Privacy Shield Notice

Datto, Inc. participates in and has certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Economic Area (EEA), the United Kingdom or Switzerland to the United States. Our certification covers our U.S. subsidiaries, including Autotask Corporation, Backupify, Inc. and Open Mesh, Inc. You may view our Privacy Shield certification at the Privacy Shield Framework list.

For purposes of this Notice, Personal Data means data that relates to an identified or identifiable natural person (excluding our own human resources data) that is transferred to the U.S. from the EEA, the United Kingdom or Switzerland. This Notice outlines our general policy and practices for implementing the Privacy Shield principles for Personal Data.

Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Personal Data Covered by our Privacy Shield Certification

Our Privacy Shield certification covers Personal Data we collect to market, sell, provision, and manage our products. We are generally considered a controller of such Personal Data. This includes data such as name, address, email, billing information, IP address, and product logging and usage information. We also use such Personal Data to conduct and manage our business, including for internal administrative and analytics purposes, and to comply with our legal and compliance obligations, policies and procedures.

We collect and process Personal Data as part of the products and services we offer; we are processors of such Personal Data. We give our customers the ability to use data centers located in the EEA and the United Kingdom for the main processing associated with most of our products. Our Privacy Shield certification covers Personal Data for which we are a processor if we agree with our customer that the processing of such Personal Data is covered by our Privacy Shield certification. Our Privacy Shield certification also covers Personal Data related to technical and administrative support for a Product or its management portal even if the product’s processing takes place in a European data center.

In addition to this Privacy Shield Notice, we disclose our privacy practices in our website Privacy Policy and/or individual notices available at the time of initial data collection. When we receive Personal Data from our subsidiaries, affiliates or other entities in the EEA, the United Kingdom or Switzerland, we may rely on the notices provided by such entities. If there is a conflict between the terms of our privacy notices and the Privacy Shield principles, the Privacy Shield principles will govern with respect to Personal Data covered by this Notice.

Choice

We commit to provide choice to limit use of Personal Data if, other than as described in this Notice, it is to be disclosed to another controller or if is to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.

Onward Transfer

We may share Personal Data within our family of companies (including parent, subsidiaries and affiliates) for purposes consistent with this Notice. We share certain Personal Data for which we are a controller with third parties whose services we use to help 1) market, sell, provide and support our products; and 2) operate and manage our business. We make sure any third parties with whom we share Personal Data will use the data only for the purpose of providing their services to us, and in a manner consistent with our privacy practices. We assume responsibility for the processing of Personal Data that we transfer to a third party acting as our agent. We remain liable under the Privacy Shield principles if our agent processes such Personal Data in a manner inconsistent with the principles, unless we prove we are not responsible for the event giving rise to the damage.

In addition, we may share Personal Data 1) as required by law, such as to comply with a subpoena, warrant, regulatory oversight or similar legal process 2) when we have a good faith belief the disclosure is necessary to prevent or respond to fraud, defend our websites or products against possible attacks, or to protect the safety of persons and property; and 3) in connection with any potential sale, transfer, merger, consolidation or other transaction involving all or part of our company.

Security and Integrity and Purpose Limitation

We maintain commercially reasonable technical and organizational measures to protect against accidental or unlawful access, destruction, loss or alteration of Personal Data under its control. We retain Personal Data for which we act as a controller for as long as is reasonable for the original purpose for which it was collected and for furthering our legitimate business interests. We retain Personal Data for which we act as a processor for the term of the Product agreement with our customer, plus any post termination period during which we make Personal Data available for export by our customer.

Compelled Disclosure

We may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Access, Inquiries and Complaints

We provide reasonable access to and opportunity to correct, amend or delete Personal Information where it is inaccurate. We may limit or deny access to Personal Data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Privacy Shield principles. If you believe we maintain your Personal Data within the scope of our Privacy Shield certification, you may direct any inquiries or complaints concerning our Privacy Shield compliance please inquire at our Privacy Request page. We will respond within 45 days. If we fail to respond within that time, or if you have an unresolved privacy issue within the scope of our Privacy Shield certification, you may contact JAMS (Judicial Arbitration and Mediation Services, Inc), our U.S.-based third-party dispute resolution provider, free of charge by visiting their site. If neither we nor our dispute resolution provider resolves your issue, you may seek resolution via binding arbitration as described in Annex 1 of the Privacy Shield.

If your inquiry involves Personal Data for which we are a processor, please provide the name of the party who submitted your Personal Data to our product. We will refer your request to that party and to the extent reasonably possible consistent with the functionality of the Product, we will support that party as needed in responding to your request.

Amendment

We may amend this Privacy Shield Notice from time-to-time in compliance with the requirements of the Privacy Shield principles or applicable law.

This Privacy Shield Notice is effective as of March 29, 2019.