VMware Products & Services Privacy Notice

Information we collect from you: We collect personal information directly from our customers and their users in connection with their deployment and use of our Services. Depending on the context, such information may include:

• Contact information: Usernames and contact details such as email address, job title, user role, company name and phone number;
• Login credentials: User IDs and password. Passwords are hashed and encrypted into a form that allows for authentication, but not account access;
• Communications with us: Information about and included in transactional communications between us and you, such as email communications, in-Service messages, chat messages, surveys, phone numbers, time and date stamp, SMS routing information, email address, duration, and the content of the communications; and
  
• Support request data: Personal information you provide us in connection with a support request. You may provide personal information in chats, support calls (including recordings of those calls), Service support tickets or other communications regarding the support request. NOTE: This does not include any files uploaded or attached to a support ticket that are defined as ‘Customer Content’ in our General Terms. We process Customer Content as a ‘processor’ or ‘service provider’ for the purpose of responding to, troubleshooting and otherwise resolving the support request, in accordance with our General Terms and Data Processing Addendum. See Part VII: Information We Process on Behalf of Our Customers.
  
  

Information we collect via the Services: In connection with your use of the Services, we collect information from our software or systems hosting the Services, and from customer systems, applications and devices that are used to access the Services. Such information is used to facilitate the delivery of the Services to our customers, including securing, managing and monitoring the Service infrastructure, and providing support (“Services Operations Data”), and for VMware’s own analytics and product improvement purposes, and to optimize the customer’s experience and use of the Services (“Usage Data”) as detailed further in this Notice in Part II “How We Use Your Information”. The data collected is generally technical information, with limited individually identifying information such as email address, usernames, IP/MAC address of the user’s device, and identifiers (including cookies). Some objects, such as hosts, machine names and dashboards, will occasionally contain value(s) entered by customers. Customers should not use any personal information when naming such objects. Depending on the Service, Services Operations Data and Usage Data may include the following types of data:

• Configuration data: Technical data about how a customer organization has configured the Services and related environment information. Examples include Service environment information, Service settings, third-party applications and third-party systems used in connection with the Services.
• Online identifiers: Online identifiers such as device and user identifiers and IP addresses.
• Feature usage data: Feature usage data relates to how a customer organization uses the Services. Examples include details about which Service features a customer uses and metrics of user interface activity.
• Performance data: Performance data relates to how the Services are performing. Examples include metrics of the performance and scale of the Services, response times for user interfaces, and details about customer API calls.
• Service logs: Service logs are automatically generated by the Services. Typically, these logs record system events and state during the operation of the Services.
• Support data: Support data is information collected and processed in connection with support facilities such as chat, web form, email, support calls (including recordings of those calls) and Service support tickets.
• Survey data: Survey data relates to surveys or feedback triggered by your use of our Services such as a customer's Net Provider Score ("NPS").

Services Operations Data may also include such information as:

• Authentication and Access Information: Information that provides access to the Services, such as username, passwords, and device identifiers.
• Diagnostic Information: Diagnostic information may be contained in log files, event files and other trace and diagnostic files.

The main difference between Usage Data and Services Operations Data are the purposes for which we use the data, as set forth in Part II below. When collecting both Usage Data and Services Operations Data, we always aim to collect the minimum amount of personal information necessary to fulfil these respective purposes. Our Service Usage Data programs is published at the .VMware Trust and Assurance Center.

Both Usage Data and Services Operations Data may be collected via embedded tracking technologies within our Services. See Part IV "Cookies and Tracking Technologies" below for more information on our use of cookies and similar tracking technologies.

How we use Usage Data 

We use Usage Data (sometimes in combination with other data, such as customer account information) for these purposes:

• To make recommendations to our customers: To provide recommendations to our customers and users regarding their use of the Services.
• To improve our Services: To improve the Services that we offer to our customers. For example, we use the Usage Data to (i) help us prioritize future features; (ii) analyze our customers’ use of the Services and features across our customer base; (iii) improve our resolution of support requests; (iv) prioritize the testing of configurations or features of the Services; (v) improve the Services based on usage patterns across different delivery models; (vi) improve capacity forecasting; (vii) conduct testing of features; and (viii) make pricing and packaging decisions.
• To provide us with customer insights: To gain insights into our customers and their use of the Services, such as (i) to understand the impact of NPS and usage behaviours; (ii) to create enriched customer profiles and analyse our customer interactions in order to provide improved customer engagement; (iii) to create advanced analytical models and produce aggregate business intelligence reports and dashboards; (iv) to benchmark or assess our Services across customers and specific industries.
• To provide customer support: To provide support to our customers regarding their use of our Services, whether proactive or reactive, such as: (i) to provide recommendations to improve the general health and optimization of the customer’s use of the Service; (ii) to understand our customer’s Service configuration, events and issues in order to resolve or preempt a support request; (iii) to understand our customer’s configuration of the Services, events and issues in order to improve how we resolve support issues; and (iv) helping customers use our Services and offerings in more effective ways.
• To support business to business marketing and sales: To market additional Services to our customers where permitted by law and to inform sales conversations.
• To provide individualized offerings. To provide our customers with individualized offerings, such as VMware Success 360 or VMware Skyline.
• For other legitimate business purposes: When it is necessary for other legitimate purposes such as protecting VMware's confidential and proprietary information.

How we use Services Operations Data

We use Services Operations Data for these purposes:

• To facilitate the delivery of the Services: To facilitate the delivery of the Services including provisioning and controlling access to the Services, tracking entitlements, and verifying compliance.
• To conduct account administration and related activities: To provide you with the Services and to manage your account. This may include managing product downloads, updates and fixes, and sending other administrative or account-related communications, including release notes.
• To provide support: To troubleshoot and respond to a support request.
• To provide you with Service-specific notices. To provide users with Service-specific notifications such as updates, entitlement expiration, end of life notifications and security alerts.
• To maintain the security, stability and proper functioning of our infrastructure and Services: To maintain the security and operational integrity of our IT infrastructure and our Services, including for security monitoring and incident management, managing the performance and stability of the Services, monitoring, troubleshooting and addressing technical issues.
• To administer our disaster recovery plans and policies: To manage our back-up disaster recovery plans and policies.
• To detect fraud: To help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware or security risks.
• For quality control and training: For the purposes of quality control and staff training.
• To confirm compliance with license(s) and contractual obligations: To confirm compliance with license, contractual obligations and other terms of use obligations in connection with the relevant Services.
• To comply with legal obligations and operate our business: To comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution; and
• For other legitimate business purposes: When it is necessary for other legitimate purposes such as protecting our confidential and proprietary information.

We take care to ensure that your personal information is accessed only by those who need access to perform their tasks and duties, and to share only with third parties who have a legitimate purpose for accessing it. Part III "How we Disclose Your Information" of our Global Privacy Notice provides information about how we may share information with third parties.

We use cookies and other tracking technologies, such as cookies, pixel tags, widgets, embedded URLs, electronic communication protocols, device fingerprinting, buttons and other tools, in furtherance of the purposes described in this Notice. Some of these technologies are essential for the provision of the Services, such as account access/authentication; others assist with the performance and functionality of the services, such as recognizing returning users, remembering preferences or facilitating in-Service educational content; and others (such as Fullstory, referenced below) enable us to analyse usage and improve the Services. For more information about cookies and tracking technologies, see our Cookie Notice.

How to opt-out
You can opt-out of some cookies and other tracking technologies used by the Services by adjusting your cookie settings within the Service, but the functionality of the relevant Service may be impaired. More information regarding your options to control our use of cookies and similar technologies is presented in Part IV of our Cookie Notice.

Specific tools used by our Services
Listed below are some of the third-party tools we use in connection with our Services, and how and why we use them.

• Fullstory. We use Fullstory to record and capture a user’s session so that we can monitor user actions like mouse clicks, movements, etc. This information helps us diagnose and resolve user issues and understand how to change our Services to provide better user experiences. This tool is also used by some of our Services for operations purposes including detecting and responding to fraud and abuse. If you would like to opt out, Fullstory provides the following link: https://www.fullstory.com/optout/.
• Google Analytics. We use Google Analytics to collect limited data directly from users’ browsers to enable us to better understand your use of the Services in order to diagnose and improve our Services and to fix issues. Further information on how Google collects and uses this data can be found here: https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview
• Other tools. VMware also uses other third party tracking tools in connection with our Services.

See Part VI "International Transfers" of our Global Privacy Notice for information about our practices with respect to international transfers of personal information.

See Part V "Security and Confidentiality" of our Global Privacy Notice for information about our practices with respect to security and confidentiality.

In the course of using our Services, customers and their users may upload content to our Services for hosting, storage, or other processing, or may upload or attach files to a support ticket. This Notice does not apply to personal information within such “Customer Content” as defined in our General Terms and as further described in the VMware Trust Center. Personal information within Customer Content is processed by us as a ‘processor’ or ‘service provider’ on behalf of our customer in accordance with our contracts with our customer, typically our General Terms and our Data Processing Addendum. Our Binding Corporate Rules also apply when we are acting as a processor and transfer personal information between our customer and VMware Group members and within the VMware Group members.

If you have any questions or concerns about how your personal information within Customer Content is handled, you should contact our customer that submitted the Customer Content to us (e.g. your employer or organization). We will assist our customer in addressing your concerns in accordance with the terms of our contracts with them.

Choices and rights where we act as a controller: As stated above, we only collect a limited amount of personal information to fulfill the purposes outlined in this Notice. However, where we do collect personal information, users have certain rights and choices. For information about these rights and choices, and how to exercise your rights, please refer to Section IV Your Privacy Choices and Rights"  of our Global Privacy Notice.

Choices and rights where we act as a processor: Certain Services may be used by our customers to process personal information about you. In such cases, we are processing such personal information purely on behalf of our customers and any individuals who seek to exercise their rights should first direct their query to our customer (the controller). See Part VII "Information We Process on Behalf of Our Customers" above.

California notice. This additional California Privacy Notice sets forth our disclosure obligations under California law and provides further information about privacy rights for California residents.

China notice. This additional China Privacy Notice sets forth our disclosure obligations under Personal Information Protection Law of the People's Republic of China (“PIPL”).

European Economic Area and UK – legal basis for processing personal information. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect and process it. See Part II, ‘How We Use Your Information’, for details regarding the purposes for which we process your personal information and see the tables below for the corresponding legal bases on which we rely. Where the processing is in our legitimate interests, our interests are not overridden by your data protection interests or fundamental rights and freedoms. We may sometimes provide you with additional information about the applicable legal basis at the time information is collected.

Usage Data

Service Operations Data

See Part VII "Deletion and Retention" of our Global Privacy Notice for information about our practices with deletion and retention. Specific to the personal information processed in accordance with this Notice, when considering our justifiable business need to retain the information, we consider the limited scope and sensitivity of the personal information we maintain, and the value provides us in securing, managing, promoting, and improving the Services

Changes to this Notice: We will review and update this Notice periodically in response to changing legal, technical and business developments. When we update this Notice we will note the date of its most recent revision above. If we make material changes to this Notice, we will take appropriate measures to inform you in a manner that is consistent with the significance of the changes we make and is in accordance with applicable law. We encourage you to review this Notice frequently to be informed of how we are protecting your information.

If you have any questions or concerns regarding this Notice, you may write to us by completing the Privacy Contact Form or by mail to: Office of the General Counsel of VMware, Inc., 3401 Hillview Ave, Palo Alto, California, 94304, USA.