.
Geolocation Data which may include a subset of your internet and network activity such as your IP address.
Sensitive Personal Information that you provide to us when you register an account, specifically your account log-in information and payment card details.
Other Personal Information such as (1) information you provide to us when you register for Webinars, Demos, Virtual Conferences (2) information you provide when you download our white papers and reports (3) information you provide when you engage with Box’s Community Forums (4) information you provide when you contact us directly through our Box Support portal.
Sources of Personal Information. The sources from which we collect Personal Information are described in the "Collection of Information" section of the Privacy Notice.
Use of Personal Information. We may use your personal information for the following business purposes:
provide, operate, maintain, and improve the Box Services;
communicate with you about services, features, surveys, newsletters, offers, promotions, contests and events, and provide other news or information about Box and our select partners;
personalize and improve the Box Services, and provide Content, features, and/or advertisements that match your interests and preferences or otherwise customize your experiences on the Box Services; or
as otherwise described in the “Use of Information” section of the Box Privacy Notice.
Box does not use or disclose sensitive personal information for purposes other than those permitted purposes under the CCPA.
The Box Services are not directed to individuals under the age of 18 and we do not knowingly collect, “sell”, or “share” personal information from anyone under 18.
Your California Privacy Rights. Subject to verification of your request, you may exercise your privacy rights listed below in relation to the personal information Box has collected about you.
The right to know what personal information Box has collected about you;
The right to delete your personal information;
The right to correct your personal information;
The right to limit the use and disclosure of sensitive personal information;
The right to opt-out of the "sale" or "sharing" of your personal information; and
The right to non-discrimination for exercising your rights.
How To Exercise Your Rights. To exercise your California privacy rights, please contact us at email@example.com. We will promptly verify your request and respond within the applicable time frame of forty-five (45) days. Should we reasonably require additional time beyond the applicable time frame, we will notify you directly. You may also opt-out from the "sale" or "sharing" of your personal information by submitting this email template. To adjust your cookie settings, please click here.
If we are unable to verify your identity as required by CCPA, we reserve the right to not process your request. Upon this determination, we will notify you of our decision along with any rights you may have to appeal the decision. As set forth in CCPA, we are only required to respond to certain rights requests twice in any twelve (12) month period. You may use an authorized agent to submit a request on your behalf, but we may ask your agent to provide information to verify that they have the proper authority to act on your behalf or ask you to verify your identity with us directly.
If you elect to exercise any of your rights, Box will not deny services, provide a different price or rate for our services, or provide a different level of service to you because you exercised such rights.
Prior Collection, Use and Sharing of Information. In connection with providing you the Box Services (the “business purpose”), we may share your personal information to third parties and other entities as described in the Privacy Notice and Subprocessor Notice.
As required by the CCPA, we are obligated to disclose the categories of personal information we’ve collected, the business purpose for the collection and the categories of third parties to whom we’ve disclosed your personal information. The table below sets out our practices over the last twelve (12) months.
Categories of Personal Information
Business Purpose for Collecting Personal Information
Categories of Third Parties to whom Personal Information is Disclosed
Retention of Personal Information. We retain your personal information as described in the "Sharing and Disclosure of Information" section of the Privacy Notice.
Updates to this CA Notice. We may update this CA Notice from time to time. When we make changes to this CA Notice, we will update the “Last Updated” date at the top of the page.
Contact Us. Should you have additional questions about this CA Notice, please contact us at firstname.lastname@example.org.
Other U.S. states
Some U.S. state privacy laws require specific disclosures for state residents and provide certain rights for state residents. Specifically, these state laws include the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), and the Utah Consumer Privacy Act ("UCPA"). This section describes how Box, Inc. and its affiliates collects, uses, and shares the personal data of U.S. state residents and how to exercise your rights under these state privacy laws.
Please note that the rights described in this section will depend on the applicable laws in your state of residence. If applicable, the privacy laws in your state of residence may also provide certain exemptions that apply to Box’s collection of your personal data, including personal data that we’ve collected from or about you that is publicly available. As such, the privacy rights described herein may not apply to you or to all your personal data.
Personal Data We Collect and How We Use It. Box collects certain categories of personal data when you use the Services, including identifiers, commercial information, internet or other related network activity, geolocation data tied to your IP address, and other personal data. A more detailed description of the personal data Box collects and how we use it is provided in the "Collection of Information," and "Use of Information" sections of the Privacy Notice.
For purposes of U.S. state privacy laws, Box does not engage in profiling/automated decision making that produces legal or similarly significant effects.
Sharing of Personal Data. In connection with providing you the Box Services, we may share your personal data to third parties and other entities as described in the Box Privacy Notice and Subprocessor Notice.
Targeted Advertising. Box may collect personal identifiers from you automatically. These identifiers include IP address, device identifiers, advertising ID and other information about your browser or device. We may collect this information via cookies and other tracking technologies and use it to enhance, customize, improve and notify you about our Services. We may also share it with third parties that operate in the advertising ecosystem for "targeted advertising". This is further described in our Privacy Notice and Cookie Notice. Depending on your state of residence and applicable law, sharing digital activity in this manner may also be considered a "sale" of personal data.
Privacy Rights. Depending on the applicable laws in your state of residence, for example if you are a Colorado resident, you may have the right to the following:
request to confirm whether we process your personal data and to access such personal data;
request to correct inaccuracies in your personal data;
request deletion of your personal data, subject to certain exceptions;
request to obtain a copy of your personal data;
request to opt-out of processing of personal data for purposes of targeted-advertising;
request to opt-out of the "sale" of personal data; and
opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.
You may exercise your right to opt-out of the "sale" of personal data and targeted advertising by submitting this email template or by clicking here. To exercise the other rights listed above, submit a request or appeal denial of a request, please contact email@example.com.
We may need to verify your identity to process your request. If we are unable to verify your identity, we reserve the right to not process your request. If we refuse to take action on a request, we will provide instructions on how you may appeal the decision. We will respond to requests consistent with applicable law.
You may use an authorized agent to submit a request on your behalf, but we may ask your agent to provide information to verify that they have the proper authority to act on your behalf or ask you to verify your identity with us directly. If you elect to exercise any of your rights, Box will not deny services, provide a different price or rate for our services, or provide a different level of service to you because you exercised such rights.