Global Privacy Policy

Effective Date: May 15, 2024

Introduction

This privacy policy (“Privacy Policy”) applies to the personal data that Zscaler, Inc. and its affiliates (“Zscaler”, “we”, “us” or “our”) process in relation to your interaction with our websites, events, and business promotion.

This Privacy Policy does not apply to situations where we act on behalf of our customers, generally in the role as “data processor” or “service provider”, as defined by applicable data protection laws, in relation to the data our customers submit, manage, use, or process through or as part of our services. For additional information about our data processing activities in our role as data processor or service provider, please see our Privacy Overview page.

What Personal Data We Collect

When we use the term “personal data” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. The term does not include aggregate or de-identified data that is maintained in a form that is not reasonably capable of being associated with or linked to an individual and does not apply to other information that is excluded from privacy protections under applicable data protection law.

We collect your personal data in three ways: (i) Personal Data You Provide, (ii) Automatically Collected Personal Data, and (iii) Personal Data from Third Parties. More detail is provided below.

Personal Data You Provide

• Information When You Contact Us or Interact With Us: we collect personal data that you provide when you contact or interact with us, such as your name, address, email address, and telephone number. We may collect other information to process your request properly, such as questions, comments, feedback or requests.

• Promotions and Products Interest: we collect personal data if you choose to participate in a survey, research, promotion, marketing campaign, free trials or evaluations of our products, webinars, community, help forums, or events conducted or sponsored by us. You may provide us with personal data such as your name, email address, and/or telephone number, employer name, your title, and audio or visual information.

• Purchase Information: when you make a purchase on our websites or with our staff, including the purchase of Zscaler products and services, we collect information about the purchase, such as contact information, items you have purchased, and professional information.

Automatically Collected Personal Data

• Cookies: we use cookies and similar technologies to monitor the usage of our website. For example, we use cookies to remember your language preferences and login information, as well as to analyze our website traffic patterns. To learn more about our use of cookies, please see our Cookies Policy. We will obtain your consent to our use of cookies where required by law.

• Technical and Usage Information: we collect certain device and network connection information when you access and interact with our website. This information includes IP address, browser type, internet service provider, URLs of referring and exit pages, operating system, date and time stamp, information that you search for, locale and language preferences, identification numbers associated with your device, your mobile carrier, and system configuration information. Occasionally, we connect personal data gathered in our log files as necessary to improve our website. In such a case, we would treat the combined information in accordance with this Privacy Policy.

Personal Data From Third Parties

We obtain personal data from other sources, which we may combine with personal data we collect automatically or directly from you. We may receive the same categories of personal data as described above from the following third parties:

• Our Customers, and Other Users or Individuals who Interact with our Services: we may receive your personal data from our customers, and other users or individuals who interact with our services. This includes any information collected by us when your organization contacts us for support related to your organization’s use of our products, services or events. In such instances, we will also collect information about the reason for the inquiry and any other information provided to us.

• Your Employer or Organization: if you interact with our services through your employer or organization, we may receive your personal data from them.

• Business Partners: we may receive your personal data from our business partners.

• Social Media: when you interact with our services through various social media networks, we may receive some information about you when permitted to share with third parties. The data we receive depends on your privacy settings with the social network and may include, but is not limited to, your profile information, profile picture, gender, username, user ID, age range, language, and country. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services.

• Service Providers: our service providers that perform services on our behalf, such as survey and marketing providers, collect personal data and often share some or all of this data with us.

• Other Sources: we may also collect personal data about you that we do not otherwise have from, for example, publicly available sources, third-party data providers, brand partnerships, or through transactions such as mergers and acquisitions.

How We Use Your Personal Data

We use your personal data to operate, provide, develop and improve our website and products, including for the following purposes. You can find more detail in “Our Legal Basis and How We Process Your Personal Data”.

To provide our products, services, and information that you request, such as to respond to your questions regarding the use of our products or to send you a newsletter or white paper about our products.

To respond to your inquiries.

To process and complete transactions, and send you related information, such as purchase confirmations and invoices.

To send you transactional messages, such as responses to your comments, questions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages.

To send promotional communications, such as providing you with information about our products, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners.

To monitor and analyze trends, usage, and activities in connection with our website and services, and your use of our content, including for marketing or advertising purposes.

To investigate and prevent fraudulent transactions, unauthorized access to our products, and other illegal activities.

To personalize and customize certain features and content on our website, content and products, including by providing features or advertisements that match your interests and preferences.

To complete your requests related to an event held or sponsored by us, such as completing the registration for the event, enabling your participation and access to the event activities, booking travel accommodations, purchasing an event ticket, and other marketing purposes.

To comply with our legal obligations and to maintain the security of our website, content and products.

For other purposes for which we obtain your consent, or for any other purpose disclosed at the time of collection.

From time to time, we may post testimonials on our website that may contain personal data. We will obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us.

How We Share Your Personal Data

We share your personal data with third parties, such as (i) Agents and Authorized Partners, (ii) Service Providers, (iii) Third Parties for Corporate Transactions, and (iv) Other Third Parties.

Agents and Authorized Partners

We provide limited personal data to certain authorized resellers of our products and other authorized technology partners to communicate information to you about our products and as part of events that we jointly host with such partners.

Service Providers

We provide your personal data to contractors, service providers, and other third parties to support our business and which are bound by obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.

Among the service providers we use is Intellimize (https://www.intellimize.com), a dynamic website personalization and marketing tool. Intellimize provides a technology platform designed to help websites personalize content for consumer and business visitors based on their user activity, without use of cookies. For any data subject request please contact Zscaler. To review how Intellimize uses any information it collects, such as user information and user activity, when you visit our website, see https://www.intellimize.com/privacy.

Third Parties for Corporate Transactions

We may disclose your personal data to third parties (e.g., a buyer or other successor) in connection with a corporate transaction, such as a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which personal data held by us in the capacity of Data Controller is among the assets transferred.

Other Third Parties

We may access, preserve, and share your personal data with third parties when required by law or if we have good faith belief that it is necessary to:

comply with applicable law, legal process or government requests, as consistent with internationally recognised standards,

comply with a subpoena, court order, or legal process served on us,

establish or exercise our legal rights or defend against legal claims, or

protect the property, interests, or personal safety of our agents, employees, customers or the public.

Under such circumstances, we may be prohibited by law, court order or other legal process from providing notice of the disclosure, and we reserve the right to not provide such notice in our sole discretion.

To learn more about how we handle requests from government agencies, regulatory bodies, and other law enforcement authorities, see our Transparency Report.

Your Rights and Choices

You have rights and choices when it comes to your personal data. Some of these rights apply generally, while others will only apply in certain circumstances. Depending on the scenario, these rights may be subject to some limitations provided by law.

Right to access: you have the right to obtain information about the data stored about you, including certain information about the processing.

Right to rectification: you have the right to demand the rectification of any incorrect or inaccurate personal data we hold with respect to you.

Right to erasure: you have the right to have some or all your personal data erased.

Right to restriction of processing: you have the right to have the processing of your data restricted where the prerequisites in the law are satisfied (e.g., contesting the accuracy of your personal data).

Right to withdraw consent: you are entitled to withdraw any declaration(s) of consent previously made and relating to the processing of your personal data with future effect. However, such withdrawal of consent does not affect the legitimacy of any processing operations previously executed.

Right to data portability: you have the right to data portability in circumstances where we rely on contractual necessity or consent as our legal basis. This means that you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to share it with a third party.

Right to object to processing: you have the right to object to the processing of your personal data in certain circumstances. This right applies when we are performing a task in the public interest, pursuing our legitimate interests or those of a third party, or when your data is processed for the purpose of facilitating scientific or historical research in certain circumstances.

Please note that you may not be able to benefit from all features of our website if you request the deletion of your personal data or object to or withdraw your consent to such processing.

To exercise any of the above rights, please contact us by following the instructions available in the section “Contact Us” in this Privacy Policy.

If you are not satisfied with how we have responded to any of your rights requests, you also have the right to lodge a complaint with your local supervisory authority.

Data Security and Retention

Security of your personal data is important to us. We maintain appropriate technical, administrative, and physical security measures that are designed to protect your personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction. We regularly review our security measures to consider available new technologies and methods. If you have any questions about the security of your personal data, you can contact us.

We retain personal data for as long as necessary to provide our services and for the other purposes set out in this Privacy Policy. We also retain personal data when necessary to comply with contractual and legal obligations, when we have a legitimate interest to do so (e.g., improving and developing our business, and enhancing its safety, security and stability), and for the exercise or defence of legal claims.

The retention periods will be different depending on the type of personal data and the purposes for which we use the personal data. If you have any questions about the retention of your personal data, you can contact us.

International Data Transfers

The personal data we collect may be transferred to and stored in countries outside of the jurisdiction you are in to locations where we and our third-party service providers have operations.

In the event of a transfer, we ensure that the personal data is transferred to countries recognised as offering an adequate level of protection, or the transfer is made pursuant to appropriate safeguards, such as standard contractual clauses adopted by the European Commission. If you wish to inquire further about these safeguards used, please contact us.

Data Privacy Framework Statement

Zscaler complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), (collectively the “Data Privacy Framework” or “DPF”), as set forth by the U.S. Department of Commerce, regarding the transfers of non-HR personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland, in accordance with the transfer requirements under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”). Zscaler has certified to the U.S. Department of Commerce that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF.

If there is any conflict between the terms in this statement and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Purposes of Data Processing: Zscaler may act as a data processor or a data controller when processing non-HR personal data transferred from the European Economic Area to the United States of America, depending on the product(s) or service(s) being provided. The types of non-HR data we collect and process vary depending on the business relationship, the product or service being provided, customers’ preferences, contractual requirements with customers, and the legitimate interests, including marketing, security, billing, transaction processing, product support, and relationship management.

• Notice: At the time of data collection, or as soon as practicable thereafter, Zscaler notifies data subjects about its data practices regarding personal data.

• Choice: Zscaler offers individuals the opportunity to opt out of personal data, or opt in for sensitive data, being: (i) disclosed to a third party (other than to Zscaler’s service providers under contract or pursuant to lawful request as set forth below), or (ii) used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by you.

• Access: Individuals whose personal data may be processed by Zscaler are entitled to obtain confirmation of whether such personal data is being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws. If requested to remove data, we will respond within a reasonable timeframe.

• Accountability for Onward Transfers (Transfer to Third Parties): When Zscaler transfers personal data to a third party, we take reasonable and appropriate steps to ensure the third party processes personal data for limited and specified purposes and in a manner consistent with our DPF obligations. Where the transfer is to a third-party agent acting on our behalf, we may be liable if such third parties fail to meet those obligations.

• Security: Zscaler takes reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

• Data Integrity and Purpose Limitation: Zscaler will retain personal data for a reasonable period of time necessary to comply with applicable law, in accordance with our retention policies, and in a manner that is compatible with and relevant to the purposes for which it was collected or authorized by individuals.

• Lawful Requests: We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. To learn more about how we handle requests from government agencies, regulatory bodies, and other law enforcement authorities, see our Transparency Report.

• Enforcement and Dispute Resolution: If you have a question or complaint related to Zscaler’s participation in the DPF, please contact the Privacy Team at [email protected]. Please note, to pursue your rights under the DPF, your complaint must concern personal data received from the EU, UK, or Switzerland in reliance on the DPF, which excludes any personal data transferred under the Standard Contractual Clauses (SCCs), any approved derogation from the EU Directive, or other non-DPF data transfer mechanisms.

Zscaler has further committed to refer unresolved DPF complaints to the International Centre for Dispute Resolution, which is the international division of the American Arbitration Association (“ICDR/AAA”), located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the ICDR/AAA at https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the ICDR/AAA are provided at no cost to you.

If neither Zscaler nor its dispute resolution provider is able to resolve your DPF complaint, you may be entitled, under certain conditions, to invoke binding arbitration through the Data Privacy Framework Panel. DPF-certified organizations must respond within 45 days of receiving a complaint.

Interest-Based Advertising

We may partner with ad networks and other ad serving providers (“Advertising Providers”) that serve ads on behalf of us and others on non-affiliated platforms. Some of those ads may be personalized, meaning that they are intended to be relevant to you based on information Advertising Providers collect about your use of the Website and other sites or apps over time, including information about relationships among different browsers and devices. This type of advertising is known as Interest-Based Advertising (“IBA”). We adhere to the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles in connection with this activity.

We use data collected from non-affiliated websites over time as well as other data described in this Policy to provide advertising on behalf of our clients that is relevant to interests inferred from this data. We may also partner with other ad companies to extend our audiences across different browsers for interest-based advertising purposes. If you would like to exercise choice regarding our collection of web viewing data from web browsers for interest-based advertising purposes please visit https://optout.aboutads.info/ and select “opt out of all”, or if located in the European Union you can click here to make choices with respect to companies integrated in the YourOnlineChoices consumer choice platform.

When you make your choices on your browser using these choice tools, we will stop collecting and using data from that browser and associated browsers for interest-based advertising on it. We will also stop using data collected from that browser on other browsers associated with it, and will stop using data collected from those associated browsers for interest-based advertising on the opted-out browser. Note that electing to opt out will not stop advertising from appearing in your browser. It may make the ads you see less relevant to your interests. In addition, note that if you use a different browser or erase cookies from your browser, you may need to renew your opt-out choice.

You may visit the DAA WebChoices tool at www.aboutads.info to learn more about IBA and how to opt out of this advertising on websites by companies participating in the DAA self-regulatory program.

Companies participating in the WebChoices tool may continue to collect data for non-IBA purposes such as for analytics and other non-IBA related ad operational purposes. Additionally, your browser may offer tools to limit the use of cookies or to delete cookies; however, if you use these tools, our Site may not function as intended.

Children’s Privacy

We do not knowingly collect personal data from children under 13. If you are under 13, do not use or provide any information on this website or provide any data about yourself to us. If we learn we have collected or received personal data from a child under 13 without verification of parental consent, we will delete that data. If you believe we might have any information from or about a child under 13, please contact us.

Contact Us

You can contact us by sending an email to [email protected] or at the following postal address:

Zscaler, Inc.

Attn: Privacy Department

120 Holger Way

San Jose, CA 95134

United States