Privacy Policy

Last updated: March 13, 2024

Overview

At Particle, we believe that everyone has the general right to Privacy, and specifically, should be able to exercise fine-grained control over how their personal information is used by an organization. To this end, Particle aspires to not only meet the requirements of the various privacy legislation that applies to our global customer and employee base, but also extend a common set of rights which exceeds these requirements to everyone who interfaces with Particle.

This document describes how we do this, and how users of Particle products and services can exercise those rights.

Scope

This policy applies to the entire Particle organization, including its products and services. There are no exceptions.

‘Particle’ refers to the legal entity, Particle Industries Inc, headquartered at 325 9th Street, San Francisco, 94103, USA, and our wholly owned subsidiary companies listed in the subsidiaries section of this policy. ‘Products and services’ are defined as any application developed by Particle for use by our customers, such as the Particle Web IDE, the Particle Device Cloud, or any physical hardware products shipped by Particle that connect to these services.

Particle’s Role

Depending on the nature of the relationship between an individual and Particle, Particle’s classification in regards to its role in data privacy can change, and this can alter how Particle responds to requests for information. It does not, however, alter our commitment to safeguarding personal information that we’ve been entrusted with during the course of business.

Particle as a data collector

If Particle collects personally identifiable information from you directly, for example, if you register for an account on the Particle platform, or purchase a Particle product from our store, our relationship with you is as a data collector.

  • Under the EU General Data Protection Regulation (GDPR) this classification is known as a data controller.

Particle as a data processor

Particle can also serve as a third-party data processor. This situation occurs when an entity that leverages Particle’s products and services to deliver their own product or service to their customers.

  • Under the EU General Data Protection Regulation (GDPR) this classification is known as a data processor.
  • Under the California Consumer Privacy Act (CCPA) this classification is known as a service provider.

What does this mean?

Any individual can make a request to Particle directly regarding privacy of personally identifiable information (as described in this policy), but it is important to remember Particle will always respond to such requests in its capacity as a data collector. For various legal, contractual and technical reasons, Particle cannot respond directly to individuals with regards to personally identifiable information collected in its role as a data processor. Instead, Particle works with our enterprise customers to align with their own privacy programs and practices, and establishes mechanisms for timely response to such requests.

So in summary, if you have a third party relationship with Particle through another business, you should make your personally identifiable information privacy request through that business’s published channels. Behind the scenes Particle will be working with them to ensure we do our part to provide relevant information.

Legal basis for collection of personally identifiable information

Particle collects personally identifiable information only where it has a legal basis to do so. Typically, this is because you’ve expressed an interest in, or decided to purchase a Particle product, service, or event, and therefore we need to ship it to you, provide support, perform other general e-commerce functions, send you registration information, and other service provider functions. Particle will not intentionally gather information from children under the age of 13.

Types of personally identifiable information collected

Particle may collect the following types of personally identifiable information:

  • General personal information, such as full name, email address, mailing and billing addresses.
  • Technical identifiers, such as usernames, device IDs, SIM card ID and IP address.
  • Geolocation information, such as GPS coordinates.
  • Browser identifiers, such as user agent strings.

How Particle collects personally identifiable information

There are three ways in which Particle may collect personally identifiable information:

  • Directly, and voluntarily, from you as a consumer of our products and services - through our websites and stores.
  • Directly, and autonomously, from your browser or device through visits to Particle websites or while using Particle applications.
  • Indirectly, through third party entities, who provide data to Particle during the course of normal business operations. This typically means Particle enterprise customers, but could also include service providers with which Particle has contracted to deliver a specific function, for example, a payment service provider.

How Particle uses personally identifiable information

There are two ways in which Particle uses information collected

  • To provide the service or product that you have signed up for. By sending you important information about your account, and performing billing functions.
  • To provide additional information about Particle services, events, new and upcoming products that may be of interest to you.

In both cases listed above, the information is used directly by Particle, and not accessible to any third parties.

Disclosure of personal information

Particle does not ‘sell’ personally identifiable data for direct financial benefit. Particle may share personally identifiable information with its chosen service providers in support of its principal business operations, but all such relationships are governed by contractual agreements with those service providers and are routinely vetted to ensure they meet our strict security and privacy requirements.

In relation to Particle’s role as a data processor, Particle will receive and process data on behalf of our customers, before passing the data back to them. Particle stores only the minimum amount of data required to deliver the service reliably, such as device identifiers and IP addresses, and does not make a habit of storing more data than is absolutely necessary.

Our subprocessors

NameAddressProcessing Purpose
Amazon Web Services, Inc.410 Terry Avenue North, Seattle, WA 98109, United StatesHosting infrastructure
MongoDB, Inc.MongoDB, Inc., 229 W. 43rd Street, 5th Floor, New York, NY 10036Hosting infrastructure
Stripe, Inc.354 Oyster Point Blvd South San Francisco, CA 94080Payment processing
Google, LLC (Google Workspace + Google Analytics)1600 Amphitheatre Parkway, Mountain View, CA 94043, United StatesCorporate email hosting and website analytics
Adobe, Inc. (Marketo)345 Park Avenue San Jose, CA 95110-2704Marketing automation
Zendesk, Inc.1019 Market Street San Francisco, CA 94103 USASupport ticket tracking
Snowflake, Inc.Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, USAData warehousing
Twilio, Inc. (Segment)375 Beale St Suite 300, San Francisco, CA 94105Website analytics
Outreach Corporation333 Elliott Ave W #500, Seattle, WA 98119Email automation
Salesforce.com, Inc.Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105Customer relationship management

Responding to legal requests for information

Particle may disclose personally identifiable information as is necessary:

  • To comply with a subpoena or court order.
  • Cooperate with law enforcement or other government agencies.
  • Establish or exercise our legal rights.
  • Protect the property or safety of our company and employees, contractors, vendors, suppliers, and customers.
  • Defend against legal claims.
  • Help with internal and external investigations.

Security of personally identifiable information

Particle has a dedicated information security team that works to ensure that appropriate safeguards and controls are applied to any data collected by Particle. The security team has input into all aspects of Particle’s operations, including the development of hardware and software products, as well as setting company-wide policies and performing operational security monitoring. Particle is a SOC 2 Type II compliant entity, and undergoes an annual third party audit against this standard.

When collecting personal information over the Internet via our websites, all transmissions occur via connections encrypted with Transport Layer Security (TLS).

All communication between Particle hardware devices and the Particle cloud is encrypted in transit using an appropriately strong, and modern, set of cryptographic ciphers.

The Particle Device Cloud is hosted in a leading Infrastructure-as-a-Service environment, which is routinely audited against a variety of data security and compliance standards, including SOC II, and ISO 27001.

Payment card data is processed by a third party service provider that has been audited against the Payment Card Industry Data Security Standard (PCI-DSS).

Storage of and transfer of personally identifiable information

All personally identifiable information collected by Particle is processed and stored in the United States.

Retention of information

Generally speaking, the data collected by Particle when delivering its services exchanged in real time. The Particle platform is primarily a conduit for passing that information between Particle hardware and Particle customers. Therefore, by design, there isn’t a great deal of ‘retention’ that happens intrinsically.

Retention of certain financial and transactional records associated with Particle generally happens for financial reporting reasons, or to allow us to identify the owner of a given device to provide support. In these cases, such records are retained for 7 years.

Your rights in regards to personally identifiable information

Particle extends a common set of rights to everyone in regards to how we leverage personally identifiable information. These rights are as follows:

  • Right to access - you can request a copy of your personally identifiable information held by Particle. Upon appropriately validating your identity, Particle will submit a copy, in a legible format, of all personally identifiable data collected in the preceding 12 month period within 30 days of receiving the request.
  • Right to rectification - in addition to being able to update your Particle user account directly, you can make a written request to Particle to update personally identifiable information held about you.
  • Right to erasure (or right to be forgotten) - you can request that Particle erase (‘delete’) personally identifiable elements of data from our systems, and we will do so with consideration for any overriding local, state or federal laws. The most likely outcome of this right is to no longer receive Particle marketing materials. Particle does retain the right to remember that we’ve been asked to forget you.
  • Right to restrict processing - You have the right to request that Particle restrict the processing of your personally identifiable information, under certain conditions.
  • Right to object to processing - You have the right to object to Particle processing your information, under certain conditions.
  • Right to data portability - you have the right to request that Particle transfer your data directly to you, or to another entity. Particle will do so providing we can do so securely.

Making a privacy request

In order to make a request to exercise any of the rights listed above, you must contact Particle’s privacy team via email to privacy@particle.io.

Particle will respond to any privacy requests received here within 30 calendar days. Particle will not disclose, update, or otherwise alter personally identifiable information, unless it can satisfactorily authenticate and identify the subject making the request.

Contacting Particle’s Data Privacy Officer

Please use the following to contact Particle’s Data Privacy Officer (DPO) directly:

By email: privacy@particle.io.

By mail: Privacy Officer, Particle Industries, 325 9th Street, San Francisco, CA 94103, USA.

Our subsidaries

NameAddressProcessing Purpose
Particle Industries (Hong Kong) LimitedSuite 603, 6/F Laws Comm Plaza, 788 Cheung Sha Wan Road, Kowloon, Hong KongService delivery and technical support
Padikeji Shenzhen Technology Co.Room 201, Building A, No. 1 Qianwan First Road, Qianhai Shenzhen-Hongkong Cooperation Zone, Shenzhen, ChinaService delivery and technical support
Particle Labs México S.A. de C.V.Particle Labs México c/o Gossler, S.C. Calle José Clemente Orozco 335, interior 304, Colonia Zona Valle Oriente, C.P. 66278, San Pedro Garza García, Nuevo León, MexicoService delivery and technical support

Notice regarding use of Cookies

Particle, like many other organizations, will store session information (often called “Cookies”) in your browser that will help Particle to identify information such as browsing activity, IP addresses and page view order. You do have the option to not use these Cookies; the majority of browsers will have a “help” tool that will help you to prevent Cookies if you want to, but Particle recommends you keep Cookies active as it will provide a better user experience on Particle’s Websites. You can also use the ‘Cookies’ link in the footer of www.particle.io to set marketing cookie preferences.

Notice to European Union Residents

Particle operates in accordance with the General Data Protection Regulation (GDPR), and as such, this privacy policy has been designed to incorporate the specific requirements laid out within the GDPR.

We’re committed to protecting the rights of EU residents who leverage the Particle platform, and encourage EU residents to contact us to exercise those rights using the mechanism described in the ‘making a privacy request’ section above.

Participation in EU-U.S. and Swiss-U.S. Data Privacy Frameworks

Particle complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Particle has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Particle has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

EU/UK Standard Contractual Clauses

In response to the Schrems II case, which invalidated the EU-US Data Privacy Framework from a legal perspective, Particle leverages the Standard Contractual Clauses to provide assurance of protection to data transferred from the EEA to Particle in the United States.

The 2021 Standard Contractual Clauses, approved by the European Commission in decision 2021/914, will apply to data transfers from the European Economic Area to Particle. They will apply in the following manner:

Module One (Controller to Controller) will apply where Customer is a controller of customer data and Particle is a controller of customer data - for example, geo-location data.

Module Two (Controller to Processor) will apply where Customer is a controller of customer data and Particle is a processor of customer data.

Module Three (Processor to Processor) will apply where Customer is a processor of customer data and Particle is a sub-processor of customer data.

To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this policy, the provisions of the Standard Contractual Clauses will prevail.

Transfer to the United States of European Personal Data

Information submitted to Particle by users of our service is stored on servers located in the United States, and may be transferred by us to third parties who may also be situated in the United States. The United States does not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States in respect of law enforcement authority access to data is significantly different from Europe. Where we transfer your information we will take all reasonable steps to ensure that your privacy rights continue to be protected consistent with our obligations under local law and the Data Privacy Framework (DPF). By submitting information to Particle, you agree to this storing, processing and/or transfer.

Accountability for onward transfers

Particle is responsible for the processing of Personal Data it receives, under the Data Privacy Framework (DPF)/Standard Contractual Clauses, and subsequently transfers to a third party acting as an agent on its behalf. Particle complies with the EU Standard Contractual Clauses applicable to all onward transfers of Personal Data from the EU, UK and Switzerland, including the onward transfer liability provisions.

Enforcement

With respect to Personal Data received or transferred pursuant to the Data Privacy Framework (DPF), Particle is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Resolution of Data Privacy Framework Related Queries and Complaint Mechanism

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Particle commits to resolve any complaints about the collection, or use of personal data. EU residents with inquiries or complaints regarding our Data Privacy Framework policy should contact Particle’s privacy officer, via email to privacy@particle.io, or via mail to: Privacy Officer, Particle Industries, 325 9th Street, San Francisco, CA 94103, USA.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) using this form: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/. As further explained in the Data Privacy Framework Principles, a binding arbitration option also be made available to you in order to address residual complaints not resolved by any other means.

Notice to California Residents

Particle operates in accordance with the California Consumer Privacy Act (CCPA), and as such, this policy has been designed to incorporate the specific requirements laid out within the CCPA.

We’re committed to protecting the rights of California residents who leverage the Particle platform, and encourage California residents to contact us to exercise those rights using the mechanism described in the ‘making a privacy request’ section above.

Particle will not discriminate against individuals who exercise their rights under the CCPA.

Categories of personal information collected

Particle collects the following categories of information, as defined under the CCPA:

  • Identifiers
  • Commercial Information
  • Geolocation data
  • Inferences about personal preferences and attributes drawn from profiling

Do not sell my information

Since Particle is not involved in the sale of personal information to third parties for financial gain, we do not maintain a separate opt-out page, in accordance with the CCPA.

Authorized Agents

A California customer may use an authorized agent to make a CCPA privacy request on the customer’s behalf. To make a request on behalf of a Particle customer, the authorized agent must first provide a copy of either (a) a letter signed by the customer authorizing the agent to submit a CCPA request on their behalf, or (b) a valid power of attorney issued pursuant to California Probate Code sections 4000 to 4465. An authorized agent must email one of these documents to privacy@particle.io and include a phone number where the agent may be reached during regular business hours.

Information disclosed for business purposes

Over the preceding 12 months, Particle has disclosed personally identifiable information to its service providers to support the following business activities:

  • Auditing
    • Advertising analytics
    • Auditing legal and regulatory compliance
    • Security
  • Debugging
    • Identifying and fixing technical errors
  • Short-term uses
    • Contextual ad customization that does not involve or contribute to profiling
    • Performing services
  • Account maintenance
    • Customer service
    • Processing transactions
    • Marketing

Notice to Particle Employees and Contractors

Particle maintains an internally accessible addendum to this policy that includes specific provisions regarding additional data that is collected during the course of employment at Particle.

Updates to this policy

Particle may update this privacy policy from time to time and is committed to ensuring the latest version of it is publicly available. Please refer to the ‘last updated’ date at the beginning of this policy.