Privacy Statement
This privacy statement (the “Privacy Statement”) is effective June 12, 2024.
Illumio, Inc. and its subsidiaries around the world (“Illumio” , "us", "our" or “we”) understand that when our clients, partners and other individuals provide personal data to Illumio, they place their trust in us. Illumio takes this trust seriously and is committed to comply with the laws of all countries in which it operates, including the General Data Protection Regulation and other applicable data protection laws around the globe.
This Privacy Statement describes Illumio’s practices regarding the collection, use and disclosure of personal information about an identified or identifiable natural person (“personal data”) processed through the use of Illumio’s website at www.illumio.com (the “Site”). This Privacy Statement does not apply to any third-party websites, services or applications, even if they are accessible through our Site.
If your company has engaged Illumio to provide Illumio products and/or services (collectively, the “Services”), your company and Illumio have agreed to a separate agreement that, among other things, governs the use of all of the data collected and maintained by Illumio in connection with the operation of the Services. The agreement between your company and Illumio takes precedence over any conflicting provision in this Privacy Statement.
Personal Data We Collect
Our primary goals in collecting information are to provide and improve our Site, to administer your use of the Site, and to enable you to enjoy and easily navigate our Site. We collect and use personal data that you provide in order to operate our business, provide our products and services, send marketing and other communications, and comply with applicable laws and regulations. In addition to the personal data you provide to us directly, we may also process personal data about you that we receive from our clients or third parties. The types of personal data we process will depend on the purpose.
How We Process Personal Data
When we receive personal data about you from our clients in order to provide our services, Illumio processes the personal data as instructed by our clients and in accordance with our contractual obligations. Our clients are responsible for complying with regulations or laws regarding notice, disclosure, and/or obtaining consent prior to transferring the personal data to Illumio for processing.
How We Share Personal Data
We do not sell or otherwise disclose personal data about our website visitors or others that interact with Illumio or our products or services, except as described herein. We may share your personal data with authorized Illumio personnel in our subsidiaries with a need to know the information in order to process the personal data for the purpose we collected it. We also share personal data with third parties who are acting on our behalf in order to provide the products or services you request or to support our relationship with you. These third parties are not authorized by us to use or disclose the information except as necessary to perform services on our behalf pursuant to a contractual obligation or to comply with legal requirements. Illumio requires such third parties to comply with applicable data protection and privacy laws and agree to implement and maintain appropriate technical and organizational security measures to safeguard the personal data.
Our sharing may include:
- with any of our subsidiaries and trusted third party suppliers/partners in order to perform our services or business operations;
- with our professional advisors and insurers to run our business;
- with competent legal authorities when required by applicable laws or regulations;
- with law enforcement authorities or other government officials when we are required to do so by law or pursuant to legal process (including for national security purposes); when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual fraud or illegal activity; or when we believe that disclosure is necessary to protect our rights, protect your safety or the safety of others; and
- with appropriate third parties in connection with the sale, transfer or financing of all or part of an Illumio business or its assets, including any such activities associated with a bankruptcy proceeding.
How We Protect Personal Data
We use reasonable security procedures and technical and organizational measures to protect against accidental or unlawful destruction, loss, disclosure or use of personal data we handle. Our network and systems used to provide services are governed by corporate Information security policies, which are based upon standards, including International Organization for Standardization (ISO) 27001 and National Institute of Standards and Technology (NIST). We limit access to and use of your personal data to authorized persons and trusted third parties who have a reasonable need to know the information in order to perform our services and business operations and who are bound by confidentiality obligations.
Illumio is subject to the investigatory and enforcement powers of the Federal Trade Commission. Illumio is responsible for and may be held liable in the event of onward transfers to third parties. Provided that an individual has invoked binding arbitration by delivering notice to Illumio organization and following the procedures and subject to conditions set forth in Annex I of Principles, Illumio is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction#:~:text=%E2%80%8BThis%20Annex%20I%20provides,by%20the%20EU%2DU.S.%20DPF
How Long We Retain Personal Data
We retain your personal data only for as long as is necessary to fulfill the purpose for which the data was collected from you and in consideration of and compliance with applicable legal or regulatory requirements to maintain the data for legitimate purposes. For example: (1) where required by law for audits or accounting requirements; or (2) to enforce our agreements or handle disputes. When personal data is no longer needed for the purpose it was collected or processed or to comply with a legal obligation, we securely destroy it.
How to Request Access to Personal Data
We rely on you to provide accurate, complete and current personal data to us. If you need to correct or update the personal data you provided to us, in many cases, you can edit your data from the location where you provided the personal data to us. If you are not able to access it yourself, we will respond in a timely manner to all reasonable requests to access, correct or delete your personal data. Requests and questions can be submitted to [email protected].
For EEA, UK or Switzerland Residents
For individuals whose personal data we collect directly or instruct our trusted third party to collect on our behalf, Illumio, Inc. or one of our subsidiaries located in the EEA, UK, or Switzerland is a data controller under the General Data Protection Regulation. The type of data we process as a data controller includes contact details such as name, company, email, phone, website preferences and other information collected for marketing or business operation purposes. We process personal data as a data controller using the following legal basis:
- to meet our legitimate business interests such as to develop and improve our solutions, support our sales and business operations, secure our systems, facilities and personnel;
- to comply with applicable laws and regulations;
- in order to perform or fulfill our obligations under an agreement with you or the entity with which you are affiliated; and
- based upon the provision of your consent, which you may withdraw at any time by contacting us at [email protected].
If you are a resident of the EEA, UK or Switzerland, you may exercise the following rights:
- to obtain confirmation from us if we are processing your personal data;
- to request that we correct inaccurate personal data and to have incomplete data completed;
- to object to the processing of your personal data for compelling and legitimate reasons relating to your particular situation and we will comply except in cases where legal provisions expressly provide for that processing;
- in circumstances when the processing is based on your consent or a contract and the processing is carried out by automated means, to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format;
- to restrict processing of your personal data if (i) you contest the accuracy of the data; (ii) the processing is unlawful and you oppose the erasure of the data and request restriction instead; (iii) we no longer need the data, but you tell us you need the data to establish, exercise or defend a legal claim; or (iv) you object to processing based on public or legitimate interest;
- to erase your personal data where there is no compelling reason for its continued processing; and
- to lodge a complaint with a supervisory authority, in particular in the EU Member State of your residence, place of employment, or the location where the issue that is the subject of the complaint occurred.
Please note that in case we ask for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time without any adverse or negative consequences. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected. You can exercise these rights by contacting us at [email protected]. If you consider that the way we process your personal data infringes your rights under the GDPR or is not compliant, you can lodge a complaint with Illumio directly or with a supervisory authority in the EU Member State in which you reside or where the data was processed.
In compliance with the EU-U.S. DPF (as defined below) and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF (as defined below), Illumio commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
How We Process and Transfer Personal Data Across International Borders
Illumio is a global enterprise based in the United States with operations in countries around the world. Authorized Illumio personnel and third parties acting on our behalf may access, use and process personal data collected from you in a country that is different from the country where you entered the personal data, which may have less stringent data protection laws. As a network security company, Illumio has implemented global privacy practices for processing personal data protected under various data protection laws. Illumio transfers personal data between the countries in which we operate in accordance with the standards and conditions of applicable data privacy laws, including standards and conditions related to security and processing and acceptable transfer mechanisms.
Illumio complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Illumio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Illumio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
Children
It is not our intent to collect personal data from children under the age of consent in their country of residence. Our Site is not designed to attract children and we request that children under the age of consent not submit personal data to us through our Site.
Changes to this Privacy Statement
Any personal data that we process is subject to the Privacy Statement in effect at the time such personal data is processed. We may, however, modify and revise this Privacy Statement from time to time. If we make any material changes to this Privacy Statement, we will notify you of such changes by posting the updated Privacy Statement on the Site or by sending you an email or other notification, and we will indicate when such changes will become effective.
Questions?
Please contact us at [email protected] if you have any questions about our Privacy Policy.