Effective as of January 1, 2023
Asia-Pacific Economic Cooperation (“APEC”)
APEC Cross Border Privacy Rules (“CBPR”) System: Box, Inc.’s privacy practices, described in the Privacy Notice, comply with the APEC CBPR System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Data transferred among participating APEC economies. More information about the APEC framework can be found at: https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System.
APEC Privacy Recognition for Processors (“PRP”) System: Box, Inc.’s privacy practices, described in this Privacy Notice, comply with the APEC PRP System . The APEC PRP System provides a framework for data processors to demonstrate their ability to effectively implement a data controller’s privacy requirements . More information about the APEC PRP framework can be found at: http://mddb.apec.org/Documents/2015/ECSG/DPS2/15_ecsg_dps2_007.pdf.
Protecting the privacy rights of Customers is fundamental to the services Box provides. Box has historically offered Customers an overlapping set of legal mechanisms and frameworks for data transfers out of the European Economic Area (EEA).
EU Binding Corporate Rules: Box, Inc., and the Box group of companies seek to maintain its EU BCRs by transferring to a lead supervisory data protection authority located in the EEA. While Box awaits approval of its EU BCRs, Box remains committed to adhering to the principles set-forth in the current BCRs authorized and approved by the European data protection authorities, as will be listed at the European Commission website. We have made Standard Contractual Clauses (SCCs) available to all customers, ensuring a lawful data transfer mechanism when transferring data from the European Economic Area (EEA) to outside of the region. Box EU BCRs are made available below:
EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield: On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that the EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield Framework is no longer a valid data transfer mechanism for transferring personal data from the European Economic Area (EEA) to the United States. Per guidance from the United States Department of Commerce, Box, Inc. will continue to participate and certify its compliance with the EU - U.S. Privacy Shield Framework and the Swiss - U.S. Privacy Shield Framework. For more information about our Privacy Shield certifications, please view the Box EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Notice.
UK Binding Corporate Rules: The EU-UK Trade and Cooperation Agreement marked the end of the United Kingdom’s (UK) transition period to leave the European Union (Brexit) on December 31, 2020. Box, Inc. and its subsidiaries (collectively, "Box") remain committed to maintaining and adhering to a valid data protection framework and transfer mechanism. The UK’s Information Commissioner’s Office (ICO) has listed Box as a certified Processor and Controller of UK Binding Corporate Rules (BCRs) on the ICO website. Box’s UK BCRs are made available below:
As required by the California Consumer Privacy Act of 2018, as amended (“CCPA”), this California Notice at Collection (the “CA Notice”) supplements the information contained in the Box Privacy Notice. This CA Notice describes how Box, Inc. and its affiliates collects, uses and shares the personal information of California residents (“consumers” or “you”) and how to exercise your rights under the CCPA.
Scope. When we say Personal Information in this CA Notice, we mean information that identifies, relates to, or could reasonably be linked to you or your household.
The CCPA provides certain exemptions that may apply to Box’s collection of your Personal Information. These exemptions include personal information that we’ve collected from or about you that is publicly available (as described in Cal. Civ. Code Section 1798.140). As such, this CA Notice and the privacy rights described herein may not apply to you or to all your personal information.
For information relating to Box job applicants, current and former employees, contractors or other Box personnel, please review the Box Personnel Privacy Notice or the Box Candidate Privacy Notice.
Notice at Collection. We may collect personal information about you for a variety of purposes. For example, we may collect the below categories of personal information.
Contact Information that we collect directly from you, which may include your name, email address and phone number.
Commercial Information such as the Box products or services you’ve purchased, obtained or considered.
Internet and other related network activity such as your IP address, session logs and how you interact with our website and applications in accordance with the Box Cookie Notice.
Geolocation Data which may include a subset of your internet and network activity such as your IP address.
Other Personal Information such as (1) information you provide to us when you register for Webinars, Demos, Virtual Conferences (2) information you provide when you download our white papers and reports (3) information you provide when you engage with Box’s Community Forums (4) information you provide when you contact us directly through our Box Support portal.
Use of Personal Information. We may use your personal information for the following purposes:
provide, operate, maintain, and improve the Box Services;
communicate with you about services, features, surveys, newsletters, offers, promotions, contests and events, and provide other news or information about Box and our select partners;
personalize and improve the Box Services, and provide Content, features, and/or advertisements that match your interests and preferences or otherwise customize your experiences on the Box Services; or
as otherwise described in the “Use of Information” section of the Box Privacy Notice.
Your California Privacy Rights. Subject to verification of your request, you may exercise your privacy rights listed below in relation to the personal information Box has collected about you.
The right to know what personal information Box has collected about you
The right to delete your personal information;
The right to correct your personal information;
The right to limit the use and disclosure of sensitive personal information;
The right to opt-out of the sale or sharing of your personal information; and
The right to non-discrimination for exercising your rights.
How To Exercise Your Rights. To exercise your California privacy rights, please contact us at email@example.com. We will promptly verify your request and respond within the applicable time frame of forty-five (45) days. Should we reasonably require additional time beyond the applicable time frame, we will notify you directly.
If we are unable to verify your identity as required by CCPA, we reserve the right to not process your request. Upon this determination, we will notify you of our decision along with any rights you may have to appeal the decision. As set forth in CCPA, we are only required to respond to certain rights requests twice in any twelve (12) month period.
If you elect to exercise any of your rights, Box will not deny services, provide a different price or rate for our services, or provide a different level of service to you because you exercised such rights.
Prior Collection, Use and Sharing of Information. In connection with providing you the Box Services (the “business purpose”), we may share your personal information to third parties and other entities as described in the Box Privacy Notice and Subprocessor Notice.
As required by the CCPA, we are obligated to disclose the categories of personal information we’ve collected, the business purpose for the collection and the categories of third parties to whom we’ve disclosed your personal information. The table below sets out our practices over the last twelve (12) months.
Categories of Personal Information
Business Purpose for Collecting Personal Information
Categories of Third Parties to whom Personal Information is Disclosed
Updates to this CA Notice. We may update this CA Notice from time to time. When we make changes to this CA Notice, we will update the “Last Updated” date at the top of the page.
Contact Us. Should you have additional questions about this CA Notice, please contact us at firstname.lastname@example.org.
Starting January 1, 2023, this Virginia Privacy Notice ("VA Notice") supplements the information contained in our Privacy Notice and applies to Virginia residents who use the Box Services ("consumers" or "you"). This VA Notice sets out information regarding Box’s collection, use and sharing of your personal data relating to your use of the Box Services. This VA Notice is intended to comply with the Virginia Consumer Data Protection Act ("CDPA"). When you interact with us or use the Box Services, you agree that as a resident of Virginia, your personal data will be handled as described in the Terms of Service, Privacy Notice and this VA Notice.
Personal Data We Collect from Virginia Residents and How We Use It
Box collects certain categories of personal data when you use the Services, including identifiers, commercial information, internet or other related network activity, geolocation data tied to your IP address, and other personal data. A more detailed description of the personal data Box collects and how we use it is provided in the "Collection of Information," and "Use of Information" sections of the Privacy Notice.
For purposes of the CDPA, Box does not engage in profiling/automated decision making that produces legal or similarly significant effects. In addition, Box does not "sale" personal data to "third parties".
Box may collect personal identifiers from you automatically. These identifiers include IP address, device identifiers, advertising ID and other information about your browser or device. We may collect this information via cookies and other tracking technologies and share it with third parties that operate in the advertising ecosystem for "targeted advertising". This is further described in our Privacy Notice and Cookie Notice.
Virginia Privacy Rights
If you are a resident of Virginia, you may have the right to the following:
request to confirm whether we process your personal data and to access such personal data;
request to correct inaccuracies in your personal data;
request deletion of your personal data, subject to certain exceptions;
request to obtain a copy of your personal data;
request to opt-out of processing of personal data for purposes of targeted-advertising;
request to opt-out of the "sale" of personal data; and
opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.