Box Privacy Notice
Last Updated: May 22, 2018
Data privacy is important to the Box group of companies which includes Box, Inc., Box.com (UK) Ltd and their affiliates (“Box”). This Privacy Notice ("Privacy Notice") explains how information is collected, used and disclosed by Box and applies to information collected when you use or access our online or mobile websites (such as www.box.com), products, services or applications (collectively, the "Box Services"), or when you attend a Box event or otherwise interact with us. We respect the privacy rights of users and recognize the importance of protecting information collected about you. If you use the Box Services as part of an entity or organization that has an agreement with Box (like your employer or a university), the terms of that organization’s contract for the Box Services may restrict our collection or use of your information more than what is described in this Privacy Notice. .
Please read the following carefully to understand how we will collect, use and maintain your personal information. It also describes your choices regarding use, access and correction of your personal information.
Changes to This Notice
We may change this Privacy Notice from time to time. If we make any changes, we will notify you by revising the "Last Updated" date at the top of this Privacy Notice and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you an email notification). If there are material changes to this Privacy Notice, we will notify you more directly by email or means of a notice on the home page prior to the change becoming effective. We encourage you to review our Privacy Notice whenever you access the Box Services to stay informed about our information practices and the ways you can help protect your privacy.
If you disagree with any changes to this Privacy Notice and do not wish your information to be subject to the revised Privacy Notice, you will need to deactivate with us and stop using the Box Services. Your use of any of the Box Services after the posting of such changes shall constitute your consent to such changes.
We may collect certain user information (including personal information and/or sensitive personal information) in the following ways:
Information You Provide To Us. We collect information you provide directly to us including when you visit one of our websites, register for and/or use one of the Box Services.
- For example, we collect information when you register with Box for an account, create or modify your profile and online account, access and use the Box Services (including but not limited to when you upload, download, collaborate on or share files or other information), participate in any interactive features of the Box Services, participate in a survey, contest, promotion, sweepstakes, activity or event, make a purchase, apply for a job, request customer support, or communicate with us via third-party social media sites
- The types of information we may collect directly from you include your name, username, email address, your picture, postal address, phone number, information about your data storage preferences, employer’s name, job title, transactional information (including services purchased or subscribed to and billing address) as well as any contact or other information you choose to provide. Please be aware that the information you choose to provide in your Box profile may reveal or identify information that is not expressly stated (for example, if you choose to provide your picture, your picture may reveal your gender. We also store the files or other information that you upload or provide to the Box Services ("Content") in order to be able to provide you with the features and functionality of the Box Service.
- The information of third parties such as name, email address, etc. as may be provided to enable the functionality and features of the Box Service. For example, if you invite a user to Box, we will collect their email address in order to provide them with an invite to the Box Service in order to collaborate on the Content you designated.
Information We Collect Automatically When You Use the Box Services. When you access or use the Box Services, we may automatically collect information about you, including:
- Usage Information: We monitor user activity in connection with the Box Services and may collect information about the applications and features you use, the websites you visit, the sizes and names of the files or folders you upload, download, share or access while using the Box Services, the Content you access and any actions taken in connection with the access and use of your Content in the Box Services.
- Log Information: We log information about you when you access and use the Box Services including your Internet Protocol ("IP") address, access times, browser type and language, Internet Service Provider ("ISP"), the Web pages that you visit, the Content you use and the URL of the Web page you visited before navigating to the Box Services.
- Device Information: If you access the Box Services from a mobile device, we collect information about the device, including the hardware model, operating system and version, unique device identifiers, mobile network information (as allowed by the mobile network) or platform information (as allowed by the specific platform type). We may ask for or access your location based information from your mobile device with your consent through our mobile apps. You can enable or disable this functionality in the Box mobile application settings. If you experience an error or crash in any of the Box Services, we may collect data (using first or third party products) and logs from your device including information such as your device’s Internet Protocol (“IP”) address, device name, operating system version, application configuration(s), the time and date, and other statistics.
- Information Collected by Cookies and Other Tracking Technologies: We (including service providers who are working on our behalf) use various technologies to collect information, which may include saving cookies to your computer or mobile device. Cookies are small data files stored on your hard drive or in device memory that help us to improve the Box Services and your experience, customize your experience and preferences, allow you to access and use the Box Services without re-entering your member ID and/or password, understand which areas and features of the Box Services are most popular and count visits. We may also collect information using web beacons (also known as "tracking pixels"). Web beacons are electronic images (also called "gifs") that may be used in the Box Services or in emails that help us to deliver cookies, count visits, understand usage and campaign effectiveness and determine whether an email has been opened and acted upon. For more information about cookies and how to disable them, please see "Your Choices" below.
- Third Party clear gifs: Our third party partners employ clear gifs (a.k.a. Web Beacons/Web Bugs), images, and scripts that help them better manage content on our website. We do not tie the information gathered to our Customers’ or Users’ personal information.
- Local Shared Objects (“LSO”): We use LSOs such as HTML 5 to collect and store information in order to provide certain features on our website. Third parties with whom we partner may also use LSOs in order to provide certain features on our website or to display advertising based upon your Web browsing activity. Various browsers may offer their own management tools for removing HTML5 LSOs.
- Google AdSense: We use Google AdSense to publish ads on this website. When you view or click on an ad a cookie will be set to help better provide advertisements that may be of interest to you on this and other websites. You may opt-out of the use of this cookie by visiting Google’s Advertising and Privacy page: http://www.google.com/privacy_ads.html
- Advertising Cookies: We partner with third parties to manage our advertising on other websites. Our third parties may use tracking technologies such as cookies to gather information about your activities on this website and other websites you visit in order to provide you advertising based upon your browsing activities and interests.
You may opt out of behaviorally targeted ads anytime by deleting your browser's cookies. In addition, you may opt-out of interest-based advertising from some third-party partners by visiting http://preferences-mgr.truste.com/, http://www.youronlinechoices.eu, or the third-party provider’s websites.
Please note that opting-out will only prevent targeted ads so you may continue to see generic (non-targeted ads) after you opt-out.
Do Not Track. Some browsers offer a “do not track” (“DNT”) option. Because no common industry or legal standard for DNT has been adopted by industry groups, technology companies or regulators, we do not respond to DNT signals. We will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
Information We Collect From Other Sources. We may also obtain information from third parties and combine that with information we collect through the Box Services. For example, we may have access to certain information from a third-party social media service if you create or log into your online account through the service or otherwise provide us with access to information from the service. Any access that we may have to such information from a third-party social media service is in accordance with the privacy notice and authorization procedures determined by the social media service. We protect data obtained from third parties according to the practices described in this policy, plus any additional restrictions imposed by the source of the data.
Use of Information
We may use the information collected for the limited purpose of providing the Box Service and related functionality and services, as described in this Privacy Notice and as permitted by applicable laws. These limited purposes include circumstances where it is necessary to provide or fulfill Services requested by or for you or where you have given us your express consent.
The information may be used to perform a variety of purposes, including to:
Provide, operate, maintain and improve the Box Services;
Enable you to access and use the Box Services, including uploading, downloading, collaborating on and sharing Content and sending emails on your behalf;
Send you technical notices, updates, security alerts and support and administrative messages;
Provide and deliver the services and features you request, process and complete transactions, and send you related information, including purchase confirmations and invoices;
- Respond to your comments, questions, and requests and provide customer service and support;
- Communicate with you about services, features, surveys, newsletters, offers, promotions, contests and events, and provide other news or information about Box and our select partners;
- Process and deliver contest or sweepstakes entries and rewards;
- Monitor and analyze trends, usage, and activities in connection with the Box Services and for marketing or advertising purposes;
- Investigate and prevent fraudulent transactions, unauthorized access to the Box Services, and other illegal activities;
- Personalize and improve the Box Services, and provide content, features, and/or advertisements that match your interests and preferences or otherwise customize your experience on the Box Services;
- Send you push notifications from time-to-time in order to update you about events or activities related to the Box Services. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we collect certain information about your device such as operating system and user identification information;
- Link or combine with other information we receive from third parties to help understand your needs and provide you with better service;
- Enable you to communicate, collaborate, and share files with users you designate; and
- For other purposes about which we will provide you with prior notice as described in the "Changes to This Notice" section
By accessing or using the Box Services or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries and territories, which may have different privacy laws from your country of residence.
Sharing and Disclosure of Information.
We will not share personal information about you or any Content with any third parties except as described in this Privacy Notice or in connection with the Box Services. For example, we may share personal information about you including as follows:
- Vendors, Consultants and Other Service Providers: We may share your information with third-party vendors, consultants and other service providers who are working on our behalf and require access to your information to carry out that work, such as to process billing, provide customer support, etc. These service providers are authorized to use your personal information only as necessary to provide services to Box and/or Box Services
In some cases, we may share your information with third-party vendors to understand which areas and features of the Box Services are most popular and/or to improve the overall effectiveness of Box's Services and features.
- Corporate Account: If you are an individual Box registered user and the domain of the primary email address associated with your Box account is owned by your employer and was assigned to you as an employee of that organization, and such organization wishes to establish a Box corporate account, then certain information concerning past use of your individual account may become accessible to that organization’s administrator including your email address.
- For Collaboration: We may share your information, including when you choose to use collaboration features in the Box Services that by their nature support sharing with third parties who you choose. Your name, email address, information from your profile and online account (including your photo), and any Content you choose to share will be shared with such third parties, and such third parties may communicate with you (such as by posting comments or emailing you) in connection with your use of the collaboration features of the Box Services. For example, third parties who you invite to collaborate with you as “Editors” using the collaboration features of the Box Services may also modify Content that you have shared, upload documents and photos to Content you have shared, share such Content outside of the Box Services, and provide other third parties with rights to view the Content you have shared.
- Third Party Applications: Box provides you with opportunities to connect with third-party applications or services, such as through our Box One Cloud or Box application partner ecosystem. If you choose to use any such third-party applications or services, we may share information about you including your username and any Content you choose to use in connection with those applications and services, and such third parties may contact you directly as necessary. This Privacy Notice does not apply to your use of such third-party applications and services, and we are not responsible for how those third parties collect, use and disclose your information and Content. We encourage you to review the privacy policies of those third parties before connecting to or using their applications or services to learn more about their information and privacy practices.
- Compliance with Laws: We may disclose your information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and Terms of Service, (c) to protect the security or integrity of the Box Services, (d) to protect Box, our customers or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person or (f) to any other third party with your prior consent.
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Aggregated or Anonymized Data: We may also share aggregated or anonymized information with third parties that does not directly identify you.
Collaboration and Sharing Features
The Box Services offers collaboration features or other integrated tools, which allow you to share your Content through the Box Services. As a function of the collaborative nature of the Box Services and based on the permissions and settings you choose, the use of such features enables the sharing of Content with people you want to collaborate with or with the public. You can choose to change your settings at any time for a file or folder through your account. For more information about such collaboration and sharing features, we encourage you to review the information provided on support.box.com.
Binding Corporate Rules
Box, Inc., and the Box group of companies use Box’s Processor and Controller Global Binding Corporate Rules ("BCRs") as the basis for Box’s approach to global data privacy protection. Box’s Processor BCRs and Controller BCRs were authorized by the European data protection authorities, as will be listed at the European Commission website: http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm.
Box’s Processor BCRs enable Box to transfer personal data that Box processes on behalf of Customers from European Economic Area ("EEA") countries to non-EEA countries. Box’s Controller BCRs enable Box to transfer personal data within the Box group of companies globally, where Box acts as a data controller. Box’s BCRs will be available at:
Box, Inc.’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx.
EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
Box, Inc. participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. For more information about our Privacy Shield certifications, please see this Box EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Notice.
While no service is completely secure, Box takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. For example, we encrypt your Content when it is stored in our data centers. In addition, sensitive information such as credit card number and password that we request from you on the Box Services is protected with encryption, such as Secured Socket Layer (SSL) protocol, during transmission over the Internet.
The servers on which personal information is stored are kept in a controlled environment with limited access. While we take reasonable efforts to guard personal information we knowingly collect directly from you, no security system is impenetrable. In addition, we cannot guarantee that any passively-collected personal information you choose to include in documents you store on our systems are maintained at levels of protection to meet specific needs or obligations you may have relating to that information.
You may access your account information and our service only through the use of an individual user ID and password. To protect the confidentiality of personal information, you must keep your password confidential and not disclose it to any other person. Please advise us immediately if you believe your password has been misused. In addition, always logout and close your browser when you finish your session. Please note that we will never ask you to disclose your password in an unsolicited phone call or email.
If you have any questions about the security of your personal information, you can contact us at email@example.com.
Account Information & Retention. You may update, correct or delete information about you at any time by logging into your online account and modifying your information or by emailing us at firstname.lastname@example.org. We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Notice. If you wish to deactivate your account, please email us at email@example.com, but note that we may retain certain information as required by law or for legitimate business purposes. We may also retain cached or archived copies of information about you for a certain period of time. We will respond to your access request within 30 days.
We will retain your information for as long as your account is active or as needed to provide you services. We will retain and use your information to comply with our legal obligations, resolve disputes and enforce our agreements.
We will retain personal data we process on behalf of our customers as directed by paying customers. Box will retain this personal information as necessary to comply with legal obligations, resolve disputes, and enforce agreements.
Upon request, Box will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information that we are aware of. To request this information, contact us at firstname.lastname@example.org.
Promotional and Newsletter Communications. You may opt out of receiving promotional and newsletter emails from Box by following the opt-out instructions provided in those emails. You may also opt-out of receiving promotional emails and other promotional communications from us at any time by emailing email@example.com with your specific request. If you opt out, we may still send you non-promotional communications, such as security alerts and notices related to your access to or use of the Box Services or those about your online account or our ongoing business relations.
Cookies. Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies or to prompt you before accepting such a cookie. Please note that, if you choose to remove or reject browser cookies, this could affect the availability or functionality of the Box Services.
California Residents. Under California law, California Residents who have an established business relationship with Box may choose to opt out of Box’s disclosure of personal information about them to third parties for direct marketing purposes. If you choose to opt-out at any time after granting approval email firstname.lastname@example.org.
You can log in to our website using sign-in services such as Facebook Connect or an Open ID provider. These services will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign up form. Services like Facebook Connect give you the option to post information about your activities on this website to your profile page to share with others within your network.
Social Media Features and Widgets
The Box Services may include social media features. These features may collect your IP address, which page you are visiting on our website, and may set a cookie to enable the feature to function properly. Social media features are either hosted by a third party or hosted directly on a Box Service. Your interactions with these features are governed by the privacy notice of the company providing it.
Community Forums and Blogs
Our website offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them.
To request removal of your personal information from our blog or testimonials, contact us at the email address listed above. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
We display personal testimonials of satisfied customers on our website in addition to other endorsements. With your consent we may post your testimonial along with your name.
Links to Third Party Websites
We may place links on the Box Services. When you click on a link to a third party website from our website, your activity and use on the linked website is governed by that website’s policies, not by those of Box. We encourage you to visit their websites and review their privacy and user policies.
Our Policy Toward Children
The Box Services is not directed to individuals under 18. We do not knowingly collect personal information from children under the age of 18. If you become aware that a child has provided us with personal information, please contact us at email@example.com. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information..
Any questions about this Privacy Notice should be addressed to firstname.lastname@example.org or to Box Privacy, 900 Jefferson Avenue, Redwood City, CA 94063, United States of America.
Box has appointed Crispen Maung as Box’s Data Protection Officer (DPO). If you would like to contact Box’s DPO, please reach out to email@example.com and we will respond to your request accordingly.
If you have a concern about our handling of your personal information, please get in contact with us first using the details in the ‘Contacting Us' section of this Privacy Notice.
If you believe Box processes your personal data under reliance of the EU - U.S. Privacy Shield Framework or Swiss - U.S. Privacy Shield Framework and have inquiries and concerns that you would like to discuss with us, please contact us using the details in the "Contacting Us" section of this Privacy Notice.
Box will respond to your inquiry within 45 days. If, after contacting us, we fail to adequately address your concern please contact our U.S. – based third -party dispute resolution provider at no cost, at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
If you are in the EEA or Switzerland and feel we have not dealt with your concerns and that we are failing to meet our legal obligations, you can report this to your local data protection regulator or the Information Commissioner's Office ("ICO") in the United Kingdom. More information on reporting a concern to the ICO can be found at https://ico.org.uk.