PRIVACY NOTICE

We process Customer Data and Service Data in order to provide the Services. This Privacy Notice applies solely to Service Data and does not apply to Customer Data. “Customer Data” is defined as data provided by or on behalf of Customer or Customer End Users for processing via the Services, unless it is otherwise defined in the specific product’s Terms of Service, in which case, that definition applies. For additional information related to Customer Data processing, please refer to your relevant Customer agreement for information about processing Customer Data and to Annex 1 for information about subprocessors.

Service Data is the personal information we collect or generate during the provision and administration of the Services, excluding any Customer Data. Service Data includes:

• When you engage us to use our Services or sign-up to the Services, and to provide support as agreed. We collect and process your contact information and billing information when you engage us to use our Services or sign-up to the Services and to provide support as agreed between the parties. If you are a representative of a business that wishes to use, or is already using, our Services, we will collect your contact information such as your name, title and company name, contact information, i.e., email address and phone number, and information relating to the potential or existing engagement and any support agreed between us and that business.
• Payments and transactions. We keep reasonable business records of charges, payments, and billing details and issues.
• Settings and configurations. We record your configuration and settings, including usernames, resource identifiers, and attributes. This includes service and security settings for data and other resources.
• Technical and operational details of your usage of the Services. We collect information about usage, operational status, software errors and crash reports, authentication details, quality and performance metrics, and other technical details necessary for us to operate and maintain the Services and related software. This information includes device identifiers, identifiers from cookies or tokens, and IP addresses.
• Your direct communications. We keep records of your communications and interactions with us and our partners, for example, when you send us an inquiry, provide feedback, or sign up to get a demo or to receive news and updates from us.
• When you visit the Website. We collect analytics information about your interaction with the Website, such as device identifiers and identifiers from cookies or tokens.

We process Service Data for the following purposes:

• Provide the Services you request. Service Data is primarily used to deliver the Services that you and our customers request. This requires processing of Service Data for purposes such as billing for the services you use, ensuring those Services are delivered or working as intended, detecting and avoiding outages or other problems you might experience, and securing your data and Services.
• Make recommendations to optimize use of the Services. We use Service Data to provide you and our customers with recommendations. This includes suggesting ways to better secure your account or data, options to reduce service charges or improve performance, and information about new or related products and features. We also evaluate your response to our recommendations.
• Maintain and improve the Services and Cloud Services. We evaluate Service Data to help us improve the performance and functionality of the Services. As we optimize the Services for you, this will improve them for our customers and vice versa.
• Provide and improve other services you request, including Cloud Services. We use Service Data to deliver and improve other Services that you and our customers request, including Google or third-party services that are enabled via the Services, administrative consoles, marketplaces, or APIs.
• Assist you, including support. We use Service Data to provide the technical support that you and our customers request, and to assess whether we have met your needs. We also use Service Data to improve our online support, and to communicate with you and our customers. This includes sending notifications about updates to the Services, and responding to support requests.
• Protect you, our users, the public, us, and Google. We use Service Data to improve the safety and reliability of our services by detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm us, our users, our customers, the public or Google. These activities are an important part of our commitment to secure our services.
• Comply with legal obligations. We use Service Data to comply with our legal obligations and Google’s legal obligations, for example, where we are responding to a legal process or an enforceable governmental request, or to meet our financial record-keeping obligations.

To achieve these purposes, we use Service Data together with information we collect from other Google products and services you use. In particular, we combine Service Data with this other information because:

• It helps us evaluate the use of the Services and other Google products to inform product development decisions. 
• It helps us detect fraud and abuse, such as fraudulent login attempts. 
• It enables us to comply with enforceable legal requests seeking data about a particular user's interactions across Google’s products.
• It enables us to provide specific features of the Services (for example, to inform rankings for surfacing relevant contacts in Gmail).

We use algorithms to recognize patterns in Service Data. Manual collection and review of Service Data may also occur, such as when you interact directly with our billing or support teams. We also use Service Data for internal reporting and analysis of applicable product and business operations for which we aggregate and anonymize Service Data to eliminate personal information.

We maintain servers around the world and Service Data may be processed on servers located outside of the country where our users and customers are located from these locations, or as otherwise specified. Data protection laws vary among countries, with some providing more protection than others. 

Regardless of where your information is processed, we apply the same protections described in this privacy notice. We also comply with certain legal frameworks relating to the transfer of data, such as the frameworks described below.

• Adequacy decisions

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data, which means that data can be transferred from the European Union (EU), Norway, Liechtenstein, and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions. We rely on the following adequacy decisions in some cases:

1. European Commission adequacy decisions

2. UK adequacy regulations

3. Swiss adequacy decisions

• Data Privacy Frameworks

As described in the certification table, Google complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (including EEA member countries), Switzerland and the UK respectively.

Regarding Google Cloud Acquisitions, certain entities have certified their respective adherence to these DPF Principles. The respective entities remain responsible for any of your personal information that is shared under the Onward Transfer principle (see DPF Principles for more details) with third parties for external processing on their behalf, as described in the How We Share Service Data section of this notice. To learn more about the DPF, please visit the DPF website.

If you have an inquiry regarding our relevant DPF certifications, we encourage you to contact us. Google is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the DPF Principles.

• Standard contractual clauses

Standard contractual clauses (SCCs) are written commitments between parties that can be used as a ground for data transfers from the EU to third countries by providing appropriate data protection safeguards. SCCs have been approved by the European Commission and can’t be modified by the parties using them (you can see the SCCs adopted by the European Commission here, here, and here). Such clauses have also been approved for transfers of data to countries outside the UK and Switzerland. Where required, we rely on SCCs for data transfers. If you want to obtain a copy of the SCCs, you can contact us via our contact email address below.

Our Services are offered with strong security features to protect your data. We work hard to protect you from unauthorized access, alteration, disclosure, or destruction of information we hold, including:

• Encrypting Service Data at rest and while in transit between our facilities.
• Regularly reviewing our Service Data collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems; and
• Restricting access to Service Data to our employees, contractors, and agents, including Google employees, contractors, and agents, who need that Service Data in order to process it for us. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

We do not share Service Data with companies, organizations, or individuals outside the Google Cloud Acquisitions or Google except in the following cases:

• When you procure third-party services

We share your information outside of the Google Cloud Acquisitions when you or our customer choose(s) to procure a third-party service through Google Cloud Platform, the Google Cloud Platform Marketplace, the Google Workspace Marketplace, or choose(s) a third-party application that requests access to your information.

• With your consent

We’ll share your information outside of the Google Cloud Acquisitions where we have obtained your consent to do so. 

• With your administrators and authorized resellers

When you use the Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:

• View account and billing information, activity and statistics
• Change your account password
• Suspend or terminate your account access
• Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
• Restrict your ability to delete or edit your information or your privacy settings
• For external processing

We do not sell your Service Data to any third parties.

We share your Service Data with trusted third-party providers to process it for us as we instruct them, in compliance with this Privacy Notice and appropriate confidentiality and security measures. In particular, we share your Service Data with our third-party providers when you request technical support services (we share the information you provide in the support ticket) and professional services (we share your contact details to enable communication and collaboration).

• For legal reasons

We share Service Data outside the Google Cloud Acquisitions or Google if we have a good-faith belief that access to, or use, preservation, or disclosure of the Service Data is reasonably necessary to:

• Comply with applicable law, regulation, legal process, or enforceable governmental request.
• Enforce applicable agreements, including investigation of potential violations.
• Detect, prevent, or otherwise address fraud, security, or technical issues.
• Protect against harm to the rights, property or safety of us, Google, our customers, users, and the public as required or permitted by law.

If we or Google are involved in a reorganization, merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of your Service Data and give affected users notice before Service Data becomes subject to a different privacy notice.

Your organization may allow you to access and export your data in order to back it up or transfer it to a third-party service. Some Services may enable you to directly access and download the data you have stored in the services.

You may be able to access certain categories of Service Data directly from the Services, such as your billing contact information, payment and transaction information, or certain product and communication settings and configurations.

If you’re unable to access your data, you can always request access via our contact email address below.

We retain Service Data for different periods of time depending on the type of data, how we use it, and how you configure your settings. When we no longer need such data, we delete or anonymize it.

For each type of Service Data and processing operation, we set retention timeframes based on the purposes for which we process it, and ensure that the information is kept for no longer than necessary. We retain most types of Service Data for a set period of up to 180 days (the exact number depends on the specific type of data). However, some data may be kept for longer periods where there is a business need. We generally have longer retention periods (which can be over a year) for Service Data that is kept for the following purposes:

• Security, fraud and abuse prevention. We retain Service Data to protect the Google Cloud Acquisitions or Google, users, customers, and the public from security threats (including when it is necessary to protect against fraudulent attempts to gain access to user accounts), or to investigate violations of applicable Google Cloud Acquisitions agreements. Usually, the Service Data retained where there is reason to suspect fraud or abuse would include device identifiers, identifiers from cookies or tokens, and IP addresses, as well as log data about usage of the Google Cloud Acquisitions Services.
• Complying with legal or regulatory requirements. We retain Service Data when required by an enforceable legal process, such as when the Google Cloud Acquisitions or Google receives a lawful subpoena.
• Complying with tax, accounting or financial requirements. When the Google Cloud Acquisitions or Google processes a payment for you, or when you make a payment to the Google Cloud Acquisitions or Google, we retain Service Data about those transactions (including billing information), typically for a minimum of five years, as required for tax or accounting purposes, or to comply with applicable financial regulations.

At the end of the applicable retention period, we follow detailed protocols to make sure that the Service Data is securely and completely deleted from our active systems (the servers the Google Cloud Acquisitions or Google uses to run applications and store data) or retained only in anonymized form. After completion of these steps, copies of the data will remain for a limited period in our encrypted backup systems (which we maintain to protect this information from accidental or malicious deletion and for outage and disaster recovery purposes), before being overwritten by new backup copies.

Exercising your data protection rights

If European Union (EU), UK, or Swiss data protection law applies to the processing of Service Data relating to you, you have certain rights, including the rights to access, correct, delete and export that information, and to object to or request that we restrict processing of your personal information.

The entities listed in Annex 1 below. will be the data controllers responsible for your personal information. However, where you or our customer has entered into an agreement covering the Services with a different Google affiliate, that affiliate will be the data controller responsible for processing your Service Data, but only in connection with billing for the Services.

If you want to exercise your data protection rights with regard to Service Data we process in accordance with this Privacy Notice, and you are not able to do so via the tools available to you or your organization’s administrator, you can contact us via our contact email address below.

You can always contact your local data protection authority if you have concerns regarding your rights under local law.

Our grounds for processing your Service Data

When we process Service Data for the purposes described in this Privacy Notice (see Why We Process Your Information above), we rely on the following legal grounds:

Additional information (Switzerland) 

If Swiss data protection law applies to the processing of your Service Data, the following additional information is relevant.

Please see the section titled ‘Where Service Data is Stored’ (above) for information on where we and our affiliates process Service Data. We also disclose your Service Data to service providers, partners and other recipients (see the section titled ‘How We Share Service Data’) that are located or process information in any country in the world.

We comply with certain legal frameworks relating to the transfer of information as set out in the sections titled ‘Model contract clauses’ and ‘Standard contractual clauses’ . We may also transfer your information to a third country based on an exception provided for by the Swiss Federal Data Protection Act.

An exception may apply in the event of legal proceedings abroad; in cases of overriding public interest or if the performance of a contract with you or in your interest requires disclosure; if you have consented; if the information has been made generally available by you and you have not objected to the processing; if the disclosure is necessary in order to protect the life or the physical integrity of you or a third party and we can't get consent within a reasonable period of time; or if the information originates from a register provided for by Swiss law which is accessible to the public or to persons with a legitimate interest, provided that the legal conditions for the consultation of such register has been met in the specific case.

If Brazilian data protection law applies to the processing of your personal information, you have certain rights, including the rights to access, correct, delete or export that information, as well as to object to or request that we restrict processing of that information. You also have the right to object to the processing of your information or to export your information to another service.

For users based in Brazil, the data controller responsible for information we collect under this Privacy Notice is Cloud Brasil Computação e Serviços de Dados Ltda. If you want to exercise your data protection rights with regard to personal information we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact us via our contact email address. And you can contact your data protection authority if you have concerns regarding your rights under Brazilian law.

In addition to the purposes and grounds described in this Privacy Notice, we may process personal information on the following legal grounds:

• Where necessary for the performance of a contract with you

We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.

• When we’re complying with legal obligations

We’ll process your information when we have a legal obligation to do so.

• When we’re pursuing legitimate interests

We may process personal information based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing the Services you request; making recommendations to optimize use of the Services; maintaining and improving the Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of the Google Cloud Acquisitions or Google, our users, our customers, and the public, as required or permitted by law.

Some U.S. state privacy laws require specific disclosures for state residents.

These laws may include

• California Consumer Privacy Act (CCPA) (as amended by the California Consumer Privacy Act Regulations (CCPR);
• Virginia Consumer Data Protection Act (VCDPA);
• Colorado Privacy Act (CPA);
• Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA); and
• Utah Consumer Privacy Act (UCPA)

This Privacy Notice is designed to help you understand how we handle Service Data:

• We explain the categories of Service Data we collect and the sources of that Service Data in Service Data We Collect.
• We explain the purposes for which Google collects and uses Service Data in Why We Process Service Data.
• We explain when we may disclose Service Data in How We Share Service Data. We do not sell your Service Data to any third parties. We also do not “share” your personal information as that term is defined in the CCPA, as amended by the CCPR.
• We explain how we retain Service Data in Deletion Or Retention of Service Data. Google may also de-identify personal information about you so that the information can no longer be linked to you. When we de-identify personal information, we maintain policies and technical measures to avoid re-identifying that information.

U.S. state privacy laws also provide the right to request information about how Google collects, uses, and discloses Service Data. And they give you the right to access your Service Data, sometimes in a portable format;  correct Service Data; and to request that Google delete that Service Data. They also provide the right to not be discriminated against for exercising these privacy rights.

We provide the information and tools described in Access to Service Data so you can exercise these rights. When you use them, we’ll validate your request by verifying your identity.

If you have questions or requests related to your rights under U.S. state privacy laws, you (or your authorized agent) can also contact us via our contact email address below. And if you disagree with the decision on your request, you can ask us to reconsider it by responding to the team’s email.

Some U.S. state privacy laws require a description of Service Data practices using specific categories. This table uses these categories to organize the information in this Privacy Notice.

If Japanese data protection law (the Act on the Protection of Personal Information, “APPI”) applies to the processing of your Service Data, we provide the following additional information for users of the Services residing in Japan.

Controller of Service Data. Any Service Data provided to or gathered by the Google Cloud Acquisitions is controlled primarily by the entities listed below.

Purpose of collection and use of Service Data. The Google Cloud Acquisitions collects and uses Services Data for the purposes set out here and here.

Measures undertaken to protect retained personal information.

Establishment of general policy

The Google Cloud Acquisitions established and published this Privacy Notice outlining our general policy relating to Service Data.

Establishment of internal policy relating to handling of personal data

The Google Cloud Acquisitions established internal policies about handling measures and persons in charge and their responsibility etc. with regard to the acquisition, utilization, records, provision, deletion, etc., of personal data.

Internal organization as security control action

The Google Cloud Acquisitions and/or Google have large security and privacy teams responsible for developing, implementing, and reviewing internal personal data handling processes. Google Cloud Acquisitions and/or Google employees are trained to report suspected incidents involving personal data, which may be done through various channels such as through dedicated email addresses or digital platforms. A dedicated team assesses reported incidents, and as appropriate a coordinated team is assigned to manage the overall incident, including liaising with Legal and the product team as part of the investigation and response. The team on-call for an incident is assigned on a daily rotation. Incident responses may follow either a standard or an expedited route, depending on the severity and priority assigned to the incident.

Personnel measures as security control action

The Google Cloud Acquisitions and/or Google conduct periodical training for its employees about matters to consider when handling personal data.

Physical measures as security control action

The Google Cloud Acquisitions and/or Google take measures to prevent unauthorized persons from accessing personal data in any situation and to prevent theft or loss of devices and electronic media for handling personal data.

Technical measures as security control action

Please see How we Secure Service Data and Deletion or Retention of Service Data for further information on the security measures undertaken to secure, retain, and delete Service Data.

Research of external environment

Data protection laws vary among countries, with some providing more protection than others. The Google Cloud Acquisitions and/or Google have established a personal information protection system to ensure your information is accorded protections equivalent to APPI, as described in this Privacy Notice. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks described above. For more detail, please see Data Transfer Frameworks. Further, with regard to the location of our data centers storing Service Data, please see Where Service Data is Stored (above). There may be cases where the Google Cloud Acquisitions or Google entrust the processing of information to subprocessors or its subsidiaries or affiliates. With regard to locations of Google offices, subsidiaries, and affiliates, please see Google’s Office Locations. With regard to the location of subprocessors, please see Annex 1 (below).

Contact information. For users of the Services residing in Japan that have any inquiries or requests about your Service Data related rights under applicable law, please email appi-inquiries-external@google.com.

This Privacy Notice applies to Google Cloud Acquisition Service Data. This Privacy Notice does not apply to:

• Products, sites, or services which are covered under a different privacy notice;
• the information practices of other companies and organizations that advertise our services,
• services offered by companies or individuals other than the Google Cloud Acquisitions.

We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.