Privacy Policy

Effective Date: January 1, 2020

Last Updated: February 1, 2024

Palo Alto Software, Inc. ((“Palo Alto Software”, “we”, “us”, “our”), are committed to protecting your privacy, including your Personal Information (as defined in Section 1.1 below).

This Privacy Policy governs our Personal Information collection, processing and usage practices with respect to our Websites and Subscription Services (each as defined in Section 1.2 below under “Websites” and “Subscription Services”). It also describes your choices regarding use, access, and correction of your Personal Information. By using the Websites or the Subscription Services, you consent to the Personal Information processing practices described in this Privacy Policy. If you do not agree with the Personal Information processing practices described in this Privacy Policy, you should not use the Websites or the Subscription Services.

1. Definitions

1.1. “Personal Information”

This refers to any information that identifies you personally, directly or indirectly, including contact information, such as your name, email address, aliases, company name, physical and postal address, phone number, IP address, credit card details and other information about yourself or your household. Personal Information can also include information about any transactions, both free and paid, that you enter into on the Websites.

1.2. “Websites” and “Subscription Services”

This Privacy Policy applies to our websites (“Websites”), including www.paloalto.com, www.bplans.com, www.liveplan.com, as well as any other sites owned and operated by us and related processing activities carried out on our behalf by third parties, e.g., for the purpose of conducting online marketing, payment processing, customer support, as well as other types of services, as described below. The Privacy Policy also applies to our Subscription Service LivePlan offered through our Websites (the “Subscription Services”), including any associated mobile applications (Mobile Apps) owned and controlled by Palo Alto Software.

2. Changes and Updates

We periodically update this Privacy Policy. Any changes will be effective from the time the new Privacy Policy is posted, as indicated by the “Effective Date” listed above.

Your use of the Websites or Subscription Services after changes to this Privacy Policy have been implemented constitutes your acknowledgement and acceptance of the new Privacy Policy. If you do not agree to the terms of the new Privacy Policy, you must no longer use the Websites or Subscription Services.

3. Questions and Concerns

If you have any questions about this Privacy Policy, please contact our Data Protection Officer at privacy@paloalto.com or by calling us at 1-800-229-7526 or by postal mail at:

Palo Alto Software, Inc.
Attn: Noah Parsons, Data Protection Officer
44 W. Broadway, STE 500
Eugene, OR 97401
USA

You can also use these contact details to exercise your privacy rights. In addition, you may be able to submit a request to exercise your privacy rights by filling out a webform available on the Website. Please note that we might need to verify your identity as explained in the Section titled “Verification of Your Identity” below.

VeraSafe has been appointed as Palo Alto Software's representative in the European Union for Personal Information protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. VeraSafe can be contacted in addition to privacy@paloalto.com, only on matters related to the processing of Personal Information. To make such an inquiry, please contact VeraSafe using this contact form: https://www.verasafe.com/public-resources/contact-data-protection-representative

Alternatively, VeraSafe can be contacted at:

VeraSafe Czech Republic s.r.o
Klimentská 46
Prague 1, 11002
Czech Republic

VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

VeraSafe has been appointed as Palo Alto Software's representative in the United Kingdom for data protection matters, pursuant to Article 27 of the United Kingdom General Data Protection Regulation. If you are located within the United Kingdom VeraSafe, can be contacted in addition to or instead of privacy@paloalto.com, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form or via telephone at +44 (20) 4532 2003.

Alternatively, VeraSafe can be contacted at:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

4. Information We Collect and How We Use It

4.1. Information You Voluntarily Provide When You Visit Our Websites and Use Our Subscription Services

You are free to explore our Websites without providing any Personal Information about yourself. You may also voluntarily provide Personal Information to us when you sign up to receive additional information from our Websites, or sign up for and use one of our Subscription Services, contact our customer service team, send us an email, post a comment on our blogs, or communicate with us in any other way. The Personal Information we process may include your name, address, email address, phone number, credit card information, and professional information. Furthermore, custom fields may capture any other types of Personal Information that you choose to share with us.

Our online Subscription Services allow you to create business plans and analyze accounting data.

Users of our Subscription Services can store any type of Personal Information in the services. However, Palo Alto Software does not access or share any of that data, and does not know what type of data you or other users are storing. The data is only used by the account owner and invited end-users as they intend to use it. We will not allow humans to read this data unless: (i) we have your affirmative agreement for specific messages, (ii) doing so is necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) for our internal operations and even then only when the data has been aggregated and anonymized.

Please refer to Section 5.4 below titled “Use of Personal Information” to understand how we use the Personal Information you voluntarily provide when you visit our Websites and use our Subscription Services. We may share your Personal Information with third parties, as necessary, solely to enable them to perform those specific services for us. Such third parties include those:

Such third parties are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality and security of your information.

4.2. Payment and Order Information

We collect and process payment information from you when you subscribe to any of our Subscription Services or order any products or services from our Websites, including credit cards numbers, billing information, and shipping information using third party PCI-compliant service providers that provide subscription management, payment gateway integration, and invoicing services. Such third parties are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality and security of your information.

We use this information to complete billing and payment processes for your use of our Subscription Services or in relation to orders you have placed on our Websites.

4.3. Information We Collect Automatically

When you use any of our Subscription Services or browse one of our Websites, we or our third-party service providers may collect information about your visit to our Websites, your usage of the Subscription Services, and your web browsing. That information may include your IP address, your operating system, your browser ID, your browsing activity, and other information about how you interacted with our Websites. We may collect this information as a part of log files as well as through the use of cookies or other tracking technologies. Our use of cookies and other tracking technologies is discussed further in Section 4.6 below, and in more detail in our Cookie Statement. Please refer to Section 5.4 below titled “Use of Personal Information” to understand how we use the Personal Information you voluntarily provide when you visit our Websites and use our Subscription Services. We may use third parties to perform certain services on our behalf. We may share your Personal Information with these third parties, as necessary, solely to enable them to perform those specific services for us. Such third parties include those:

Such third parties are prohibited from using your Personal Information except for these purposes, and they are required to maintain the confidentiality and security of your information.

4.4. Information from Your Use of Our Subscription Services

We may receive information about how and when you use the Subscription Services and store that information in log files or other types of files associated with your account, and link it to other information we collect about you. This information may include, for example, your IP address, time, date, browser used, and actions you have taken within the Subscription Service. This type of information helps us to improve our Subscription Services for both you and for all of our users. We may use third parties to perform certain services on our behalf. We may share your Personal Information with these third parties, as necessary, solely to enable them to perform those specific services for us. Such third parties include those:

4.5. Information We Receive from Third Parties

We may also receive your Personal Information directly from third parties, such as users of our Subscription Services who may provide your Personal Information directly to us. For example, the account owner provides us with the email address of other end-users so that we can send them an invitation to collaborate in the creation of a business plan. Please refer to Section 5.4 below titled “Use of Personal Information” to understand how we use the Personal Information we receive from third parties.

4.6. Cookies

Palo Alto Software and its third-party partners use cookies or similar technologies to analyze trends, administer our Websites, track users' movements around our Websites, and to gather demographic information about our user base as a whole.

We use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a Web server. Cookies are not used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a Web server in the domain that issued the cookie to you. One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize pages on our Websites, or register for the Subscription Service, a cookie helps us to recall your specific information on subsequent visits. When you return to the same Website, the information you previously provided can be retrieved, so you can easily use the customized features.

Palo Alto Software keeps track of the Websites and pages you visit within the Palo Alto Software network of sites and services, in order to determine what portion of the Website or Subscription Service is the most popular or most used. This data is used to deliver customized content and promotions within the Palo Alto Software Websites and Subscription Services to customers whose behavior indicates that they are interested in a particular subject area.

Palo Alto Software also uses cookies and similar tracking technologies to serve targeted advertisements. In addition, we partner with third parties to display advertising on our Websites or to manage and serve our advertising on other sites. Our third-party partners may use cookies or similar tracking technologies in order to provide you advertising or other content based upon your browsing activities and interests. Our third party advertising partners include Google Ads, Microsoft Ads, Facebook, LinkedIn, GetApp, Software Advice, Capterra and G2.

You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Subscription Services or Websites you visit. Please note that we have automatically disabled cookies except those which are strictly necessary for the use of the Subscription Services and Websites, for users in the State of California and the European Economic Area. When you opt in to the use of cookies, you are asking us to disclose certain personal information to third parties that place cookies on our Websites. To learn more about our use of cookies and other tracking technologies, as well as how to opt out of the use of cookies, visit our Cookie Statement.

4.7. Clear Gifs, Web Beacons & Web Bugs

We employ a software technology called clear gifs (a.k.a. Web Beacons/Web Bugs), that help us better manage the Websites and Subscription Services by informing us what content is effective. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of Web users. In contrast to cookies, which are stored on a user's computer hard drive, clear gifs are embedded invisibly on Web pages or in emails and are about the size of the period at the end of this sentence. We use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing campaigns. We tie the information gathered by clear gifs in emails to our customers' Personal Information. If you would like to opt-out of these emails, please see “Right to Unsubscribe from Marketing Communications” below.

We may use third parties to perform certain services on our behalf. We may share your Personal Information with these third parties, as necessary, solely to enable them to perform those specific services for us. Such third parties include those:

4.8. Single Sign-On

You can log in to our Subscription Services using a Single Sign-on (SSO) service like your Google account. This service will authenticate your identity and provide you the option to share certain Personal Information with us such as your name and email address to pre-populate our sign-up form. Such services may give you the option to post information about your activities on this Website to your profile page to share with others within your network. This information is shared with the SSO provider, such as Google.

4.9. Personal Information about Children

The Websites and Subscription Services are not intended for or targeted at children under the age of thirteen (13) years, and we do not knowingly or intentionally collect or disclose Personal Information about children under thirteen (13) years of age. If you believe that we have collected Personal Information about a child under thirteen (13) years of age, please contact us as provided for above in the Section titled “Questions and Concerns”, so that we may delete that Personal Information.

5. How We Use the Personal Information We Collect

5.1. Controllership

Within the scope of this Privacy Policy, we act as either a data controller (or a CCPA-regulated business) (“data controller”) or a data processor (or a CCPA service provider) (“data processor”) for the Personal Information we process, depending on our relationship with you. For example, if Palo Alto Software processes your Personal Information in the course of providing Subscription Services, Palo Alto Software acts as a data processor for your Personal Information that we process. Conversely, Palo Alto Software is a data controller for your Personal Information that we process in relation to our marketing and other front-end activities on our Websites.

5.2. Basis of Processing

Where we act as a data controller within the scope of this Privacy Policy, we may rely on one or more of the following legal grounds for processing of your Personal Information:

Where we rely on your consent as a legal ground for processing your Personal Information, you may withdraw your consent at any time. However, if you withdraw your consent, it will not affect the lawfulness of the processing that occurred based on your consent prior to your withdrawal.

Where we act as a data processor within the scope of this Privacy Policy, we will process your Personal Information based on the documented instructions of the relevant data controllers.

Where we act as a data controller and we receive your Personal Information directly from you for the purpose of providing you with our Subscription Services or other services related to our Websites, we require such Personal Information to be able to perform our contractual obligations to you. Without the necessary Personal Information, Palo Alto Software will not be able to handle your requests.

5.3. We Never Sell Personal Information

We understand how important your Personal Information is to you. We are committed to keeping it strictly confidential. Your privacy is not for sale. We will never sell, rent, or otherwise abuse the Personal Information you have trusted us with. We also confirm that we have not sold any Personal Information to third parties for a business or commercial purpose in the preceding twelve (12) months and have not disclosed Personal Information to any third parties except as described in this Privacy Policy.

Our websites and Subscription Services use third party cookies. However, non strictly necessary cookies are automatically disabled for users in California and the EEA. You can learn more about our use of cookies by reading Section 4.6 titled “Cookies” in this Privacy Policy as well as our Cookie Statement.

5.4. Use of Personal Information

In addition to the uses identified elsewhere in this Privacy Policy, we may use your Personal Information to: (a) improve your browsing experience by personalizing the Websites and to improve the Subscription Services; (b) send information to you which we think may be of interest to you by post, email, or other means; (c) send you marketing communications relating to our business or the businesses of carefully-selected third parties which we think may be of interest to you, and (d) provide other companies with anonymous statistical information about our users – but this information will not be used to identify any individual user.

We may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, we do not transfer your unique Personal Information to the third party.

5.5. Advertising

We partner with third party advertising networks to either display advertising on our Websites or to manage our advertising on other sites. Our ad network partners (which include Google Ads, Microsoft Ads, Facebook, LinkedIn, GetApp, Software Advice, Capterra and G2) use cookies and Web beacons to collect non-personally identifiable information about your activities on this and other Websites to provide you targeted advertising based upon your interests.

5.6. Customer Testimonials and Comments

We post customer testimonials and comments on our Websites, which may contain Personal Information, for purposes of marketing our products and services. If you would like your testimonial or comments altered or removed from our Websites, please contact us as requested in the Section above titled “Questions and Concerns”.

5.7. Use of Credit Card Information

If you give us credit card information, we use it solely to check your financial qualifications and collect payment from you. We use a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use information you provide except for the sole purpose of credit card processing on our behalf.

5.8. Social Media Features

Our Websites include Social Media features, such as the Facebook “Like” button and widgets, the “Tweet This” button, and interactive mini-programs that run on our sites. These features may collect your IP address, which page you are visiting on our sites, and may set a cookie to enable the feature to function properly. Social Media features and widgets are either hosted by a third party or hosted directly on our Websites. The way your Personal Information is processed by these third parties is governed by the privacy policies and other policies of the companies providing them.

5.9. External Websites

Our Websites provide links to other websites. We do not control, and are not responsible for, the content or practices of these other websites. Our provision of such links does not constitute our endorsement of these other websites, their content, their owners, or their practices. This Privacy Policy does not apply to these other websites, which are subject to any privacy and other policies they may have.

5.10. Public Forums

We offer publicly accessible message boards, blogs, and community forums for you to share your ideas and to enhance our Subscription Services and Websites. Please keep in mind that if you directly disclose any information through our public message boards, blogs, or forums, this information may be collected and used by others. We will correct or delete any Personal Information you have posted on the Websites if you so request, as described under the Section titled “Your Privacy Rights” below.

5.11. Retention of Personal Information

Where we act as a data processor, we retain your Personal Information for as long as is necessary for us to perform under our engagement with the data controller.

Where we act as a data controller, we retain Personal Information that you provide us as long as we consider it potentially useful in contacting you about the Subscription Services or our other services, or as needed to comply with our legal obligations, resolve disputes and enforce our agreements, and then we securely delete that Personal Information, but in any case within a period of no more than 12 months after the purposes of processing are satisfied. We may delete this information from the servers at an earlier date if you so request, as described under the Section titled “Your Privacy Rights” below.

5.12. International Transfer of Personal Information

Some of the third parties who receive your Personal Information may be located in countries outside of the European Union or the European Economic Area (“EEA”). In some cases, the European Commission may not have determined that the legal environment in those countries provides a level of data protection that is essentially equivalent to the level of protection provided under European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection for Personal Information. We will only transfer your Personal Information to third parties in countries not recognized as providing an adequate level of protection to Personal Information when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses under Article 46.2 of the GDPR, or transfers on the basis of the Data Privacy Frameworks.

5.13. Corporate Events

If we (or our assets) are acquired by another company, whether by merger, acquisition, bankruptcy or otherwise, that company would receive all information gathered by Palo Alto Software on the Websites and the Subscription Services. In this event, you will be notified via email and/or a prominent notice on our Websites, of any change in ownership, uses of your Personal Information, and choices you may have regarding your Personal Information.

5.14. Compelled Disclosure

We reserve the right to use or disclose your Personal Information if required by law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or comply with a law, court order, or legal process.

6. Security

6.1. Security of Your Personal Information

We use a variety of security technologies and procedures to help protect your Personal Information from unauthorized access, use, or disclosure. We secure the Personal Information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. When sensitive Personal Information (such as a credit card number and/or geo-location data) is collected on our Websites and/or transmitted to other websites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.

6.2. Alerts in the Event of a Security Breach

If a security breach causes an unauthorized intrusion into our system that materially affects you, then Palo Alto Software will notify you as soon as possible and later report the action we took in response.

7. Your Privacy Rights

If you are a data subject about whom we process Personal Information, you may have the specific rights with respect to that information. Please note that you can only exercise these rights with respect to Personal Information that we process about you when we act as a data controller (i.e. when we decide why and how your Personal Information will be processed, and not our customers). To exercise your rights with respect to information processed by us on behalf of one of our customers, please read the Privacy Policy of our customer.

7.1. Your Privacy Rights

In this Section, we first describe your privacy rights and then we explain how you can exercise those rights.

7.1.1. Right to Know What Happens to Your Personal Information

This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Information, how long we will keep it and who it will be shared with, among other things.

We are informing you of how we process your Personal Information with this Privacy Policy.

We will always try to inform you about how we process your Personal Information. However, if we do not collect the Personal Information directly from you, the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Information must remain confidential due to professional secrecy or other statutory secrecy obligations.

7.1.2. Right to Know What Personal Information We Have About You

This is called the right of access. This right allows you to ask for full details of the Personal Information we hold about you.

You have the right to obtain from us confirmation as to whether or not we process Personal Information concerning you, and, where that is the case, request a copy or access to the Personal Information and certain related information.

Please note that the CCPA does not allow us to disclose Social Security numbers, driver's license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.

Please note that you may only submit two access requests within a twelve-month period.

7.1.3. Right to Change Your Personal Information

This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong or outdated with the Personal Information we have on file about you, and to complete any incomplete Personal Information.

If your account settings do not allow you to change it, please contact us and we will do our best to change the Personal Information for you.

7.1.4. Right to Request that We Remove Your Personal Information From Our Records

This is called the right to erasure, right to deletion or the "right to be forgotten". This right means you can ask us to delete your Personal Information in certain circumstances. Sometimes we can delete your information, but other times it is just not possible, like when the law tells us we cannot do that. If that's the case, we will consider if we can limit how we use it.

7.1.5. Right to Ask us to Change How We Process Your Personal Information

This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Information for certain purposes. You have this right in certain occasions, such as where you believe the data is inaccurate or the processing activity is unlawful. This right enables you to ask us to suspend the usage of Personal Information about you, for example if you want us to establish its accuracy or the reason for processing it.

7.1.6. Right to Ask Us to Stop Using Your Personal Information

This is called the right to object. This is your right to tell us to stop using your Personal Information. You have this right where we rely on a legitimate interest of ours (or of a third party).

We will stop processing the relevant Personal Information unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Information to establish, exercise, or defend a legal claim.

7.1.7. Right to Port or Move Your Personal Information

This is called the right to data portability. It's the right to ask for and download Personal Information about you that you have given us or that you have generated by virtue of the use of our services, so that you can:

We will provide you Personal Information in a structured, commonly used and machine-readable format. When you request electronically to know which data we have about you, we will provide you a copy in electronic format.

7.1.8. Right to Unsubscribe from Marketing Communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of our emails, or by contacting us as provided under the Section above tiled “Questions and Concerns”. Customers cannot opt out of receiving transactional emails, such as billing notifications related to their account with us or the Subscription Services.

7.1.9. Right Related to Automated Decision Making

We sometimes use computers to study your Personal Information. We might use this Personal Information so we know how you use our services. For decisions that may seriously impact you, you have "the right not to be subject to automatic decision-making, including profiling". But in those cases, we will always explain to you when we might do this, why it is happening and the effect.

To turn off personalized advertising, please change your cookie settings by clicking here.

7.1.10. Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Information, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Information before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party, and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

7.1.11. Right Not to be Discriminated Against for Exercising your Privacy Rights

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:

7.1.12. Right to Lodge a Complaint with a Supervisory Authority

If the GDPR applies to the processing of your Personal Information with us, the GDPR grants individuals to lodge a complaint with a supervisory authority if you're not satisfied with how we process your Personal Information.

In particular, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work or of an alleged violation of the GDPR.

7.2. How Can You Exercise Your Privacy Rights?

Where we act as a data controller, to exercise any of these rights, please contact us, as provided in the Section above titled “Questions and Concerns”. We will respond to your request within 30 days and notify you of the action we have taken. If we need more time (up to 90 days in total), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will send our written response by mail or electronically, at your option.

Please note that we are entitled to verify your identity (or the identity of your authorized agent) by any means we consider reasonable and appropriate in the circumstances, as described in the Section below titled “Verification of Your Identity”.

If we cannot satisfy a request, we will also explain why in our response. We commit to not charging a fee for processing or responding to your requests. The only situations where we may charge a fee is when we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Where we act as a data processor, you may exercise your rights under this Section by contacting the data controller who has provided your Personal Information to us.

7.2.1. Authorized Agents

You may appoint an authorized agent to exercise your rights on your behalf. You should appoint such agent via written permission or a power of attorney pursuant to Probate Code sections 4000 to 4465.

To verify that your authorized agent acts on your behalf, we will ask for this written permission from your agent or for the power of attorney. In case you provided your authorized agent with a written permission, we will require that you also verify your identity.

7.2.2. Verification of Your Identity

To evaluate your requests relating to your Personal Information, we need to be sure it was you who made the request. In some cases, we will ask you to confirm via email your identity. We will only use the Personal Information you provide us in a request to verify your identity or authority to make the request. For more sensitive requests, we will ask you to provide us certain information we already hold about you.

We will only use the personal information you provide us in a request to verify the requestor's identity or authority to make the request.

8. EU-U.S. and Swiss-US Data Privacy Framework Principles

Palo Alto Software complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Palo Alto Software has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Palo Alto Software has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Palo Alto Software is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) with regard to the Data Privacy Frameworks. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles

In compliance with the EU-U.S. and Swiss-U.S. Data Privacy Framework Principles, Palo Alto Software commits to resolve complaints about your privacy and our collection or use of your Personal Information. Individuals whose Personal Information is processed within the scope of our certification under the Data Privacy Frameworks, and who have inquiries or complaints regarding this Privacy Policy, are advised to first contact us as provided under the Section above titled “Questions and Concerns”.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Palo Alto Software commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Within the scope of our authorization to do so, and in accordance with our commitments under the DPF, Palo Alto Software will provide individuals access to Personal Information about them. Palo Alto Software also will take reasonable steps to enable individuals to correct, amend, or delete Personal Information that is demonstrated to be inaccurate.

With respect to Personal Information that Palo Alto Software receives in reliance on the DPF, you have the right to opt out of having your Personal Information shared with third parties, and to revoke your consent that you have previously provided for your Personal Information to be shared with third parties, except as required by law. You also have the right to opt out if your Personal Information is used for any purpose that is materially different from, but nevertheless compatible with the purpose(s) for which it was originally collected or subsequently authorized by you.

Palo Alto Software is responsible for the processing of Personal Information it receives, under the DPF, and subsequently transfers to a third party acting as an agent on its behalf. Palo Alto Software complies with the DPF for all onward transfers of Personal Information within the scope of our certification under the DPF, including the onward transfer liability provisions. Palo Alto Software remains liable for the protection of your Personal Information that we transfer to our service providers, except to the extent that we are not responsible for the event giving rise to any unauthorized or improper processing.