VMware Products & Services Privacy Notice

Information we collect from you: We collect personal information directly from our customers and their users in connection with the provision of VMware Services. Depending on the context, such information may include:

• user names and contact details such as email address, job title, company name and phone number;
• user IDs and passwords; and
• other information that customers or users provide to VMware in connection with the provision of the Services.
  

Further details of the personal information we collect directly from you and our customers and how we process it is covered in our main Privacy Notice. Such information may be combined with information we automatically collect in connection with the provision of the Services and used for the purposes set forth in this Notice.

Information we collect via the Services: In connection with the provision of the Services, VMware collects information from VMware’s software or systems hosting the Services, and from the customer systems, applications and devices that are used to access the Services. Such information is used to facilitate the delivery of the Services to its customers, including managing and monitoring the infrastructure, and providing support (“Services Operations Data”), and for VMware’s own analytics and product improvement purposes (“Usage Data”) as detailed further in this Notice in Part II “How we use your information”. The data collected is generally technical information, with limited individually identifying information such as email address, usernames, filenames, file paths, machine names, IP/MAC address of the user’s device, and identifiers (including cookies). Depending on the Service, the information may include the following types of data:

• Configuration Data: Technical data about how a customer organization has configured VMware Services and related environment information. Examples include Service environment information, Service settings, third party applications and third party systems used in connection with the Services.
• Feature Usage Data: Feature usage data relates to how a customer organization uses VMware Services. Examples include details about which Service features a customer uses and metrics of user interface activity.
• Performance Data: Performance data relates to how the Services are performing. Examples include metrics of the performance and scale of the Services, response times for user interfaces, and details about customer API calls.
• Service Logs: Service logs are automatically generated by the Services. Typically, these logs record system events and state during the operation of the Services in a semi-structured or unstructured form.
• Support Data: Support data relates to information that has been provided by a customer to VMware or is otherwise processed in connection with support facilities such as chat, support calls (including recordings of those calls) and Service support tickets.
• Survey Data: Survey data relates to a customer's Net Provider Score ("NPS") and other similar in-Service surveys or feedback in relation to a customer’s use of the relevant Services.

Services Operations Data may also include such information as:

• Authentication and Access Information: Information that provides access to the Services, such as username and passwords.
• Diagnostic Information: Diagnostic information may be contained in log files, event files and other trace and diagnostic files.

The main difference between Usage Data and Services Operations Data are the purposes for which we use the data. When collecting both Usage Data and Services Operations Data, we always aim to collect the minimum amount of personal information necessary to fulfil these respective purposes. Further information regarding the Usage Data we automatically collect in connection with our existing customer experience improvement programs for certain of our Services is set forth at the VMware Trust and Assurance Center.

Both Usage Data and Services Operations Data may be collected via embedded tracking technologies within our Services. See Part IV "Cookies and Tracking Technologies" below for more information on VMware’s use of cookies and similar tracking technologies.

How we use Usage Data 

VMware uses Usage Data (sometimes in combination with other data, such as customer account information) for purposes such as:

• To make recommendations to our customers: VMware may use Usage Data to provide recommendations to our customers and users (such as you) regarding their use of the Services.
• To improve VMware Services: VMware may use the Usage Data to improve the Services that we offer to our customers. For example, we use the Usage Data to (i) help us prioritize future products and service features for our customers; (ii) analyze our customers use of the Services and features across our customer base; (iii) improve our resolution of support requests; (iv) prioritize the order in which certain configurations or features of the product or service should be tested; (v) improve the product or service based on usage patterns across different delivery models; (vi) improve capacity forecasting for the relevant Services; (vii) conduct testing of product or service features; and (viii) make pricing and packaging decisions.
• To provide us with customer insights: VMware uses Usage Data to gain insights into our customers and their use of the VMWare Services, such as (i) to understand the impact of Net Provider Score and usage behaviours; (ii) to create enriched customer profiles and analyse customer interactions with VMware in order to provide improved customer engagement; (iii) to create advanced analytical models and produce aggregate business intelligence reports and dashboards; (iv) to benchmark or assess our Services across customers and specific industries.
• To provide customer support: VMware uses Usage Data to provide support to our customers regarding their use of VMware Services, whether proactive or reactive, such as: (i) to provide support recommendations to our customers to improve the general health of the customer’s use of the Service; (ii) to understand our customer’s Service configuration, events and issues in order to resolve a specific support request; (iii) to understand our customer’s configuration of the Services, events and issues in order to improve how VMware support resolves an issue; and (iv) helping customers use our Services and offerings in more effective ways.
• To support business to business marketing and sales: VMware may use Usage Data to market additional Services to our customers, where permitted by law and to inform sales conversations.
• For other legitimate business purposes: VMware may use Usage Data when it is necessary for other legitimate purposes such as protecting VMware's confidential and proprietary information.

Usage Data may be collected and used pursuant to one of VMware’s established customer experience improvement programs depending on the Service.  For details regarding these customer experience improvement programs, see the VMware Trust and Assurance Center.

How we use Services Operations Data 

VMware uses Services Operations Data for the following purposes:

• To facilitate the delivery of the Services: VMware will also use Systems Operations to facilitate the delivery of the Services and this may include provisioning and controlling access to the Services, tracking entitlements, and verifying compliance.
• To conduct account administration and similar Services related activities: VMware may use Services Operations Data to provide you with the Services and to manage your account. This may include managing product downloads, updates and fixes, and sending other administrative or account-related communications, including release notes.
• To provide support: VMware processes Services Operations Data when users or other individuals contact VMware via one of our support channels, so that we can contact them in relation to the relevant support request. In some cases, users may need to send us copies of any affected files, logs or other information to enable us to assist with the support request. In such cases, we will use such information for the purposes of responding to, troubleshooting and otherwise resolving the support request.
• To maintain the security of our infrastructure and Services: VMware may use Services Operations Data to maintain the security and operational integrity of the VMware IT infrastructure and our Services, including for security monitoring and incident management, managing the performance and stability of the Services, and addressing technical issues.To administer our disaster recovery plans and policies: VMware may use Services Operations Data to operate our back-up disaster recovery plans and policies.
• To detect fraud: VMware may use Services Operations Data to help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware or security risks.
• For quality control and training: VMware may use or Services Operations Data for the purposes of quality control and staff training.
• To confirm customer compliance with license(s) and contractual obligations: VMware may use Services Operations Data to confirm compliance with license, contractual obligations and other terms of use obligations in connection with the relevant VMware Services.
• To comply with legal obligations: VMware may use any of the Services Operations Data to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution; and
• For other legitimate business purposes: VMware may use Services Operations Data when it is necessary for other legitimate purposes such as protecting VMware's confidential and proprietary information.

We take care to ensure that your personal information to be accessed only by those who really need access in order to perform their tasks and duties, and to share with third parties who have a legitimate purpose for accessing it. Part III "How we share your information" of our main Privacy Notice provides information about how we may share information with third parties.

VMware use cookies and other tracking technologies, such as cookies, pixel tags, widgets, embedded URLs, electronic communication protocols, buttons and other tools, in furtherance of the purposes described in this Notice. The types of technology used by VMware may change over time as technology evolves. Some of these technologies are essential for the provision of the Services, such as account access/authentication; others assist with the performance and functionality of the services, such as recognizing returning users or remembering preferences; and others (such as Fullstory and Google referenced below) enable us to analyse and customize the Services. 

How to opt-out
Below are some of the third-party tools we use that collect cookies, with information about how and why we use these tools in support of VMware Services. You can elect to opt-out of these third-party cookies (and therefore the analytics they provide to VMware) by navigating directly to the third-party websites using the links below. You can also opt-out of other cookies used by the Services by adjusting your browser settings but the functionality of the relevant VMware Service will likely be impaired. 

Fullstory
VMware uses Fullstory is a tool that we use to provide a better user experience for you and collect data used to diagnose user issues. It records and captures a user’s session so that we can monitor user actions like mouse clicks, movements, etc. If you would like to opt out, Fullstory provides the link below: https://www.fullstory.com/optout/

Google Analytics
VMware uses Google Analytics to collect limited data directly from user's browsers to enable us to better understand your use of the Services in order to diagnose and improve our Services and to fix issues. Further information on how Google collects and uses this data can be found here: https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview

Other tools
VMware also uses other third party tracking tools in connection with our Services.

See Part IV "International transfers of information" of our main Privacy Notice for more information about international transfers of information.

See Part V "Security and Confidentiality" of our main Privacy Notice for information about Security and Confidentiality.

In the course of using our Services, VMware customers and their users may submit or upload information to VMware's Services for hosting or storage. This customer content is processed by VMware on behalf of the customer, and our privacy practices will be governed by the contract we have in place with our customer. This Notice will not apply to any personal information contained in such customer content. In accordance with the terms of such contract, VMware will process customer content for the purposes of providing the relevant VMware Services and in accordance with our customer's instructions. If you have any questions or concerns about how such information is handled, you should contact the person or entity who has contracted with VMware to use the VMware Service to host or process this information (e.g. your employer or organization). We will provide assistance to our customers to address any concerns you may have in accordance with the terms of our contract with them. In relation to VMware’s role as a processor of customer content, our Binding Corporate Rules will apply to any transfers of personal data.

Carbon Black, Inc. complies with the US-EU and US-Swiss Privacy Shield Framework regarding the collection, use, and retention of personal information from individuals in the European Union member countries and Switzerland. Carbon Black, Inc. has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to view Carbon Black Inc.’s certification page, please visit https://www.privacyshield.gov.

Carbon Black, Inc. is responsible for the processing of personal data it receives under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Carbon Black, Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the European Union and Switzerland, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Carbon Black, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Carbon Black, Inc. commits to endeavor to promptly resolve complaints about privacy and collection or use of personal information (See ‘How To Contact Us” for contact details). If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Privacy Shield website here https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

As stated above, we only collect a limited amount of personal information to fulfil the purposes outlined in this Notice, however where we do collect personal information users do have certain rights and choices in relation to it. For more information about these rights and choices, and how to exercise your rights, please refer to Section VII "Your privacy rights and choices"  of our main Privacy Notice.

Rights and Choices where VMware acts as a Processor: Certain VMware Services may be used by our customers to collect personal information about you. In such cases, we are processing such personal information purely on behalf of our customers and any individuals who seek to exercise their rights should first direct their query to our customer (the controller). See Part VI "Information we process on behalf of our customers" above.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it and the purposes for which it is used.

We process Usage Data on the basis of VMware's legitimate interests in improving its Services and customer experience and/or otherwise pursuing the purposes set out in Part II "How we use Usage Data" of this Notice. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

For Services Operations Data, we process any personal information contained within it on the basis of VMware's legitimate interest in performing, maintaining and securing our Services and operating our business in an efficient and appropriate manner and/or to pursue the purposes set out in Part II "How we use Usage Data" of this Notice and/or our customer's legitimate business purposes. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under Part XII  "How to contact us"  below.

See the Your California Privacy Rights notice for information about California Privacy Rights, and other required disclosures, if any.

How Long we Retain Information: We retain information that we collect in connection with the Services for as long as is needed to fulfil the purposes outlined in this Notice or where we have another business or legal reason to do so (subject to any retention commitments we have made in any agreements with our customers).

When we have no justifiable business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. You can request deletion of your personal information at any time (see Part VIII "Your Privacy Rights and Choices" section above for further information) and we will consider your request in accordance with applicable laws. 

Changes to this Notice: VMware will review and update this Notice periodically in response to changing legal, technical and business developments. When we update this Notice we will note the date of its most recent revision above. If we make material changes to this Notice, we will take appropriate measures to inform you in a manner that is consistent with the significance of the changes we make and is in accordance with applicable law. We encourage you to review this Notice frequently to be informed of how VMware is protecting your information.

If you have any questions or concerns regarding this Notice, you may write to us by submitting a request to our Privacy Contact Form or by mail to: Office of the General Counsel of VMware, Inc., 3401 Hillview Ave, Palo Alto, California, 94304, USA.