Box Privacy Notice
Effective as of July 1, 2023, Box, Inc., and its subsidiaries, (collectively, “Box” or “we” or “us” or “our”) have updated our Box Privacy Notice (“Privacy Notice”).
At Box, we respect the privacy rights of users and recognize the importance of protecting your information. We provide a cloud-based content management platform and our products make it easier for people to share ideas, collaborate and help get work done. This Privacy Notice explains how information (including personal data as defined under GDPR) is collected, retained, used, disclosed, and transferred by Box and the available choices you have with regard to your personal information. This Privacy Notice applies to information collected, used or shared by Box when you use or access our websites, products, mobile applications or services (collectively, the "Box Services"), including when you attend a Box event or otherwise interact with us.
If you use the Box Services as part of a business, an entity, or a non-profit (collectively, “Organization”) that has an agreement with Box, then the terms of that agreement between the Organization and Box will supersede the Privacy Notice where the terms overlap.
Changes to This Notice
We may change this Privacy Notice from time to time. If we make any changes, we will revise the date at the top of this Privacy Notice. If there are material changes to this Privacy Notice, we may notify you or your Organization more directly by email or post a notice on Box’s website prior to the changes becoming effective. We encourage you to periodically review our Privacy Notice to stay informed about our data protection practices and the ways you can help protect your privacy.
Box complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) for the transfer of personal data we process on behalf of Organizations in Business Accounts. Box will also certify to a similar Data Privacy Framework that will be adopted by the UK, known as the UK Extension to the EU-U.S DPF, and Switzerland, known as the Swiss-U.S. DPF. For more information about Box Inc’s. Data Privacy Framework certification, please view the Box Data Privacy Framework Notice.
For additional information on Box’s international data transfers and region-specific notices, please refer to our Regional Information page found here, which provides information on the following:
- Asia-Pacific Economic Cooperation (APEC) - Cross Border Privacy Rules (CBPR) & Privacy Recognition for Processors (PRP)
- Controller and Processor Binding Corporate Rules
- U.S. State Privacy Laws
Collection of Information
Box collects information in the following ways:
1. Information You Provide.
We collect the information you directly provide to Box when you visit our websites or register for and/or use the Box Services.
2. Information We Collect Automatically.
We collect information related to your usage of the Box Services and the devices you use to access those Box Services.
3. Information We Collect from Other Sources.
We collect information from third parties where you have provided us with access to information from those third parties.
In some situations, you can decline to provide information to Box when asked for it. If you decline to provide information where Box requires such information to operate the Box Services and fulfill our obligations, you may not be able to use the applicable Box Service(s). Situations where this may occur include:
- Where Box asks you to provide personal information to be able to add features or services to an existing account at your request;
- Where Box asks you to provide personal information to create an account; or
- Where a third-party application on Box asks you to provide information to use their feature or service.
There may be situations where you do not have the ability to decline to provide information. This includes where Box automatically collects personal information through your use of Box Services. For any questions about providing us with your personal information, please contact us at email@example.com
We collect certain information in the following ways:
Information You Provide
- We collect information directly from you when you: Register with Box for an account, create or modify your profile and account, access and use the Box Services (including but not limited to when you upload, download, collaborate on or share files or other information), use features of the Box Services, participate in a survey, contest, promotion, sweepstakes, activity or event, make a purchase, request customer support, or communicate with us via third-party social media. We also store the files or other information that you upload or provide to the Box Services (“Content”) in order to provide you with the Box Services.
- The types of information we may collect directly from you include:
- Your name;
- User name;
- Email address;
- Your picture;
- Postal address;
- Phone number;
- Information about your data storage preferences;
- Employer’s name;
- Job title;
- Transactional information (including services purchased or subscribed to and billing address); as well as
- Any contact or other information you choose to provide.
- We also collect the information of third parties you provide to enable the use of certain functionality and features of the Box Service. For example, if you invite a user into the Box Service, we will collect the email address you provide in order to invite that user to collaborate on the Content you shared.
Information We Collect Automatically
Information We Collect Through Your Use of the Box Services
- Usage Information: We monitor user activity in connection with the Box Services and collect information about the applications and features you use, the Box websites you visit, the sizes and names of the files or folders you upload, download, share, or access while using the Box Services, the Content you access, and any actions taken in connection with the access and use of your information and Content in the Box Services.
- Log Information: We log information about you when you access and use the Box Services, including: Your Internet Protocol ("IP") address, access times, browser type and language, Internet Service Provider ("ISP"), the Box web pages that you visit, the Content you use, and the URL of the web page you visited before navigating to one of the Box Services.
- Device Information:We collect information about any device (e.g., computers, mobile devices, etc.) used to access Box Services, including: The hardware model, operating system and version, unique device identifiers, mobile network information, or platform information. If you experience an error or crash in any of the Box Services, we may collect information (using first or third-party products) and logs from your device including information such as your device’s IP address, device name, operating system version, application configuration(s), the time and date, and other statistics. We collect your location-based information from your mobile device, with your consent, through our mobile apps to enable certain features and functionality. You can enable or disable this functionality in the Box mobile application settings.
Information Collected by Cookies and Similar Tracking Technologies: We (and the service providers working on our behalf) use various technologies to collect information. This may include saving cookies to your computer or mobile device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookie Notice.
Information We Collect from Other Sources
- We may also obtain information from third party applications and combine that with other information we collect through the Box Services. Any access or restrictions that we may have to such information from such a third party is in accordance with the privacy notice and authorization procedures determined by that third party.
Use of Information
Box uses information collected for the purpose of providing the Box Services. Box will process and transfer information within and to the U.S. and other countries and territories from which Box or its authorized third parties may operate, which may have different privacy laws from your country of residence. For more details please see the Regional Information page.
Your information may be used to perform a variety of purposes, such as:
- Provide, operate, maintain, and improve the Box Services;
- Enable you to access and use the Box Services, including uploading, downloading, collaborating on and sharing Content, and sending emails on your behalf;
- Send you technical notices, updates, security alerts, and support and administrative messages;
- Provide and deliver the services and features you request, process and complete transactions and send you related information, including purchase confirmations and invoices;
- Respond to your comments, questions, and requests, and provide customer service and support;
- Communicate with you about services, features, surveys, newsletters, offers, promotions, contests and events, and provide commercial content, other news, or information about Box and our select partners (including but not limited to via email, SMS text messaging, and/or in-app messaging);
- Process and deliver contest or sweepstakes entries and rewards;
- Monitor and analyze trends, usage, and activities in connection with the Box Services and for sales, marketing or advertising purposes;
- Investigate and prevent fraudulent transactions, unauthorized access to the Box Services, and other illegal activities;
- Personalize and improve the Box Services, and provide Content, features, and/or advertisements that match your interests and preferences or otherwise customize your experience on the Box Services;
- Send you push notifications from time-to-time in order to update you about events or activities related to the Box Services. If you no longer wish to receive these types of communications, you may turn them off at the device level. To ensure you receive proper notifications, we collect certain information about your device such as operating system and user identification information;
- Link or combine with other information we receive from third parties to help understand your needs and provide you with better service; and
- Enable you to collaborate on and share files with users you designate.
Sharing and Disclosure of Information
We will not share personal information about you or any Content with any third parties, unless you allow it, as described in this Privacy Notice, or in connection with providing you the Box Services. We may share information with (i) third parties and vendors or other services providers working on our behalf; (ii) the third-party Box integrations or other third-party products that you choose to use while working with the Box Services or (iii) when necessary, to protect the security and safety of our users or when required by law or a legal process.
We may share information about you as follows:
- Vendors, Consultants, and Other Service Providers: We share information with third-party vendors, consultants, and other service providers who are working on our behalf and require access to your information to carry out that work, such as to process billing, provide customer support, etc. These service providers are authorized to use your information only as necessary to provide services to Box and/or Box Services.
We also share your information with third-party vendors to understand which areas and features of the Box Services are most popular and/or to improve the overall effectiveness of Box’s Services and features. In addition, Box uses subprocessors for certain Box Services. For more information on Box’s subprocessors, please refer to our Subprocessor Page.
- Business Account: If you have an individual Box account and your account email domain is owned or managed by your employer or another organization, your employer or that organization may be provided with access to information relating to your account.
- For Collaboration: We share your information with third parties you choose when using collaboration or sharing features in the Box Services. The personal information we may share includes: your name, email address, information from your profile and online account (including your photo), and any Content you choose to share will be shared with such third parties, and such third parties may communicate with you (such as by posting comments or emailing you) in connection with your use of the collaboration features of the Box Services.
- Third Party Applications: Box provides you with opportunities to connect with third-party applications or services, such as through our Box application partner ecosystem or integration partners. If you choose to use any third-party applications or services, we share information about you including your username and any Content you choose to use in connection with those applications and services, and such third parties may contact you directly.
Note, this Privacy Notice does not apply to your use of such third-party applications and services, and we are not responsible for how those third parties collect, use, and disclose your information and Content. We encourage you to review the privacy notices of those third parties before connecting to or using their applications or services to learn more about their information and privacy practices.
- Compliance with Laws: We may disclose your information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request; (b) to enforce our agreements and policies with our users and customers; (c) to protect the security or integrity of the Box Services; (d) to protect Box, our users and customers, or the public from harm or illegal activities; (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to any other third party with your prior consent.
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Aggregated or Anonymized Data: We may also share aggregated or anonymized information that does not directly identify you with third parties.
Retention of Personal Information
We will retain your personal information for the period necessary to fulfill the purposes outlined in this Privacy Notice and in order to provide you the Box Services, and for as long as your account is active or as needed to provide you services. We will also retain your information to comply with our legal obligations, resolve disputes, and enforce of our agreements.
Your Personal Information Choices
We understand that your personal information is important to you, and that is why you have choices in how your personal information is used and shared. You can exercise your data protection and privacy rights at any time by logging into your Box account and updating your preferences or contacting Box at firstname.lastname@example.org.
For example, you can:
- Update, access, and delete your account information;
- Choose whether you wish to receive promotional and newsletter communications; and
- Choose whether you wish to share personal information with and use Box integrations.
- Account Information: You may update, correct, or delete your personal information at any time by logging into your account and modifying your personal information or by emailing us at email@example.com. You may also submit an access request by emailing firstname.lastname@example.org, and Box will provide you with information about whether we hold, or process on behalf of a third party, any of your personal information. We will respond to your access request within 30 days.
- Deactivating or Deleting Your Account: If you have an individual Box account and wish to deactivate your account, please check on Box Community for instructions, but note that we may retain certain information, including cached or archived copies, as required by law or for legitimate business purposes. If you have an Organization Box account, please email your Box Services administrator appointed by your Organization for information regarding cancelling your account.
- Collaboration and Sharing Features: The Box Services offer collaboration and sharing features and support Box and third-party integrations, which allow you to share your Content or other information through the Box Services. You can set permissions and change your settings at any time for files and folders through your account. For more information about collaboration and sharing features and on how you can manage your permissions and defaults please see Box Community.
- Community Forums and Blogs: Some of our website offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others.
To request removal of your personal information from our blog or testimonials, please submit a ticket with Contact Support on Box Community. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
- Advertising: You may opt out of personalized ads anytime by deleting your browser's cookies. In addition, you may opt-out of interest-based advertising from some third-party partners by visiting http://optout.aboutads.info/, http://optout.networkadvertising.org/, or the third-party provider’s websites. Residents of the European Economic Area (“EEA”) please visit http://www.youronlinechoices.eu. For more information, please review our Cookie Notice.
- Links to Third-Party Websites: We may link to third-party websites in the Box Services. When you click on a link to a third-party website from our website, your activity and use on the linked website is governed by that website’s policies, not by those of Box. We encourage you to visit their websites and review their privacy and user policies.
- Promotional and Newsletter Communications: You may opt out of receiving promotional and newsletter emails from Box by following the opt-out instructions provided in those emails. If you have previously unsubscribed and are a U.S. user, you consent that you’re re-subscribing to receive commercial content by taking such actions like submitting a “Contact Us” form, registering for a Box event or webinar, downloading a Box resource, along with other activities. You may opt-out at any time by emailing email@example.com with your specific request or by visiting the Box preference management center here. If you opt out, we will still send you non-promotional communications, such as security alerts and notices related to your access to or use of the Box Services, or those about your online account or our ongoing business relations.
Protection of Personal Information
Box is committed to securing your personal information. We take appropriate technological and organizational measures to help protect your personal information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Box complies with applicable data protection, privacy, and security breach notification laws.
Some of the ways in which Box protects your personal information include:
- We encrypt your Content when it is stored at rest in our data centers.
- We protect sensitive information with encryption during transmission over the public Internet.
- We keep the servers on which personal information is stored in a controlled environment with limited access.
- We maintain a wide variety of compliance and security programs.
Our Policy Toward Children
The Box Services are not directed to individuals under the age of 18 and we do not knowingly collect information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at firstname.lastname@example.org. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information as soon as possible.
Please contact us at email@example.com or at Box Privacy, 900 Jefferson Avenue, Redwood City, CA 94063, United States of America if you:
- Have questions about this Privacy Notice;
- Wish to make a complaint or have a concern about our handling of your personal information; or
- Want to report a possible breach of privacy laws.
Box will respond to your inquiry within 30 days.
To contact Box's Data Protection Officer, please email firstname.lastname@example.org.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.