Last updated: February 21, 2020
At Particle, we believe that everyone has the general right to Privacy, and specifically, should be able to exercise fine-grained control over how their personal information is used by an organization. To this end, Particle aspires to not only meet the requirements of the various privacy legislation that applies to our global customer and employee base, but also extend a common set of rights which exceeds these requirements to everyone who interfaces with Particle.
This document describes how we do this, and how users of Particle products and services can exercise those rights.
This policy applies to the entire Particle organization, including its products and services. There are no exceptions.
‘Particle’ refers to the legal entity, Particle Industries Inc, headquartered at 126 Post Street, Floor 4, San Francisco, CA 94108, USA. ‘Products and services’ are defined as any application developed by Particle for use by our customers, such as the Particle Web IDE, the Particle Device Cloud, or any physical hardware products shipped by Particle that connect to these services.
Depending on the nature of the relationship between an individual and Particle, Particle’s classification in regards to its role in data privacy can change, and this can alter how Particle responds to requests for information. It does not, however, alter our commitment to safeguarding personal information that we’ve been entrusted with during the course of business.
Particle as a data collector
If Particle collects personally identifiable information from you directly, for example, if you register for an account on the Particle platform, or purchase a Particle product from our store, our relationship with you is as a data collector.
- Under the EU General Data Protection Regulation (GDPR) this classification is known as a data controller.
Particle as a data processor
Particle can also serve as a third-party data processor. This situation occurs when an entity that leverages Particle’s products and services to deliver their own product or service to their customers.
- Under the EU General Data Protection Regulation (GDPR) this classification is known as a data processor.
- Under the California Consumer Privacy Act (CCPA) this classification is known as a service provider.
What does this mean?
Any individual can make a request to Particle directly regarding privacy of personally identifiable information (as described in this policy), but it is important to remember Particle will always respond to such requests in its capacity as a data collector. For various legal, contractual and technical reasons, Particle cannot respond directly to individuals with regards to personally identifiable information collected in its role as a data processor. Instead, Particle works with our enterprise customers to align with their own privacy programs and practices, and establishes mechanisms for timely response to such requests.
So in summary, if you have a third party relationship with Particle through another business, you should make your personally identifiable information privacy request through that business’s published channels. Behind the scenes Particle will be working with them to ensure we do our part to provide relevant information.
Legal basis for collection of personally identifiable information
Particle collects personally identifiable information only where it has a legal basis to do so. Typically, this is because you’ve expressed an interest in, or decided to purchase a Particle product or service, and therefore we need to ship it to you, provide support and perform other general e-commerce transaction and service provider functions. Particle will not intentionally gather information from children under the age of 13.
Types of personally identifiable information collected
Particle may collect the following types of personally identifiable information:
- General personal information, such as full name, email address, mailing and billing addresses.
- Technical identifiers, such as usernames, device IDs, SIM card ID and IP address.
- Geolocation information, such as GPS coordinates.
- Browser identifiers, such as user agent strings.
How Particle collects personally identifiable information
There are three ways in which Particle may collect personally identifiable information:
- Directly, and voluntarily, from you as a consumer of our products and services - through our websites and stores.
- Directly, and autonomously, from your browser or device through visits to Particle websites or while using Particle applications.
- Indirectly, through third party entities, who provide data to Particle during the course of normal business operations. This typically means Particle enterprise customers, but could also include service providers with which Particle has contracted to deliver a specific function, for example, a payment service provider.
Disclosure of personal information
Particle does not ‘sell’ personally identifiable data for direct financial benefit. Particle may share personally identifiable information with it’s chosen service providers in support of its principal business operations, but all such relationships are governed by contractual agreements with those service providers and are routinely vetted to ensure they meet our strict security and privacy requirements.
In relation to Particle’s role as a data processor, Particle will receive and process data on behalf of our customers, before passing the data back to them. Particle stores only the minimum amount of data required to deliver the service reliably, such as device identifiers and IP addresses, and does not make a habit of storing more data than is absolutely necessary.
Responding to legal requests for information
Particle may disclose personally identifiable information as is necessary:
- To comply with a subpoena or court order.
- Cooperate with law enforcement or other government agencies.
- Establish or exercise our legal rights.
- Protect the property or safety of our company and employees, contractors, vendors, suppliers, and customers.
- Defend against legal claims.
- Help with internal and external investigations.
Security of personally identifiable information
Particle has a dedicated information security team that works to ensure that appropriate safeguards and controls are applied to any data collected by Particle. The security team has input into all aspects of Particle’s operations, including the development of hardware and software products, as well as setting company-wide policies and performing operational security monitoring.
When collecting personal information over the Internet via our websites, all transmissions occur via connections encrypted with Transport Layer Security (TLS).
All communication between Particle hardware devices and the Particle cloud is encrypted in transit using an appropriately strong, and modern, set of cryptographic ciphers.
The Particle Device Cloud is hosted in a leading Infrastructure-as-a-Service environment, which is routinely audited against a variety of data security and compliance standards, including SOC II, and ISO 27001.
Payment card data is processed by a third party service provider that has been audited against the Payment Card Industry Data Security Standard (PCI-DSS).
Storage of and transfer of personally identifiable information
All personally identifiable information collected by Particle is processed and stored in the United States.
Retention of information
Generally speaking, the data collected by Particle when delivering its services exchanged in real time. The Particle platform is primarily a conduit for passing that information between Particle hardware and Particle customers. Therefore, by design, there isn’t a great deal of ‘retention’ that happens intrinsically.
Retention of certain financial and transactional records associated with Particle generally happens for financial reporting reasons, or to allow us to identify the owner of a given device to provide support. In these cases, such records are retained for 7 years.
Your rights in regards to personally identifiable information
Particle extends a common set of rights to everyone in regards to how we leverage personally identifiable information. These rights are as follows:
- Right to access - you can request a copy of your personally identifiable information held by Particle. Upon appropriately validating your identity, Particle will submit a copy, in a legible format, of all personally identifiable data collected in the preceding 12 month period within 30 days of receiving the request.
- Right to rectification - in addition to being able to update your Particle user account directly, you can make a written request to Particle to update personally identifiable information held about you.
- Right to erasure (or right to be forgotten) - you can request that Particle erase (‘delete’) personally identifiable elements of data from our systems, and we will do so with consideration for any overriding local, state or federal laws. The most likely outcome of this right is to no longer receive Particle marketing materials. Particle does retain the right to remember that we’ve been asked to forget you.
- Right to restrict processing - You have the right to request that Particle restrict the processing of your personally identifiable information, under certain conditions.
- Right to object to processing - You have the right to object to Particle processing your information, under certain conditions.
- Right to data portability - you have the right to request that Particle transfer your data directly to you, or to another entity. Particle will do so providing we can do so securely.
Making a privacy request
In order to make a request to exercise any of the rights listed above, you must contact Particle’s privacy team via email to firstname.lastname@example.org.
Particle will respond to any privacy requests received here within 30 calendar days. Particle will not disclose, update, or otherwise alter personally identifiable information, unless it can satisfactorily authenticate and identify the subject making the request.
Contacting Particle’s Data Privacy Officer
Please use the following to contact Particle’s Data Privacy Officer (DPO) directly:
By email: email@example.com.
By mail: Privacy Officer, Particle Industries, 126 Post Street, Floor 4, San Francisco, CA 94108, USA.
Particle, like many other organizations, will store session information (often called “Cookies”) in your browser that will help Particle to identify information such as browsing activity, IP addresses and page view order. You do have the option to not use these Cookies; the majority of browsers will have a “help” tool that will help you to prevent Cookies if you want to, but Particle recommends you keep Cookies active as it will provide a better user experience on Particle’s Websites.
Notice to European Union Residents
We’re committed to protecting the rights of EU residents who leverage the Particle platform, and encourage EU residents to contact us to exercise those rights using the mechanism described in the ‘making a privacy request’ section above.
Participation in EU-U.S. and Swiss-U.S. Privacy Shield
Transfer to the United States of European Personal Data
Information submitted to Particle by users of our service is stored on servers located in the United States, and may be transferred by us to third parties who may also be situated in the United States. The United States does not have similar data protection laws to the European Union, and you should be aware in particular that the law and practice in the United States in respect of law enforcement authority access to data is significantly different from Europe. Where we transfer your information we will take all reasonable steps to ensure that your privacy rights continue to be protected consistent with our obligations under local law and the Privacy Shield Framework. By submitting information to Particle, you agree to this storing, processing and/or transfer.
Accountability for onward transfers
Particle is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Particle complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, UK and Switzerland, including the onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Particle is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Resolution of Privacy-Shield Related Queries and Complaint Mechanism
In compliance with the Privacy Shield Principles, Particle commits to resolve any complaints about the collection, or use of personal data. EU residents with inquiries or complaints regarding our Privacy Shield policy should contact Particle’s privacy officer, via email to firstname.lastname@example.org, or via mail to: Privacy Officer, Particle Industries, 126 Post Street, Floor 4, San Francisco, CA 94108, USA.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) using this form: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/. As further explained in the Privacy Shield Principles, a binding arbitration option also be made available to you in order to address residual complaints not resolved by any other means.
Notice to California Residents
Particle operates in accordance with the California Consumer Privacy Act (CCPA), and as such, this policy has been designed to incorporate the specific requirements laid out within the CCPA.
We’re committed to protecting the rights of California residents who leverage the Particle platform, and encourage California residents to contact us to exercise those rights using the mechanism described in the ‘making a privacy request’ section above.
Particle will not discriminate against individuals who exercise their rights under the CCPA.
Categories of personal information collected
Particle collects the following categories of information, as defined under the CCPA:
- Commercial Information
- Geolocation data
- Inferences about personal preferences and attributes drawn from profiling
Do not sell my information
Since Particle is not involved in the sale of personal information to third parties for financial gain, we do not maintain a separate opt-out page, in accordance with the CCPA.
Information disclosed for business purposes
Over the preceding 12 months, Particle has disclosed personally identifiable information to its service providers to support the following business activities:
- Advertising analytics
- Auditing legal and regulatory compliance
- Identifying and fixing technical errors
- Short-term uses
- Contextual ad customization that does not involve or contribute to profiling
- Performing services
- Account maintenance
- Customer service
- Processing transactions
Notice to Particle Employees and Contractors
Particle maintains an internally accessible addendum to this policy that includes specific provisions regarding additional data that is collected during the course of employment at Particle.
Updates to this policy