General
This is the privacy notice of Sophos Limited and its subsidiaries.
This document was last updated on 11 December 2024.
We are committed to safeguarding the privacy of your personal data. Please read the following privacy notice to understand how we collect and use your personal data, for example when you contact us, visit or use one of our websites, mobile applications, portals, or other parts of our network (each a “Site”), or use our products and services, regardless of how you access them. This privacy notice also explains the rights available to you in respect of your personal data.
- What personal data do we collect, how do we collect it, and why?
- Other specific ways we collect and use your personal data
- Legal basis for processing personal data
- With whom might we share your personal data
- International transfers of data
- Data retention
- Use by children
- Automated decision-making
- Your data protection rights
- Links
- Security
- California privacy rights
- Data Processing Agreement
- Contact
- Notification of changes
What personal data do we collect, how do we collect it, and why?
Data that you provide voluntarily to us
When you use our Site, products or services, or you otherwise communicate with us, we may ask you to provide certain personal data voluntarily, including but not limited to your name, company position, postal address, telephone number, mobile number, fax number, email address, credit card or other payment details, age or date of birth, account usernames, passwords, or gender. For example, we may ask you to provide some or all of this personal data when you register an account with us, subscribe to our marketing communications, purchase products or services, and/or submit enquiries to us. We use this information to create and administer your account, send you marketing communications, provide you with the products and services you request, and to respond to your enquiries. In general, the personal data that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal data.
Data collected automatically
When you use our Site, products, or services, we may collect certain data automatically from your computers or devices (including mobile devices). The data we collect automatically may include your IP address (explained further below), device type, operating system details, unique device identification numbers (including mobile advertising identifiers), browser-type, browser language, operating system, geographic location (as explained further under the heading “Location information”) and other technical information. We may also collect data about how your device has interacted with our Site, products or services, including the pages or features accessed and links clicked, the amount of time spent on particular pages, mouse hovers, the date and time of the interaction, error logs, referring and exit pages and URLs, and similar information. Collecting this data enables us to better understand the visitors who use our Site, products, and services, including where they come from and what features are of interest to them. We use this information for our internal analytics purposes, and to improve the quality, relevance, and security of our Site, products and services.
For example, every time you connect to the Site, we store a log of your visit that shows the unique number your machine uses when it is connected to the Internet - its IP address. This log tells us what your machine has looked at, whether the page request was successful or not, and which browser your machine used to view the pages. This data is used for statistical purposes as well as to help customize the user experience as you browse the Site and subsequently interact with Sophos. This helps us to understand which areas of the Site are of particular interest, which pages are not being requested, and how many people are visiting the Site in total. It also helps us to determine which products and services may be of specific interest to you. We may also use this information to block IP addresses where there is a breach of the terms and conditions for use of the Site.
Some of the data may be collected automatically using tracking technologies, as explained further under the heading “Cookies and similar tracking technology”.
Data that we obtain from third party sources
From time to time, we may receive personal data about you from third party sources (including without limitation recruitment agencies, credit check agencies, agencies providing compliance checks, lead generation providers, resellers, and other partners who sell our products and services to you), but only where such third parties have confirmed that they have your consent or are otherwise legally permitted or required to disclose your personal data to us.
The types of information we collect from third parties include contact details, credit history, and order information, and we use the information we receive from these third parties to carry out compliance checks required under applicable law (such as anti-bribery and corruption checks), make credit decisions, maintain and improve the accuracy of the records we hold about you, and market our products and services to you.
We also receive information from other members of the industry that forms part of or otherwise helps us to develop, test, and enhance our own product offering (for example spam lists, malicious URL lists, and sample viruses), some of which could contain personal data (where permitted by applicable law).
We may combine information that we collect from you with information about you that we obtain from such third parties.
Data collected through our products and services
We use data that we collect from products and services for the purposes for which you provided it, usage and audience counts, monitoring the performance and effectiveness of the products/services, monitoring compliance with our terms and conditions, enabling compatibility with third party operating systems/products/services, planning future roadmap strategy, planning product/service/feature lifecycles and retirements, conducting spam, threat and other scientific research, developing new products and services, enhancing existing products and services, troubleshooting product issues, generating statistics, reporting, and trend analysis. This may include incidental personal data (for example usernames, machine IDs, domain names, IP addresses, file names, and file paths).
Our products and services may collect further additional personal data about you beyond the data described in this privacy policy, or use your personal data in ways that are different to or in addition to those described in this privacy policy. We provide a Product Privacy Information page that explains how our products and services collect and use personal data. Please review the relevant section of the Product Privacy Information page for the product or service you are using to ensure that you are fully informed.
Cookies and similar tracking technology
A cookie is a piece of text that gets entered into the memory of your browser by a website, allowing the website to store information on your machine and later retrieve it.
Our Site, products, and services may use cookies, unique device identifiers (like Apple ID For Advertisers on iOS devices, and Android Advertising ID on Android devices), and other tracking technologies (collectively, "Cookies") to distinguish you from other users and better serve you when you return to the Site, product, or service, and to monitor and analyse the usage of the Site, product, or service. Cookies also enable us and our third party partners to track and target the interests of our users to enhance the onsite or in-product experience through content, features, and advertisements.
We, along with our service providers, may also use other Internet technologies, such as Flash technologies, Web beacons or pixel tags, and other similar technologies, to deliver or communicate with cookies and track your use of the Site, product, or service, as well as serve you ads and personalize/customize your experience when you are using our Site, product, or service and/or when you are on other websites where those cookies can be accessed. We may also include Web beacons in email messages, newsletters, and other electronic communications to determine whether the message has been opened and for other analytics, personalization, and advertising. As we adopt additional technologies, we may also gather additional information through other methods. This practice is explained further under the heading “Marketing and promotions”.
As explained above, we occasionally share information you have provided to us with service providers, who will de-identify the information and associate it with cookies that enable us to reach you. We may also help these service providers place their own cookies, by deploying a cookie that is associated with a 'hashed' value associated with interest-based or demographic data, to permit advertising to be directed to you on other websites, applications or services.
Most browsers automatically accept cookies, but you can modify your browser setting to decline cookies by visiting the Help portion of your browser's toolbar. If you choose to decline cookies, please note that your ability to sign in, customize, or use some of the interactive features of our Site, product, or service may be impeded, and the advertisements you see may not be as relevant to you.
For more information about the cookies that we use, please refer to our Cookie Information page.
Location information
We may collect different types of information about your location, including general information (for example IP address or ZIP code) and more specific information (for example GPS-based functionality on mobile devices when used to access a Site, product, or service). This information may be used to customize the services provided to you, such as location-based information, advertising, and features. In order to do this, your location information may be shared with our agents, vendors, or advertisers. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer's instructions for further details.
Other specific ways we collect and use your personal data
Partner portal
Our resellers, distributors, and other partners may visit our partner portal Site. We may use the information provided on that Site for partner relationship management, billing, forecasting, trend analysis, renewal management, marketing, and in order to sell and provide the products and services.
Account management
If you obtain products or services from us, we may use your contact details and (where applicable) payment information for the purposes of (i) providing training, customer support, and account management, (ii) order processing and billing, (iii) verifying your usage of the products and services in accordance with the terms and conditions of your agreement with us, (iv) carrying out checks for export control, anti-bribery, anti-corruption, the prevention of modern slavery, and other compliance purposes in accordance with requirements under applicable law; (v) contacting you (including by email communication) regarding license expiry, renewal, and other related notices, and (vi) maintaining our company accounts and records.
Market research and surveys
If you participate in surveys, we may use your personal data for our internal business analysis and training purposes in order to improve our understanding of our users’ demographics, interests and behaviour, to measure and increase customer satisfaction, and to improve our products and services.
Competitions, contests, promotions
If you participate in a competition, contest, or promotion conducted by us or on our behalf, we may use your personal data in order to administer such competition, contest, or promotion. We may also use your personal data as explained further under the heading “Marketing and promotions”.
Chat rooms
Please be careful and responsible whenever you are online. Should you choose to voluntarily disclose information to open areas of our Site, such as via the Sophos Community, online help, or other chat rooms, that information can be viewed publicly and may be collected and used by third parties without our knowledge or consent, and may result in unsolicited messages from other individuals or third parties.
Marketing and promotions
We (or our resellers or other selected third parties acting on our behalf) may contact you from time to time in order to provide you with information about products and services that may be of interest to you. Such communications may contain tracking technology that tells us whether you opened the communication and whether you followed the hyperlinks within the communication, in order to help us analyse the effectiveness of, monitor, and improve our marketing campaigns. All marketing communications that we send to you will respect any marketing preferences you have expressed to us and any consent obligations required under applicable privacy and anti-spam rules. You have the right to ask us not to process your personal data for certain or all marketing purposes, but if you do so, we may need to share your contact information with third parties for the limited purpose of ensuring that you do not receive marketing communications from them on our behalf.
Network monitoring
We may collect logs and other data about access to and traffic passing through our network and equipment for the purposes of availability and performance monitoring, maintenance, security monitoring and investigations, conducting spam, threat and other scientific research, new product and service development, the enhancement of existing products and services, generating statistics, reporting, and trend analysis.
Sample submissions
We collect information about suspected spam, suspected malicious files, and files that may be unwanted or undesirable for our customers (for example file names, URLs, file paths, hashes, and file samples) that are (i) received by our own network and equipment, and (ii) voluntarily submitted via our products and services or our Site submission pages. We use this information for spam, threat and other scientific research, new product and service development, the enhancement of existing products and services, generating statistics, reporting, and trend analysis.
Legal basis for processing personal data
Our legal basis for collecting and using personal data will depend on the personal data concerned and the specific context in which we collect it.
However, we will normally collect personal data from you only where we need the personal data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another person.
If we collect and use your personal data in reliance on our legitimate interests (or those of any third party) other than as described in this privacy policy, we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided under the “Contact” heading.
With whom might we share your personal data
We may transfer or disclose your personal data to the following categories of recipients:
- to our group companies, third party services providers, suppliers, agents, and other organisations who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to enhance the security of our Site, products, or services), or who otherwise process personal data on our behalf for purposes that are described in this privacy policy or notified to you when we collect your personal data (such as advertising, sweepstakes, analytics, research, customer support, fraud prevention, and legal services);
- to our authorised resellers, distributors, and other channel partners in order to process your order or sales enquiry, manage your subscription, provide technical or customer support, advise of upcoming product or service subscription expiry and renewal dates, or as otherwise notified to you when we collect your personal data;
- a subset of our threat intelligence data to selected reputable members of the IT security industry for the purpose of anti-spam and security threat research;
- to any government department, agency, court or other official bodies where we believe disclosure is necessary (i) as a matter of applicable law or regulation (such as in response to a subpoena, warrant, court order, or other legal process), (ii) to exercise, establish, participate in, or defend our legal rights, or limit the damages we sustain in litigation or other legal dispute, or (iii) to protect your vital interests, privacy, or safety, or those of our customers or any other person;
- to a potential or actual buyer or transferee (and its agents and advisers) in connection with any proposed or actual transfer of control, purchase, merger, reorganisation, consolidation, or acquisition of any part of our business, provided that we inform the buyer or transferee it must use your personal data only for the purposes disclosed in this privacy policy;
- to any other person with your consent to the disclosure.
Except as set out above, we will not disclose your personal data save where we need to do so in order to enforce this privacy policy, our End User License Agreement, our rights generally, or where required or permitted by applicable local or foreign law.
Whenever we share personal data, we take all reasonable steps to ensure that it is treated securely and in accordance with this privacy policy. This may include without limitation aggregating or de-identifying information so that it is not intended to be used by the third party to identify you.
Data Transfers
As a global company, we and our service providers operate, and our Site, products, and services are accessed from, all over the world. When you give us personal data, that data may be used, processed, or stored anywhere in the world, including in countries that have data protection laws that are different to the country in which you reside.
However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this privacy policy. For example, these include implementing the European Commission’s Standard Contractual Clauses (SCCs) for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the European Economic Area in accordance with European Union data protection law. We have implemented similar appropriate safeguards with our third party service providers, and further details can be provided upon request by contacting us using the contact details provided under the “Contact” heading.
Data retention
We retain personal data we collect from you for as long as necessary for the purposes for which the personal data was collected or where we have an ongoing legitimate business need to do so (for example, to provide you with a product or service you have requested, to ensure that transactions can be processed, settled, refunded, charged back, or to identify fraud), or to comply with applicable legal, tax, or regulatory requirements. Even if you close your account, we will retain certain information in order to meet our obligations.
When we have no ongoing legitimate business need to process your personal data, we will either securely destroy, erase, delete or anonymise it, or if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
Use by children
The Site, the products, and the services are not intended for persons under the age of 16. By using the Site, product, or service, you hereby represent that you are at least 16 years old.
Automated decision-making
In some instances, our use of your personal data may result in automated decisions being taken that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, our products and services use automated decisions to determine whether a domain, URL, or IP address is sending spam or malicious content in order to protect our customers from unwanted or undesirable content. We have implemented measures to safeguard the rights and interests of individuals whose personal data is subject to automated decision-making, including controlled product releases and regular quality assessments.
When we make an automated decision about you (for example if we block a domain, URL, or IP address used by you), you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided under the “Contact” heading.
Your data protection rights
Under applicable data protection laws, you may have the following data protection rights:
- the right to access, delete or request portability of your personal data.
- the right to ask us to correct or update your personal data, object to processing of your personal data, or ask us to restrict processing of your personal data.
- where we have collected and process your personal data with your consent, then you can withdraw your consent at any time.
To exercise any of these rights, please submit a request via our data protection rights request portal.
You also have the right to opt out of marketing communications we send you at any time. You can usually exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. Alternatively, you can email unsubscribe@sophos.com.
Please note some of the rights detailed above are not absolute and may not be applicable in certain scenarios. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
If you have a complaint about our processing of your personal data, please contact us first using the contact details provided under the “Contact” heading. If you are unhappy with our response, you have the right to complain to the data protection authority in your country.
Links
This privacy policy applies to personal data collected by us. If we provide a link to a third party site (whether through our Site, a product or service, or in an e-mail we send you), please be aware that we are not responsible for the content or privacy practices of such third party site. We encourage our users to be aware when they leave our Site, and to read the privacy policy of other sites that collect personal data. We are not liable for any disputes, loss, or damage that may arise from or in connection with your use of such third party sites.
Security
While we strive to protect your personal data, no data transmission or storage can be guaranteed as 100% secure. We endeavour to protect all personal data using reasonable and appropriate physical, administrative, technical, and organisational measures, and in accordance with our internal security procedures and applicable law. These safeguards vary based on the sensitivity of the information that we collect, process, and store, and the current state of technology.
If you have been given or have created log-in details to provide you with access to certain parts of our Site (for example our partner portal), you are responsible for keeping those details confidential in order to prevent unauthorised access to your accounts.
California privacy rights
California Online Privacy Protection Act Notice Concerning Do Not Track Signals
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. We do not recognize or respond to browser-initiated DNT signals, as the Internet industry is currently still working toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT. To learn more about Do Not Track, you can do so here.
Your California privacy rights
California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their 'personal information' (if any, and as defined under applicable California law) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. If you are a California resident and would like to request this information, please submit your request using the contact details provided under the “Contact” heading.
Data Processing Agreement
If the provision of products and/or services constitutes processing by Sophos of personal data as processor under applicable data protection laws, Sophos’ obligations are documented in the Sophos Data Processing Addendum (“DPA Addendum”). The DPA Addendum is incorporated by reference into our agreements with our Customers, Managed Service Providers and OEM partners. If you require a signable Data Processing Agreement (“DPA”), you can countersign our pre-signed version here.
Please note, Sophos will not sign a Data Processing Agreement with its distributors and resellers, unless they are using Sophos products. Order data from end customers that is provided by distributors/resellers to Sophos is received by Sophos in its capacity as a data controller.
Contact
This is the website of Sophos Limited, a company registered in England and Wales under company number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, United Kingdom, and whose VAT registration number is 991 2418 08. Sophos Limited is the controller of personal data collected under this privacy policy (unless we indicate otherwise).
We have appointed individuals who are responsible for the protection and security of your personal data. If you have any questions about this privacy policy or complaints about the manner in which we treat your personal data, please contact our Data Protection and Privacy team at dataprotection@sophos.com.
If you wish to unsubscribe from marketing communications, please email unsubscribe@sophos.com.
Notification of changes
We reserve the right to amend or vary this policy from time to time to reflect evolving legal, regulatory, or business practices. When we update our privacy policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make (which, for minor changes, may include posting the revised privacy policy to our Site with immediate effect). Please check this page periodically for changes. We will obtain your consent to any material privacy policy changes if and where this is required by applicable data protection laws.
You can see when this privacy policy was last updated by checking the “last updated” date displayed at the top of this privacy policy under the “General” heading.