INFISICAL

Privacy Policy

Last Updated: Sep 2, 2022

Overview

This Privacy Policy (“Privacy Policy”, “Policy”) describes how Infisical, Inc. (“Infisical”, “we”, “us” or “our”) collects, uses, shares, processes and protects personal information (“Personal Information”) relating to individuals (“you”, or “your”), who may use or interact with our websites or services, communicate with us, contact us, or attend our events. “You” may be a visitor to one of our websites, a user of one or more of our Services (“User”), a collaborator, or a customer (“Customer”).

Infisical respects your privacy and is committed to protecting your Personal Information (any information that relates to an identified or identifiable individual).

Note: We do not rent, sell or trade your Personal Information.

Scope

This Policy applies to all visitors of our websites, and users of our products, websites, features or services, or any other Infisical websites that link to this Policy (collectively, the “Websites”), unless covered by a separate privacy policy, and explains how we collect, use, disclose, and safeguard your information. Please note that this Privacy Policy does not apply to the extent that we process Personal Information in the role of a processor (or a comparable role such as “service provider” in certain jurisdictions) on behalf of our customers, including where we offer to our customers various cloud products and services, through which our customers (and/or their affiliates) connect their own applications to our hosted platform, sell or offer their own products and services, send electronic communications to other individuals, or otherwise collect, use, share or process Personal Information via our cloud products and services.

Please read this Privacy Policy carefully.

Data collections and uses

Overview

This Policy describes how we collect and use your Personal Information, whether it is shared and/or disclosed, and how we address privacy matters, such as deletion of your Personal Information upon request, and opting-out of marketing communications. Lastly, we describe methods for contacting us if you have privacy questions, comments or feedback.

Personal Information we collect and receive

Transparency is one of the best ways to earn your trust. Below are the types of personal data elements we may receive and process about you through: the use of our website, products, or support services; attendance of our virtual and in-person events; third party advertising and marketing partners; and applications to our open roles. The summary sections and tables below explain in further detail the specific personal data elements information we collect from you or receive from third parties and why, based upon your relationship with us and as your relationship evolves with Infisical.

Visitors

When you visit our public websites, without logging into an account or using our products and/or services, we consider you a Visitor. As a Visitor, the information we collect from you is listed below. You’re not obligated to provide us with such Personal Information, and you are free to change or completely opt-out of information being shared with us; however refusing to provide requested Personal Information might prevent you from using certain features of the Websites or the Websites completely.

For this purpose, we collect:

  1. Cookies: To recognize you when you make a return visit and deliver overall a consistent experience. Most modern browsers allow you to delete or limit cookies. You can manage your cookie preferences and settings by making choices in our cookie banner or through our cookie preference center.
  2. Third-party Tags and Coockies: To deliver an overall consistent experience, and measure our marketing effectiveness. Most modern browsers allow you to delete or limit cookies, including third-party cookies; however, you may not be able to limit marketing tags entirely unless you do not visit our sites. You can manage your cookie preferences and settings by making choices in our cookie banner or through our cookie preference center.
  3. Internet Protocol (IP) Address: It is a part of the basic function of the internet to measure who is visiting us and from where. The only way to avoid this is to not visit our sites.
  4. Browser Metadata (i.e. browser type, version, operating system): This is done to maintain website functionality. Browsers communicate this automatically; however, some third-party extensions may allow you to limit this
  5. Log data: This is done to maintain website functionality. Log data is collected automatically and may include: Internet Protocol (IP) addresses; browser types, product versions, and operating systems, date and time stamp, language preferences, etc.
  6. Contact Data (i.e., Names, emails, phone numbers, etc.): This is used to respond to your inquiry via our “contact us” methods. This information is shared voluntarily.
  7. Online behavioral data. We may automatically collect certain information about your use and interactions with our websites, customers’ websites or e-commerce stores, Platform, social media websites, and marketing campaigns that we or our customers organize, including device information (such as your IP address and unique device IDs), page view information and search results, links and if you are a customer contact, whether or not a campaign presented or sent to you using our offerings has been viewed, delivered, opened, clicked on, whether it has bounced or was treated as spam.
  8. Usage information. We may collect information about your usage of the Platform, such as the pages you viewed, the services and features you used or interacted with, your browser type and details about any links or communications with which you interacted.

Customers/Prospective Customers (Marketing)

In addition to the data above, you may also voluntarily share Personal Information with us, as customers or prospective customers, in order to receive information about products and services, or to register for an upcoming event. This information may include:

  1. First Name, Last Name, Email, Company name (To respond to your inquiry; Email you about product offerings, updates and other marketing promotions); This information is voluntarily shared, to provide individuals with relevant marketing materials; You can opt out of marketing emails by emailing to the [email protected].
  2. Analytics Information (To measure the effectiveness of our marketing activities); You can manage your preferences and settings by making choices in our cookie banner or through our preference center

Users/Customers

If you choose to register for an account with Infisical or on our Websites, you will share Personal Information with us.

When you register, create a User Account on our Website and begin using our products, we consider you a User. This section describes our privacy practices related to Users. Keep in mind Users are also considered Visitors so we collect this data in addition to what was described for Visitors. The information we collect for Users includes:

  1. Email, Username, and Password. This is required in order to establish your account and allow you to securely access it as well as email you about service updates, maintenance activities, security notifications, weekly summaries, and other account related information. These are required for us to facilitate your account lifecycle or to contact you. You can; however, opt out of marketing emails by emailing [email protected].

  2. Phone Number (For 2-factor authentication to increase security). This is required to enable 2-factor authentication.

  3. Payment Data (credit card data, address, etc.): In order to process you payment, we require the minimum amount of data. This is required to process your payment.

    NOTE: We do not store any financial data, as we use Stripe to process the payments.

  4. Other personal data. This includes but is not limited by the following use cases: • To facilitate use of our website contact forms. • To fulfill support tickets • To facilitate events and attendance • For interactions of social media • Participation in surveys Each of these activities are optional and personal data is provided voluntarily.

How we use Personal Information.

Purposes of Processing

In addition to those detailed above, we will not use or share your Personal Information in ways unrelated to those described below. We do not use automatic decision-making or profiling, and will not sell your Personal Information for any purpose.

  • Customer’s instructions. Infisical will only share and disclose Personal Information in accordance with a Customer’s instructions, including any applicable terms in the Customer’s agreement(s) with us, and in compliance with applicable laws and regulations.
  • Customer access. Owners, administrators and other Customer representatives and personnel, as defined in the Customer agreement(s) with us, may be able to access, modify, or restrict access to Personal Information.
  • To provide and maintain our products. To respond to support requests, prevent or address any issues, monitor usage, and improve our products.
  • Administer events. We will use personal data provided to facilitate an event which may include providing information to third party vendors and partners.
  • *During a change to Infisical’s business. **If Infisical is involved in a merger, acquisition, sale of all or a portion of our assets, or bankruptcy, your Personal Information would be an asset transferred to or acquired by the successor entity or third party. You acknowledge that such transfers may occur and that the transferee may process Personal Information in a manner different to that set out in this Privacy Policy. You will be notified by email and/or a prominent notice on our Websites of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
  • Aggregated or de-identified information. We may disclose or use aggregated or de-identified Personal Information for any purpose. For example, we may share aggregated or de-identified information with prospects or partners for business or research purposes, such as showing a total count of active users accessing our products. We may use aggregated and de-identified Personal Information to further develop our own products and services as well.
  • To enforce our rights, prevent fraud, and for safety. Infisical may process your Personal Information to protect and defend the rights, property, or safety of Infisical or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues. In all such instances, use and disclosure will be limited as much as reasonably possible.

Legal Basis for Processing

Our legal basis for collecting and using the personal information described in the above sections will depend on the personal information concerned and the specific context in which we collect it. However, in most cases we collect the personal information to facilitate the business relationships we have with our Users where we have consent to do so, to fulfill contractual agreements, or to pursue our legitimate interests where these are not overridden by the interests, rights, or freedoms of Users. In some cases we may be required legally to collect or disclose personal information; in which case we will make this clear. In other cases, where we rely on an alternative legal basis, we will do so only with the appropriate legal requirements in place. For any questions on our legal basis for processing, please contact us at [email protected].

Third Party Sharing

We may engage third party companies or individuals as service providers or business partners to process Personal Information and support our business. We may share Personal Information with third parties for a variety of reasons, including but not limited to:

  • Service providers, business partners, and subprocessors. Service providers, business partners, and subprocessors all help to support Infisical’s products and operations. For a full list of Infisical’s subprocessors that process Personal Information on our behalf, please view this webpage or reach out to [email protected].
  • To comply with laws. If we receive a valid request for information, we may disclose Personal Information if we reasonably believe disclosure is in accordance with or required to comply with the legal process, a government request, or any applicable law or regulation.

How long do we keep your data?

We only process and keep any Personal Information for as long as necessary to achieve the purpose for which the information was originally collected. The exact length of time we keep Personal Information depends on our processing purposes and the statutory retention period for that type of information. After the statutory period of time passes, or if storage of Personal Information is not needed, Personal Information is deleted or anonymized.

Security

Infisical takes appropriate administrative, technical, physical, and organizational security measures to protect your Personal Information from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction. We follow industry standards to protect the Personal Information submitted to us, both during transmission and once it is received, taking into account the nature of such information and the risks involved in processing, and comply with applicable laws and regulations. While we have taken reasonable steps to secure the Personal Information you provide to us, please be aware that despite our best efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. For more information on our practices with regards to security and confidentiality please visit our security page.

If you have any questions about our security, or have reason to believe that your interaction with us is no longer secure, please contact us at [email protected].

Policy For Children

We do not knowingly solicit information from or market to children under the age of thirteen (13). If you are under age 13, please do not give us any Personal Information. We encourage parents and legal guardians to monitor their children’s Internet usage and to help us enforce our Privacy Policy by instructing them to never share Personal Information through our Websites without their permission. If you suspect or become aware of any data we have collected from children under age 13, please contact us immediately by emailing [email protected] or by using the contact information provided below.

International Data Transfers

All information processed by us may be transferred, processed, and stored anywhere in the world, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistently with the requirements of applicable laws.

Where we transfer your personal information to countries and territories outside of the European Economic Area and the UK, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations” from the Secretary of State in the UK.

Where the transfer is not subject to an adequacy decision or regulations, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy.

Notice for California Residents

The California Consumer Privacy Act (CCPA) is a new data privacy law that applies to certain businesses which collect Personal Information from California residents. The law went into effect on January 1, 2020. Infisical now offers data protection terms pursuant to the EU GDPR and UK GDPR in Europe and the same terms under the CCPA. Your rights under the CCPA are described below.

Please note that Infisical does not rent or sell any Personal Information.

In addition, California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits California residents to request and obtain from us, once a year and free of charge, 1) information about categories of Personal Information (if any) we disclosed to third parties for direct marketing purposes, and 2) the names and addresses of the third parties with which we shared Personal Information in the preceding calendar year.

If you are under 18 years of age, reside in California, and have a registered account with our Websites, you have the right to request removal of unwanted data that you publicly post on our Websites. To request removal of such data, please contact us at [email protected] and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on our Websites, but please be aware that the data may not be completely or comprehensively removed from our systems due to legal and regulatory requirements.

Your Rights

We recognize, under the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, CCPA, the EU GDPR, the UK GDPR, the Brazilian General Data Protection Law (LGPD), and other applicable privacy laws, that you may have certain rights in regards to your Personal Information. We feel that your privacy and ability to preserve and exercise your rights is very important. You are encouraged to review and understand these rights as they pertain to you and your Personal Information. In certain circumstances, these rights include, but are not limited to:

  • Right to be Informed: This means we have to tell you why we process your Personal Information, our retention periods, and who it will be shared with.
  • Right of Access: This means we have to provide you with a copy of your Personal Information we process upon your request.
  • Right to Rectification: This allows you to have inaccurate Personal Information rectified, or completed if it is incomplete.
  • Right to Erasure: This allows you to have your Personal Information erased.
  • Right to Restrict Processing: This means you can limit the way we use their data.
  • Right to Data Portability: This allows you to receive a copy of your Personal Information in a structured, commonly used and machine-readable format and gives you the right to transmit the data to another controller without hindrance.
  • Right to Object: This allows you to object to the processing of your Personal Information at any time.
  • Right to Non-Discrimination: The CCPA prohibits covered businesses from discriminating against consumers for exercising their CCPA rights. This means we cannot charge a different price, deny access to our products, or impose penalties for exercising your rights under the CCPA.
  • Right to Withdraw Consent: This means you can withdraw your consent at any time.

In support of these rights, you may exercise any of the above rights, with respect to your Personal Information. You may update, correct, or delete your Personal Information; if you wish to delete or suspend your account, please note that we may retain certain information as required by law or for legitimate business purposes. If you have become aware that an account has been created about you without your knowledge or consent, you may contact us to request deletion of that said account. You may contact us by emailing [email protected]

For your protection, we may only respond with the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will respond to your request within 30 days.

Changes to This Policy

If we make material changes to this Policy, we will revise the “Last Updated” date at the top of this Policy, and in some cases, where required by law, we may provide you with more prominent notice (such as adding a statement to our homepage or sending you an email notification). Any changes or modifications will be effective immediately upon posting of the updated Privacy Policy.

We encourage you to review the Policy whenever you access the Websites to stay informed about our information practices and the ways you can help protect your privacy.

Contact Us

For any and all privacy-related matters, questions or comments, or to exercise a right under the EU’s GDPR, the UK’s GDPR or the CCPA, you may contact us in writing or by email. Our contact us at [email protected].

EU or Swiss residents with inquiries or complaints regarding this Privacy Policy should first contact Infisical at [email protected]. Please allow a reasonable amount of time to respond to your request.

If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance. Under certain conditions, you may invoke binding arbitration when other dispute resolution procedures have been exhausted and upon written notice to Infisical at [email protected].

Full Infisical Logo

PRODUCT

Secret Management

Secret Scanning

Share Secret

Pricing

Security

RESOURCES

Blog

Infisical vs Vault

Careers

Hiring

Forum

Open Source Friends

Customers

Company Handbook

Trust Center

LEGAL

Terms of Service

Privacy Policy

Subprocessors

Service Level Agreement

CONTACT

Team Email

Sales

Support