Introduction
This Privacy Notice (“Notice”) describes the types of information Pure Storage Inc. and its subsidiaries and affiliates, (collectively, “Pure,” “we,” “our,” or “us”) collect through our websites, including the website at purestorage.com (our “sites”) or any website that uses this notice, how we use and disclose such information, the steps we take to protect it, and how you can exercise your data protection rights.
We will only process your personal data in accordance with this Notice and any applicable law to which we are subject when offering you a localized website in your language and country, in particular any United States federal and state legislation, and for users located in the EEA and the UK subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and all other national data protection laws globally (altogether “Data Protection Legislation").
If you are unable to access this notice due to a disability or any other impairment, please contact us using the contact details provided below and we will arrange to supply you with the information you need in an alternative format that you can access.
Data Privacy Framework
1. Compliance. Pure and its U.S. subsidiaries, Pure Storage, LLC, Pure Storage Holdings, Inc., Pure Storage International, Inc., and Portworx Inc., comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Pure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Pure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
2. Complaints. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pure commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Pure Storage, Inc. at privacy@purestorage.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pure commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
3. Arbitration. If your DPF complaint cannot be resolved through the above channel, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.
4. Onward Transfers. Transfers of Personal Information to a third party acting as a data processor are covered by the provisions of this Notice. Pure holds contracts with the third-party Data Processor that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Pure immediately if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third party Data Processor ceases processing or takes other reasonable and appropriate steps to remediate. When transferring Personal Information to a third party acting as an Data Processor, Pure: (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the Data Processor is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the Data Processor effectively processes the Personal Information transferred in a manner consistent with the Pure’s obligations under the Principles; (iv) requires the Data Processor to notify Pure if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), Pure will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that Data Processor to the Department of Commerce upon request.
5. Liability. Pure is potentially liable in cases of onward transfer to third parties of data of EU, the United Kingdom, or Swiss individuals received pursuant to the EU-U.S. Data Privacy Framework.
6. Enforcement. Pure is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
Data Collected, Purpose and Legal Basis
Pure collects personal information in a variety of contexts, each of which is defined below. The categories of information, types of information, sources of information and our purposes for collecting, processing, using, and sharing such information is determined based on this context. “Personal Data” is information relating to, directly or indirectly, an identified or identifiable natural person or household.
When visiting our Sites
Pure collects Personal Data through our sites. This includes things like your name, postal address, telephone number, and email address, as well as less obvious information, e.g., browser and device data, and internet or network activity information, such as activity on our sites, data collected through cookies, pixel tags and other technologies, and other information that is generated through your use of the internet to access our websites.
Personal Data is collected from you directly or through your web browser when accessing our sites. The purpose of our processing is to optimize the user experience and the site's functionality including creating statistics, developing new as well as enhancing, improving, or modifying our products and services; and identifying usage trends, for example, understanding which parts of our sites are the most interesting to any visitor.
This processing of Personal Data is necessary for us to pursue our legitimate interest in operating and improving these Sites (Article 6(1) (f) GDPR).
When signing up for our Communications
If you sign up for communications, we will collect your name, e-mail address, your IP address, and the language in which you wish to receive such communications.
The purpose for collecting your Personal Data is to contact you for marketing and sales purposes, including notifications related to product enhancements, warranties, and renewals, that are related specifically to customer needs and interests.
The sending of marketing materials and the necessary processing of respective Personal Data is based on the consent of the recipient to receive the newsletters (Article 6(1) (a) GDPR).
However, where local laws require a separate legal basis for the processing than consent (e.g. Denmark), Personal Data is processed to pursue our legitimate interest in marketing our services and engaging with our customers and prospects (Article 6(1) (f) GDPR).
When engaging with us through Social Media
Pure’s sites may use social media features, such as the Facebook “like” button etc.. These features may collect your IP address and which page you are visiting on our site, and may set a cookie, pixel, beacon or other similar technologies to enable the feature to function properly.
You may be given the option by such a feature to post information about your activities on our products and services to a profile page of yours that is provided by a third-party social media network in order to share with others within your network. These features are either hosted by a third-party or hosted directly on sites. Information collected in the context of the feature is subject to the relevant social media platforms’ own data collection, use, and disclosure policies.
Sharing of Your Data
Except as described in this Notice, we will not disclose information about you that we collect on or through our sites to third-parties without your consent, unless legally required or permitted to do so. We may disclose information to third-parties if you consent to us doing so, as well as in the following circumstances:
Any information that You voluntarily choose to include in a publicly accessible area of the Sites will be available to anyone who has access to that content, including other users.
We may share your information with our partners in connection with, selling or distributing our products and services, or engaging in joint marketing activities, in accordance with your expressed marketing preferences.
We may share information with our corporate affiliates (e.g., parent and sister companies, subsidiaries, joint ventures or other companies under common control). If another company acquires, or plans to acquire, our company, business, or assets, we will also share information with that company, including at the negotiations stage.
We may disclose your information if required to do so by any competent law enforcement body, regulatory, government agency, court or other third-party where we believe disclosure is necessary to comply with applicable law or regulation, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
We also reserve the right to disclose your information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of our products and services and any facilities or equipment used to make our products and services available, or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.
We may make certain aggregated, automatically-collected, or otherwise non-personal information available to third-parties for various purposes, including (i) compliance with various reporting obligations; (ii) for business or marketing purposes; or (iii) to assist such parties in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, advertisements, promotions, and/or functionality available through our Offerings.
We may share your information with service providers. Among other things, service providers may help us to administer our website, conduct surveys, provide technical support, process payments, and assist in fulfillment of services. We contract with these service providers to ensure they only use your information to fulfill their obligations to provide services to us.
Cross-border transfer
Your Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, and by browsing our Sites You understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.
When we transfer Personal Data out of the European Union (“EU”), European Economic Area (“EEA”), the United Kingdom (“U.K.”), and Switzerland to countries that do not benefit from an adequacy decision, we may rely on Standard Contractual Clauses or other legal transfer mechanisms with appropriate safeguards in place to protect Personal Data. As previously noted, Pure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) for transfers of Personal Data from the EU, EEA, U.K. (and Gibraltar), and Switzerland to the U.S.
Data retention
We retain Personal Data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.