Box Privacy Notice
Effective as of July 1, 2023, Box, Inc., and its subsidiaries, (collectively, “Box” or “we” or “us” or “our”) have updated our Box Privacy Notice (“Privacy Notice”).
At Box, we respect the privacy rights of users and recognize the importance of protecting your information. We provide a cloud-based content management platform and our products make it easier for people to share ideas, collaborate and help get work done. This Privacy Notice explains how information (including personal data as defined under GDPR) is collected, retained, used, disclosed, and transferred by Box and the available choices you have with regard to your personal information. This Privacy Notice applies to information collected, used or shared by Box when you use or access our websites, products, mobile applications or services (collectively, the "Box Services"), including when you attend a Box event or otherwise interact with us.
If you use the Box Services as part of a business, an entity, or a non-profit (collectively, “Organization”) that has an agreement with Box, then the terms of that agreement between the Organization and Box will supersede the Privacy Notice where the terms overlap.
Changes to This Notice
We may change this Privacy Notice from time to time. If we make any changes, we will revise the date at the top of this Privacy Notice. If there are material changes to this Privacy Notice, we may notify you or your Organization more directly by email or post a notice on Box’s website prior to the changes becoming effective. We encourage you to periodically review our Privacy Notice to stay informed about our data protection practices and the ways you can help protect your privacy.
Box complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) for the transfer of personal data we process on behalf of Organizations in Business Accounts. Box will also certify to a similar Data Privacy Framework that will be adopted by the UK, known as the UK Extension to the EU-U.S DPF, and Switzerland, known as the Swiss-U.S. DPF. For more information about Box Inc’s. Data Privacy Framework certification, please view the Box Data Privacy Framework Notice.
For additional information on Box’s international data transfers and region-specific notices, please refer to our Regional Information page found here, which provides information on the following:
- Asia-Pacific Economic Cooperation (APEC) - Cross Border Privacy Rules (CBPR) & Privacy Recognition for Processors (PRP)
- Controller and Processor Binding Corporate Rules
- U.S. State Privacy Laws
Collection of Information
Box collects information in the following ways:
1. Information You Provide.
We collect the information you directly provide to Box when you visit our websites or register for and/or use the Box Services.
2. Information We Collect Automatically.
We collect information related to your usage of the Box Services and the devices you use to access those Box Services.
3. Information We Collect from Other Sources.
We collect information from third parties where you have provided us with access to information from those third parties.
In some situations, you can decline to provide information to Box when asked for it. If you decline to provide information where Box requires such information to operate the Box Services and fulfill our obligations, you may not be able to use the applicable Box Service(s). Situations where this may occur include:
- Where Box asks you to provide personal information to be able to add features or services to an existing account at your request;
- Where Box asks you to provide personal information to create an account; or
- Where a third-party application on Box asks you to provide information to use their feature or service.
There may be situations where you do not have the ability to decline to provide information. This includes where Box automatically collects personal information through your use of Box Services. For any questions about providing us with your personal information, please contact us at email@example.com
Use of Information
Box uses information collected for the purpose of providing the Box Services. Box will process and transfer information within and to the U.S. and other countries and territories from which Box or its authorized third parties may operate, which may have different privacy laws from your country of residence. For more details please see the Regional Information page.
Sharing and Disclosure of Information
We will not share personal information about you or any Content with any third parties, unless you allow it, as described in this Privacy Notice, or in connection with providing you the Box Services. We may share information with (i) third parties and vendors or other services providers working on our behalf; (ii) the third-party Box integrations or other third-party products that you choose to use while working with the Box Services or (iii) when necessary, to protect the security and safety of our users or when required by law or a legal process.
Your Personal Information Choices
We understand that your personal information is important to you, and that is why you have choices in how your personal information is used and shared. You can exercise your data protection and privacy rights at any time by logging into your Box account and updating your preferences or contacting Box at firstname.lastname@example.org.
For example, you can:
- Update, access, and delete your account information;
- Choose whether you wish to receive promotional and newsletter communications; and
- Choose whether you wish to share personal information with and use Box integrations.
Protection of Personal Information
Box is committed to securing your personal information. We take appropriate technological and organizational measures to help protect your personal information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Box complies with applicable data protection, privacy, and security breach notification laws.
Some of the ways in which Box protects your personal information include:
- We encrypt your Content when it is stored at rest in our data centers.
- We protect sensitive information with encryption during transmission over the public Internet.
- We keep the servers on which personal information is stored in a controlled environment with limited access.
- We maintain a wide variety of compliance and security programs.
Our Policy Toward Children
The Box Services are not directed to individuals under the age of 18 and we do not knowingly collect information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at email@example.com. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information as soon as possible.
Please contact us at firstname.lastname@example.org or at Box Privacy, 900 Jefferson Avenue, Redwood City, CA 94063, United States of America if you:
- Have questions about this Privacy Notice;
- Wish to make a complaint or have a concern about our handling of your personal information; or
- Want to report a possible breach of privacy laws.
Box will respond to your inquiry within 30 days.
To contact Box's Data Protection Officer, please email email@example.com.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.