Commvault Privacy Policy


Commvault Systems, Inc. and its affiliates and subsidiaries (collectively, “Commvault” “us” “we”) prioritize your data privacy and security. Our Solutions empower you to control the collection, use, and processing of your data. Any data collected, used, or shared on a limited basis as a result of your use of our Solutions, Websites, or Portals (as defined herein) will be in accordance with this “Privacy Policy”. 


What Data We Collect


We are provided with data when our products and services (together, the “Solutions”) and our websites or portals (either, “Websites” or “Portals”) are purchased, used, or accessed.  


Types of Data        


Data that identifies, or can reasonably be used to identify, a person or household, either directly or indirectly (“Personal Data”) including:

  • Name and business contacts (email address, physical address, phone number, title, company)
  • Stored data protected by our Solutions
  • Transactional data necessary for us to make and receive payments and deliver the Solutions
  • Information submitted to us by completing forms on our Websites or Portals, entering a promotion or survey, subscribing to, commenting on, or downloading information from our Websites or Portals, or employment candidate applications
  • Recruitment data, as permitted by law, including civil/marital status, date of birth, personal contact information, national ID number, immigration information, driving license, languages spoken, next-of-kin/dependent/emergency contact information, details of any disabilities, resumes and CVs, interview and assessment data, vetting and verification information (e.g., credit, education, financial sanction and background checks), the outcome of your application, employment offer details, and other informal data (e.g., opinions generated during the application process)
  • Online behavior and preferences collected via cookies and other tracking technologies
  • Technical data including electronic identifiers, license entitlement, IP addresses, type of domain names and operating systems, logs, time stamps of usage activities, account modification and authentication metrics, device identifier, geolocation data, browser type and language, access times, encrypted passwords and security questions, account history, and other unique identifiers
  • Demographic information such as your age, gender, country, interests, and preferences, including preferences related to marketing and communications
  • Audio-visual data, where applicable and legally permissible, including CCTV footage of our offices or call recordings


Why we use Data


Commvault uses data, including Personal Data, for a variety of purposes, including:

  • Delivery and optimization of our Solutions
  • Providing best-in-class support for our Solutions
  • Optimizing and personalizing the user experience
  • Commvault Affiliates. Commvault may share data with its affiliates where necessary for administrative purposes or to deliver our Solutions. 
  • Partners. Partners provide us with theirs and their customers’ data as part of marketing, sale and delivery of the Solutions.   Partner represents and warrants they have authorization or the required legal basis to obtain and share such data, including Personal Data, with us.
  • Contractors and Service Providers. Commvault may share data, including Personal Data, with contracted third-party service providers (“Service Providers”). These Service Providers include business partners, payment services, advertising networks, IT and security service providers, auditors and consultants, customer survey companies, staffing and recruiting agencies, and cloud solutions and storage providers. Service Providers with whom we share Personal Data are contractually bound to use and disclose such Personal Data only for the permitted purposes and to provide the same level of protections as required by the relevant Data Privacy Framework (including onward transfer provisions). We require all our Service Providers to use reasonable security measures to protect Personal Data from unauthorized access and use.
  • Legal Purposes. Commvault may share data, including Personal Data, as necessary to comply with applicable laws, court orders, governmental agencies or other lawful requests by public authorities, including to meet national security or law enforcement requirements as well as to protect our security or integrity and that of our customers and partners, or to take precautions against legal liability.
  • Sale. In the event of a merger, consolidation, or acquisition of all, substantially all or a portion of Commvault’s business or assets, you acknowledge and agree that data may be securely shared, disclosed, and transferred to such successor or assignee.


Retention of Data


We may retain data, including Personal Data, for as long as necessary to deliver the Solutions or as needed for other lawful purposes. When your data is no longer required, we ensure it is destroyed in a secure manner. We may retain anonymized or aggregated data indefinitely or to the extent permitted under applicable law.


Global Data Management


Commvault Systems, Inc. is located in the U.S. and has global offices. We act as: (i) a data controller when we collect and process Personal Data for our legitimate business interests, and (ii) a data processor when we provide certain of our Solutions to you as the data controller, joint-data controller, or joint-data processor. Commvault Systems International BV located at Papendorpseweg 75-79, 3528 BJ Utrecht, Netherlands serves as our main establishment for the European Union (“E.U.”). Commvault manages your data in compliance with the E.U.’s General Data Protection Regulation (“GDPR”) and other applicable data privacy and security laws. By using the Solutions, Websites or Portals or by providing Personal Data to us, you acknowledge that Personal Data may be sent to and processed in countries outside your country of residence. For individuals residing in the European Economic Area If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Further information can be found on the official DPF website.


Security


Commvault maintains administrative, physical, and technical safeguards and security measures designed to protect data. Details of our data privacy and security program can be found in Annex II of the applicable Data Processing Agreement. However, we cannot, and we do not believe that anyone can, genuinely guarantee or warrant absolute security of Personal Data disclosed or transmitted via the Internet to us or a third party.


Opt-Out


You can opt-out of receiving marketing and promotional communications from Commvault by following the opt-out instructions set forth in such communication or contacting Commvault Systems, Inc. as set forth below. We will continue to process Personal Data for the purpose of delivering operational and service-related communications relating to our Solutions or policies, and other purposes as permitted by law.


Your Rights


You may have certain rights with respect to Commvault’s handling of Personal Data depending on your geolocation, including without limitation:  

  • Access. You have the right to access your Personal Data held by us. Consumers who reside in California may also request the categories of Personal Data we collect or disclose, the categories of sources of such Personal Data, the business or commercial purpose for collecting that Personal Data, and the categories of third parties with whom we share that Personal Data.
  • Rectification. You have the right to request correction of your Personal Data that is incomplete, incorrect, unnecessary, or outdated.
  • Right to be Forgotten. You have the right to request erasure of all your Personal Data that is incomplete, incorrect, unnecessary, or outdated within a reasonable period of time. We will do everything possible to erase your Personal Data if you so request. However, we cannot erase all your Personal Data if it is technically impossible due to limitations of existing technology or for legal reasons, such as legal mandates to retain Personal Data.
  • Restriction of Processing. You have the right to request restriction of processing your Personal Data for certain reasons, provided we do not have an overriding, legitimate interest to continue processing.
  • Data Portability. If requested, we will provide your Personal Data in a structured, secure, commonly used, and machine-readable format.
  • Right to Withdraw Consent. If your Personal Data is processed solely based on consent, and not based on any other legal basis, you can withdraw consent at any time.
  • Security, auditing, and marketing purposes
  • Processing payments, invoicing and collections
  • Recruitment and hiring practices
  • Business analytics
  • Communications about our Solutions, such as renewal notifications or events 
  • With your consent and if we intend to use your data for purposes outside the scope of this Privacy Policy, or other applicable legal basis, we will seek your consent
  • Where necessary to perform or enforce a contract or comply with law
  • Our legitimate business interests, for example, enhancing our Solutions. Prior to taking such actions, we conduct an assessment to ensure our interests do not override your data privacy rights


To the extent permitted by applicable law, Commvault may use, process, transfer, and share your data in an anonymous, automated, and aggregated manner. We may combine such data with other information collected, including information from third-party sources. By using the Solutions, you acknowledge that we may collect, use, share and store anonymized and aggregated data for benchmarking, analytics, metrics, research, reporting, machine learning and other legitimate business purposes.


How We Use Cookies, Web Beacons, and Other Technologies  


Our Websites and Portals use cookies, web beacons, and other similar technologies to improve the user experience. Cookies are small text files placed on a computer by a web server when browsing online and are used to store user preference data so a web server doesn’t have to repeatedly request this information. You can review and modify your cookie preferences by clicking on ‘Cookie Preferences’ at the footer of the page. However, you may not be able to access all or parts of our Solutions, Websites, or Portals if you block certain cookies. A web beacon is a small pixel incorporated into a web page or email to keep track of activity on the page or email and helps us manage the content of our Websites by informing us of what content is effective.


Do Not Track


Commvault does not change its practices in response to Do Not Track signals from web browsers.


When & Why We Share Your Personal Data


We do not and will not sell Personal Data to marketers or other vendors and we do not access the data protected by our Solutions for marketing or other purposes outside the scope of our Commvault’s Master Terms & Conditions and the applicable Data Agreements.    For the purposes of the California Consumer Protection Act, the categories of data Commvault may share include identifiers, customer records information, commercial information, internet or other network or device activity, and geolocation data.  Commvault may share data or categories of data for the reasons set forth herein with:

(“EEA”) and for Personal Data subject to GDPR, this may include transfers outside of the EEA. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in your country of residence, however we take steps to ensure Personal Data is handled in accordance with this Privacy Policy and all applicable laws. Commvault transfers data from the EEA pursuant to Standard Contractual Clauses, as approved by the European Commission (Art. 46 GDPR). If you are located in the EEA and would like to execute Standard Contractual Clauses with Commvault, please visit Data Agreements.   


Data Privacy Framework Compliance Statements


Commvault complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Commvault has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Commvault has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. 

To learn more about the Data Privacy Framework (DPF) program, please visit https://www.dataprivacyframework.gov. Note that Commvault’s certifications to the DPF is currently pending review and acknowledgment by the Department of Commerce.


In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commvault commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.


The Federal Trade Commission has jurisdiction over Commvault’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).


In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Commvault commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Commvault using contact points indicated in the Commvault Contacts section below.

  • Contact Data Protection Regulators. You have the right to contact data protection regulator(s) regarding our handling of Personal Data.


Additionally, California law provides California consumer residents with the right to not be discriminated against (as provided for in applicable law) for exercising rights thereunder. Further, under California’s “Shine the Light” law California consumer residents have the right, twice in a calendar year, to request and obtain from Commvault information about Personal Data Commvault has shared, if any, with other businesses for their own direct marketing uses. This information, if applicable, would include the categories of Personal Data and the names and addresses of those businesses with which Commvault shared Personal Data for the immediately prior calendar year (e.g., requests made in 2022 will receive information regarding 2021 sharing activities).


Third Party Linking & Content


The Solutions, Websites and Portals may contain links to third-party websites that Commvault does not control or maintain. We are not responsible for the privacy practices employed by these third-party websites and encourage you to read the privacy statements of such other websites before submitting any Personal Data. Our Website may contain third-party content which may include statements, opinions, advice, criticisms, offers or other information (collectively, “Third-Party Content”). Any Third-Party Content solely reflects the opinion and belief of the respective third party and not that of Commvault. We make no endorsement, guarantee or other statement, express or implied, about Third-Party Content. You must independently evaluate any Third-Party Content if you intend to rely on it in any way.


Regarding Children


Commvault does not knowingly collect or distribute any Personal Data from children under 13 years old. If a child under 13 has provided Commvault with Personal Data, the parent or guardian of that child should contact Commvault immediately at privacy@commvault.com to delete this Personal Data.


Changes to Commvault’s Privacy Policy


As laws and best practices evolve, this Privacy Policy will change. At times we may provide privacy notices within our Solutions, Websites or Portals. By continuing to access our Websites and Portals or use our Solutions, you acknowledge and accept the Privacy Policy as updated. We encourage you to periodically review this Privacy Policy to stay informed about how we manage data. If we update this Privacy Policy, the new Privacy Policy will be posted to the website fifteen (15) days prior to the changes taking effect.  If we make a material change to the Privacy Policy, you will be provided with appropriate notice in accordance with legal requirements. At such time, your continued use of the Solutions, or access to our Websites and Portals after notice of posting or notice of such changes, constitutes your agreement to the latest version of this Privacy Policy.


Contact Commvault


Commvault’s Privacy Team can be contacted at privacy@commvault.com.


To exercise any of your rights, or for questions or complaints, please contact Commvault at privacy@commvault.com. We take reasonable steps to verify your identity when you exercise your rights. Please ensure that you keep your contact information up to date and accurate so that we may process your requests in accordance with applicable law and within a reasonable period of time.


You may also contact us by mail:


U.S. and international regions other than the EEA, U.K. or Switzerland:
Commvault Systems, Inc.
Attn: Legal Department/Global Data Governance Officer
One Commvault Way
Tinton Falls, New Jersey 07724

EEA, U.K. and Switzerland:
Commvault Systems International BV
Attn: Legal Department/Global Data Governance Officer
Papendorpseweg 75-79, 3528 BJ
Utrecht, Netherlands.


Last Updated: November 2023