Privacy Shield Principles (Principles)
These are the ways that Bitwarden collects, uses, and stores Personal Information:
Collection and Use
Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.
(i) Vault Data
Vault Data includes all information stored within accounts to the Bitwarden Service and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.
You may add, modify, and delete Vault Data at any time.
(ii) Administrative Data
Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service such as names, emails address, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account ("Administrative Data"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.
Additional Use and Retention
Bitwarden has a legitimate interest to further process your Administrative Data as follows:
- To administer your Bitwarden Service user accounts.
- To enable your access and use of the Bitwarden Service, and to enable you to communicate, collaborate, and share information with those you designate.
- To enable us to verify the license(s) you've contracted with us to use the Service.
- To provide product enablement and licensing, customer service and support.
- To monitor your user experience on the Service.
- To enable us to proactively help customers maintain the performance and functionality of deployments of the Bitwarden Service.
When you use the Site or communicate with us (e.g. via email) you will provide, and Bitwarden will collect certain Personal Information such as
- Business name and address
- Business telephone number
- Email address
- IP-address and other online identifiers
- Any customer testimonial you have given us consent to share.
- Information you provide to the Site's Interactive Areas, such as fillable forms or text boxes, training, webinars or event registration.
- Information about the device you are using, comprising the hardware model, operating system and version, unique device identifiers, network information, IP address, and/or Bitwarden Service information when interacting with the Site.
- If you interact with the Bitwarden Community or training, or registered for an exam or event, we may collect biographical information and the content that you share.
- Information gathered via cookies, pixel tags, logs, or other similar technologies.
Use and Retention
Bitwarden may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes and to fulfill other legal obligations, including:
- To provide you services that you request, such as when we:
- Respond to your requests for information about our products, services, training and events;
- To enable your access and use of the Site, and to enable you to communicate, collaborate, and share information with those you designate;
- To send you technical notices, updates, security alerts, and support and administrative messages;
- For our business purposes we have a legitimate interest, when we:
- Operate the Site;
- Administer your account if you have registered on the Site, including billing and payment;
- Send marketing, advertising, training, certification or event materials to which you've agreed, requested or subscribed or to otherwise inform you about our products and services;
- Apply information security policies and controls on the Site, including overall Site integrity, identity management and account authentication;
- For research and development to improve the Bitwarden Service, Site and other Bitwarden services;
- Perform other general business management and operations purposes, such as to provide, operate, maintain, make modifications to protect and improve the Site.
- To fulfill legal obligations, including:
- Legal compliance, such as to enforce our legal rights, to comply in good faith with applicable laws, and to protect users of the Site or Service.
- For other purposes about which we notify you and, where relevant or required, give you choice about the new purpose.
This information is retained in accordance with the Bitwarden retention policy.
We use data for analytics and measurement to understand how our the Site and Bitwarden Service are used. For example, we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.
If you participate in the Bitwarden Community Forums, we process information about you in order to provide you with this service. You must have a separate account to use the Community Forum.
If you participate in a Bitwarden Event, and direct us to share your information, we may share information about you with event sponsors and partners so that they may contact you about their products and other participants. Please review the event page where you registered for a listing of sponsors.
If you would like to change your sharing instructions with these sponsors, please visit the website of such sponsors.
Collection, Use, and Retention
If you apply for a job at Bitwarden, we collect and use your Personal Information for legitimate human resources and business management reasons including:
- Identifying and evaluating candidates for potential employment, as well as for future roles that may become available;
- Recordkeeping in relation to recruiting and hiring;
- Ensuring compliance with legal requirements, including diversity and inclusion requirements and practices;
- Conducting criminal history checks as permitted by applicable law;
- Protecting our legal rights to the extent authorized or permitted by law; or
- Emergency situations where the health or safety of one or more individuals may be endangered.
We retain this information in accordance with our retention policy.
Third Party Access to Candidate Information
Your Personal Information may be accessed by recruiters and interviewers working in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries.
We may use third party service providers to provide a recruiting software system. We also share your Personal Information with other third party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and improving our recruiting practices.
Email Communications Preferences
Bitwarden respects your email communications and marketing preferences. If you prefer not to receive product release notes communications or promotional email messages (such as product updates, security alerts, marketing, events, training and certifications) from Bitwarden, you can unsubscribe from Bitwarden email marketing by following the unsubscribe link located at the bottom of each promotional email, or Contact Us. Note: Please allow five (5) business days to be removed from all email communications.
Accessing, Correcting And Deleting Your Personal Information
Ensuring that Personal Information we hold about you is accurate and complete is important to us. We enable you to access, correct, and delete your account with the Bitwarden Service at any time. If you would like to request assistance with accessing, correcting, or deleting your Personal Information, please submit your request to us by email at firstname.lastname@example.org. We will verify these requests and respond to you in accordance with our legal obligations, which typically means forwarding your request to the licensed administrator (in your organization) of your Bitwarden account for review.
This section describes our accountability with regard to the onward transfer of your Personal Information to third party service providers (subprocessors, suppliers, vendors, or partners) and across country borders.
Except as listed below, Bitwarden will not share Personal Information with third party service providers unless you have consented to the disclosure.
Depending on how Bitwarden is deployed by the customer, Bitwarden may share Personal Information with third-party service providers that need your information to provide the following operational or other support services to Bitwarden, the Site or Service:
- Data management.
- Database hosting.
- Integration services.
- Professional services.
- Information security, integrity, and identity and authentication services.
- Email communications (e.g. operational, marketing, events, training, certifications).
- Financial operations (e.g. licensing, billing).
- Payments and payment card processing.
- Shipping services.
- Communication services (e.g enabling collaboration, conferencing or messaging).
- Support services (e.g. providing customer service and support).
- Cloud services (e.g. functioning of the Site or Bitwarden Service).
To ensure the confidentiality and security of your Personal Information, we have data processing terms in place with service providers that handle Personal Information. These service providers are restricted by contract from using Personal Information in any way other than to provide services for Bitwarden, including on your behalf as part of your contract with us.
In the context of an onward transfer, Bitwarden has responsibility for the processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Bitwarden shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Bitwarden may also provide your Personal Information to a third party if:
- We believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or lawful government request, including in connection with national security or law enforcement requirements. This may include disclosures: to respond to subpoenas or court orders; to establish or exercise our legal rights or defend against legal claims; or to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law. In each case, we will make reasonable efforts to verify the validity of the request before disclosing your Personal Information.
- To protect the security and integrity of the Site or Bitwarden Service.
- To respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing serious bodily injury or death of any person.
Bitwarden may also share your Personal Information with our subsidiaries, affiliates, and partners, to facilitate our global operations and in accordance with applicable laws, and our agreements with customers or service providers.
We may also provide your Personal Information to a third party in connection with a merger or acquisition of Bitwarden, either in part or in whole, or the assignment or other transfer of the Site or Service. In such event, such third party will either:
- inform you and get your express affirmative consent to opt-in to the new practices; and/or
- inform you in some prominent manner enabling you to make a choice about whether to agree to the new practices.
- You may choose to opt-out of allowing your Personal Information to be shared with certain third-parties. To do so, please Contact Us. We will do our best to respond in a timely manner and grant your request to the extent permitted by law.
Bitwarden and our subprocessors and vendors primarily store information collected from you within the European Economic Area and the United States. To facilitate our global operations, we may transfer and access such Personal Information from around the world, including from other countries in which Bitwarden or our subprocessors have operations. For more information about our subprocessors, visit https://bitwarden.com/help/subprocessors/.
We use applicable, approved information transfer mechanisms where required, such as EU Standard Contractual Clauses (SCCs), or the EU - U.S. Privacy Shield.
You may contact us about our practices or to make a complaint and seek recourse according to these methods available to you, and subject to applicable enforcement powers.
In compliance with the EU-U.S. Privacy Shield Principles, Bitwarden commits to resolve complaints about our collection or use of your Personal Information. European Union, UK and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Bitwarden at the information provided below in the "Contact Us" section.
If you have an unresolved complaint, Bitwarden has committed and signed on to the JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint.
The services of JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR are provided at no cost to you. Mediations will be conducted pursuant to JAMS International Mediation Rules unless the parties have specified a different set of Rules or Procedures.
Bitwarden is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). European Union and Swiss individuals have the possibility, under certain conditions, to invoke binding arbitration.
The security of your Personal Information is important to us. Your data, including Personal Information, is never sent to the Bitwarden cloud servers without first being encrypted on your local device using AES 256 bit encryption. In addition, Bitwarden encrypts the transmission of that information using secure socket layer technology (SSL).
We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. You acknowledge and agree that no Internet or email transmission is ever fully secure or error free. You agree to take special care in deciding what information you send to us via email. If you have any questions about the security of your Personal Information, you can Contact Us.
We use two main categories of cookies: 'Strictly Necessary' and 'Functional' cookies.
Strictly Necessary cookies such as CloudFlare's cookies help us identify malicious visitors to the Site. They provide necessary security settings or help you use our Site's features and the Bitwarden Services as expected (including remembering your cookie consent preferences).
Functional cookies help us learn how you use the Site to help improve performance and design. These cookies provide us with analytics information such as number of page visits, page load speeds, how long a user spends on a particular page, and the types of browsers or devices used to access the Site. Some of the Functional cookies we use are:
Google Analytics which tracks user behavior on the Site, which helps us better understand how users are using the Site. Learn more at https://www.google.com/policies/privacy, and to opt out, visit http://tools.google.com/dlpage/gaoptout
We do not track visitors to the Site across third-party websites and therefore we do not respond to Do Not Track signals in these circumstances.
The Site or Bitwarden Service is not directed to, nor intended to be used by, individuals under the age of 13, or the equivalent minimum age in the relevant jurisdiction. Bitwarden does not knowingly collect Personal Information from individuals under the age of 13, or the equivalent minimum age in the relevant jurisdiction. If you become aware that an individual under the age of 13, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information, please Contact Us. If we become aware that an individual under the age of 13, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information without parental consent, we will take steps to delete such information.
Depending on how you interact with us, we may collect the categories of information as summarized below. This Notice for California Users does not apply to Personal Information we collect from employees or job applicants in their capacity as employees or job applicants. It also does not apply to Personal Information we collect from employees, owners, directors, officers, or contractors of businesses in the course of our provision or receipt of business-related services.
The following Personal Information we collect about you (as described below) comes from your interaction with our Site and the Bitwarden Service:
- Personal Identifiers (such as name, physical address, unique personal identifier, online identifier, Internet Protocol address, email address or other similar identifiers)
- Financial and Commercial Information (such as billing data when you make a purchase, records and history of products or services purchased or considered.)
- Location Information (inferred from your IP address)
- Professional/Employment Information (such as the name of your employer and your title)
- Legally Protected Classifications (such as your correspondence salutation)
- Other Identifying Information (such as cookies used for website performance analytics)
All of the categories of Personal Information we collect about you (as detailed above) are used for the following purposes:
- Providing our services (for example, account servicing and maintenance, customer service, advertising and marketing, analytics, and communication about our services)
- For our operational purposes, and the operational purposes of our service providers and integration partners
- Improving our existing services and developing new services (e.g., by conducting research to develop new products or features)
- Detecting, protecting against, and prosecuting security incidents and fraudulent or illegal activity
- Bug detection, error reporting, and activities to maintain the quality or safety of our services
- Auditing consumer interactions on our site (for example, measuring ad impressions)
- Short-term, transient use, such as customizing content that we or our service providers display on the services
- Other uses for which we provide you with notice
Subject to certain restrictions, as a California resident, you have the right to request that we disclose what Personal Information we collect about you, to delete any Personal Information that we collected from or maintain about you, and to opt-out of the sale of Personal Information about you. You also have the right to designate an agent to exercise these rights on your behalf, subject to verification of that agency relationship. This section describes how to exercise those rights and our process for handling those requests, including our means of verifying your identity. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please Contact Us.
Right to request access to your Personal Information
You, as a California resident, have the right to request that we disclose what categories of Personal Information that we collect, use, or sell about you. You may also request the specific pieces of Personal Information that we have collected about you. However, we may withhold some information where the risk to you, your Personal Information, or our business is too great to disclose the information.
Right to request deletion of your Personal Information
You may also request that we delete any Personal Information that we have collected from/about you. However, we may retain Personal Information as authorized under applicable law, such as Personal Information required as necessary to provide our services, protect our business and systems from fraudulent activity, to debug and identify errors that impair existing functionality, as necessary for us, or others, to exercise their free speech or other rights, comply with law enforcement requests pursuant to lawful process, for scientific or historical research, for our own internal purposes reasonably related to your relationship with us, or to comply with legal obligations. We need certain types of information so that we can provide our services. If you ask us to delete it, you may no longer be able to access or use our services.
How to exercise your access and deletion rights
California residents may exercise their California privacy rights by submitting a request via email at email@example.com. While email is the best way to reach us, you may also call us at the number listed in the Contact Us section.
For security purposes, we may request additional information from you to verify your identity when you request to exercise your California privacy rights. If you do not have an account with us, or if we have reason to suspect that the security of your account is compromised, we will request additional information from you to match with our existing records to verify your identity, depending on the nature of the request and the sensitivity of the information sought.
Sales of Personal Information
California residents may opt out of the "sale" of their Personal Information. We do not "sell" your Personal Information as we understand that term to be defined by the California Consumer Privacy Act and its implementing regulations.
California residents have the right to not be discriminated against for exercising their rights as described in this section. We will not discriminate against you for exercising your rights.
Last revised 10-JUN-2021