Box Privacy Notice

Effective as of December 2, 2019, Box, Inc., and its subsidiaries, (collectively, “Box” or “we” or “us” or “our”) have updated our Box Privacy Notice (“Privacy Notice”).

Overview

At Box, we respect the privacy rights of users and recognize the importance of protecting your information. We provide a cloud-based content management platform and our products make it easier for people to share ideas, collaborate and help get work done. This Privacy Notice explains how information (including personal data as defined under GDPR) is collected, retained, used, disclosed, and transferred by Box and the available choices you have in regards to your personal information. This Privacy Notice applies to information collected, used or shared by Box when you use or access our websites, products, applications or services (collectively, the "Box Services"), including when you attend a Box event or otherwise interact with us.

Business Accounts

If you use the Box Services as part of a business, an entity, or a non-profit (collectively, “Organization”) that has an agreement with Box, then the terms of that agreement between the Organization and Box will supersede the Privacy Notice where the terms overlap.

Changes to This Notice

We may change this Privacy Notice from time to time. If we make any changes, we will revise the date at the top of this Privacy Notice. If there are material changes to this Privacy Notice, we may notify you or your Organization more directly by email or post a notice on Box’s website prior to the changes becoming effective. We encourage you to periodically review our Privacy Notice to stay informed about our data protection practices and the ways you can help protect your privacy.

 

Regional Notices

For region-specific guidance and information on Box’s certifications, please refer to our Regional Notice page.

Collection of Information

Box collects information in the following ways:

  1. Information You Provide. We collect the information you directly provide to Box when you visit our websites or register for and/or use the Box Services.
  2. Information We Collect Automatically. We collect information related to your usage of the Box Services and the devices you use to access those Box Services.
  3. Information We Collect from Other Sources. We collect information from third parties where you have provided us with access to information from those third parties.

In some situations, you can decline to provide information to Box when asked for it. If you decline to provide information where Box requires such information to operate the Box Services and fulfill our obligations, you may not be able to use the applicable Box Service(s). Situations where this may occur include:

  • Where Box asks you to provide personal information to be able to add features or services to an existing account at your request;
  • Where Box asks you to provide personal information to create an account; or
  • Where a third-party application on Box asks you to provide information to use their feature or service.

There may be situations where you do not have the ability to decline to provide information. This includes where Box automatically collects personal information through your use of Box Services. For any questions about providing us with your personal information, please contact us at privacy@box.com

Learn More

Use of Information

Box uses information collected for the purpose of providing the Box Services. Box will process and transfer information within and to the U.S. and other countries and territories from which Box or its authorized third parties may operate, which may have different privacy laws from your country of residence. For more details please see the Regional Notices page.

Learn More

Sharing and Disclosure of Information

We will not share personal information about you or any Content with any third parties, unless you allow it, as described in this Privacy Notice, or in connection with providing you the Box Services. We may share information with (i) third parties and vendors or other services providers working on our behalf; (ii) the third-party Box integrations or other third-party products that you choose to use while working with the Box Services or (iii) when necessary, to protect the security and safety of our users or when required by law or a legal process.

Learn More

Your Personal Information Choices

We understand that your personal information is important to you, and that is why you have choices in how your personal information is used and shared. You can exercise your data protection and privacy rights at any time by logging into your Box account and updating your preferences or contacting Box at privacy@box.com.

For example, you can:

  • Update, access, and delete your account information;
  • Choose whether you wish to receive promotional and newsletter communications; and
  • Choose whether you wish to share personal information with and use Box integrations.
Learn More

Protection of Personal Information

Box is committed to securing your personal information. We take appropriate technological and organizational measures to help protect your personal information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Box complies with applicable data protection, privacy, and security breach notification laws.

Some of the ways in which Box protects your personal information include:

  • We encrypt your Content when it is stored at rest in our data centers.
  • We protect sensitive information with encryption during transmission over the public Internet.
  • We keep the servers on which personal information is stored in a controlled environment with limited access.
  • We maintain a wide variety of compliance and security programs.

Our Policy Toward Children

The Box Services are not directed to individuals under the age of 18 and we do not knowingly collect information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at privacy@box.com. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information as soon as possible.

Contacting Us

Please contact us at privacy@box.com or at Box Privacy, 900 Jefferson Avenue, Redwood City, CA 94063, United States of America if you:

  • Have questions about this Privacy Notice;
  • Would like to contact Box’s Data Protection Officer;
  • Wish to make a complaint or have a concern about our handling of your personal information; or
  • Want to report a possible breach of privacy laws.

Box will respond to your inquiry within 30 days. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

If you are in the EEA or Switzerland, you can report this to your local data protection authority (“DPA”), or if you are in the United Kingdom, the Information Commissioner's Office (“ICO”).

Box complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and/or Switzerland, as applicable, to the United States in reliance on Privacy Shield. Box has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

The Federal Trade Commission has investigation and enforcement authority over our compliance with the Privacy Shield.

 

If we have received your personal information under the Privacy Shield and subsequently transfer it to a third party service provider for processing, we will remain responsible if they process your personal information in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.