mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-27 15:36:40 +00:00
docs(legal): Draft Privacy Policy according to DPF principles (#10099)
# Which Problems Are Solved This document is draft for applying to the DPF it provides a privacy policy compliant to DPF principles. Privacy Policy according to [DPF principles](https://www.dataprivacyframework.gov/). This draft was approved by the U.S. Department of Commerce. # How the Problems Are Solved * Add DPF Adherence Statement * Add Recourse, Enforcement, and Liability: Including IDR and Arbitration * Self-certification completed * Registered for independent recourse mechanism (JAMS) * Approval by U.S. Department of Commerce # Additional Changes * Update HQ address * Removed the analytics providers and provided a link to the sub-processor list. All analytics providers are marked as such and have a link to their privacy policy. * Added a note that future notices will be published on our trust center * Smaller changes such as updating headings --------- Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Maximilian
@@ -3,41 +3,37 @@ title: Privacy Policy
|
||||
custom_edit_url: null
|
||||
---
|
||||
|
||||
Last updated on 20 March, 2025
|
||||
Last updated on October 23, 2025.
|
||||
|
||||
This privacy policy describes how ZITADEL Inc. and its wholly owned subsidiaries and affiliates (collectively, "**ZITADEL**", “**CAOS**", "**we**" or "**us**") collect, use, disclose and otherwise process your personal data in connection with the management of our business and our relationships with customers, visitors and event attendees.
|
||||
This privacy policy describes how Zitadel, Inc. and its wholly owned subsidiaries and affiliates (collectively, "**Zitadel**", "**CAOS**", "**we**" or "**us**") collect, use, disclose and otherwise process your personal data in connection with the management of our business and our relationships with customers, visitors and event attendees.
|
||||
|
||||
This privacy policy explains your rights and choices related to the personal data we collect when:
|
||||
|
||||
* You interact with our websites, including zitadel.com, zitadel.cloud and zitadel.ch as well any other websites that we operate and that link to this privacy policy (our “**Sites**”)
|
||||
|
||||
* You interact with our websites, including zitadel.com, zitadel.cloud and zitadel.ch as well any other websites that we operate and that link to this privacy policy (our "**Sites**")
|
||||
* You visit, interact with, or use any of our offices, events, sales, marketing or other activities; and
|
||||
|
||||
* You use our platform, including ZITADEL and our software, mobile application, and other products and services (the “**Services**”).
|
||||
* You use our platform, including Zitadel and our software, mobile application, and other products and services (the "**Services**").
|
||||
|
||||
This privacy policy does not cover:
|
||||
|
||||
* **Organizational Use**. When you use our Services on behalf of an organization (your employer), your use is administered and provisioned by your organization under its policies regarding the use and protection of personal data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.
|
||||
|
||||
* **Third Parties**. Our Sites include links to websites and/or applications operated and maintained by third parties (e.g. GitHub, LinkedIn, etc.). This privacy policy does not apply to any products, services, websites, or content that are offered by third parties and/or have their own privacy policy.
|
||||
|
||||
If any inconsistencies arise between this privacy policy and the otherwise applicable contractual terms, framework agreement, or general terms of service, the provisions of this privacy policy shall prevail (where applicable). This privacy policy covers both existing personal data and personal data which may be collected from you in the future.
|
||||
|
||||
ZITADEL determines the purposes for and means of the processing (i.e., we are the data controller) of your personal data as described in this privacy policy, unless expressly specified otherwise. The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is:
|
||||
Zitadel determines the purposes for and means of the processing (i.e., we are the data controller) of your personal data as described in this privacy policy, unless expressly specified otherwise. The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is:
|
||||
|
||||
**Zitadel Inc.**
|
||||
Data Protection Officer
|
||||
Four Embarcadero Center, Suite 1400
|
||||
**Zitadel, Inc.**
|
||||
Data Protection Officer
|
||||
1 Embarcadero Center
|
||||
Suite 1200
|
||||
San Francisco, CA 94111-4164
|
||||
United States of America
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
|
||||
**CAOS AG (Affiliate of Zitadel, Inc.)**
|
||||
Data Protection Officer
|
||||
Lerchenfeldstrasse 3
|
||||
9014 St. Gallen
|
||||
Switzerland
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
Lerchenfeldstrasse 3
|
||||
9014 St. Gallen
|
||||
Switzerland
|
||||
[legal@zitadel.com](mailto:legal@zitadel.com)
|
||||
|
||||
@@ -57,11 +53,24 @@ In cooperation with our suppliers, we make every effort to protect the databases
|
||||
|
||||
This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".
|
||||
|
||||
## Data Privacy Framework (DPF) Adherence Statement
|
||||
|
||||
Zitadel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
|
||||
Zitadel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
|
||||
Zitadel has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S.
|
||||
Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
|
||||
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
|
||||
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit [https://www.dataprivacyframework.gov/](https://www.dataprivacyframework.gov/)
|
||||
|
||||
### Transfers of Employee Data
|
||||
|
||||
Zitadel also commits to apply the DPF Principles to personal data of its employees collected in the context of their employment relationship with zitadel, where such data is transferred from the EU, UK, or Switzerland to the United States. In this regard, Zitadel commits to cooperate with the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by these authorities with regard to such data.
|
||||
|
||||
## Processing of personal data, legal basis, storage period
|
||||
|
||||
**Personal data** is any information that relates to an identified or identifiable person. A **data subject** is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, storage, modification, destruction and use of personal data.
|
||||
|
||||
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :
|
||||
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO:
|
||||
|
||||
* Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
|
||||
* When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
|
||||
@@ -69,7 +78,7 @@ We process personal data in accordance with Swiss data protection law. In additi
|
||||
* For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
|
||||
* If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
|
||||
|
||||
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
|
||||
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
|
||||
|
||||
### Processing of personal data when using the website, contact forms and in connection with newsletters
|
||||
|
||||
@@ -87,7 +96,7 @@ You can revoke your consent to the storage of the data, the e-mail address and t
|
||||
|
||||
### Processing of personal data when applying for a job with us
|
||||
|
||||
Our Sites can generally be visited without registration. If you apply for a job with us, we may collect and process according to the [Privacy policy for the ZITADEL employer branding and recruitment](https://jobs.zitadel.com/privacy-policy). You may request and delete your data with the links on our [data & privacy page](https://jobs.zitadel.com/data-privacy).
|
||||
Our Sites can generally be visited without registration. If you apply for a job with us, we may collect and process according to the [Privacy policy for the Zitadel employer branding and recruitment](https://jobs.zitadel.com/privacy-policy). You may request and delete your data with the links on our [data & privacy page](https://jobs.zitadel.com/data-privacy).
|
||||
|
||||
### Processing of personal data in connection with the use of our Services
|
||||
|
||||
@@ -135,7 +144,7 @@ We disclose personal data to law enforcement agencies, investigative authorities
|
||||
|
||||
Our Sites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our Services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
|
||||
|
||||
When you use our Services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively “cookies”) in your browser and on emails sent to you. This information may include personal data, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the Services, as well as information about your interactions with the Services, such as the date and time of your visit, and where you have clicked.
|
||||
When you use our Services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively "cookies") in your browser and on emails sent to you. This information may include personal data, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the Services, as well as information about your interactions with the Services, such as the date and time of your visit, and where you have clicked.
|
||||
|
||||
### Necessary cookies
|
||||
|
||||
@@ -151,18 +160,15 @@ Necessary cookies provide basic functionality such as:
|
||||
|
||||
### Analytical cookies
|
||||
|
||||
We also use cookies for website analytics purposes in order to operate, maintain, and improve the Services for you. We use Google Analytics 4 and PostHog to collect and process certain analytics data on our behalf. Google Analytics and PostHog helps us understand how you engage with the Services and may also collect information about your use of other websites, apps, and online resources.
|
||||
We use cookies for website analytics purposes in order to operate, maintain, and improve the Services for you.
|
||||
We use third-party providers, mentioned in our [List of Subprocessors](https://trust.zitadel.com/subprocessors), that collect and process certain analytics data on our behalf.
|
||||
These third-party providers helps us understand how you engage with the Services and may also collect information about your use of other websites, apps, and online resources.
|
||||
|
||||
You can learn about the analytics providers' practices by going to
|
||||
You can opt out by managing your cookie consent through our Services or a third-party tool of your choice.
|
||||
|
||||
* [https://www.google.com/policies/privacy/partners/](https://www.google.com/policies/privacy/partners/)
|
||||
* [https://posthog.com/privacy](https://posthog.com/privacy)
|
||||
* [https://legal.hubspot.com/privacy-policy](https://legal.hubspot.com/privacy-policy)
|
||||
* [https://www.commonroom.io/privacy-policy/](https://www.commonroom.io/privacy-policy/)
|
||||
|
||||
and opt out by managing your cookie consent through our Services or a third-party tool of your choice.
|
||||
|
||||
If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our Sites (e.g. language selection) may not function or may not function fully. Where required by applicable law, we obtain your consent to use cookies.
|
||||
If you do not want us to use cookies during your visit, you can disable their use in your browser settings.
|
||||
In this case, certain parts of our Sites (e.g. language selection) may not function or may not function fully.
|
||||
Where required by applicable law, we obtain your consent to use cookies.
|
||||
|
||||
## How we protect personal data
|
||||
|
||||
@@ -182,7 +188,7 @@ You have the right to know what personal data we hold and process about you and
|
||||
|
||||
### Right to rectification
|
||||
|
||||
You have the right to request the correction of inaccurate personal data concerning you.
|
||||
You have the right to request the correction of inaccurate personal data concerning you.
|
||||
|
||||
### Right to erasure (right to be forgotten)
|
||||
|
||||
@@ -214,43 +220,73 @@ You can opt out of receiving marketing emails from us by following the unsubscri
|
||||
|
||||
If you have a concern about how we collect and use personal data, please contact us using the contact details provided at the beginning of this privacy policy. You also have the right to contact your local data protection authority if you prefer, such as:
|
||||
|
||||
* Data protection authorities in the European Economic Area (EEA): [https://edpb.europa.eu/about-edpb/board/members\_en](https://edpb.europa.eu/about-edpb/board/members_en);
|
||||
* Swiss data protection authorities: [https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html](https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html);
|
||||
* Data protection authorities in the European Economic Area (EEA): [https://edpb.europa.eu/about-edpb/board/members_en](https://edpb.europa.eu/about-edpb/board/members_en);
|
||||
* Swiss data protection authorities: [https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html](https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html);
|
||||
* UK data protection authority: [https://ico.org.uk/global/contact-us/](https://ico.org.uk/global/contact-us/).
|
||||
|
||||
## Recourse, Enforcement, and Liability
|
||||
|
||||
Zitadel, Inc. is committed to addressing any concerns regarding its compliance with the Data Privacy Framework Principles.
|
||||
|
||||
### Commitment to Resolve Complaints
|
||||
|
||||
Zitadel commits to resolving complaints about our collection or use of your DPF-covered personal information. Individuals from the EU, UK, or Switzerland with inquiries or complaints regarding our DPF policy should first contact Zitadel Inc. at the address given in this policy.
|
||||
|
||||
Zitadel will investigate and attempt to resolve DPF-related complaints and disputes within 45 days of receipt.
|
||||
|
||||
### Alternative Dispute Resolution (ADR)
|
||||
|
||||
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Zitadel Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS Mediation, Arbitration and ADR Services ("JAMS"), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit [https://www.jamsadr.com/dpf-dispute-resolution](https://www.jamsadr.com/dpf-dispute-resolution) for more information or to file a complaint. The services of JAMS are provided at no cost to you.
|
||||
|
||||
### Binding Arbitration
|
||||
|
||||
Under certain conditions, more fully described on the [Data Privacy Framework website](https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction), you may be entitled to invoke binding arbitration for DPF complaints not resolved by any of the other DPF mechanisms. This option serves as an ultimate recourse for individuals if other avenues for resolution have been exhausted.
|
||||
|
||||
### Liability in Cases of Onward Transfers
|
||||
|
||||
Zitadel is committed to the Data Privacy Framework (DPF) Principles, which includes accountability for personal data that it subsequently transfers to a third party acting as an agent on its behalf. Zitadel remains liable under the DPF Principles if an agent processes such personal data in a manner inconsistent with the Principles, unless Zitadel proves that it is not responsible for the event giving rise to the damage.
|
||||
|
||||
### U.S. Regulatory Oversight
|
||||
|
||||
Zitadel's compliance with the Data Privacy Framework Principles is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). The FTC has jurisdiction over Zitadel's adherence to its DPF commitments. This oversight by a U.S. regulatory authority is a key component of the DPF's enforcement structure.
|
||||
|
||||
### Cooperation with Data Protection Authorities
|
||||
|
||||
Zitadel commits to cooperate with the EU DPAs, the UK ICO (and GRA), and the Swiss FDPIC in the investigation and resolution of complaints brought under the DPF and will comply with the advice given by these authorities with regard to data transferred from the EU, UK, and Switzerland.
|
||||
|
||||
## Additional Information for U.S. Residents
|
||||
|
||||
Categories of personal data we collect and our purposes for collection and use
|
||||
You can find a list of the categories of personal data that we collect in the section above titled “Processing of personal data, legal basis, storage period”. In the last 12 months, we collected the following categories of personal data depending on the Services used:
|
||||
You can find a list of the categories of personal data that we collect in the section above titled "Processing of personal data, legal basis, storage period". In the last 12 months, we collected the following categories of personal data depending on the Services used:
|
||||
|
||||
* Identifiers and account information, such as the username and email address;
|
||||
* Commercial information, such as information about transactions undertaken with us;
|
||||
* Internet or other electronic network activity information, such as information about activity on our Site and Services.
|
||||
* Geolocation information based on the IP address.
|
||||
* Audiovisual information in pictures, audio, or video content that you may choose to submit to us.
|
||||
* Professional or employment-related information or demographic information, but only if you explicitly provide it to us, such as by filling out a survey or by applying for a job with us.
|
||||
* Identifiers and account information, such as the username and email address;
|
||||
* Commercial information, such as information about transactions undertaken with us;
|
||||
* Internet or other electronic network activity information, such as information about activity on our Site and Services.
|
||||
* Geolocation information based on the IP address.
|
||||
* Audiovisual information in pictures, audio, or video content that you may choose to submit to us.
|
||||
* Professional or employment-related information or demographic information, but only if you explicitly provide it to us, such as by filling out a survey or by applying for a job with us.
|
||||
* Inferences we make based on other collected data, for purposes such as recommending content and analytics.
|
||||
|
||||
For details regarding the sources from which we obtain personal data, please see the “Processing of personal data, legal basis, storage period” section above.
|
||||
We collect and use personal data for the business or commercial purposes described in the “Processing of personal data, legal basis, storage period” section above.
|
||||
For details regarding the sources from which we obtain personal data, please see the "Processing of personal data, legal basis, storage period" section above.
|
||||
We collect and use personal data for the business or commercial purposes described in the "Processing of personal data, legal basis, storage period" section above.
|
||||
|
||||
Categories of personal data disclosed and categories of recipients
|
||||
### Categories of personal data disclosed and categories of recipients
|
||||
|
||||
We disclose the following categories of personal data for business or commercial purposes to the categories of recipients listed below:
|
||||
|
||||
* We disclose identifiers with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose Internet or other network activity with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose geolocation information with businesses, service providers, and third parties such as advertising networks, analytics, and social media.
|
||||
* We disclose payment information with businesses and service providers who process payments.
|
||||
* We disclose commercial information with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose audiovisual information with businesses and service providers who help administer customer service and fraud or loss prevention services.
|
||||
* We disclose inferences with businesses and service providers who help administer marketing and personalization.
|
||||
* We disclose identifiers with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose Internet or other network activity with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose geolocation information with businesses, service providers, and third parties such as advertising networks, analytics, and social media.
|
||||
* We disclose payment information with businesses and service providers who process payments.
|
||||
* We disclose commercial information with businesses, service providers, and third parties, such as analytics providers and social media networks.
|
||||
* We disclose audiovisual information with businesses and service providers who help administer customer service and fraud or loss prevention services.
|
||||
* We disclose inferences with businesses and service providers who help administer marketing and personalization.
|
||||
|
||||
### Privacy rights
|
||||
|
||||
Right to Opt-Out of Cookies and Sale/Sharing: Although we do not sell personal data for monetary value, our use of cookies and automated technologies may be considered a “sale” / “sharing” in certain states, such as California. Visitors to our US website can opt out of such third parties by clicking the “Manage cookie preferences” link at the bottom of our Site. The categories of personal data disclosed that may be considered a “sale” / “sharing” include identifiers, device information, Internet or other network activity, geolocation data, and commercial data.
|
||||
Right to Opt-Out of Cookies and Sale/Sharing: Although we do not sell personal data for monetary value, our use of cookies and automated technologies may be considered a "sale" / "sharing" in certain states, such as California. Visitors to our US website can opt out of such third parties by clicking the "Manage cookie preferences" link at the bottom of our Site. The categories of personal data disclosed that may be considered a "sale" / "sharing" include identifiers, device information, Internet or other network activity, geolocation data, and commercial data.
|
||||
|
||||
The categories of third parties to whom personal data was disclosed that may be considered “sale”/ “sharing” include data analytics providers and social media networks.
|
||||
The categories of third parties to whom personal data was disclosed that may be considered "sale"/ "sharing" include data analytics providers and social media networks.
|
||||
|
||||
We do not have actual knowledge that we sell or share the personal data of individuals under 16 years of age.
|
||||
|
||||
@@ -287,7 +323,9 @@ Our Site is not intended for or directed to children under the age of 14. We do
|
||||
|
||||
## Changes to this Privacy Policy
|
||||
|
||||
We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.
|
||||
We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy.
|
||||
We will provide additional notice to you if we make any changes that materially affect your privacy rights.
|
||||
Please subscribe to updates in our [Trust Center](http://trust.zitadel.com/updates) to receive future notices and updates.
|
||||
|
||||
## Contact us
|
||||
|
||||
|
||||
Reference in New Issue
Block a user