Mattermost Privacy Policy

Effective Date: December 23, 2022

This Mattermost, Inc. (“Mattermost” or “we” or “us” or “our”) privacy policy (the “Privacy Policy”) is designed to help you understand what information we collect, including information that directly or indirectly identifies an individual (“personal information”), and how we use or share that information.

For self-hosted (on-premises) products, please see the first section of this Privacy Policy. For all other Mattermost products, services, and interactions, please see the remainder of the policy starting with the section entitled “Scope of this Privacy Policy.”

Self-Hosted (On-Premises) Products

This is the only section of the Privacy Policy that applies to end users of our self-hosted (on-premises) products. With self-hosted products, the Customer (defined below) that purchases the Mattermost product also controls the processing of end user data. If the Customer permits, Mattermost can collect limited service and usage data like error and diagnostics information, security alerts, and log file reports associated with device identifiers. We refer to this information as “telemetry data,” and it does not include any end user personal identifiers or message contents. Please see telemetry data for more information. Our Customers can choose to opt out of the usage data ping through the admin dashboard on the self-hosted products.

  • We use telemetry data to protect and improve the self-hosted products, such as to maintain security and prevent abuse.
  • To the extent that our processing of telemetry data from self-hosted products is subject to the GDPR, the legal bases for such processing include GDPR Art. 6(1)(b) (performance of a contract) and GDPR Art. 6(1)(f) (legitimate interests).

We may share telemetry data collected through our self-hosted products in limited ways to support the product and comply with law, as follows:

  • With service providers, subcontractors, partners, vendors, consultants, and others that help us provide the self-hosted products, and are not permitted to use the information collected on our behalf except to help us conduct and improve our business;
  • To respond or comply with, in our sole discretion, a court order, subpoena, law enforcement, other government request, or other legal process (with or without notice to you, in our discretion) under applicable law;
  • With buyers, successors, or others in connection with a potential or actual merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our business or assets;
  • To: (i) satisfy any applicable law or regulation, (ii) investigate and defend ourselves against any third party claims or allegations, or (iii) protect against harm to the rights, property or safety of us or third parties (including financial loss, or in connection with preventing fraud or illegal activity, and/or to enforce our other agreements with you); and
  • With our Customer’s consent or at the Customer’s direction.

If a Customer chooses to enable push notification services for a self-hosted/on-premises product, then we will additionally collect personal information about end users to support notifications. When push notifications are enabled, we use and disclose the related information in the same ways as described in this Privacy Policy for end users of our other Services.

If you would like to learn more about our self-hosted products practices, you can contact us at [email protected]. If you are a Customer purchasing a self-hosted product, you can see the sections relating to Customers below to learn how we process your personal information collected through our business interactions.

Scope of this Privacy Policy

The remainder of this Privacy Policy applies to:

  • Visitors to Mattermost.com, Mattermost forum, Mattermost documentation, Mattermost Community, code repositories, and other Mattermost websites (collectively, the “Sites”)
  • Mattermost Customers
  • End users of Mattermost’s cloud products and services (collectively, the “Services”)
  • Mattermost community members and contributors

Our different practices for each of these groups are described below. Please read this Privacy Policy carefully. By accessing or using any part of the Services or the Sites, you acknowledge that you have been informed of our practices with regard to your personal information and other data. If you do not agree to this Privacy Policy, please immediately cease use of the Services and the Sites and please shut down your account.

Customer Control of Services Data

In order to provide the Services, Mattermost is utilized by an organization (either an employer or another entity or person) (each, a “Customer”) under a contract that governs the delivery, access, and use of the Services. When you are an end user of our Services, the Customer has authorized you to access the Services. The Customer owns and controls the messages, files, or other content submitted to the Services, including your personal information (the “Customer Data”) and your account with the Services and any associated Customer Data that you provide. In these cases, Mattermost acts as a data processor (or service provider) within the meaning of applicable privacy laws, and the processing of Customer Data is governed by any data processing agreement between Mattermost and the Customer in addition to this Privacy Policy. The Customer also controls and manages any third party services they use in conjunction with the Services. The Customer controls the processing of Customer Data through the Services. Please contact the Customer if you have any questions related to such Customer’s specific settings and privacy practices in relation to the Services.

1. Contact Us

Please contact us at [email protected] if you have any complaints, questions, comments, or concerns with respect to your privacy or this policy.

If you believe that any account credentials for the Services have been compromised, please contact us immediately at [email protected].

2. Information We Collect and How We Use It

We collect information that you provide and information that we receive automatically. As described below, our information practices vary depending on whether you are acting as a visitor to our Sites, a Mattermost Customer, an end user of our Services, or a Mattermost community member or contributor.

Please be aware that some of the information described below is required to offer the Sites and Services, and if this information is not provided, we may not be able to provide the Sites and Services. We may use the information we collect for any lawful purpose, including the purposes specifically described below. We may also use information that has been aggregated or deidentified, so that it cannot reasonably be associated with a specific person, for any business purpose.

Information Collected About Website Visitors:

If you are a visitor to our Sites, we collect information about you as described below. We may also combine the information we collect about you with information we obtain from third parties.

Information You Provide to Us: We collect personal information that you provide when you send us a message through our Sites, register for or create an account with the Sites, or request more information about our Services. This information includes your name, email address, phone number, other contact details, and other information you choose to provide us.

  • We use this information primarily to communicate with you about the Sites and Services and respond to your requests. For instance, we use your contact information to respond to your questions, send you information that may interest you, communicate about account-related matters, and resolve technical issues you may encounter. We may also use your information to give you access to demo and educational materials.
  • We may also use information you provide to improve our Sites and Services and to market to you.
  • To the extent that our processing of the information you provide is subject to the EU General Data Protection Regulation or its UK equivalent (together the “GDPR”), the legal bases for this processing include GDPR Art. 6(1)(b) (performance of a contract) and GDPR Art. 6(1)(f) (legitimate interests).

Technical Information We Collect Automatically: When you use or visit the Sites, we may send cookies to your computer or device that allow us to uniquely identify your browser, computer, or device. Please see our Cookies Policy for more information about our collection and use of cookies. We may use cookies (and similar technologies) to collect other technical information when you use or visit the Sites, such as Internet Protocol (IP) address, location, browser type and settings, date and time the Sites were used, the web page that you were visiting before accessing our Sites, information about your activities on the Sites, external links and the features or content which you accessed from our Sites. When you access the Sites with a device (including a mobile device), we may also collect and store a unique identifier associated with your device and additional information about the device, including user settings, location, operating system of the device, and crash settings.

  • We use this technical information for various purposes, including to protect from potential security attacks and abuse. We may also use this type of information to verify accounts and activity, and to detect, investigate, prevent, and respond to potential or actual security incidents and other malicious, deceptive, fraudulent, or illegal activity. We also use technical information to help us improve performance and content, measure traffic, and measure usage trends. Additionally, we use this information to drive engagement with our Sites and Services and to market our Sites and Services.
  • To the extent that our processing of technical information is subject to the GDPR, the legal basis for such processing is GDPR Art. 6(1)(f) (legitimate interests).

Information Collected About Customers:

As described below, we collect information from our Customers, such as administrative users of our Services and individuals who purchase our Services on behalf of their employer. We may also combine the information we collect about our Customers with information we obtain from third parties.

Information You Provide to Us: We collect personal information that you provide when you register for or create an account with our Services or request more information about our Services. We may also collect Customer information through helpdesk systems, forums, web input forms, surveys, and ticketing tools. This information may include your name, email address, phone number, other contact details, and other information you choose to provide. It can also include business information like billing details (such as payment information and billing addresses) and your organization’s name, phone number, domain, email address, and physical address.

  • We use this information primarily to communicate with you about the Services and respond to your requests. For instance, we use your contact information to respond to your questions, inform you about changes to the Services and any Mattermost events, provide you access to demo and educational materials, communicate about account-related matters, and resolve technical issues you may encounter.
  • We may also use information you provide to improve our Services, to market to you, and to offer you information and updates on our products or Services that may interest you.
  • To the extent that our processing of service and usage information is subject to the GDPR, the legal bases for such processing include GDPR Art. 6(1)(f) (legitimate interests) and GDPR Art. 6(1)(b) (performance of a contract).

Technical Information We Collect Automatically: When you use or visit the Sites, we may send cookies to your computer or device that allow us to uniquely identify your browser, computer, or device. Please see our Cookies Policy for more information about our collection and use of cookies. We may use cookies (and similar technologies) to collect other technical information when you use or visit the Sites, such as Internet Protocol (IP) address, location, browser type and settings, date and time the Sites were used, the web page that you were visiting before accessing our Sites, information about your activities on the Sites, external links and the features or content which you accessed from our Sites. When you access the Sites with a device (including a mobile device), we may also collect and store a unique identifier associated with your device and additional information about the device, including user settings, location, operating system of the device, and crash settings.

  • We use this technical information for various purposes, including to protect from potential security attacks and abuse. We may also use this type of information to verify accounts and activity, and to detect, investigate, prevent, and respond to potential or actual security incidents and other malicious, deceptive, fraudulent, or illegal activity. We also use technical information to help us improve performance and content, measure traffic, and measure usage trends. Additionally, we use this information to drive engagement with our Sites and Services and to market our Sites and Services.
  • To the extent that our processing of technical information is subject to the GDPR, the legal basis for such processing is GDPR Art. 6(1)(f) (legitimate interests).

Information Collected from Mattermost Services:

If you are an end user of the Services we provide to our Customers, we may collect information related to your use of our Services, as described below.

Service and Usage Information: When end users use our Services, we collect generated information that provides context about the way end users use the Services, such as team and channel memberships, system preferences, features they use, content and links they interact with, the types of files shared, and what third party services are used (if any).

  • We use this service and usage information to provide the Services to our Customers. For instance, this may include improving the Services and personalizing end users’ experiences with Services. We may also use this information to research and analyze usage and performance of Services to make the Services more useful, more performant, and more intuitive.
  • To the extent that our processing of service and usage information is subject to the GDPR, the legal bases for such processing include GDPR Art. 6(1)(b) (performance of a contract) and GDPR Art. 6(1)(f) (legitimate interests).

Log and Device Information: We may also record log file information each time end users access and use the Services, such as Internet Protocol (IP) address, location, browser type and settings, date, and time. When end users access the Service with a device (including a mobile device), we may also collect and store a unique identifier associated with an end user’s device and additional information about the device accessing the Services, including user settings, location, the operating system of the device, and crash settings.

  • We use this log and device information to provide the Services to our Customers. As part of providing our Services, we use this information to protect from potential security attacks and abuse, to verify accounts and activity, to improve our Services, to detect, investigate, prevent, and respond to potential or actual security incidents, and to monitor and protect against other malicious, deceptive, fraudulent, or illegal activity.
  • To the extent that our processing of log and device information is subject to the GDPR, the legal bases for such processing include GDPR Art. 6(1)(b) (performance of a contract) and GDPR Art. 6(1)(f) (legitimate interests).

Push Notification Information: Certain Customers that use our self-hosted/on-premises products may choose a specific configuration of the system that uses the optional Mattermost Hosted Push Notification Service (HPNS), in lieu of the self-hosted option also offered. When using this feature, Customers may choose to enable information collection about end users that includes, but is not limited to, usernames, full names, channel names, and message preview snippets (which may include personal information shared by end users in messages, if the Customer enables the ability to display message preview snippets for the HPNS relay). Customers have the option to configure HPNS to share no personal information in relaying messages to mobile applications.

  • We use this information to provide the Services to our Customers, which may include improving and personalizing our Services.
  • To the extent that our processing of push notification information is subject to the GDPR, the legal bases for such processing include GDPR Art. 6(1)(b) (performance of a contract) and GDPR Art. 6(1)(f) (legitimate interests).

Information from Community Members and Contributors:

If you participate in the Mattermost forum, Mattermost Community, or other similar Sites, we may collect information as described below. We may also combine the information we collect about you with information we obtain from third parties.

Information You Provide to Us: When you participate in the Mattermost forum or Mattermost Community or are a contributor to Mattermost, we collect personal information that you provide to us, such as when you register for or create an account, request more information about our Sites or Services, or contribute to our open source projects. This information may include your name, email address, physical address, phone number, and other information you choose to provide.

  • We use this information primarily to provide the Sites and Services to you. We may also use your contact information to respond to your questions, inform you about changes to the Services and Mattermost events, communicate about your contributions, solicit feedback, send you information about Sites and Services that may be of interest to you, and resolve technical issues you encounter. If you have made a contribution to our open source projects, we may use your physical address to send you certain mailings as well, like thank you gifts.
  • To the extent that our processing of such information is subject to the GDPR, the legal bases for processing this information include GDPR Art. 6(1)(f) (legitimate interests) and Art. 6(1)(b) (performance of a contract).

Technical Information We Collect Automatically: When you participate in the Mattermost forum or Mattermost Community, we may send cookies to your computer or device that allow us to uniquely identify your browser, computer, or device. We may use cookies (and similar technologies) to collect other technical information when you use or visit the Sites and Services, such as Internet Protocol (IP) address, location, browser type and settings, date and time the Sites and Services were used, the web page that you were visiting before accessing our Sites and Services, information about your activities on the Sites and Services, external links and the features or content which you accessed from our Sites or Services. When you access the Sites or Services with a device (including a mobile device), we may also collect and store a unique identifier associated with your device and additional information about the device, including user settings, location, operating system of the device, and crash settings.

  • We use this technical information for various purposes, including to protect from potential security attacks and abuse. We may also use this type of information to verify accounts and activity, and to detect, investigate, prevent, and respond to potential or actual security incidents and other malicious, deceptive, fraudulent, or illegal activity. We also use technical information to help us improve performance and content, measure traffic, and measure usage trends. Additionally, we use this information to market, promote, and drive engagement with our Sites and to market our Services.
  • To the extent that our processing of technical information is subject to the GDPR, the legal basis for such processing is GDPR Art. 6(1)(f) (legitimate interests).

Information Shared with Third Parties and For What Purposes

We do not sell, trade, or otherwise transfer the information described above to unaffiliated third parties for monetary consideration. We may share information about website visitors, Customers, end users of the Services, and our community members and contributors with other entities for specific purposes. This sharing may include:

  • With service providers, subcontractors, partners, vendors, consultants, and others that help us with any of the purposes in this Privacy Policy, including by performing services on our behalf such as processing payments, sending email, providing back-office services, or measuring site traffic. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
  • With our affiliates, parent companies, subsidiaries, and other related companies, all for the purposes in this Privacy Policy;
  • To respond or comply with, in our sole discretion, a court order, subpoena, law enforcement, other government request, or other legal process (with or without notice to you, in our discretion) under applicable law;
  • With buyers, successors, or others in connection with a potential or actual merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our business or assets;
  • To: (i) satisfy any applicable law or regulation, (ii) enforce this Privacy Policy, including the investigation of potential violations thereof, (iii) investigate and defend ourselves against any third party claims or allegations, or (iv) protect against harm to the rights, property or safety of us, the Sites, the Services, other users of the Services, or third parties (including financial loss, or in connection with preventing fraud or illegal activity, and/or to enforce our other agreements with you); and
  • With your consent, our Customer’s consent, or as otherwise disclosed at the time of data collection or sharing.

We may share information that has been de-identified or aggregated without limitation.

How We Protect Information

We implement a variety of security measures aimed at maintaining the safety of the personal information we collect from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process, and store, as well as the current state of technology. Given the nature of communications and information processing technology, we cannot guarantee that information we collect will be absolutely safe.

Cookies and Similar Technologies

As noted above, we use cookies and similar technologies on our Sites and Services. Please read our Cookies Policy for more details.

Digital Advertising and Analytics

Our Services do not collect, use, or share information for advertising. However, in connection with our Sites, we may partner with ad networks and other ad serving providers (“Advertising Providers”) that serve ads on behalf of us and others on non-affiliated platforms. Some of those ads may be personalized, meaning that they are intended to be relevant to you based on information Advertising Providers collect about your use of the Sites and other sites or apps over time, including information about relationships among different browsers and devices. This type of advertising is known as interest-based advertising.

To opt out of these practices or learn more about this type of advertising, you may visit the Digital Advertising Alliance Webchoices tool at www.aboutads.info/choices. You can also opt out of Google ad tracking by following the instructions on this page: https://adssettings.google.com/. As described below in the “California Privacy Rights” section of this Privacy Policy, California residents (such as our Customers and website visitors) also have a right under California law to opt out of sharing of personal information for interest-based advertising (also known as “cross-context behavioral advertising”). This right can be exercised by using the Webchoices and Google ad tracking tools described above.

Electing to opt out from interest-based advertising will not stop advertising from appearing in your browser or applications. It may make the ads you see less relevant to your interests. If you use a different browser or device, you may need to renew your opt-out choice.

We may also work with third parties that collect data about your use of the Sites and other sites or apps over time for non-advertising purposes. We use Google Analytics and other third-party services to improve the performance of the Sites and for analytics and marketing purposes. For more information about how Google Analytics collects and uses data when you use the Sites, visit www.google.com/policies/privacy/partners, and to opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.

Our Legal Bases for Processing in the EU

If the GDPR is applicable as per Art. 3 of the GDPR, then references to “personal information” in this Privacy Policy are equivalent to “personal data” governed by the GDPR.

As described above, we rely on various legal bases to process the personal information we collect. Our legal basis for processing this personal information depends on the personal information concerned and the specific context in which we process it. We will normally collect personal information only where we need the personal information to perform a contract (e.g. to provide our Services), where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent. In some cases, we may also have a legal obligation to process personal information.

International Data Transfers and Storage

In order for us to operate and provide our Sites and Services globally, the personal information you provide to us or that we collect may be transferred or accessed in various countries, including the United States of America. If you are located in the European Economic Area, Switzerland, or the United Kingdom, please note that we may transfer information, including personal information, to a country and jurisdiction that offers a level of protection that may, in certain instances, be less protective of your personal information than the jurisdiction you typically reside in.

In the event that personal information is transferred outside of the European Economic Area, Switzerland, or the United Kingdom to a country which is not subject to an adequacy decision by relevant regulators or considered adequate as determined by applicable laws, we will take steps to ensure the personal information is protected (e.g., by implementing approved Standard Contractual Clauses or relying on other data transfer mechanisms as available under applicable laws).

Additionally, while Mattermost remains self-certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, we are not relying on these frameworks for transfers of personal information. To see more information about our responsibilities under Privacy Shield, please see https://mattermost.com/privacy-shield. To learn more about the Privacy Shield Program, please see https://www.privacyshield.gov/welcome.

Retention of Personal Information

We retain the personal information we collect for as long as we need to provide our Sites and/or Services, or as required to comply with our legal obligations. After such time, we will delete, de-identify, or aggregate this information within 60 days, unless otherwise required by law.

If you have an account on Mattermost Sites or Services, we will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide our Sites or Services to you, comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements. We will delete, de-identify, or aggregate this information to the extent possible once it is no longer necessary to fulfill the purposes for which it was collected and processed.

Depending on the Services plan, Customers may be able to customize their retention settings for end user information such that they are different than Mattermost’s standard data retention practices. Customers may also apply different settings to messages, files, or other types of Customer Data. The deletion of Customer Data and other use of the Services by Customer may result in the deletion and/or de-identification of certain personal information and other information.

European Privacy Rights

Individuals in the European Union, European Economic Area, or the United Kingdom may have certain rights with respect to personal information processed through the Sites and Services. If your personal information was submitted to us by a Customer or your account is controlled by a Customer, then please contact the applicable Customer directly to learn about the rights you may have. Otherwise, please contact us at [email protected] to exercise any of the below rights.

Subject to certain exceptions and limitations, you may have the right:

  • to request information regarding the processing of your personal information by us;
  • to obtain the rectification of any inaccurate personal information stored by us or completion of such information;
  • to obtain the erasure of your personal information stored by us;
  • to obtain the restriction of processing of your personal information;
  • to receive your personal information that you have provided to us in a structured, commonly used and machine-readable format or to demand transmission to another controller;
  • to withdraw your consent once given to us at any time.

In addition to the above-listed rights, you may also have the right to lodge a complaint with your local data protection authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

The provision of personal information is neither a statutory nor contractual requirement nor a requirement necessary to enter into a contract. You are not obliged to provide personal information. There are no consequences resulting from failure to provide such information. We also do not process personal information for the purpose of automated decision-making.

California Privacy Rights for Business Contacts

If you are a California resident who is a Mattermost Customer, a visitor to our Sites, a Mattermost community member or contributor, or another business contact of Mattermost (collectively, our “Business Contacts”), this section contains disclosures required by the California Privacy Rights Act (“CPRA”) and applies only to “personal information” we process about you that is subject to the CPRA.

This section does not cover personal information processed to provide our Services, because we process such information on behalf of our Customers as a “service provider” or “processor.” To learn more about the rights that may be available to you as an end user of the Services under state privacy laws, like the CPRA, please visit our Customers’ privacy policies.

Personal Information We Collect and Disclose. In the past 12 months, we collected and disclosed the categories of personal information about our Business Contacts listed below.

  • Personal and online identifiers (such as first and last name, email address, or unique online identifiers);
  • Record-keeping information (such as financial information for payment purposes);
  • Commercial or transactions information (such as records of products or services obtained or considered);
  • Internet or other electronic network activity information (such as interactions with Mattermost’s Sites, emails, applications, and/or advertisements);
  • Audio or visual information (such as video or call recordings);
  • Professional or employment-related information;
  • Sensitive personal information (such as billing information or account log-in information for your account);
  • Inferences drawn from the above information about your predicted characteristics and preferences; and
  • Other information about you that is linked to the personal information above.

Categories of Sources. We collect this personal information from the following categories of sources:

  • You, when you provide it to us directly or by using our Sites or Services;
  • Others at your organization, in connection with the business relationship between Mattermost and your organization;
  • Service providers;
  • Affiliates not under the Mattermost brand;
  • Commercial data resellers; and
  • Event organizers of events you register to attend.

Why We Collect, Use, and Share Personal Information. We collect, use, and disclose personal information about our Business Contacts for our business and commercial purposes described in the “Information We Collect and How We Use It” and the “Information We Share with Third Parties and For What Purposes” sections of this Privacy Policy above.

Recipients of Personal Information. We may disclose each category of personal information we collect about our Business Contacts to the categories of third parties described in the “Information We Share with Third Parties and For What Purposes” section of this Privacy Policy above.

While we do not sell the personal information we collect about our Business Contacts, we may share such personal information for interest-based advertising purposes (also known as “cross-context behavioral advertising”) by allowing third-party advertising providers to collect data on our Sites as described above under the “Digital Advertising and Analytics” section of this Privacy Policy.

Your Rights Regarding Personal Information. California residents who are our Business Contacts have certain rights with respect to the personal information collected by businesses like Mattermost. If you are a California resident who is our Business Contact, you may exercise the following rights regarding your personal information, subject to certain exceptions and limitations:

  • The right to know the categories and specific pieces of personal information we collect, use, disclose, and share about you, the categories of sources from which we collected your personal information, our purposes for collecting or sharing your personal information, the categories of your personal information that we have either shared or disclosed for a business purpose, and the categories of third parties to which we have disclosed personal information;
  • The right to request that we delete the personal information we have collected from you.
  • The right to request that we correct inaccurate personal information we maintain about you.
  • The right to opt out of our sharing of your personal information for interest-based advertising purposes. You can opt out of the sharing of personal information above in the “Digital Advertising and Analytics” section of this Privacy Policy through the Digital Advertising Alliance Webchoices and Google ad tracking tools.
  • The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CPRA.

While the CPRA provides an opt-out opportunity for certain uses or disclosures of “sensitive personal information” (as defined under the CPRA), Mattermost uses and discloses such information only for purposes permitted by the CPRA that do not require an opt-out opportunity.

To exercise any of the above rights, please contact us using the following information and submit the required verifying information, by email at [email protected].

Verification Process and Required Information. Note that we may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled. We will require you to provide, at a minimum, your name, business email address, and business phone number. We will verify your request using the information associated with your account, including email address. Government identification may be required.

Authorized Agent. You may designate an authorized agent to make a CPRA request on your behalf by submitting a written, signed permission to [email protected].

Minors. We do not knowingly sell or share the personal information of minors under 16 years of age.

Third-Party Links and Websites

This Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through our Sites and/or Services. This Privacy Policy only applies to our Sites and Services, so when you follow links to other websites you should read those separate and independent privacy policies to learn about their data practices. We have no responsibility or liability for the content and activities of these linked sites.

The Sites also include integrated social media tools or “plug-ins,” such as social networking tools offered by third parties. If you use these tools to share personal information or you otherwise interact with these features on the Sites, those companies may collect information about you and may use and share such information in accordance with your account settings, including by sharing such information with the general public.

Your interactions with third-party companies and your use of their features are governed by the privacy policies of the companies that provide those features. We encourage you to carefully read the privacy policies of any accounts you create and use.

Your Choices

To opt out of our email marketing, you can use the link provided at the bottom of each marketing message. If you opt out of our email marketing, we will still send you messages related to our transactions and relationship with you, such as order confirmations.

For choices with respect to third-party interest-based advertising activities, please see the “Digital Advertising & Analytics” section above.

For choices we offer to California residents who are our Customers or other business contacts, please see the “Your California Privacy Rights” section above.

Updating Your Information

When you have an account with us, you may review, change, or update your contact information by logging into your account.

Changes to our Privacy Policy

If we decide to change our Privacy Policy, we will post those changes on this page. We encourage you to visit this page periodically to learn of any updates. Your continued use of the Sites and Services after an updated Privacy Policy is posted constitutes your consent to the revised Privacy Policy.

EU – U.S. and Swiss Privacy Shield

Our Obligations to you under the Privacy Shield

Mattermost has subscribed to the EU – U.S. Privacy Shield Framework and Swiss – U.S. Privacy Shield Framework (collectively, “Privacy Shield”) as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and/or Switzerland as applicable to the United States. Mattermost has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

If there are any conflicts between the terms in this Privacy Policy and the Privacy Shield, the Privacy Shield shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.

Privacy Shield Principles

Mattermost has certified that it adheres to the following Privacy Shield Principles of (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse, Enforcement and Liability with respect to any personal information received from citizens of the European Union and Switzerland.

(1) Notice, (2) Choice, and (3) Accountability for Onward Transfer of Personal information

Mattermost is required to take certain steps when transferring personal information received from the European Union and Switzerland to third parties (such as including necessary contractual provisions in our third-party contracts). Mattermost may be potentially liable in cases of onward transfer of EU and Swiss individuals’ data received pursuant to the Privacy Shield to third parties. We collect and process data in accordance with this Privacy Policy. Please see the “Information We Collect and How We Use It” section for further details of the types of data which we collect from you and the purposes for which we collect it.

(4) Security

Mattermost takes reasonable and appropriate administrative and technical security measures to protect the confidentiality, integrity and availability of personal information. Mattermost takes reasonable steps to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

(5) Data Integrity and Purpose Limitation

We only collect personal information that is relevant to providing our Sites and Services to you, or as otherwise notified to you. We take reasonable steps to ensure that Mattermost only receives personal information that is necessary, and that the personal information received by Mattermost is accurate, complete, and current.

(6) Access

Our Privacy Policy explains how you may request access to review, correct or delete your personal information that we maintain about you by sending a written request to [email protected]. We may limit or deny access to personal information where providing such access is unreasonably burdensome, expensive under the circumstances, or as otherwise permitted by the Privacy Shield Principles or law.

(7) Recourse, Enforcement, and Liability

In compliance with the Privacy Shield Principles, Mattermost commits to resolve complaints relating to your privacy and our collection or use of your personal information without any charge to you. European Union and Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact us at:

Email address: [email protected]

We will work to resolve your issue as quickly as possible, but in any event, within 45 days of receipt. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Mattermost has also committed to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) by complying with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship with Mattermost. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, you have available to you, your national European Data Protection Board (EDPA) to file complaints about your information in Mattermost’s custody. Please contact the EU DPAs for more information or to file a complaint. To find your national EDPA, please refer to this web site https://edpb.europa.eu/about-edpb/board/members_en. The services of EU DPAs are provided at no cost to you.

In certain circumstances, the Privacy Shield Principles provide the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.

Mattermost is subject to the investigatory and enforcement powers of the Federal Trade Commission and/or the Department of Transportation in the case of any failure to comply with the Privacy Shield.