This privacy policy applies for the data collected by Bitdefender as a controller or a joint controller for providing the Bitdefender Business Solutions Certain Bitdefender Solutions and services may have additional specific privacy notices as detailed herein. In case of conflict, such specific privacy notices shall derogate from this general policy.
The document explains how Bitdefender collects, stores, uses, and discloses your Personal Data and how and where we may use it, how we protect it, who has access to it, with whom we share it, and how you may correct it within the Bitdefender Business Solutions.
DISCLAIMER: NOT APPLICABLE
(i) If you are a home user client of Bitdefender Home user solutions this Privacy Policy does not apply to you. Please check our Bitdefender Privacy Policy for Home Users Solutions.
(ii) if you are a visitor of Bitdefender websites, the applicable privacy policy is the Privacy Policy for Bitdefender websites.
(iii) if you are a Data Subject of the Bitdefender Business Solutions where Bitdefender acts as a Data Processor, such as Bitdefender Gravityzone Security for Mobile Solution, Bitdefender Gravityzone Integrity Monitoring, Bitdefender Gravityzone Cloud Security, where your employer or the provider that offers you the cybersecurity service is a data controller, please check with them for their privacy policy or similar information on how your personal data is processed. Bitdefender will process your Personal Data in that context pursuant to the terms of the Data Processing Agreement in place between that company and Bitdefender.
(iv) if you are an employee or a candidate of employment with Bitdefender, please check the applicable policies in the context of your direct interactions with Bitdefender.
1. General information
1.1. S.C. BITDEFENDER S.R.L. (“Bitdefender”), with its official headquarters in Bucharest, 6th District, 15A Sos. Orhideelor, Orhideea Towers Building, 10-12 floors, registered in the Bucharest Trade Register with number J40/20427/2005, fiscal code RO18189442, e-mail: privacy@bitdefender.com processes personal data in agreement with the Romanian data protection legislation and the EU GDPR – General Data Protection Regulation (Regulation 2016/679). Our Data Protection Officer can be found at the following contacts: dpo@bitdefender.com , Phone: 4021 -206.34.70. Bitdefender SRL and its affiliates and subsidiaries (collectively, “Bitdefender”) value the security and privacy of your data. This Privacy Policy is issued by Bitdefender, so a reference to “we”, “us”, or “our” in this Privacy Policy shall refer to Bitdefender.
1.2. Bitdefender is a cybersecurity leader delivering best-in-class threat prevention, detection, and response solutions worldwide. Guardian over millions of consumers, enterprises, and government environments, Bitdefender is one of the industry’s most trusted experts for eliminating threats, protecting privacy, digital identity and data, and enabling cyber resilience. The company has pioneered breakthrough innovations in antimalware, IoT security, behavioral analytics, and artificial intelligence.
1.3. Our main goal is to ensure cybersecurity of our clients including but not limited to endpoint security, network security, cloud security or other cyber security purposes and also support activities for this purpose and only in specific cases, when support activities are included in the specific contract with Bitdefender as well as for identifying errors and troubleshooting, for improvement of our solutions and services and in statistical and trends analysis by providing quality solutions and services in these areas while also respecting privacy and personal data of our customers, other Internet users and our business partners, and in some cases for the purpose of compliance with Bitdefender’s legal obligations where applicable laws require us to process your Personal Data (“Purpose”).
1.4. When collecting and processing data, we strive, on a best-efforts basis, to apply adequate technical measures to anonymize it, or at least to pseudonymize it. Our main goal is to collect solely the necessary technical data and to anonymize personal data in order to process it for the specified Purpose.
1.5. In cases where perfect anonymization is not technically possible, the potential identification of a user is extremely unlikely to happen. Personal Data according to the European legislation definition (Regulation 2016/679) means: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. In this context, Bitdefender processes Personal Data from its Bitdefender Business Solutions for the Purpose by:
(i) ensuring correct and efficient operation of Bitdefender Business Solutions, according to the technical specifications and documentation, and for the improvement of our solutions, including analyzing the reported malware or other cybersecurity issues and delivering and customizing our solutions for cybersecurity needs and developing new technologies;
(ii) offering support or counseling to the Data Subjects of Bitdefender Business Solutions, if the Data Subject specifically demands it and only if Bitdefender Solution includes such feature or services.
2. Personal data collected
2.1. All personal data collected by Bitdefender is recorded, stored, used, and managed on protected servers, as well as on other devices that allow these operations with standard industry security measures. Also, all Bitdefender's websites are hosted on protected servers having standard industry security measures. Bitdefender may collect personal information from Data Subjects, as users of Bitdefender Business Solutions which is limited to technical and licensing data, which sometimes may include personal data: (i) Personal Data directly provided by Data Subjects or Bitdefender clients and partners when creating an account; (ii) technical data collected by Bitdefender Business Solutions
2.2. The Personal Data could contain personal and business identifiers and contact information such as name, job title, company name, contact, shipping and billing information, phone number, email address, and contact preferences, internet or other electronic network activity, i.e. technical data such as domain name, URLs; your device’s IP address; login data e.g. username, password; data you provide to us to receive technical assistance or during customer service interactions; your personal or professional interests, demographics, experience with our products and contact preferences or completing any 'free text' boxes in our forms; and commercial information, i.e. transactional data and transaction history, Personal Data disclosed by you on message boards, chat features, blogs and other services or platforms to which you (including third-party services and platforms). We also may record our telephone or other communications with you, to the extent permitted by applicable law.
2.2.1. Personal data directly provided by Data Subjects or Bitdefender clients and partners including but not limited to:
When a license is provided to you, your employer or partner may share with us your business contacts, such as email address or phone number so we can contact you with updates, notices, or to provide support, other than business contact details. Also, when you access the Support Center, we may ask for a valid email address or a phone number and/or other technical information to communicate with you in providing support. All such data is being used to provide a specific user with a license to use Bitdefender Business Solutions, for solving a request or complaint you addressed to us, or for offering technical support. Bitdefender may also ask for other data that could be considered personal data, if necessary for resolving the information security issue reported by you where asked for help. More details will be shared when using a specific communication tool with us.
Retention: The data used for licensing information is kept for the duration of the contract, plus no more than five years after its expiration to be able to defend any legal complaints on contractual issues. The data used for support services is kept for different periods of time, depending especially if the problem has been solved and the exact method of communication with the support services, but in no case the data will be kept for more than five years after the last communication took place, to be able to defend any legal complaints on contractual issues.
2.2.2. Technical data sent by Bitdefender Business Solutions including but not limited to:
– When you use Bitdefender Business Solutions it is possible to share with us some technical details, such as data for identifying the device (UDID), the infected URL you reported, or IP addresses. If you use a Bitdefender Business Solutions that integrates with your email server, some technical data of the infected files could be sent to us, including data such as sender, recipient, subject, or attachment. In most cases, these technical data may not lead to your direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific computer. Therefore, we treat all such information as personal data and protect it as such. This information is solely used for the Purpose by correct and efficient operation of our solutions and services, according to the technical specifications, and their improvement, including by analyzing the reported security issues. This includes delivering and customizing related services. Also, we may use this information for statistical purposes and improving the quality of our solutions.
Retention: This data is stored for a limited period, depending on its usefulness for the current information security needs. Based on the current speed of technology, we will not need them for over 10 years from the day of the collection.
- when you use a Bitdefender console for management and settings of the acquired Bitdefender Business Solutions, we will collect usage data (e.g featured used, error encountered, loading times, device used, access logs) connected to user identifiers in order to allow us to provide security of these services, for identifying errors and troubleshooting, as well as for improvement of our services. Most of this data is used in the latter purpose only as aggregated data in statistical and trends analysis.
Retention: This data is stored for a limited period, depending on the purpose of each data usage and of the platforms used to analyze the data, but the maximum period would not exceed 12 months from their collection.
3. Legal basis and other details for personal data processing
3.1. Bitdefender processes personal data from its Bitdefender Business Solutions based on legitimate interests of Bitdefender, but also the legitimate interests of the Data Subjects that it aims to protect from cyber-attacks and malware and for the Purpose, as explained in the Recital 47 of the GDPR. How this data processing is managed will not affect the interests or fundamental rights and freedoms of the data subject that require protection of personal data.
3.2. In certain cases, we collect your Personal Data, with Your consent, where we have obtained your consent to process your Personal Data for certain activities. You may withdraw your consent at any time by using the contextual preference tools available in the communications or in the user interfaces of the products and services we provide to you. Absent those, please contact us as explained below. However, please note that your withdrawal of consent will not affect the lawfulness of any use of your Personal Data by Bitdefender based on your consent prior to withdrawal.
3.3. If you have any questions or would like more information regarding the legal basis on which we collect your Personal Data, please review the supplemental privacy notice(s) of Bitdefender solution concerned or contact us as explained below.
3.4. Bitdefender applies the principle of “data minimization” to the collected data, so that the data collected is anonymized by default. As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted to Bitdefender personnel and data processors that need access to this information, as explained below.
All Bitdefender information security policies are ISO 27001 and SOC2 Type2 certified.
4. Who has access to personal data
4.1. In principle, Bitdefender will not reveal any personal data about its Data Subjects to third parties with the exceptions mentioned below and in chapter 6.
Bitdefender sometimes uses other companies to process the collected personal data but only when needed, for the Purpose and to allow them to conduct Bitdefender business. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender.
Data processors have the obligation not to allow third parties without Bitdefender prior approval and only for the purposes as instructed by Bitdefender to process personal data on behalf of Bitdefender and to access, use and/or keep the data secure and confidential.
4.2. We only disclose your information as described in this Policy as follows:
Affiliates or Subsidiaries. In some specific situations when processing of Personal Data might require support from other Bitdefender Affiliates, we may disclose limited data to our affiliates or subsidiaries Data we collect from you may be disclosed to our affiliates or subsidiaries.
Service Providers. Data we collect from you may be disclosed to third party service or technology providers as subcontractors of Bitdefender, for the Bitdefender solutions we provide.
Business Transfers. Data we have collected from you may be transferred to another company as part of a merger or acquisition by that company.
Consent. We may disclose your personal information for any other purpose with your consent.
Legal Obligations and Rights. We may disclose your Personal Data to any legally entitled recipients: (i) in connection with the establishment, exercise or defense of legal claims; (ii) to comply with laws or to respond to lawful requests or legal process; (iii) for fraud or security monitoring purposes (e.g., to detect and prevent cyberattacks); (iv) to protect the rights of Bitdefender or its employees; or (v) as otherwise permitted by applicable law.
If we disclose your Personal Data, to the extent reasonably practicable and permissible, we will require its recipients to comply with adequate privacy and confidentiality requirements, and security standards.
4.3. Bitdefender may host or transfer personal data in Romania, Ireland, or other state members of the European Union or in any other jurisdictions, which offers adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).
For Bitdefender Business Solutions, most of the data is hosted and managed internally. But for certain data, we may use the following type of data processors for services based in EU, USA and APAC:
(i) for Live channels communication we use data processors from EU and USA for purposes of support services, live chat and call centers.
(ii) for off-line channels communication we use data processors from EU and USA for support services and hosting the data.
(iii) for certain security services, we use data processors from EU, USA, Singapore and UK.
Due to confidentiality obligations the specific information regarding the processors used will be provided to competent authorities.
However, Bitdefender may reveal personal data to competent authorities, upon their request according to the applicable laws or when this is necessary to protect the rights and interests of our clients and Bitdefender.
5. Your personal data rights
5.1. According to GDPR, data subjects have the right to access to data, right to rectification, right to erasure and the right not to be subject to individual decisions. Data subjects also have the right to restriction of personal data processing and to request the deletion of the collected personal data, as well as the right to data portability.
5.2. For any data processing based on consent, you have the right to withdraw the consent at any time.
5.3. To exercise these rights, you may send a written request, dated and signed, to the Bitdefender DPO at: dpo@bitdefender.com or to privacy@bitdefender.com.
5.4 Data subjects are not subject to decisions based solely on automated processing, including profiling, which may produce legal effects or similarly significantly affects them.
5.5. Data subjects also have the right to lodge a complaint with a supervisory authority and the right to address a court.
6. Other joint data – controllers
6.1. If you use our Bitdefender Business Solutions, then it is possible that another company (usually your employer as our business Client or a Partner that includes our services) is also a joint data controller for some of the data collected by the Bitdefender Business Solutions, especially those accessible in the Bitdefender GravityZone Console for the Purpose.
6.2. According to our joint controllers arrangement with them, these companies have the full responsibility for the personal data processed by them and need to inform you on all aspects of their personal data processing, including legal basis for data processing and all purposes of collection, including the purpose of information security.
7. Additional information regarding Personal Data collection in certain Bitdefender Business Solutions.
7.1. Additional information regarding personal data collection of Anti-theft services of Bitdefender Business Solutions
This chapter complements the privacy policy with specific information regarding processing information that may be personal data and that is collected by Bitdefender for the anti-theft services, if those are active within the Bitdefender Business Solutions that you use. Some of Bitdefender Business Solutions include an anti-theft service option designed for both mobile phone solutions as well as for tablets and laptops. Once activated and configured, the anti-theft option can track in real time via geo-localization the lost or stolen device. This Bitdefender service offers the localization option as well as other connected options such as remote blocking of the device, deleting the entire content of the device, or taking photos of the person who is accessing the phone without authorization. More details are available here. If the anti-theft services are activated, Bitdefender may receive personal data such as geo-localization data either from GPS, GSM cells, Wi-Fi usage, or IP address. The only purpose of processing this data is information security via the Bitdefender anti-theft service. For the purpose of identifying the precise location, we may use third party processors. All the data is mostly hosted on the EU territory. However, certain data might also be hosted in USA by processors which offer adequate level of personal data protection according to European Union standards (art 45 GDPR) or other appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR). All geo-localization information is kept for as long as the anti-theft service is active and will be deleted when the service is deactivated. Thus, the Admin of a Bitdefender Solution may have administration rights for Bitdefender services and Solutions. Therefore, on the devices where the anti-theft services are installed, he/she can operate commands remotely. In this regard, it is the responsibility of the Admin to ensure that he/she can fulfill these actions from a legal standpoint and that he/she has the right to know the location, to take pictures remotely, to block or delete the device's content or to interact in any way with it.
7.2. Additional information regarding personal data collection of Human Risk services of Bitdefender Business Solutions
This chapter complements the privacy policy with specific information regarding processing information that may be personal data and that is collected by Bitdefender for the Human Risk Analytics services, only if those are activated within the Bitdefender Business Solutions that you use. The only purpose of this data collection is to help identify user actions and behaviors that pose a security risk to the organization. This is being implemented with a privacy-friendly solution, by processing data exclusively on the local endpoints to identify potential human risk security activities. The generic result is being displayed in the GravityZone console only available to the Admin of the solution, together with a general score for Human Risk. The data is not being used by Bitdefender for other purposes. More technical data on what is being processed is available in the technical documentation of Business Solutions and on our website.
7.3. Additional information regarding Privacy Policy for GravityZone Security for Email Solution
We use world-class, highly accredited provider to deliver GravityZone Security for Email Solution, and that includes Censornet. This is a cloud-driven security gateway able to protect any type of email service against multiple types of email threat vectors. Specific data centre locations depending on client location include UK, EU, USA, EAU. Email messages flow through the infrastructure within the selected data centre(s) above and are checked for spam and viruses and other content. If the message is validated by the solution as ‘clean’, it is then logged and delivered to the Client’s email server.
Email log data includes IP addresses, To, From (email addresses) and Subject fields, full emails if marked as spam and quarantined server responses, and other email header data (does not include the message body or any file attachments). Log data is stored in the same data center that processes email traffic.
During processing the message is written to disk. Once delivered to the Client’s email server it is immediately deleted. This typically takes no more than a few seconds.
If a message is validated by Bitdefender as “spam”, then the message may optionally be written to a quarantine where it is stored for thirty (30) days. Bitdefender Client may choose to delete spam rather than quarantine it. Retention for log data is 90 days up to 12 months (archive log data).
8. Publication date
8.1. The privacy policy has been adopted on the date mentioned in the title of the document and will be modified each time is necessary without prior or future notice of the changes. The new version will enter into force when published on the website and it will be marked accordingly. The present document is available at https://www.bitdefender.com/site/view/eula-business-solutions.html.