BY USING THE SITES OR SERVICES, YOU ACCEPT AND AGREE TO THE TERMS OF THIS PRIVACY POLICY. BY ACCEPTING THE TERMS OF THIS PRIVACY POLICY, YOU REPRESENT AND WARRANT THAT YOU ARE ABLE TO PROVIDE INFORMATION EITHER ON YOUR OWN BEHALF OR ON BEHALF OF THE COMPANY YOU REPRESENT. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY POLICY YOU MAY NOT USE THE SITES OR SERVICES.
Privacy Policy
BitSight Privacy Policy
Date of Last Revision: February 2, 2023
At BitSight Technologies, Inc. ("we" or "us"), including our majority owned subsidiaries ThirdPartyTrust, LLC, NSEC Sistemas Informáticos, S.A., BitSight Technologies UK, Limited, BitSight Technologies Singapore Pte. Ltd., and BitSight Technologies Argentina SA, BitSight Technologies IL, Ltd., we respect and protect the privacy of our customers and others who use our websites (including the www.bitsight.com, www.bitsighttech.com, and www.thirdpartytrust.com domains) (the “Sites”) and our products and services (collectively, our “Services”). This privacy policy (the “Privacy Policy”) provides details about how your personal information is collected, secured, transferred, disclosed and used by us. It also describes your choices regarding use, access and correction of your personal information. Personal information is any information that identifies you or would enable someone to contact you, which may include your name, email address, phone number and other non-public information that is associated with such information. It does not include aggregate information, anonymous information or any other non-personally identifiable information. Unless expressly set forth herein or required by law, this Privacy Policy also does not apply to any unsolicited information you provide to us through the Sites or the Services or through any other means, such as information posted to any public areas of the Services (including our online community and blog), any ideas for new products or modifications to existing products, and other unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information shall be deemed to be non-confidential and we shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution. This Privacy Policy does not cover how our customers may use the data that we provide to them in connection with our Services.
Summary and Contents
The summary below provides the key concepts of the full Privacy Policy. If you have questions, please click the links to view the complete text below.
- Information We Collect: When you interact with us through the Sites or the Services, we may collect personal information and other information from you, including information you give us, information we get from your use of our Services, information we receive from other sources and information collected by third parties on our Sites. Learn more
- Our Use of Your Information: We collect information only as necessary to fulfill the purposes set forth in this Privacy Policy (including to provide our services) and we will only use this information as described in this Privacy Policy. Learn more
- Disclosure of Your Personal and Other Information: We do not sell your personal information. There are, however, certain circumstances in which we may share your personal information with certain third parties without further notice to you, including in connection with business transfers, to affiliates, service providers, agents, consultants and related third parties, partners and resellers, to other users of the BitSight customer forum and to comply with legal requirements. Learn more
- Accessing, Updating and Deleting Your Personal Information: Upon request we will provide you with information about whether we hold any of your personal information and allow you to access, correct, object to processing or request deletion of such information. In the event you close any account in connection with the Services, we will remove access to your name and other personal information. Learn more
- Opt-out Choices: You may decide to opt-out of interest-based advertising. Learn more
- Links from other Sites: Certain pages of the Sites and Services may, from time to time, contain external links or access to services provided by third parties. We are not responsible for the privacy practices of other websites or third parties. Learn more
- Security: We take reasonable steps to protect the personal information provided via the Sites and Services from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Learn more
- Children: Our Sites and our Services are designed for business use and are not directed to persons under 18. If we become aware that a child under 18 has provided us with personal information, we will delete such information from our files. Learn more
- International Use: We are headquartered in the United States of America. Personal information may be accessed by us or transferred to us in the United States or to our affiliates, service providers, agents, consultants and related third parties, partners and resellers, or service providers elsewhere in the world. By providing us with personal information, you consent to this transfer. Learn more
- Privacy Shield Frameworks - EU, UK, and Switzerland: We participate in and have certified our compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area, Switzerland and the United Kingdom to the United States, respectively. Learn more
- APEC: Our privacy practices, described in this Privacy Policy, comply with the APEC Cross Border Privacy Rules (CBPR) System and APEC Privacy Recognition for Processors (PRP) System. Learn more
- California and Other State-Specific Privacy Rights: Depending where they live, consumers may have certain rights afforded to them under the applicable laws of those states (including the California Consumer Privacy Act and California Privacy Rights Act). This section provides additional details on those rights. Learn more
- Our Contact Information: We have designated our Privacy Manager to oversee our compliance with applicable privacy laws. Questions and inquiries concerning your privacy may be submitted by completing this form, by email to [email protected], by phone to 1 (844) 735-0076, or to the address below. Learn more
- Notification of Changes: Your access to and use of the Sites and the Services is strictly conditioned upon your agreement with and consent to the terms and conditions of this Privacy Policy. In the event of any material modification by us to this Privacy Policy, we will notify you as described below. Learn more
Information We Collect and Their Sources
When you interact with us through the Services or Sites, we may collect, hold, and use the following personal information and other information from you, including:
- Information you give us.
  - Contact Information (Identifiers): We collect personal information from you when you complete our online forms, contact us with inquiries, or as part of your access and use of the Services. This information includes contact information such as name, mailing address, email, phone number, title, company information, and any other information provided by a user of the Services (including a user-submitted photograph).
  - Account and Payment Information: We also collect personal information from you when you log into the Services, provide payment and billing information (excluding credit card information), or post in the BitSight customer community forum. You are solely responsible for the personal information you choose to submit in any customer community forums. Please note a third-party payment processor collects credit card information directly from you and holds and processes such information pursuant to their own privacy policy.
  - Call and Video Call Information: We may collect personal information from you when you call us (including video calls) and calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. We may use third party vendors to facilitate calls. During such calls we will notify you of the recording via either text disclaimer, voice prompt or script.
  - Chat information: We may collect personal information from you when you chat online with us and chats may be recorded and analyzed for training, quality control and for sales and marketing purposes. We may use third party vendors to facilitate chats.
- Information we get from your use of our Sites or Services (e.g. ISPs)
  - Internet or other similar network activity (i.e. IP Address, Log Data, and Other Data): As is true of most websites, we gather certain information automatically. This information may include Internet protocol ("IP") addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.
  - Such information we get from your use of our Sites and Services, which is collected passively using various technologies, cannot presently be used to specifically identify you unless you have previously interacted with us by completing a form on our website or logging into the Services (see “Contact Information” and “Account Information” above). We may store such information itself or such information may be included in databases owned and maintained by our affiliates, agents or service providers.
  - Tracking Technologies: As described in this Privacy Policy, we and third parties on our Sites may use cookies and similar tracking technologies to collect information and infer your interests for interest-based advertising purposes. If you would prefer to not receive personalized ads based on your browser or device usage, see Opt-out Choices for more information.
- Information we receive or collect from other sources (e.g. third party vendors)
  - Third Party Data: We may receive information about you from other sources, including public internet sources, third parties from whom we have purchased data, or affiliated companies, and combine this data with information we already have about you. This helps us to update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal information about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.
- Information collected by third parties on our sites (e.g. vendors and service providers)
  - Social Media Information: Our Sites include social media features and widgets such as Facebook, YouTube, Twitter and LinkedIn or interactive mini-programs that run on our Sites. These features may collect your IP address, which page you are visiting on our Sites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Sites. Your interactions with these features are governed by the privacy statement of the company providing it.
  - Automated Technologies, Usage and Analytic Data: We may accumulate and aggregate certain statistical and related data - such as what product features you use the most, when an object (like a ticket) is opened and closed, and how often certain features (like workflows) are triggered in your account - when you or your users interact with the Sites and Services in order to improve the performance and functionality of the Sites and Services, to develop new products and/or services or to analyze the usage of the Sites and Services or to provide our products and services, including providing our customers with support and customer success, and for sales and marketing purposes (including profiling for automated targeted marketing campaigns). We engage third party providers to collect usage data. For more information about how we protect your information with these service providers, please see Disclosure of Your Personal and Other Information.
We are the sole owner of information collected on the Sites and Services (including any metadata), except for vendor lists and contact information that you provide to us in connection with your use of our Sites and Services.
To the extent the General Data Protection Regulation (the “GDPR”) applies to any personal information you give us to enable us to provide the service or operate our Sites, we rely on legitimate interest. We also process data based on consent for certain sales and marketing purposes.
Our Use of Your Information
We collect information only as necessary to fulfill the business purposes set forth in this Privacy Policy and we will only use this information as described in this Privacy Policy.
If you provide personal information for a specific reason, we will use such personal information in connection with the reason for which it was provided. We may also use personal information for business purposes including but not limited to:
- For internal purposes, such as administering your account,
- To communicate with you by responding to your requests, comments and questions,
- To help us improve the content and functionality of the Sites and Services,
- To provide aggregated and non-identifiable analytical and benchmarking data for security and other insights,
- To prevent fraudulent activity and for any other purpose based on our legitimate interest, and
- To better understand our users and to improve the Sites and Services and to market our Services to you (including profiling for automated targeted marketing campaigns for customers and prospects).
We may also use this information to contact you in the future to tell you about services we believe will be of interest to you. Each bulk marketing communication we send to you will contain instructions to "opt-out" of receiving future marketing communications. In addition, if at any time you wish not to receive any future marketing communications or wish to have your name deleted from our mailing lists, contact us as indicated below under “Our Contact Information.” You may also opt out as to whether your personal information is (i) to be disclosed to a third party other than as described herein or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected (or subsequently authorized by you) by contacting us as indicated below under “Our Contact Information.”
Disclosure of Your Personal and Other Information
We do not sell your personal information. There are, however, certain circumstances in which we may share your personal information with certain third parties without further notice to you, as set forth below:
- Business Communications. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, personal information may be part of the transferred assets or otherwise shared as is in our legitimate business interests.
- Related Parties. We may also share your personal information with our affiliates for purposes consistent with this Privacy Policy. We may share your information with others within your organization (including any affiliates or any other individuals designated as users on your account).
- Service Providers, Agents, Consultants and Third Parties. Occasionally, we enter into contracts with carefully selected third parties so that they can assist us in servicing you (for example, providing or maintaining databases, analytics, processing payment, fraud detection and deterrence or access to advertising assets), to assist us in our own marketing and advertising activities or to engage in co-marketing activities with us. Our contracts with such third parties prohibit them from using any of your personal information for any purpose beyond the purpose for which it was shared.
- Business Partners and Resellers. We may share your personal information with our partners and resellers so that they can assist you in using our Services and sell or resell our Services to you.
- Data Submitted in Connection with BitSight Customer Community Forum. Your name and/or username and the information you post in the BitSight customer community forums and any activities you engage in will be available to other users of the BitSight customer community forum.
- Legal Requirements. We may disclose your personal information as is in our legitimate interests when such disclosure is necessary or advisable, in our sole discretion, to conduct an investigation, respond to a third party or law enforcement subpoena or court order, bring legal action, prevent harm to others or pursue other relief when you or a third party are or may be: violating our terms and conditions of use; causing injury or other harm to, or otherwise violating our property or other legal rights, or those of other users of our Sites and Services or third parties; or violating federal, state, local, or other applicable law. This disclosure may include transferring information to the U.S. and outside the European Economic Area.
We may also share aggregated and non-identifiable information with any third party, including the media and industry observers and as part of our products and services. For example, we may disclose security trends, benchmarking data or the number of customers that have evaluated or purchased our products and services.
Opt-out Choices
To opt-out of interest-based advertising by participating companies in the following consumer choice mechanisms, please visit:
- Digital Advertising Alliance (DAA)’s self-regulatory opt-out page (http://optout.aboutads.info/) and mobile application-based "AppChoices" download page (https://youradchoices.com/appchoices)
- European Interactive Digital Advertising Alliance (EDAA)'s consumer opt-out page (http://youronlinechoices.eu)
- Network Advertising Initiative (NAI)’s self-regulatory opt-out page (http://optout.networkadvertising.org/).
“Do Not Track” (DNT) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Please note that we do honor DNT signals or similar mechanisms transmitted by web browsers except for the www.thirdpartytrust.com website, which does not currently honor DNT or other similar signals.
Retention of Information
Personal and other information we collect will not be kept for longer than is necessary for the business purpose described above for which it is collected and processed and will be retained in accordance with our internal document retention policies. The criteria used to determine our retention periods include: (a) the length of time we have an ongoing relationship with our customers and provide services, (b) whether there is a legal obligation to which we are subject, and (c) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
Accessing, Updating and Deleting Your Personal Information
Depending on the jurisdiction in which you are located, you may have the right to request that we provide the following information regarding the personal information we hold about you:
- The categories and/or specific pieces of personal information we collected
- The categories of sources from which personal information is collected
- The business or commercial purpose for collecting personal information
- The categories of third parties with whom we shared personal information
Applicable laws may also give you the right to lodge a complaint with a local supervisory authority related to this Privacy Policy.
If you are entitled to exercise privacy rights under applicable law, you may access, correct, object to processing or request deletion of your personal information by logging into your account or contacting us (including our European representative) by completing this form. We will respond to your request within a reasonable timeframe. Please be aware that even after we have processed your request, we may retain certain residual information in the backup and/or archival copies of our database or any data that we may retain in compliance with applicable law. We will not discriminate against you for exercising any of your rights with respect to your personal information.
In the event you close any account in connection with the Services, your account will be deactivated and your name and other personal information will no longer be accessible by you. We may retain your personal information for as long as your account is active or to provide you services, improve our Services, comply with our legal obligations, resolve disputes and enforce our agreements.
Links from other Sites
Certain pages of the Sites and Services may, from time to time, contain external links or access to services provided by third parties. You should verify and validate any and all privacy practices of other websites. We encourage you not to provide personal information, without first assuring yourself of the privacy policies of such other websites.
WE ARE NOT RESPONSIBLE IN ANY WAY FOR THE PRIVACY PRACTICES OF OTHER WEBSITES OR THIRD PARTIES OR FOR ANY USE AND/OR MISUSE OF ANY PERSONAL INFORMATION OR OTHER INFORMATION PROVIDED BY YOU AT SUCH OTHER WEBSITES OR SERVICES.
Security
We take reasonable steps to protect the personal information provided via the Sites and Services from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. For example, access to your personal information and/or your information on the Services is password-protected (it is your responsibility to protect the security of any of your login information). Notwithstanding our efforts, we cannot guarantee absolute or unqualified protection of this information given the open nature and resulting instability of the Internet, and we make no representations or warranties as to the effectiveness of our security and assume no liability for security breaches or any failure in the security of your computer equipment, your internet service provider or other networks and communications providers. If you have any questions about the security of your personal information, you can contact us at [email protected].
Children
Our Sites and our Services are designed for business use and are not directed to persons under 18. We do not knowingly collect personal information from children under 18 and as such do not sell or share personal information of consumers under the age of 18. If a parent or guardian becomes aware that his or her child has provided us with personal information without such parent or guardian's consent, he or she should contact us. If we become aware that a child under 18 has provided us with personal information, we will delete such information from our files.
International Use
We are headquartered in the United States of America. Personal information may be accessed by us or transferred to us in the United States or to our affiliates, service providers, agents, consultants and related third parties, partners and resellers, or service providers elsewhere in the world. By providing us with personal information, you consent to this transfer. We will protect the privacy and security of personal information according to this Privacy Policy, regardless of where it is processed or stored, however you explicitly acknowledge and consent to the fact that personal information stored or processed in the United States will be subject to the laws of the United States, including the ability of governments, courts or law enforcement or regulatory agencies of the United States to obtain disclosure of your personal information.
Privacy Shield Frameworks – EU, UK, and Switzerland
We participate in and have certified our compliance for our U.S. entities - BitSight Technologies, Inc. and VisibleRisk, Inc. - with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area, Switzerland and the United Kingdom to the United States, respectively. We are committed to subjecting all personal information received from European Union (EU) member countries, the United Kingdom and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
We are responsible for the processing of personal information we receive under each Privacy Shield Framework and subsequent transfers to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of personal information from the EU, the United Kingdom and Switzerland, including the onward transfer liability provisions.
With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
APEC
Our privacy practices, described in this Privacy Policy, comply with the APEC Cross Border Privacy Rules (CBPR) System and APEC Privacy Recognition for Processors (PRP) System. The APEC CBPR and PRP systems provide a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
California and Other State Privacy Rights
This section provides additional details about the personal information we collect about California residents and the rights that may be afforded to them under the applicable state laws, including the California Consumer Privacy Act and California Privacy Rights Act of 2020 (collectively, “CCPA”).
For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see the Information We Collect section above. We collect this information for the business and commercial purposes described in the Our Use of Your Information section above. We share this information with the categories of third parties described in the Disclosure of Your Personal and Other Information section above. BitSight does not sell (as such term is defined in the CCPA) the personal information we collect (and will not sell it without providing a right to opt out). Please note that we do use third-party cookies for our advertising purposes as further described in our Tracking Technologies section above. If you believe your global privacy controls set on your browser are not reflecting your “do not track” settings, please reach out to us using this form to let us know.
Subject to certain limitations and applicable law, the CCPA provides California consumers with the right to submit a verifiable request for:
- The right to know: You have the right to request information about the personal information we have collected, used, disclosed, sold, and shared about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and copies of specific pieces of your personal information obtained about you.
- The right to delete: You have the right to request the deletion of your personal information.
- The right to correct: You have the right to request the correction of inaccurate personal information maintained by us, taking into account the nature of the personal information and the purposes of processing the personal information.
- The right to opt out: You have the right to opt-out of any “sales” of your personal information and sharing of your personal information for cross-context behavioral advertising that may be occurring. However, as noted above we do not sell your personal information or share it for cross-context advertising, and
- The right to not be discriminated against for exercising these rights.
California consumers may make a request pursuant to their rights under the CCPA by contacting us as described in the Our Contact Information section below.
We may verify your request using the information associated with your account, including email address. California consumers may also designate an authorized agent to make a request pursuant to the above rights by providing the authorized agent written permission to do so and by verifying your own identity with us directly.
Residents of Colorado, Connecticut, Virginia, and Utah may also have additional rights which may include the rights included above in the absence of a valid exemption.
Right to Opt-Out of the Sale of Your Personal Information
In addition to the rights described above, California residents may opt-out of the “sale” of their personal information. California law broadly defines what constitutes a “sale” – including in the definition making available a wide variety of information in exchange for “valuable consideration”. We do not, and will not, sell your personal information.
Further, we do not share the personal information of California residents with third parties for their own direct marketing purposes.
Our Contact Information
We have designated our Privacy Manager to oversee our compliance with applicable privacy laws. Questions and inquiries to us (including our European representative) concerning your privacy may be directed:
- By email to [email protected].
- By phone at 1 (844) 735-0076, or you can write us at:
BitSight Technologies, Inc.
111 Huntington Ave, Floor 19
Boston, MA 02199
United States
Attn: Legal Department/Privacy Manager
We will use commercially reasonable efforts to make an initial response to your inquiries, questions or comments within five (5) business days of their receipt.
All data subject or similar access requests must be made by completing this form.
Notification of Changes
Your access to and use of the Sites and Services is strictly conditioned upon your agreement with and consent to the terms and conditions of this Privacy Policy, as it may be amended and/or updated from time to time at our sole discretion. In the event of any material modification by us to the way and purpose we process your personal information, we will notify you by email (sent to the email specified in your account) or by means of a notice on www.bitsight.com prior to the change becoming effective and your continued use of the Sites and Services will indicate your acknowledgement of such changes and agreement to be bound by the modified Privacy Policy terms. If you object to any such changes, you may not continue to access or use the Sites or Services. We encourage you to periodically review this page for the latest information on our privacy practices.