Bitwarden Inc. Privacy Policy

Privacy Shield

Bitwarden Inc. ("Bitwarden") complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union, United Kingdom (UK) and Switzerland, as applicable, to the United States in reliance on Privacy Shield. Bitwarden has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

Privacy Shield Principles (Principles)

Notice

Bitwarden provides this Privacy Policy to describe the ways we collect, use, transfer, store, secure and protect Personal Information on our Bitwarden.com website ("Site") and in connection with the Bitwarden password management solution used by customers to securely store, share, and access passwords ("Bitwarden Service"). "Personal Information" means information that personally identifies you as described in the Privacy Policy. This Privacy Policy describes the ways you can exercise your rights to access and control your Personal Information, and the complaint and recourse methods available to you.

Data Integrity and Purpose Limitation

These are the ways that Bitwarden collects, uses, and stores Personal Information:

Bitwarden Service

Collection and Use

Bitwarden processes two kinds of user data to deliver the Bitwarden Service: (i) Vault Data and (ii) Administrative Data.

(i) Vault Data

Vault Data includes all information stored within accounts to the Bitwarden Service and may include Personal Information. If we host the Bitwarden Service for you, we will host Vault Data. Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data.

You may add, modify, and delete Vault Data at any time.

(ii) Administrative Data

Bitwarden obtains Personal Information in connection with your account creation, usage of the Bitwarden Service and support, and payments for the Bitwarden Service, such as names, email addresses, phone and other contact information for users of the Bitwarden Service and the number of items in your Bitwarden Service account ("Administrative Data"). Bitwarden uses Administrative Data to provide the Bitwarden Service to you. We retain Administrative Data for as long as you are a customer of Bitwarden and as required by law. If you terminate your relationship with Bitwarden, we will delete your Personal Information in accordance with our data retention policies.

Additional Use and Retention

Bitwarden has a legitimate interest to further process your Administrative Data as follows:

The Bitwarden Website

Collection

When you use the Site or communicate with us (e.g. via email) you will provide, and Bitwarden will collect certain Personal Information such as

Use and Retention

Bitwarden may use the Personal Information collected by the Site to provide you with services, to accomplish our business purposes and to fulfill other legal obligations, including:

This information is retained in accordance with the Bitwarden retention policy.

Analytics Data

We use data for analytics and measurement to understand how the Site and Bitwarden Service are used. For example, we analyze data about your visits to our Site to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit the Site using Google Analytics, we and Google may link information about your activity from that site with activity from other sites that use Google Analytics services.

Bitwarden Community

If you participate in the Bitwarden Community Forums, we process information about you in order to provide you with this service. You must have a separate account to use the Community Forum.

Bitwarden Hosted Events

If you participate in a Bitwarden Event, and direct us to share your information, we may share information about you with event sponsors and partners so that they may contact you about their products and other participants. Please review the event page where you registered for a listing of sponsors.

If you would like to change your sharing instructions with these sponsors, please visit the website of such sponsors.

Job Candidate Applications

Collection, Use, and Retention

If you apply for a job at Bitwarden, we collect and use your Personal Information for legitimate human resources and business management reasons including:

We retain this information in accordance with our retention policy.

Third Party Access to Candidate Information

Your Personal Information may be accessed by recruiters and interviewers working in the country where the position for which you are applying is based, as well as by recruiters and interviewers working in different countries.

We may use third party service providers to provide a recruiting software system. We also share your Personal Information with other third party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and improving our recruiting practices.

Choice; Access

Here is how to exercise your rights to access and control your Personal Information:

Email Communications Preferences

Bitwarden respects your email communications and marketing preferences. If you prefer not to receive product release notes communications or promotional email messages (such as product updates, security alerts, marketing, events, training and certifications) from Bitwarden, you can unsubscribe from Bitwarden email marketing by following the unsubscribe link located at the bottom of each promotional email, or Contact Us. Note: Please allow five (5) business days to be removed from all email communications.

Accessing, Correcting And Deleting Your Personal Information

Ensuring that Personal Information we hold about you is accurate and complete is important to us. We enable you to access, correct, and delete your account with the Bitwarden Service at any time. If you would like to request assistance with accessing, correcting, or deleting your Personal Information, please submit your request to us by email at [email protected]. We will verify these requests and respond to you in accordance with our legal obligations, which typically means forwarding your request to the licensed administrator (in your organization) of your Bitwarden account for review.

Accountability and Onward Transfer

This section describes our accountability with regard to the onward transfer of your Personal Information to third party service providers (subprocessors, suppliers, vendors, or partners) and across country borders.

Information Sharing

Except as listed below, Bitwarden will not share Personal Information with third party service providers unless you have consented to the disclosure.

Depending on how Bitwarden is deployed by the customer, Bitwarden may share Personal Information with third-party service providers that need your information to provide the following operational or other support services to Bitwarden, the Site or Service:

To ensure the confidentiality and security of your Personal Information, we have data processing terms in place with service providers that handle Personal Information. These service providers are restricted by contract from using Personal Information in any way other than to provide services for Bitwarden, including on your behalf as part of your contract with us.

In the context of an onward transfer, Bitwarden has responsibility for the processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Bitwarden shall remain liable under the Principles if its agent processes such Personal Information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Bitwarden may also provide your Personal Information to a third party if:

Bitwarden may also share your Personal Information with our subsidiaries, affiliates, and partners, to facilitate our global operations and in accordance with applicable laws, and our agreements with customers or service providers.

We may also provide your Personal Information to a third party in connection with a merger or acquisition of Bitwarden, either in part or in whole, or the assignment or other transfer of the Site or Service. In such event, such third party will either:

International Transfer And Storage Of Information Collected

Bitwarden and our subprocessors and vendors primarily store information collected from you within the European Economic Area and the United States. To facilitate our global operations, we may transfer and access such Personal Information from around the world, including from other countries in which Bitwarden or our subprocessors have operations. For more information about our subprocessors, visit https://bitwarden.com/help/article/subprocessors/.

We use applicable, approved information transfer mechanisms where required, such as EU Standard Contractual Clauses (SCCs), or the EU-U.S. Privacy Shield.

Recourse and Enforcement

You may contact us about our practices or to make a complaint and seek recourse according to these methods available to you, and subject to applicable enforcement powers.

In compliance with the EU-U.S. Privacy Shield Principles, Bitwarden commits to resolve complaints about our collection or use of your Personal Information. European Union, UK and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Bitwarden at the information provided below in the "Contact Us" section.

If you have an unresolved complaint, Bitwarden has committed and signed on to the JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint.

The services of JAMS EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield ADR are provided at no cost to you. Mediations will be conducted pursuant to JAMS International Mediation Rules unless the parties have specified a different set of Rules or Procedures.

Bitwarden is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). European Union and Swiss individuals have the possibility, under certain conditions, to invoke binding arbitration.

Security

The security of your Personal Information is important to us. Your data, including Personal Information, is never sent to the Bitwarden cloud servers without first being encrypted on your local device using AES 256-bit encryption. In addition, Bitwarden encrypts the transmission of that information using secure socket layer technology (SSL).

We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received. You acknowledge and agree that no Internet or email transmission is ever fully secure or error free. You agree to take special care in deciding what information you send to us via email. If you have any questions about the security of your Personal Information, you can Contact Us.

Additional Terms

Cookies

The Bitwarden Service and the Site use cookies and other similar technologies (collectively "cookies"), in order to provide a better service to you, to help keep your account safe, and to generally improve our Site and the Bitwarden Service. Cookies perform essential functions, such as ensuring that a web page loads correctly and securely. They also help us provide you with a consistent and efficient experience.

We use two main categories of cookies: "Strictly Necessary" and "Functional" cookies.

Strictly Necessary cookies such as CloudFlare's cookies help us identify malicious visitors to the Site. They provide necessary security settings or help you use our Site's features and the Bitwarden Services as expected (including remembering your cookie consent preferences).

Functional cookies help us learn how you use the Site to help improve performance and design. These cookies provide us with analytics information such as number of page visits, page load speeds, how long a user spends on a particular page, and the types of browsers or devices used to access the Site. Some of the Functional cookies we use are:

Google Analytics, which tracks user behavior on the Site and helps us better understand how users are using the Site. Learn more at https://www.google.com/policies/privacy, and to opt out, visit http://tools.google.com/dlpage/gaoptout

Do Not Track Signals

We do not track visitors to the Site across third-party websites and therefore we do not respond to Do Not Track signals in these circumstances.

Links To Third-Party Sites

The Site or Bitwarden Service may contain links to a number of sites owned and operated by third parties that may offer useful information. The policies and procedures described in this Privacy Policy do not apply to those third-party sites. Please contact those third-party sites for information on their data collection, security, and distribution policies.

Minimum Age

The Site or Bitwarden Service is not directed to, nor intended to be used by, individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction. Bitwarden does not knowingly collect Personal Information from individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction. If you become aware that an individual under the age of 16, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information, please Contact Us. If we become aware that an individual under the age of 16, or the equivalent minimum age in the relevant jurisdiction, has provided us with Personal Information, we will take steps to delete such information.

Updates to this Privacy Policy

Bitwarden may update this Privacy Policy from time to time. When we do update it, for your convenience, we will make the updated Privacy Policy available on this page. Please check this Privacy Policy periodically for changes. If we make any material changes, we will notify you by email (sent to the email address specified in your account registered with the Site or Bitwarden Service) or by means of a notice on the Site or Service.

Notice for California Users

For individuals who are California residents, the California Consumer Privacy Act (CCPA) requires certain disclosures about the categories of Personal Information we collect and how we use it, the categories of sources from whom we collect Personal Information, and the third parties with whom we share it. While we have set out the categories below as required by the California Consumer Privacy Act, you can review the other sections of this Privacy Policy for examples and other information that describes our data collection and use as previously disclosed to you which have not changed under this notice.

Depending on how you interact with us, we may collect the categories of information as summarized below. This Notice for California Users does not apply to Personal Information we collect from employees or job applicants in their capacity as employees or job applicants. It also does not apply to Personal Information we collect from employees, owners, directors, officers, or contractors of businesses in the course of our provision or receipt of business-related services.

The following Personal Information we collect about you (as described below) comes from your interaction with our Site and the Bitwarden Service:

All of the categories of Personal Information we collect about you (as detailed above) are used for the following purposes:

California Rights and Choices

Subject to certain restrictions, as a California resident, you have the right to request that we disclose what Personal Information we collect about you, to delete any Personal Information that we collected from or maintain about you, and to opt-out of the sale of Personal Information about you. You also have the right to designate an agent to exercise these rights on your behalf, subject to verification of that agency relationship. This section describes how to exercise those rights and our process for handling those requests, including our means of verifying your identity. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please Contact Us.

Accessing and Deleting Your Personal Information

Right to request access to your Personal Information

You, as a California resident, have the right to request that we disclose what categories of Personal Information we collect, use, or sell about you. You may also request the specific pieces of Personal Information that we have collected about you. However, we may withhold some information where the risk to you, your Personal Information, or our business is too great to disclose the information.

Right to request deletion of your Personal Information

You may also request that we delete any Personal Information that we have collected from/about you. However, we may retain Personal Information as authorized under applicable law, such as Personal Information required as necessary to provide our services, protect our business and systems from fraudulent activity, to debug and identify errors that impair existing functionality, as necessary for us, or others, to exercise their free speech or other rights, comply with law enforcement requests pursuant to lawful process, for scientific or historical research, for our own internal purposes reasonably related to your relationship with us, or to comply with legal obligations. We need certain types of information so that we can provide our services. If you ask us to delete it, you may no longer be able to access or use our services.

How to exercise your access and deletion rights

California residents may exercise their California privacy rights by submitting a request via email at [email protected]. While email is the best way to reach us, you may also call us at the number listed in the Contact Us section.

For security purposes, we may request additional information from you to verify your identity when you request to exercise your California privacy rights. If you do not have an account with us, or if we have reason to suspect that the security of your account is compromised, we will request additional information from you to match with our existing records to verify your identity, depending on the nature of the request and the sensitivity of the information sought.

Sales of Personal Information

California residents may opt out of the "sale" of their Personal Information. We do not "sell" your Personal Information as we understand that term to be defined by the California Consumer Privacy Act and its implementing regulations.

Non-Discrimination Rights

California residents have the right to not be discriminated against for exercising their rights as described in this section. We will not discriminate against you for exercising your rights.

Contact Us

Address: 1 North Calle Cesar Chavez, Suite 102, Santa Barbara, CA 93103

Phone: +1-904-337-9364

Email: [email protected]

Web Form: https://bitwarden.com/contact/