VMware's Privacy Notices
VMware Products & Services Privacy Notice
This Products & Services Privacy Notice (the "Notice") explains how VMware, Inc. and its group companies ("VMware", "we", "us" and "our") collect, use and share information, including personal information from our customers and their users (“customer”, “user”, "you" and "your") in connection with their deployment and use of VMware products and services (including mobile apps and trials) and associated support services ("Services"). "Personal information" is information that identifies an individual or relates to an identifiable individual.
This Notice applies only to the limited personal information we collect and use for our own purposes (i.e., as a 'data controller' or ‘business’) in connection with your use of our Services. This Notice does not cover (i) any personal information we process on behalf of our customers (where we act as a 'data processor' or ‘service provider’), which is addressed by our contracts with our customers; or (ii) personal information we collect to communicate and maintain a relationship with you, to bill you for the Services, or to market to you, (all where we act as a ‘data controller’ or ‘business) which is addressed by our Global Privacy Notice. The personal information we collect in connection with your use of the Services may be combined with personal information we collect under ourGlobal Privacy Notice. and used for the purposes set forth in this Notice.
This Notice may be supplemented by just-in-time notices, or other disclosures contained within or in connection with the provision of the Services. Those notices and disclosures may describe in more detail our relevant data collection, use and sharing practices, or provide you with additional choices about how we process your data.
Information we collect from you: We collect personal information directly from our customers and their users in connection with their deployment and use of our Services. Depending on the context, such information may include:
- Contact information: Usernames and contact details such as email address, job title, user role, company name and phone number;
- Login credentials: User IDs and password. Passwords are hashed and encrypted into a form that allows for authentication, but not account access;
- Communications with us: Information about and included in transactional communications between us and you, such as email communications, in-Service messages, chat messages, surveys, phone numbers, time and date stamp, SMS routing information, email address, duration, and the content of the communications; and
- Support request data: Personal information you provide us in connection with a support request. You may provide personal information in chats, support calls (including recordings of those calls), Service support tickets or other communications regarding the support request. NOTE: This does not include any files uploaded or attached to a support ticket that are defined as ‘Customer Content’ in our General Terms. We process Customer Content as a ‘processor’ or ‘service provider’ for the purpose of responding to, troubleshooting and otherwise resolving the support request, in accordance with our General Terms and Data Processing Addendum. See Part VII: Information We Process on Behalf of Our Customers.
Information we collect via the Services: In connection with your use of the Services, we collect information from our software or systems hosting the Services, and from customer systems, applications and devices that are used to access the Services. Such information is used to facilitate the delivery of the Services to our customers, including securing, managing and monitoring the Service infrastructure, and providing support (“Services Operations Data”), and for VMware’s own analytics and product improvement purposes, and to optimize the customer’s experience and use of the Services (“Usage Data”) as detailed further in this Notice in Part II “How We Use Your Information”. The data collected is generally technical information, with limited individually identifying information such as email address, usernames, IP/MAC address of the user’s device, and identifiers (including cookies). Some objects, such as hosts, machine names and dashboards, will occasionally contain value(s) entered by customers. Customers should not use any personal information when naming such objects. Depending on the Service, Services Operations Data and Usage Data may include the following types of data:
- Configuration data: Technical data about how a customer organization has configured the Services and related environment information. Examples include Service environment information, Service settings, third-party applications and third-party systems used in connection with the Services.
- Online identifiers: Online identifiers such as device and user identifiers and IP addresses.
- Feature usage data: Feature usage data relates to how a customer organization uses the Services. Examples include details about which Service features a customer uses and metrics of user interface activity.
- Performance data: Performance data relates to how the Services are performing. Examples include metrics of the performance and scale of the Services, response times for user interfaces, and details about customer API calls.
- Service logs: Service logs are automatically generated by the Services. Typically, these logs record system events and state during the operation of the Services.
- Support data: Support data is information collected and processed in connection with support facilities such as chat, web form, email, support calls (including recordings of those calls) and Service support tickets.
- Survey data: Survey data relates to surveys or feedback triggered by your use of our Services such as a customer's Net Provider Score ("NPS").
Services Operations Data may also include such information as:
- Authentication and Access Information: Information that provides access to the Services, such as username, passwords, and device identifiers.
- Diagnostic Information: Diagnostic information may be contained in log files, event files and other trace and diagnostic files.
The main difference between Usage Data and Services Operations Data are the purposes for which we use the data, as set forth in Part II below. When collecting both Usage Data and Services Operations Data, we always aim to collect the minimum amount of personal information necessary to fulfil these respective purposes. Our Service Usage Data programs is published at the .VMware Trust and Assurance Center.
How we use Usage Data
We use Usage Data (sometimes in combination with other data, such as customer account information) for these purposes:
- To make recommendations to our customers: To provide recommendations to our customers and users regarding their use of the Services.
- To improve our Services: To improve the Services that we offer to our customers. For example, we use the Usage Data to (i) help us prioritize future features; (ii) analyze our customers’ use of the Services and features across our customer base; (iii) improve our resolution of support requests; (iv) prioritize the testing of configurations or features of the Services; (v) improve the Services based on usage patterns across different delivery models; (vi) improve capacity forecasting; (vii) conduct testing of features; and (viii) make pricing and packaging decisions.
- To provide us with customer insights: To gain insights into our customers and their use of the Services, such as (i) to understand the impact of NPS and usage behaviours; (ii) to create enriched customer profiles and analyse our customer interactions in order to provide improved customer engagement; (iii) to create advanced analytical models and produce aggregate business intelligence reports and dashboards; (iv) to benchmark or assess our Services across customers and specific industries.
- To provide customer support: To provide support to our customers regarding their use of our Services, whether proactive or reactive, such as: (i) to provide recommendations to improve the general health and optimization of the customer’s use of the Service; (ii) to understand our customer’s Service configuration, events and issues in order to resolve or preempt a support request; (iii) to understand our customer’s configuration of the Services, events and issues in order to improve how we resolve support issues; and (iv) helping customers use our Services and offerings in more effective ways.
- To support business to business marketing and sales: To market additional Services to our customers where permitted by law and to inform sales conversations.
- To provide individualized offerings. To provide our customers with individualized offerings, such as VMware Success 360 or VMware Skyline.
- For other legitimate business purposes: When it is necessary for other legitimate purposes such as protecting VMware's confidential and proprietary information.
How we use Services Operations Data
We use Services Operations Data for these purposes:
- To facilitate the delivery of the Services: To facilitate the delivery of the Services including provisioning and controlling access to the Services, tracking entitlements, and verifying compliance.
- To conduct account administration and related activities: To provide you with the Services and to manage your account. This may include managing product downloads, updates and fixes, and sending other administrative or account-related communications, including release notes.
- To provide support: To troubleshoot and respond to a support request.
- To provide you with Service-specific notices. To provide users with Service-specific notifications such as updates, entitlement expiration, end of life notifications and security alerts.
- To maintain the security, stability and proper functioning of our infrastructure and Services: To maintain the security and operational integrity of our IT infrastructure and our Services, including for security monitoring and incident management, managing the performance and stability of the Services, monitoring, troubleshooting and addressing technical issues.
- To administer our disaster recovery plans and policies: To manage our back-up disaster recovery plans and policies.
- To detect fraud: To help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware or security risks.
- For quality control and training: For the purposes of quality control and staff training.
- To comply with legal obligations and operate our business: To comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution; and
- For other legitimate business purposes: When it is necessary for other legitimate purposes such as protecting our confidential and proprietary information.
We take care to ensure that your personal information is accessed only by those who need access to perform their tasks and duties, and to share only with third parties who have a legitimate purpose for accessing it. Part III "How we Disclose Your Information" of our Global Privacy Notice provides information about how we may share information with third parties.
How to opt-out
Specific tools used by our Services
Listed below are some of the third-party tools we use in connection with our Services, and how and why we use them.
- Fullstory. We use Fullstory to record and capture a user’s session so that we can monitor user actions like mouse clicks, movements, etc. This information helps us diagnose and resolve user issues and understand how to change our Services to provide better user experiences. This tool is also used by some of our Services for operations purposes including detecting and responding to fraud and abuse. If you would like to opt out, Fullstory provides the following link: https://www.fullstory.com/optout/.
- Google Analytics. We use Google Analytics to collect limited data directly from users’ browsers to enable us to better understand your use of the Services in order to diagnose and improve our Services and to fix issues. Further information on how Google collects and uses this data can be found here: https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview
- Other tools. VMware also uses other third party tracking tools in connection with our Services.
In the course of using our Services, customers and their users may upload content to our Services for hosting, storage, or other processing, or may upload or attach files to a support ticket. This Notice does not apply to personal information within such “Customer Content” as defined in our General Terms and as further described in the VMware Trust Center. Personal information within Customer Content is processed by us as a ‘processor’ or ‘service provider’ on behalf of our customer in accordance with our contracts with our customer, typically our General Terms and our Data Processing Addendum. Our Binding Corporate Rules also apply when we are acting as a processor and transfer personal information between our customer and VMware Group members and within the VMware Group members.
If you have any questions or concerns about how your personal information within Customer Content is handled, you should contact our customer that submitted the Customer Content to us (e.g. your employer or organization). We will assist our customer in addressing your concerns in accordance with the terms of our contracts with them.
Choices and rights where we act as a controller: As stated above, we only collect a limited amount of personal information to fulfill the purposes outlined in this Notice. However, where we do collect personal information, users have certain rights and choices. For information about these rights and choices, and how to exercise your rights, please refer to Section IV Your Privacy Choices and Rights" of our Global Privacy Notice.
Choices and rights where we act as a processor: Certain Services may be used by our customers to process personal information about you. In such cases, we are processing such personal information purely on behalf of our customers and any individuals who seek to exercise their rights should first direct their query to our customer (the controller). See Part VII "Information We Process on Behalf of Our Customers" above.
California notice. This additional California Privacy Notice sets forth our disclosure obligations under California law and provides further information about privacy rights for California residents.
China notice. This additional China Privacy Notice sets forth our disclosure obligations under Personal Information Protection Law of the People's Republic of China (“PIPL”).
European Economic Area and UK – legal basis for processing personal information. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect and process it. See Part II, ‘How We Use Your Information’, for details regarding the purposes for which we process your personal information and see the tables below for the corresponding legal bases on which we rely. Where the processing is in our legitimate interests, our interests are not overridden by your data protection interests or fundamental rights and freedoms. We may sometimes provide you with additional information about the applicable legal basis at the time information is collected.
|Purpose of Processing||Legal Basis|
|To make recommendations to our customers||Our legitimate interests in improving the adoption of our Services, in promoting our Services, in facilitating the sale and use of our Services|
|To improve our Services||Our legitimate interests in understanding our customers’ use of our Services; in prioritizing feature development and improvements; in improving resolution of support requests; in improving the functionality and adoption of our Services; in capacity planning; in testing our Services; and in pricing and packaging our Services|
|To provide us with customer insights||Our legitimate interests in understanding our customers’ use and assessment of our Services; in understanding our customers’ preferences; and in promoting and facilitating the sale and use of our Services;|
|To provide customer support||Our legitimate interest in providing support; in ensuring proper functioning of our Services; in serving downloads, updates and fixes; in optimizing our customers’ use of, and satisfaction with, our Services; and in improving the adoption of our Services|
|To support business to business marketing and sales||Our legitimate interests in promoting our Services; in facilitating the sale and use of our Services; in improving the adoption of our Services|
|To provide individualized offerings||Our legitimate interests in promoting our Services; in facilitating the sale and use of our Services; in improving the adoption of our Services; in understanding our customers’ preferences; and in pricing and packaging our Services|
|For other legitimate business purposes||Our legitimate interests, such as our legitimate interests in promoting our business, improving our Services, and protecting our confidential and proprietary information|
Service Operations Data
|Purpose of Processing||Legal Basis|
|To facilitate the delivery of the Services||Performance of a contract|
|To conduct account administration and related activities||Performance of a contract|
|To provide support||Performance of a contract|
|To provide you with Service-specific notices||Performance of a contract|
|To maintain the security, stability and proper functioning of our infrastructure and Services||Performance of a contract and our legitimate interest in ensuring the security, stability, and proper functioning of our infrastructure and Services|
|To administer our disaster recovery plans and policies||Performance of a contract and our legitimate interest in back-up and disaster recovery|
|To detect fraud||Performance of a contract and our legitimate interest in monitoring for, preventing and detecting fraud, enhancing security, monitoring and verifying identity and access, and combating spam or other malware or security risks|
|For quality control and training||Our legitimate interest in ensuring the quality of our Services and in staff training|
|To confirm compliance with license(s) and contractual obligations||Performance of a contract and our legitimate interests in the protection of our rights, our confidential information and our intellectual property|
|To comply with legal obligations and to operate our business (e.g., reporting requirements, mergers and acquisitions, finance and accounting, archiving and insurance purposes, dispute resolution)||Compliance with applicable laws and our legitimate interests in facilitating mergers and acquisitions and furthering the acquiring and target entities’ objectives, in proper financial management and accounting, and in defending our rights and interests|
|For other legitimate business purposes||Our legitimate interests, including our legitimate interests in operating our business and protecting our confidential and proprietary information|
See Part VII "Deletion and Retention" of our Global Privacy Notice for information about our practices with deletion and retention. Specific to the personal information processed in accordance with this Notice, when considering our justifiable business need to retain the information, we consider the limited scope and sensitivity of the personal information we maintain, and the value provides us in securing, managing, promoting, and improving the Services
Changes to this Notice: We will review and update this Notice periodically in response to changing legal, technical and business developments. When we update this Notice we will note the date of its most recent revision above. If we make material changes to this Notice, we will take appropriate measures to inform you in a manner that is consistent with the significance of the changes we make and is in accordance with applicable law. We encourage you to review this Notice frequently to be informed of how we are protecting your information.