CyberArk privacy notice

CyberArk collects the personal data described below from you or the company you represent during your interactions with us. Below is a list of the personal data that CyberArk processes about you and an explanation of when and why we process it. You can also find the legal reason or multiple independent reasons we are permitted to process your personal data under GDPR (“lawful bases for processing where the GDPR applies”).

Instance of Personal Data Collection	Personal Data Processed	Purposes of Processing	Lawful Bases for Processing Where the GDPR Applies.
When you use one of our Websites
When you browse our Websites	Names, usernames or similar identifiers used on our Websites information from your web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, internet service provider (“ISP”), operating system, date/time stamp, clickstream data and analytics data regarding the actions you take on the Websites (such as the web pages viewed and the links clicked on) Contact details from any web forms you may fill out (see category immediately below)	Administer our Websites provide you with relevant website content measure the effectiveness of the content served to you and of our marketing efforts analyze and improve the use of the Websites provide more relevant and personalized information like ads, promote our business in various platforms and assess the success of our promotional activities fraud prevention and security of our Websites	Our legitimate interests in monitoring and improving our Websites and/or your consent where necessary under applicable law.
When you submit a contact form or request a demo form through the Websites, download any whitepapers or other downloadable materials from the Websites, and/or when you subscribe for a free trial	First and last name, email address, telephone number, company name, role, job title, department, and country	To reply to your request or query to set up a demo at your request to send the requested materials to you, if requested to send you communications related to our products, services, and/or events through different channels	Our legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent for CyberArk or our Partners to send you marketing communications).
When you use our Portals (either as a representative of a customer/prospective customer, channel/alliance partner, or a prospective channel/alliance partner)
When you set up an account in our Portals	First and last name, telephone number, mobile phone number, country, language, email address, job function, organization, and address	To set you up as an authorized user of the Portal and create a user profile for you to manage and administer your use of the Portals To send you communications (including marketing) related to our products, services or events via different channels to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting	Our and/or our customers’ legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent to be included in our marketing mailing lists)
When you log into and use our Portals	Credentials used to log into our Portals Browser type and browser language, referring URL, your IP address, ISP, operating system, date/time stamp, and clickstream data and the actions you take on the Portals (such as the web pages viewed, the links clicked on and searches performed)	To provide you with support and training related to the Portals to understand how our partners/customers use the Portals and analysis thereof for the purpose of monitoring and improvement of Portals to measure the effectiveness of the content served to you To send you communications (including marketing) related to our products, services or events via different channels	Our and/or our customers’ legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent to be included in our marketing mailing lists)
When you download and use CyberArk Mobile (excluding when you are using the applications on behalf of your employer or customer)
When you set up an account for use of any of our Services	First name, last name, phone number, phone model and operating system, and, if you choose to provide this, a profile picture	To allow you access to the services, in accordance with the specific functionality for which you have access rights and authorizations provide technical support	Fulfilment of our contractual obligation
		measure our marketing efforts and performance to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing to notify you about transactional issues, or other issues relating to CyberArk services (such as new features, version releases) or invitations to our customers to attend related events	Our legitimate business interest
When you attend a CyberArk hosted or sponsored physical or virtual conference or event
When you register to the event	First and last name, email address, telephone number, company name, role, job title, department, and country, IP-based location	To set you up as a registered participant in the event to manage and administer your participation in the event including sending your communications related to your attendance To send you communications (including marketing) related to our products, services or events via different channels to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting To determine the country where you are located as relevant to the way we communicate with you in compliance with privacy laws	Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
When you log into the event and during the event in which you participate (online events)	Log in and out time, time spent, any information that you choose to provide for networking purposes,  and chat stream	To manage and enable your access to the event To provide you with technical support related to the event to keep records regarding our events and analysis thereof for the purpose of planning of future events to improve our understanding of your needs and interests understand how you and other participants benefit from the events, including to assess which content is the most useful To send you communications (including marketing) related to our products, services or events via different channels	Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
During the event in which you participate (in person)	Business card information	To send you communications (including marketing) related to our products, services or events via different channels	Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
When you sign up to receive a promotional gift	Mailing address, clothing size or gift preferences	To provide you with a promotional gift at your request	Our legitimate business interest and/or your consent where necessary under applicable law
When we otherwise communicate with you when you are or when you represent a prospective customer/ customer/partner/investor or if we conduct business dealings with you if you represent a service provider, contractor, processor or supplier
When we request and you submit feedback to a survey, for example, following closing of a support ticket, delivery of our services or following training;	Your responses to the survey	To consider your feedback and assess the level of service we have provided, and to improve our processes and services follow-up with you depending on the nature of your feedback	Our legitimate business interests including as necessary for the performance of the contract with the relevant customer/partner/investor.
When delivering communications to you (including marketing communications and advertising).	Your email address, display name of your email account, information about your interactions with our communications (e.g. links clicked on), actions that you take on our and our partners’ websites such as your visits or interactions with such websites.	To monitor and analyze electronic communications sent or received by our users, including to tailor our communications accordingly and measure our marketing efforts security and fraud prevention to cater to your requests, for example, to reply to your inquiry, arrange a meeting for you, arrange a demo for you, etc. measure the effectiveness of our (online) advertising, improve our marketing practices, and helps us deliver more relevant communications and advertising to you and people like you (including on social media).	Our legitimate business interests and/or your consent where necessary under applicable law
When you interact with a chatbot or feedback submission form on the Websites or product documentation pages	The input data you enter into the feedback form or chat interface Your contact information if you provide it	To receive feedback from you To provide you a tool to search product documentation or Websites To reply to your inquiries	Our legitimate business interests and/or your consent where necessary under applicable law
When you conduct business dealings with us as a representative of a service provider, contractor, processor or supplier	Your contact information, such as name, title, company name, email address, address, and phone number	To enter into and perform under a contract providing us certain services to communicate with you about potential business dealings	Fulfilment of our contractual obligation, our legitimate business interest, and/or your consent where necessary under applicable law
When you visit our offices	Your contact information such as name, email address, phone number Your company name (if applicable) Time and date of arrival Image or video.	To provide you with visitor access To enforce security of our premises To detect or prevent fraud or illegal activity	Our legitimate business interests, and/or your consent where necessary under applicable law, and/or as necessary to comply with our legal obligations and to ensure compliance with contractual agreements.
When you use our Products and Services
When, as an end user of our Services, you use or are accessing systems which are secured by CyberArk.	Statistical, de-identified and/or aggregated information that relates to the use and configuration of our Services and data derived from it, including usage analytics and telemetry.	To prevent fraudulent or illegal use of our Services and ensure compliance with our software license agreement. To improve and develop our Services, including by using AI and machine learning capabilities. To comply with applicable laws, including to comply with disclosure or reporting obligations and for dispute resolution purposes.	Our legitimate business interests to improve and develop our Services. As necessary to comply with our legal obligations and to ensure compliance with our terms.

In addition to the above uses of your personal data, we will also process your personal data:

1. To prevent, detect and fight fraud or other illegal or unauthorized activities
2. To ensure legal compliance – from our side (to legal requirements that apply to us (such as various records keeping) and to our obligations under the Terms of Use) and from your side (compliance with laws applicable to you and with the Terms of Use)
3. In other circumstances if we provide an in-time notification with respect to any additional personal data collected and processed.

We may share your personal data with other parties when outsourcing tasks or processes to service providers or subcontractors. This could happen in relation to our services, website operation or internal requirements. CyberArk’s third party service providers are only authorized to process your personal data as necessary to provide us with their services. We use the following categories of service providers:

• Relationship management software
• Marketing automation platform
• Webinar software
• E-mail platforms
• Hosting provider, including website hosting
• Customer success software
• Online community platforms
• Human Resources Information Systems
• Background check service providers
• Analytics providers
• Customer reference management software
• Survey tool service providers
• Learning management system software
• Business partners running or sponsoring events with us
• Social media and advertising companies providing personalized communications, ads, and experiences

In some cases, the third parties we work with may share your personal data with us if you have provided your information to them, and they have the legal right to disclose this information to us. This includes contact details and other identifiers. Where you are a member of staff at a CyberArk Customer or Partner and you register for a CyberArk event, this information may be shared with that Customer or Partner.

We may also use or disclose personal data with affiliated CyberArk entities, Partners and Resellers who help us to distribute our services, in the event of a merger / sale / change in control / business reorganization, or if required by applicable law or if we reasonably believe that doing so is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or to comply with a judicial proceeding, court order, legal process or governmental authority. Unless we are prohibited by law from doing so, we will use reasonable efforts to give you notice to enable you to seek a protective order or take other appropriate action.

We may transfer your information if we sell, buy, merge or partner with other companies or businesses, undergo a reorganization, bankruptcy, or liquidation; or otherwise undertake a business transaction or sell some or all of our assets. In such transactions, your information may be among the transferred assets.

For CyberArk’s applications available on the Google Play Store, our use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

CyberArk may transfer your data (including to third parties) outside of the EEA, Switzerland, UK or other jurisdiction that regulates transfers of personal data. If CyberArk transfers your personal data to a country that has not been designated by your country as providing adequate levels of protection for personal data, the data transfer will be protected by one of the following: the European Commission approved standard contractual clauses (SCCs); the Information Commissioner’s Office International Data Transfer Addendum to the SCCs; other comparable clauses approved by data protection authorities; or a vendor’s Binding Corporate Rules.

We will retain your personal data for such periods of times required or permitted by law or subject to our retention policies as may be in place from time to time. CyberArk takes the following considerations into account in order to determine the retention period:

• The time required to retain personal data to fulfill business purposes, including providing products and services
• Maintaining corresponding transaction and business records
• Controlling and improving the performance and quality of the Websites
• Handling possible user queries or complaints and locating problems
• Whether the user agrees to a longer retention period
• Whether we reasonably believe that this data will be needed for the handling of any litigation
• Whether the laws, contracts, and other equivalencies pose any requirements for data retention.

We will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality, and integrity of your personal data processed by us as part of your use of our products/services, our Websites, and any other aspects of our business as described in this Privacy Notice. If we change our safeguards, we will not materially decrease overall security. However, no method of data security is 100% effective. Therefore, we cannot guarantee or warrant its absolute security.

Our Websites, Portals and Services are not intended for or directed at children under the age of 18, and we do not knowingly collect personal data from children under the age of 18.

CyberArk provides community forums on some of the Company’s Websites, Portals or Services. Any personal data you choose to submit in such a forum may be viewed by others who visit these forums. CyberArk is not responsible for any misconduct by any person or entity of any personal data you choose to submit in these forums.

If you submit a Deal Registration Form via the Portal, we will also collect the following information: corporate name of end customer and contact details for your point of contact within the end customer (including name, job title and address).

Any marketing consents opt-ins/opt-outs or other preference details provided to us in connection with another website or service operated by us (such as the CyberArk community or our transactional websites) will be recorded and administered separately from any preferences or consents provided in connection with the Portal. You have the option to change your preferences registered in connection with any of our Websites or Services at any time.

If you are an authorized channel partner and no longer want us to contact you related to marketing events or information, please contact us at [email protected].

You may contact us at any time using this form, or you can email [email protected] to exercise rights you have over your personal data under applicable law. We will respond to your request in the timescales prescribed by the relevant local laws.

Depending on your location (e.g., if you are a California resident or in the United Kingdom, Switzerland, or European Economic Area) and on the laws that apply to you (e.g., CCPA or GDPR), you may be entitled to some or all of the following rights:

The right to access – You have the right to request CyberArk for copies of your personal data, which includes the right to confirm whether your personal data is being processed.

The right to rectification/correct – You have the right to request that CyberArk fix or correct any personal information that you believe is inaccurate. You also have the right to request CyberArk to complete the personal information you believe is incomplete.

The right to erasure/deletion – You have the right to request that CyberArk erase/delete your personal data, under certain conditions.

The right to restrict processing – You have the right to request that CyberArk restrict the processing of your personal data, when: (a) you contest the accuracy of your personal data, for a period allowing CyberArk to verify its accuracy; (b) you believe personal data has been unlawfully processed and you wish to restrict processing rather than delete it; (c) CyberArk no longer needs the personal data but you require to keep it in order to establish, exercise or defend a legal claim; or (d) you exercise your right to object to the processing (below) for a period allowing CyberArk to consider whether your legitimate grounds override CyberArk’s.

The right to object to processing – You have the right to object to the processing of a part or all of your personal data at any time. When relating to processing for marketing purposes, you have an absolute right to object; while for other purposes, the existence of the right depends on what lawful basis the processing relies on and on the existence of our compelling legitimate grounds to continue the processing.

The right to data portability – You have the right to request that CyberArk transfer the data that we have collected to another organization, or directly to you, under certain conditions. This includes receiving your personal data in a portable, structured, commonly used, and machine-readable format that can be sent to another entity.

The right not to be discriminated against – You have the right not to be discriminated against for exercising any of your privacy rights, which includes us not: (i) denying you goods or services; (ii) charging you different prices or rates, including through the use of discounts or imposing penalties; (iii) providing you a different level or quality of goods or services; (iv) suggesting you will receive a different price or a different level or quality of goods or services; and (v) retaliating against you for exercising your privacy rights.

If allowed by applicable laws, you have the right to withdraw your consent at any time when CyberArk processes your personal data based on your consent. However, withdrawal does not affect the legitimacy and effectiveness of how we process your personal data based on your consent before the withdrawal is made.

The right to appeal the outcome of a request you make by emailing [email protected].

Although we will make reasonable efforts to address your requests, we reserve the right to refuse a request if it is unfounded or not eligible under applicable law. We may require, as pre-requisite to fulfilling any request, to verify your identity through information or identification to ensure that all data subjects’ privacy is protected and that we have the information we need to evaluate your request. We may charge you a small fee for the exercise of some of rights under conditions permitted by applicable laws.

You may exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that the agent has valid authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please email us at [email protected].

While we would appreciate the chance to deal with your concerns before you approach an external regulator, you can contact a data protection supervisory authority in any of the countries in which CyberArk is established and/or where you are based, such as the Information Commissioner’s Office in the United Kingdom, and lodge a complaint. You can obtain the contact information for all EEA data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.

To opt-out of receiving marketing or promotional communications from CyberArk, you can unsubscribe in any marketing email you receive, complete this form, or email [email protected]. Please note that if you are an existing customer or partner then we may need to retain business contact information in order to provide you with CyberArk services and contact you as needed to fulfill contracts. However, your information will not be used for general marketing once you make a request.

We will make periodic updates to our Privacy Notice on this page and will note the date the then-existing version takes effect at the bottom of the notice. If you have any questions about these changes, please contact [email protected].

How We Use Cookies & Tracking Technologies.

We and our partners use cookies, web beacons, pixels, tags, and other tracking technologies that may collect Personal Data on our Website, portals, mobile application, and emails. We may use these technologies to provide our online and communication services, including to maintain and improve our Website, customize and enhance your experience on our Website, provide customer support, detect and prevent security risks, personalize advertisements, and conduct analytics.

What are cookies, web beacons, pixels, and tracking technologies?

A cookie is a very small text document, which often includes a unique identifier that is downloaded on your device to remember your preferences or webpage actions. Cookies are created when your browser loads a website. The website sends information to the browser, which then creates a text file. Every time the user goes back to the same website on the same device, the website will recognize that you have visited before and, in some cases, tailor the content to your prior visits.  We use both session-based and persistent cookies. Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain on your device. Find out more about the use of cookies at www.allaboutcookies.org.

In addition to cookies, we use other technologies with a similar purpose which allow us to monitor and improve our Website. For example, web beacons and pixels are small electronic files that are used on websites to collect information about how users interact with content and to gather usage and performance data. Tracking technologies have the ability to process information related to your access and use of our Website.

These technologies may collect log data about your device and software, including your IP address, device ID, geolocation, unique identification, the areas on the Website that you visit, the content you interact with, and the date and time of your visit. We have described the types of cookies we use below. When we talk about cookies, this term includes these similar technologies.

What types of cookies do we use, and what information do they collect?

Category	Purpose
Required cookies	These cookies are required to enable core functions of our Websites or Portals, for example, so we can identify you while you are logged in. If you disable these cookies certain parts of the Websites will not function for you.
Functional cookies	These cookies help us improve, analyse or optimise the experience we provide. They allow us to measure how visitors interact with our Websites and we use this information to improve user experience and performance. These cookies collect technical information such as the number of pages visited, which parts of our website are clicked on and the length of time between clicks.
Advertising Cookies	We use these cookies to collect information about your browsing habits in order to make advertising more relevant to you and your interests and measure the effectiveness of an advertising campaign.  We may share this information with other parties who help manage online advertising –see “Third Parties” below for more details.

Third parties

In addition, we also use third parties to help us implement and use cookies, web beacons, and other tracking technologies. Your use of our Website may result in some cookies being stored that are not controlled by us. This may occur when a Website you visit makes use of a third party analytics or marketing automation/management tool or includes content displayed from a third party website. In some cases, we link the information gathered by cookies, web beacons, and other tracking technologies with the personal information third parties collect to tailor our Website and communications so they are relevant to a user’s interests and to personalize advertisements you see on other websites. The third parties’ uses of cookies are subject to their own Privacy Notices (not ours).

How do you manage these technologies?

You can manage your preferences surrounding cookies in a number of ways—through tools we provide and through external tools.

Website Cookies Preferences: To change or set your cookie preferences for our Website, depending on your location, you will interface with our banner upon first site visit. Anyone worldwide can manage their choices at any time by clicking the Cookie Preferences link or Your Privacy Choices link in the footer of any webpage.

Browser Settings & Opt-Out Preference Signals: You can manage certain cookies preferences through your browser, including by clearing your browser’s cache history or enabling certain settings, if available. Some browsers and extensions support opt-out preference signals such as the Global Privacy Control (“GPC”), which can send a signal to the websites you visit indicating your choices to opt-out of certain types of data processing. These signals are honored where a website has been configured to recognize them. You can enable Global Privacy Control on your device or browser to opt out of the sale or sharing of your Personal Information that is tracked through cookies. You may need to download a plugin to use GPC and follow your browser’s instructions. Our Website will make reasonable efforts to honor GPC signals. GPC signals are unique to each device and each browser, so you must enable GPC on each device and browser that you use to visit our Website.

Device Settings: You can also control the use of cookies through your device. If you want to delete cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate and clear the file or directory that stores cookies.

Third-Party Tools: Some vendors also provide tools to manage your choices surrounding the third-party cookies they place. For example, For more information on how Google Analytics uses data collected through the Site, visit: https://policies.google.com/technologies/partner-sites. To opt out of Google Analytics Tracking Technologies, visit: https://myadcenter.google.com/personalizationoff and https://tools.google.com/dlpage/gaoptout.

This section is only applicable to California residents under California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”) and other California privacy laws. This section supplements the information in this Privacy Notice and explains:

• What types of personal information we collect
• The purposes of collection
• Our practices surrounding the sale or sharing of personal information
• Your rights and choices

Collection and Use of Personal Information You can find a comprehensive list of the categories of personal information we collect, the sources where we got it, and the purposes for which we use it, and where we have disclosed it under the sections titled What personal data does CyberArk process and for what purposes?  & How will CyberArk disclose your personal data to other parties?

As it relates to the CCPA, in the preceding 12 months, we may have collected, used, and disclosed the following categories of Personal Information to provide you with our services:

• Identifiers (e.g., name, email address, contact information, IP address, and advertising IDs if available)
• Commercial information (records of services or other purchasing or usage history)
• Internet activity information (information regarding interactions with a website application, advertisement, or browser history)
• Financial information (required to process payment for our services)
• Professional and employment-related information (your position, title, or organization)
• Geolocation data (city or county-level location information)
• Audio, electronic and visual data (required to offer certain services and collected at our and our Partners’ events)
• Inferences (information about your interests or preferences derived from the other categories of personal information we may collect)

We may collect the following sensitive personal information from you solely to provide our services: login credentials, full payment information, and precise geolocation.

We retain this Information for as long as needed for the purposes for which it was collected, as we have described in this notice at: How long will CyberArk store your personal data?

Selling or Sharing of Personal Information

We do not transfer your personal information for money. However, many companies like ours use services that help deliver personalized ads or content and obtain certain analytics data, which may be considered a “sale”or “sharing” under California law. We may transfer your personal information (like identifiers, including email addresses, or internet activity) with third party advertisers to tailor ads to you. Within the past 12 months, we have not sold or shared your sensitive personal information. For more details about how we disclose personal information to third parties please see the above sections entitled How will CyberArk disclose your personal data with other parties and How does CyberArk use Cookies in relation to your use of the Websites and Portals.

You can opt-out of being tracked or targeted with ads by these third parties by the “Your Privacy Choices” link at the bottom of our website and selecting your preferences. We have also provided additional information in the How do you manage these technologies? section of this Notice (this is a subsection under How does CyberArk use Cookies in relation to your use of the Websites and Portals) explaining how you can use Universal Opt Out Mechanisms, like Global Privacy Control, through your browser to opt out of the sharing of cookies. You can also contact us at [email protected] or by completing this form.

Please note that, even if you opt out, you will still see some advertising, but those ads will not be tailored to your interests.

As a California resident, you have certain privacy rights and related choices that we have described in the Your choices, rights and instructions Section of this Notice. You specifically have the rights to:

• Know: We have disclosed in this Notice what personal information we have collected about you, the sources of collection, the business purpose for collecting and sharing your personal information, the categories of third parties to whom your personal information was disclosed, the specific pieces of information, and the length of time your information is retained
• Access & Portability: You can request a copy of the Personal Information we have
• Correction: You can request that we correct any inaccurate Personal Information Deletion: With certain exceptions, you can request that we delete the Personal Information we hold
• Opt Out of the Sale/Sharing of Personal Information for Cross-Contextual Behavioral or Targeted Advertising: You have the right to opt out of any future “sale” or “sharing” of your personal information as explained above.
• Limit the Use or Disclosure of Sensitive Personal Information: We collect limited sensitive personal information when necessary to enable our services. We do not share this data with third parties, other than to enable the services. Should we ever use or disclose your Sensitive Personal Information for reasons other than legitimate business purposes, we will update this Notice and provide you with instructions to limit the use and disclosure of this data.
• Nondiscrimination: You may exercise your privacy rights, and we will not discriminate against you or penalize you for exercising them.

You may designate an authorized agent to make a request under the CCPA on your behalf. We may require proof of authorization and for you to verify your own identity also.

You may contact CyberArk’s Data Protection Office and make the relevant requests permitted pursuant to applicable law by completing this form or sending an email to [email protected].