Box Privacy and Cookie Policy

(Last Updated: September 20, 2016)

Box.com (UK) Ltd ("Box", "we", "us" or "our") respects the privacy rights of users and recognise the importance of protecting and handling information collected about you in accordance with both the law and best practice.

This Privacy and Cookie Policy, together with our Terms of Service https://www.box.com/legal/termsofservice/ and any other documents referred to below (“ Privacy Policy”) tells you ("you" or "your") how your personal information is collected, used, stored and disclosed by Box as well as specific choices you can make about your information.

This Privacy Policy applies to information we collect when you use or access our online or mobile services available at www.Box.com ("Site"), products, services or applications (collectively, the “Box Services”), or when you otherwise interact with us.

Please read the following carefully to understand how we will collect, use and protect your personal information.

Changes to This Policy

We may change this Privacy Policy from time to time. If we make any changes, we will notify you by revising the “Last Updated” date at the top of this Privacy Policy. If there are material changes to this Privacy Policy, we will notify you more directly, for example by posting a prominent notice on our homepage or by sending you an email prior to the change becoming effective. We therefore encourage you to review our Privacy Policy whenever you access the Box Services to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this Privacy Policy and do not wish your information to be subject to the revised Privacy Policy, you will need to deactivate with us and stop using the Box Services.

If you have any questions about this Privacy Policy or the information that we hold about you, please contact us as provided in the Contacting Us section below.

Information Collected.

We collect a variety of information to enable us to provide the Box Service, improve our Site and enhance our users' experience of our services, for example, by determining the location of your Internet Service Provider ("ISP") we are able to serve a localised version of our Site (for example enabling contact, language and currency modifications). For more information about the purposes for which we use your information please see the Use of Information section below.

We collect the following information (which may include personal information and/or sensitive personal information):

Information You Provide To Us. We collect information you provide directly to us when you use the Site and when you register for and use the Box Services. Examples include:

• We collect information when you register with Box for an account, create or modify your profile and online account, access and use the Box Services (including but not limited to when you upload, download, collaborate on or share files or other information), participate in any interactive features of the Box Services, participate in a survey, contest, promotion, sweepstakes, activity or event, make a purchase, apply for a job, request customer support, communicate with us via third-party social media sites or otherwise communicate with us.
• The types of information we may collect directly from you include your name, username, email address, postal address, phone number, information about your data storage preferences, employer's name, job title, transactional information (including services purchased or subscribed to and billing address) as well as any contact or other information you choose to provide. We also store the files or other information that you upload or provide to the Box Services ("Content").
• If you are providing information (including personal information) about someone else you confirm that they have appointed you to act for them and consent to the processing of their personal information and that you have informed them of our identity and the purposes (as set out in this Privacy Policy) for which their personal information will be processed.
• The information of third parties such as name, email address, etc. as may be provided in order to enable the functionality and features of the Box Service. For example, if you invite a user to Box, we will collect their email address in order to provide them with an invite to the Box Service in order to collaborate on the Content you designated.

Information We Collect Automatically When you access or use the Box Services, we may automatically collect information about you, including:

• Usage Information: We monitor user activity in connection with the Box Services and may collect information about the applications and features you use, the websites you visit, the sizes and names of the files or folders you upload, download, share or access while using the Box Services, the Content you access and any actions taken in connection with the access and use of your Content in the Box Services.
• Log Information: We log information about you when you access and use the Box Services including your Internet Protocol ("IP") address, access times, browser type and language, ISP, the Web pages that you visit, the Content you use and the URL of the Web page you visited before navigating to the Box Services.
• Device Information: If you access the Box Services from a mobile device, we collect information about the device, including the hardware model, operating system and version, unique device identifiers, mobile network information (as allowed by the mobile network) or platform information (as allowed by the specific platform type). We do not ask for, access, or track any location-based information from your mobile device at any time while downloading or using our mobile application.
• Information Collected by Cookies and Other Tracking Technologies: We use various tracking technologies such as cookies and web beacons to collect information and distinguish you from other users of our Site, which may include saving cookies to your computer or mobile device. This helps us to provide you with a good experience when you browse and use our Box Services and also allows us to improve our Box Services. For more information about how we use cookies and other tracking technologies please see the Cookies section below.
• Local Shared Objects (“LSO”): We use LSOs such as HTML 5 to collect and store information in order to provide certain features on our site. Third parties with whom we partner may also use LSOs in order to provide certain features on our site or to display advertising based upon your Web browsing activity. Various browsers may offer their own management tools for removing HTML5 LSOs.

Information We Collect From Other Sources. We may also obtain information from third parties and combine that with information we collect through the Box Services. For example, we may have access to certain information from a third-party social media service if you create or log into your online account through the service or otherwise provide us with access to information from the service. Any access that we may have to such information from a third-party social media service is in accordance with the authorisation procedures determined by the social media service.

Use of Information.

We may use the information collected through the Box Service for the limited purpose of providing the Box Service and related functionality and services for which Box has been engaged. The information may be used to perform a variety of purposes, including to:

• Provide, operate, maintain and improve the Box Services;
• Enable you to access and use the Box Services, including uploading, downloading, collaborating on and sharing Content and sending emails on your behalf;
• Send you technical notices, updates, security alerts and support and administrative messages;
• Provide and deliver the services and features you request, process and complete transactions, and send you related information, including purchase confirmations and invoices;
• Respond to your comments, questions, and requests and provide customer service and support;
• Communicate with you, where you have agreed or where the law permits, for marketing purposes, including to periodically inform you about services, features, surveys, newsletters, offers, promotions, contests and events, and provide other news or information about Box and our select partners; We will only share your personal information with anyone else for marketing purposes and/or send you promotional materials where this is in accordance with your marketing preferences. For more information about how to change your preferences, and to unsubscribe from promotional materials (including newsletters, marketing messages and email notifications) please see the Your Choices section below.
• Process and deliver contest or sweepstakes entries and rewards;
• Monitor and analyze trends, usage, and activities in connection with the Box Services and for marketing or advertising purposes;
• Investigate and prevent fraudulent transactions, unauthorised access to the Box Services, and other illegal activities;
• Personalise and improve the Box Services, and provide content, features, and/or advertisements that match your interests and preferences or otherwise customise your experience on the Box Services;
• We send you push notifications from time-to-time in order to update you about events or activities related to the Box Services. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we collect certain information about your device such as operating system and user identification information;
• Link or combine with other information we receive from third parties to help understand your needs and provide you with better service;
• Enable you to communicate, collaborate, and share files with users you designate; and
• For other purposes about which we notify you.

Where We Store Your Information

Box is based in the United Kingdom, but we may store and process personal information and content in the United States and other countries through our affiliated US group company Box, Inc. By accessing or using the Box Services or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. (where it is stored on our behalf by Box Inc. and its agents) and other countries and territories, which may have different privacy laws from your country of residence.

Box, Inc., and the Box group of companies use Box’s Processor and Controller Global Binding Corporate Rules ("BCRs") as the basis for Box’s approach to global data privacy protection. Box’s Processor BCRs and Controller BCRs were authorized by the European data protection authorities, as will be listed at the European Commission website: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm. 

Box’s Processor BCRs enable Box to transfer personal data that Box processes on behalf of Customers from European Economic Area ("EEA") countries to non-EEA countries. Box’s Controller BCRs enable Box to transfer personal data within the Box group of companies globally, where Box acts as a data controller. Box’s BCRs will be available at: 

• Box Controller Global Binding Corporate Rules
• Box Processor Global Binding Corporate Rules

If you have any questions about this Privacy Policy, you should first contact us at support@box.com.

APEC Participation

Box, Inc.’s privacy practices, described in this Privacy Policy, comply with the APEC Cross Border Privacy Rules System.  The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.  More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx.

U.S. - Swiss Safe Harbor Framework

Box, Inc. complies with the U.S. – Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from Switzerland. Box, Inc. has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Box, Inc.’s certification, please visit http://www.export.gov/safeharbor

EU-U.S. Privacy Shield

Box, Inc. participates in the EU-U.S. Privacy Shield Framework and has certified its compliance with the EU-U.S. Privacy Shield Framework and the EU-U.S. Privacy Shield Principles. For more information about our Privacy Shield certification, please see this Box EU-U.S. Privacy Shield Notice.

Sharing and Disclosure of Information.

We will not share personal information about you or any Content with any third parties except as described in this Privacy Policy or in connection with the Box Services. For example, we may share personal information about you including as follows:

• Vendors, Consultants and Other Service Providers: We may share your information with third-party vendors, consultants and other service providers who are working on our behalf and require access to your information to carry out that work. These service providers are authorized to use your personal information only as necessary to provide services to Box and/or Box Services.
• Corporate Account: If you are an individual Box registered user and the domain of the primary email address associated with your Box account is owned by your employer and was assigned to you as an employee of that organization, and such organization wishes to establish a Box corporate account, then certain information concerning use of your individual account may become accessible to that organization’s administrator including your email address.
• With Your Consent: We may share your information with your consent, including when you choose to use collaboration features in the Box Services that by their nature support sharing with third parties who you choose. Your name, email address, information from your profile and online account (including your photo), and any Content you choose to share will be shared with such third parties, and such third parties may communicate with you (such as by posting comments or emailing you) in connection with your use of the collaboration features of the Box Services. For example, third parties who you invite to collaborate with you as "Editors" using the collaboration features of the Box Services may also modify Content that you have shared, upload documents and photos to Content you have shared, share such Content outside of the Box Services, and provide other third parties with rights to view the Content you have shared.
• Third Party Applications: Box provides you with opportunities to connect with third-party applications or services, such as through our Box One Cloud or Box application partner ecosystem. If you choose to use any such third-party applications or services, we may share information about you including your username and any Content you choose to use in connection with those applications and services, and such third parties may contact you directly as necessary. This Privacy Policy does not apply to your use of such third-party applications and services, and we are not responsible for how those third parties collect, use and disclose your information and Content. We encourage you to review the privacy policies of those third parties before connecting to or using their applications or services to learn more about their information and privacy practices.
• Compliance with Laws: We may disclose your information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and Terms of Service, (c) to protect the security or integrity of the Box Services, (d) to protect Box, our customers or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person or (f) to any other third party with your prior consent.
• Business Transfers: We may disclose your personal information to third parties:
  • In the event that we sell, merge with or buy all or a substantial portion of any business or assets, in which case we may disclose your personal information to the prospective seller, merger partner or buyer of such business or assets; or
  • If Box.com (UK) Limited and/or our other group companies (including our ultimate parent Box Inc.) or substantially all of their assets are acquired by a third party, in which case personal information held by it about its customers will be one of the transferred assets.
• Aggregated or Anonymised Data: We may also share aggregated or anonymised information with third parties that does not directly identify you.
• Our Group: We may disclose your personal information to any member of our group, which means any company which controls, is controlled by or is under common control with Box.

Collaboration and Sharing Features.

The Box Services offers collaboration features or other integrated tools, which allow you to share your Content through the Box Services. As a function of the collaborative nature of the Box Services and based on the permissions and settings you choose, the use of such features enables the sharing of Content with people you want to collaborate with or with the public. You can choose to change your settings at any time for a file or folder through your account. For more information about such collaboration and sharing features, we encourage you to review the information provided on support.box.com

Security.

While no service is completely secure, Box takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorised access, disclosure, alteration and destruction. For example, we encrypt your Content when it is stored in our data centers. In addition, sensitive information such as credit card number and password that we request from you on the Box Services is protected with encryption, such as Secured Socket Layer (SSL) protocol, during transmission over the Internet.

The servers on which personal information is stored are kept in a controlled environment with limited access. While we take reasonable efforts to guard personal information we knowingly collect directly from you, no security system is impenetrable and due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers. In addition, we cannot guarantee that any passively-collected personal information you choose to include in documents you store on our systems are maintained at levels of protection to meet specific needs or obligations you may have relating to that information.

You may access your account information and our service only through the use of an individual user ID and password. To protect the confidentiality of personal information, you must keep your password confidential and not disclose it to any other person. Please advise us immediately if you believe your password has been misused. In addition, always logout and close your browser when you finish your session. Please note that we will never ask you to disclose your password in an unsolicited phone call or email.

If you have any questions about the security of your personal information, you can contact us at support@box.com.

Cookie Policy.

We use various tracking technologies such as cookies and web beacons to collect information and distinguish you from other users of the Box Services, which may include saving cookies to your computer or mobile device. This helps us to provide you with a good experience when you browse and use our Box Services and also allows us to improve our Box Services. By using the Site and the Box Services you accept the use of cookies, in particular Analytics Cookies, in accordance with this Cookie Policy.

If you do not accept the use of cookies, please follow the below instructions to disable them.

What is a cookie?

Cookies are small data files sent by a website containing information that is stored on your browser or hard drive of your computer.

What is a web beacon?

A web beacon (also known as "tracking pixels") is an electronic image, also called a "gif," that may be used in the Box Services or in emails that help us to deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon.

How do we use these technologies?

We use cookies and web beacons to help us to improve the Box Services and your experience, customise your experience and preferences, allow you to access and use the Box Services without re-entering your member ID and/or password, understand which areas and features of the Box Services are most popular and count visits.

What cookies do we use?

Below we have provided an overview of the categories of cookies found on our Site, and a description of what those cookies do. Please check back here periodically as we may update this information from time to time:

• Strictly Necessary Cookies
  
  These cookies are strictly necessary to enable the Site and the Box Services available through it to function (for example, to provide secure log-in and payment functionality). Without these cookies, the Site would not operate. These include:
  • Box cookies
 
• Functionality Cookies
  
  These cookies help the Site work the way you expect. Some cookies are necessary to enable you to move around our Site and to use the Services. Without these cookies, we can't provide the Box Services you have asked for, like processing your orders.
  
  We use other cookies to help recognise and remember you when you are logged into the Site so we can remember your settings and preferences, such as your language and region or logged in state. These cookies also may help us provide services you have asked for, such as live chat support and online communities. If these cookies are set by third parties (i.e. a party other than Box) then please note that they may track your browsing activity on non-Box websites.
  
  We also use third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use LSOs such as HTML 5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.
  
  As described below, you may disable any of these functional cookies by changing your browser settings; but if you do so, then please note that various functions of the Site may be unavailable to you or may not work the way you want them to.
  • Box cookies
  • Snap Engage
  • Disqus. https://help.disqus.com/customer/portal/articles/466259-privacy-policy
 
• Analytics Cookies
  
  We use analytics tools to help us understand how you use our Site. Such analytics tools do not provide Box with any personal information that reveals your actual identity. They tell us things like how you arrived at the Box Site, if you have visited before, how long you stay on the Site, and which pages on the Site you visited. They can also provide us with general information about where in the world a user may be located. This information helps us understand how people use the Box Services and gives us information about the kind of experience people have on our Site and through the Box Services, all of which helps us to make the Box experience even better.
  
  You may opt out of third party tracking by these cookies by visiting the following pages:
  • Google Analytics - https://tools.google.com/dlpage/gaoptout?hl=en-GB
  • Quantcast - https://www.quantcast.com/opt-out
  • Eloqua - http://www.oracle.com/us/legal/privacy/privacy-policy/index.html#opt-out
 
• Advertising Cookies
  
  We partner with third parties to manage our advertising on other sites. Our third parties may use technologies such as cookies to gather information about your activities on this site and other sites you visit in order to provide you advertising based upon your browsing activities and interests.
  
  You may opt out of third party tracking by these cookies by visiting:
  
  http://www.youronlinechoices.eu/
  
  or each of the the following pages:
  • MediaMath - http://www.mediamath.com/privacy/
  • Taboola - http://www.taboola.com/privacy-policy
  • 33 Across - http://optout.33across.com/
  • App Nexus – http://appnexus.com/platform-policy
  • Google AdSense - http://www.google.com/policies/technologies/ads/
  • Bizo - http://www.bizo.com/opt-out/
  • Adobe - http://www.adobe.com/uk/privacy/opt-out.html

  Your Choices.

  Account Information & Retention. You may update, correct or delete information that we control about you at any time by logging into your online account and modifying your information or by emailing us at support@box.com. We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Policy. If you wish to deactivate your account, please email us at support@box.com, but note that we may retain certain information as required by law or for legitimate business purposes. We may also retain cached or archived copies of information about you for a certain period of time. We will respond to your access request within 30 days. To request removal of your personal information from our blog or testimonials, contact us at the email address listed above. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

  We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information to comply with our legal obligations, resolve disputes and enforce our agreements.

  We will retain personal data we process on behalf of our customers as directed by paying customers. Box will retain this personal information as necessary to comply with legal obligations, resolve disputes, and enforce agreements.

  Upon request, Box will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information that we are aware of. To request this information, contact us at support@box.com.

  Promotional Communications. You can "opt out" of receiving marketing communications from Box. To stop receiving promotional emails (including newsletters) form us follow the opt-out instructions provided in those emails. You may also opt-out of receiving promotional emails and other promotional communications from us at any time by emailing support@box.com with your specific request. If you opt out, we may still send you non-promotional communications, such as security alerts and notices related to your access to or use of the Box Services or those about your online account or our ongoing business relations.

  Cookies/tracking technologies. Most web browsers (such as Internet Explorer, FireFox and Safari) are set to automatically accept cookies as the default setting. If you don’t want to receive cookies or other tracking technologies, you can follow the instructions provided in the section "Cookie Policy" above. Alternatively, you can usually choose to set your browser to remove or reject browser cookies or to prompt you before accepting such a cookie. You can also delete cookies that have already been set. The "Help" function within your browser should tell you how. Alternatively you may wish to visit www.allaboutcookies.org, which contains comprehensive information on how to do this on a wide variety of desktop browsers. Please note that, if you choose to remove or reject browser cookies, this could affect the availability or functionality of the Box Services.

  Single Sign-On

  You can log in to our site using sign-in services such as Facebook Connect or an Open ID provider. These services will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign up form. Services like Facebook Connect give you the option to post information about your activities on this Web site to your profile page to share with others within your network.

  Social Media Features and Widgets.

  Our website includes third party social media features, such as the Facebook Like button and third party widgets, such as the Share This button or interactive mini-programs that run on our site. These features may collect your IP address, which page you are visiting on our site, and set a cookie to enable the feature to function properly. Your interaction with these features are governed by the privacy policy of the third party company providing it.

  Blogs

  Our website offers publicly accessible blogs or community pages. You should be aware that any information you provide in these areas may be read, collected and used by others who access them.

  Testimonials

  We display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent we may post your testimonial along with your name.

  Links to Third Party Websites.

  We may place links on the Box Services. When you click on a link to a third party website from our website, your activity and use on the linked website is governed by that website's policies, not by those of Box. We encourage you to visit their websites and review their privacy and user policies.

  Our Policy Toward Children.

  The Box Services is not directed to individuals under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at support@box.com. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.

  Contacting Us.

  Any questions, comments and requests regarding this Privacy Policy should be addressed to support@box.com.

  If you are a visitor from the European Economic Area and have an individual account with us, then the "data controller" of your personal information is Box.com (UK) Limited, whose address is at 64 North Row, 2nd Floor, London W1K 7LL, United Kingdom.

  Please be aware that where Box provides enterprise services (for example, to a business, university or government department), then the relevant enterprise customer will be the "data controller" and Box will be its "data processor". This means that the relevant enterprise customer is responsible in those cases for ensuring compliance with data protection law, including where we process personal information on its behalf (such as when it or its employees, agents or other data subjects upload documents, images and files to our service). We have in place an enterprise agreement with each enterprise customer that requires us to act only on the relevant customer's instructions and to use appropriate organizational and technical security measures when processing personal information for it.

  Therefore, if you are an employee, agent or data subject of an enterprise customer, the terms of that enterprise’s contract for the Box Services may restrict our collection or use of your personal information further than described in this Privacy Policy alone. Please contact the relevant enterprise for further information and to exercise your data protection rights.