What Data We Collect
We are provided with data when our products and services (together, the “Solutions”) and our websites or portals (either, “Websites” or “Portals”) are purchased, used, or accessed.
Types of Data
Data that identifies, or can reasonably be used to identify, a person or household, either directly or indirectly (“Personal Data”) including:
- Name and business contacts (email address, physical address, phone number, title, company)
- Stored data protected by our Solutions
- Transactional data necessary for us to make and receive payments and deliver the Solutions
- Information submitted to us by completing forms on our Websites or Portals, entering a promotion or survey, subscribing to, commenting on, or downloading information from our Websites or Portals, or employment candidate applications
- Recruitment data, as permitted by law, including civil/marital status, date of birth, personal contact information, national ID number, immigration information, driving license, languages spoken, next-of-kin/dependent/emergency contact information, details of any disabilities, resumes and CVs, interview and assessment data, vetting and verification information (e.g., credit, education, financial sanction and background checks), the outcome of your application, employment offer details, and other informal data (e.g., opinions generated during the application process)
- Online behavior and preferences collected via cookies and other tracking technologies
- Technical data including electronic identifiers, license entitlement, IP addresses, type of domain names and operating systems, logs, time stamps of usage activities, account modification and authentication metrics, device identifier, geolocation data, browser type and language, access times, encrypted passwords and security questions, account history, and other unique identifiers
- Demographic information such as your age, gender, country, interests, and preferences, including preferences related to marketing and communications
- Audio-visual data, where applicable and legally permissible, including CCTV footage of our offices or call recordings
Why We Use Data
Commvault uses data, including Personal Data, for a variety of purposes, including:
- Delivery and optimization of our Solutions
- Providing best-in-class support for our Solutions
- Optimizing and personalizing the user experience
- Security, auditing, and marketing purposes
- Processing payments, invoicing and collections
- Recruitment and hiring practices
- Business analytics
- Communications about our Solutions, such as renewal notifications or events
- Where necessary to perform or enforce a contract or comply with law
- Our legitimate business interests, for example, enhancing our Solutions. Prior to taking such actions, we conduct an assessment to ensure our interests do not override your data privacy rights
To the extent permitted by applicable law, Commvault may use, process, transfer, and share your data in an anonymous, automated, and aggregated manner. We may combine such data with other information collected, including information from third-party sources. By using the Solutions, you acknowledge that we may collect, use, share and store anonymized and aggregated data for benchmarking, analytics, metrics, research, reporting, machine learning and other legitimate business purposes.
Do Not Track
Commvault does not change its practices in response to Do Not Track signals from web browsers.
When & Why We Share Your Personal Data
We do not and will not sell Personal Data to marketers or other vendors and we do not access the data protected by our Solutions for marketing or other purposes outside the scope of our Commvault’s Master Terms & Conditions and the applicable Data Agreements. For the purposes of the California Consumer Protection Act, the categories of data Commvault may share include identifiers, customer records information, commercial information, internet or other network or device activity, and geolocation data. Commvault may share data or categories of data for the reasons set forth herein with:
- Commvault Affiliates. Commvault may share data with its affiliates where necessary for administrative purposes or to deliver our Solutions.
- Partners. Partners provide us with theirs and their customers’ data as part of marketing, sale and delivery of the Solutions. Partner represents and warrants they have authorization or the required legal basis to obtain and share such data, including Personal Data, with us.
- Contractors and Service Providers. Commvault may share data, including Personal Data, with contracted third-party service providers (“Service Providers”). These Service Providers include business partners, payment services, advertising networks, IT and security service providers, auditors and consultants, customer survey companies, staffing and recruiting agencies, and cloud solutions and storage providers. Service Providers with whom we share Personal Data are contractually bound to use and disclose such Personal Data only for the permitted purposes and to provide the same level of protections as required by the relevant Data Privacy Framework (including onward transfer provisions). We require all our Service Providers to use reasonable security measures to protect Personal Data from unauthorized access and use.
- Legal Purposes. Commvault may share data, including Personal Data, as necessary to comply with applicable laws, court orders, governmental agencies or other lawful requests by public authorities, including to meet national security or law enforcement requirements as well as to protect our security or integrity and that of our customers and partners, or to take precautions against legal liability.
- Sale. In the event of a merger, consolidation, or acquisition of all, substantially all or a portion of Commvault’s business or assets, you acknowledge and agree that data may be securely shared, disclosed, and transferred to such successor or assignee.
Retention of Data
We may retain data, including Personal Data, for as long as necessary to deliver the Solutions or as needed for other lawful purposes. When your data is no longer required, we ensure it is destroyed in a secure manner. We may retain anonymized or aggregated data indefinitely or to the extent permitted under applicable law.
Global Data Management
Data Privacy Framework Compliance Statements
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commvault commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
The Federal Trade Commission has jurisdiction over Commvault’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commvault commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Commvault using contact points indicated in the Commvault Contacts section below.
If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Further information can be found on the official DPF website.
Commvault maintains administrative, physical, and technical safeguards and security measures designed to protect data. Details of our data privacy and security program can be found in Annex II of the applicable Data Processing Agreement. However, we cannot, and we do not believe that anyone can, genuinely guarantee or warrant absolute security of Personal Data disclosed or transmitted via the Internet to us or a third party.
You can opt-out of receiving marketing and promotional communications from Commvault by following the opt-out instructions set forth in such communication or contacting Commvault Systems, Inc. as set forth below. We will continue to process Personal Data for the purpose of delivering operational and service-related communications relating to our Solutions or policies, and other purposes as permitted by law.
You may have certain rights with respect to Commvault’s handling of Personal Data depending on your geolocation, including without limitation:
- Access. You have the right to access your Personal Data held by us. Consumers who reside in California may also request the categories of Personal Data we collect or disclose, the categories of sources of such Personal Data, the business or commercial purpose for collecting that Personal Data, and the categories of third parties with whom we share that Personal Data.
- Rectification. You have the right to request correction of your Personal Data that is incomplete, incorrect, unnecessary, or outdated.
- Right to be Forgotten. You have the right to request erasure of all your Personal Data that is incomplete, incorrect, unnecessary, or outdated within a reasonable period of time. We will do everything possible to erase your Personal Data if you so request. However, we cannot erase all your Personal Data if it is technically impossible due to limitations of existing technology or for legal reasons, such as legal mandates to retain Personal Data.
- Restriction of Processing. You have the right to request restriction of processing your Personal Data for certain reasons, provided we do not have an overriding, legitimate interest to continue processing.
- Data Portability. If requested, we will provide your Personal Data in a structured, secure, commonly used, and machine-readable format.
- Right to Withdraw Consent. If your Personal Data is processed solely based on consent, and not based on any other legal basis, you can withdraw consent at any time.
- Contact Data Protection Regulators. You have the right to contact data protection regulator(s) regarding our handling of Personal Data.
Additionally, California law provides California consumer residents with the right to not be discriminated against (as provided for in applicable law) for exercising rights thereunder. Further, under California’s “Shine the Light” law California consumer residents have the right, twice in a calendar year, to request and obtain from Commvault information about Personal Data Commvault has shared, if any, with other businesses for their own direct marketing uses. This information, if applicable, would include the categories of Personal Data and the names and addresses of those businesses with which Commvault shared Personal Data for the immediately prior calendar year (e.g., requests made in 2022 will receive information regarding 2021 sharing activities).
Third Party Linking & Content
The Solutions, Websites and Portals may contain links to third-party websites that Commvault does not control or maintain. We are not responsible for the privacy practices employed by these third-party websites and encourage you to read the privacy statements of such other websites before submitting any Personal Data. Our Website may contain third-party content which may include statements, opinions, advice, criticisms, offers or other information (collectively, “Third-Party Content”). Any Third-Party Content solely reflects the opinion and belief of the respective third party and not that of Commvault. We make no endorsement, guarantee or other statement, express or implied, about Third-Party Content. You must independently evaluate any Third-Party Content if you intend to rely on it in any way.
Commvault does not knowingly collect or distribute any Personal Data from children under 13 years old. If a child under 13 has provided Commvault with Personal Data, the parent or guardian of that child should contact Commvault immediately at email@example.com to delete this Personal Data.
Commvault’s Privacy Team can be contacted at firstname.lastname@example.org.
To exercise any of your rights, or for questions or complaints, please contact Commvault at email@example.com. We take reasonable steps to verify your identity when you exercise your rights. Please ensure that you keep your contact information up to date and accurate so that we may process your requests in accordance with applicable law and within a reasonable period of time.
You may also contact us by mail:
U.S. and international regions other than the EEA, U.K. or Switzerland:
Commvault Systems, Inc.
Attn: Legal Department/Global Data Governance Officer
One Commvault Way
Tinton Falls, New Jersey 07724
EEA, U.K. and Switzerland:
Commvault Systems International BV
Attn: Legal Department/Global Data Governance Officer
Papendorpseweg 75-79, 3528 BJ
Last Updated: November 2023