These are the ways that Bitwarden collects, uses, and stores Personal Information:
Collection and Use
Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.
(i) Vault Data
Vault Data includes all information stored within accounts to the Bitwarden Service and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.
You may add, modify, and delete Vault Data at any time.
(ii) Administrative Data
Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service such as names, emails address, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account ("Administrative Data"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.
Additional Use and Retention
Bitwarden has a legitimate interest to further process your Administrative Data as follows:
When you use the Site or communicate with us (e.g. via email) you will provide, and Bitwarden will collect certain Personal Information such as
Use and Retention
Bitwarden may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes and to fulfill other legal obligations, including:
This information is retained in accordance with the Bitwarden retention policy.
We use data for analytics and measurement to understand how our the Site and Bitwarden Service are used. For example, we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.
If you participate in the Bitwarden Community Forums, we process information about you in order to provide you with this service. You must have a separate account to use the Community Forum.
If you participate in a Bitwarden Event, and direct us to share your information, we may share information about you with event sponsors and partners so that they may contact you about their products and other participants. Please review the event page where you registered for a listing of sponsors.
If you would like to change your sharing instructions with these sponsors, please visit the website of such sponsors.
Collection, Use, and Retention
If you apply for a job at Bitwarden, we collect and use your Personal Information for legitimate human resources and business management reasons including:
We retain this information in accordance with our retention policy.
Third Party Access to Candidate Information
Your Personal Information may be accessed by recruiters and interviewers working in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries.
We may use third party service providers to provide a recruiting software system. We also share your Personal Information with other third party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and improving our recruiting practices.
Here is how to exercise your rights to access and control your Personal Information:
Bitwarden respects your email communications and marketing preferences. If you prefer not to receive product release notes communications or promotional email messages (such as product updates, security alerts, marketing, events, training and certifications) from Bitwarden, you can unsubscribe from Bitwarden email marketing by following the unsubscribe link located at the bottom of each promotional email, or Contact Us. Note: Please allow five (5) business days to be removed from all email communications.
Ensuring that Personal Information we hold about you is accurate and complete is important to us. We enable you to access, correct, and delete your account with the Bitwarden Service at any time. If you would like to request assistance with accessing, correcting, or deleting your Personal Information, please submit your request to us by email at [email protected]. We will verify these requests and respond to you in accordance with our legal obligations, which typically means forwarding your request to the licensed administrator (in your organization) of your Bitwarden account for review.
This section describes our accountability with regard to the onward transfer of your Personal Information to third party service providers (subprocessors, suppliers, vendors, or partners) and across country borders.
Except as listed below, Bitwarden will not share Personal Information with third party service providers unless you have consented to the disclosure.
Depending on how Bitwarden is deployed by the customer, Bitwarden may share Personal Information with third-party service providers that need your information to provide the following operational or other support services to Bitwarden, the Site or Service:
To ensure the confidentiality and security of your Personal Information, we have data processing terms in place with service providers that handle Personal Information. These service providers are restricted by contract from using Personal Information in any way other than to provide services for Bitwarden, including on your behalf as part of your contract with us.
In the context of an onward transfer, Bitwarden has responsibility for the processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Bitwarden shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
Bitwarden may also provide your Personal Information to a third party if:
Bitwarden may also share your Personal Information with our subsidiaries, affiliates, and partners, to facilitate our global operations and in accordance with applicable laws, and our agreements with customers or service providers.
We may also provide your Personal Information to a third party in connection with a merger or acquisition of Bitwarden, either in part or in whole, or the assignment or other transfer of the Site or Service. In such event, such third party will either:
Bitwarden and our subprocessors and vendors primarily store information collected from you within the European Economic Area and the United States. To facilitate our global operations, we may transfer and access such Personal Information from around the world, including from other countries in which Bitwarden or our subprocessors have operations. For more information about our subprocessors, visit https://bitwarden.com/help/article/subprocessors/.
We use applicable, approved information transfer mechanisms where required, such as EU Standard Contractual Clauses (SCCs), or the EU - U.S. Privacy Shield.
You may contact us about our practices or to make a complaint and seek recourse according to these methods available to you, and subject to applicable enforcement powers.
In compliance with the EU-U.S. Privacy Shield Principles, Bitwarden commits to resolve complaints about our collection or use of your Personal Information. European Union, UK and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Bitwarden at the information provided below in the "Contact Us" section.
If you have an unresolved complaint, Bitwarden has committed and signed on to the JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint.
The services of JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR are provided at no cost to you. Mediations will be conducted pursuant to JAMS International Mediation Rules unless the parties have specified a different set of Rules or Procedures.
Bitwarden is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). European Union and Swiss individuals have the possibility, under certain conditions, to invoke binding arbitration.
The security of your Personal Information is important to us. Your data, including Personal Information, is never sent to the Bitwarden cloud servers without first being encrypted on your local device using AES 256 bit encryption. In addition, Bitwarden encrypts the transmission of that information using secure socket layer technology (SSL).
We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. You acknowledge and agree that no Internet or email transmission is ever fully secure or error free. You agree to take special care in deciding what information you send to us via email. If you have any questions about the security of your Personal Information, you can Contact Us.
We use two main categories of cookies: "Strictly Necessary" and "Functional" cookies.
Strictly Necessary cookies such as CloudFlare's cookies help us identify malicious visitors to the Site. They provide necessary security settings or help you use our Site's features and the Bitwarden Services as expected (including remembering your cookie consent preferences).
Functional cookies help us learn how you use the Site to help improve performance and design. These cookies provide us with analytics information such as number of page visits, page load speeds, how long a user spends on a particular page, and the types of browsers or devices used to access the Site. Some of the Functional cookies we use are:
Google Analytics which tracks user behavior on the Site, which helps us better understand how users are using the Site. Learn more at https://www.google.com/policies/privacy, and to opt out, visit http://tools.google.com/dlpage/gaoptout
We do not track visitors to the Site across third-party websites and therefore we do not respond to Do Not Track signals in these circumstances.
The Site or Bitwarden Service is not directed to, nor intended to be used by, individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction. Bitwarden does not knowingly collect Personal Information from individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction. If you become aware that an individual under the age of 16, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information, please Contact Us. If we become aware that an individual under the age of 16, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information, we will take steps to delete such information.
Depending on how you interact with us, we may collect the categories of information as summarized below. This Notice for California Users does not apply to Personal Information we collect from employees or job applicants in their capacity as employees or job applicants. It also does not apply to Personal Information we collect from employees, owners, directors, officers, or contractors of businesses in the course of our provision or receipt of business-related services.
The following Personal Information we collect about you (as described below) comes from your interaction with our Site and the Bitwarden Service:
All of the categories of Personal Information we collect about you (as detailed above) are used for the following purposes:
Subject to certain restrictions, as a California resident, you have the right to request that we disclose what Personal Information we collect about you, to delete any Personal Information that we collected from or maintain about you, and to opt-out of the sale of Personal Information about you. You also have the right to designate an agent to exercise these rights on your behalf, subject to verification of that agency relationship. This section describes how to exercise those rights and our process for handling those requests, including our means of verifying your identity. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please Contact Us.
Right to request access to your Personal Information
You, as a California resident, have the right to request that we disclose what categories of Personal Information that we collect, use, or sell about you. You may also request the specific pieces of Personal Information that we have collected about you. However, we may withhold some information where the risk to you, your Personal Information, or our business is too great to disclose the information.
Right to request deletion of your Personal Information
You may also request that we delete any Personal Information that we have collected from/about you. However, we may retain Personal Information as authorized under applicable law, such as Personal Information required as necessary to provide our services, protect our business and systems from fraudulent activity, to debug and identify errors that impair existing functionality, as necessary for us, or others, to exercise their free speech or other rights, comply with law enforcement requests pursuant to lawful process, for scientific or historical research, for our own internal purposes reasonably related to your relationship with us, or to comply with legal obligations. We need certain types of information so that we can provide our services. If you ask us to delete it, you may no longer be able to access or use our services.
How to exercise your access and deletion rights
California residents may exercise their California privacy rights by submitting a request via email at [email protected] While email is the best way to reach us, you may also call us at the number listed in the Contact Us section.
For security purposes, we may request additional information from you to verify your identity when you request to exercise your California privacy rights. If you do not have an account with us, or if we have reason to suspect that the security of your account is compromised, we will request additional information from you to match with our existing records to verify your identity, depending on the nature of the request and the sensitivity of the information sought.
Sales of Personal Information
California residents may opt out of the "sale" of their Personal Information. We do not "sell" your Personal Information as we understand that term to be defined by the California Consumer Privacy Act and its implementing regulations.
California residents have the right to not be discriminated against for exercising their rights as described in this section. We will not discriminate against you for exercising your rights.Last revised 10-JUN-2021