Panopto Privacy Policy 2019 (Outdated)

Effective two weeks from Posting Date

Last updated posting date: November 22, 2019. (Please note: This is an outdated privacy policy. For the most current version, please see https://www.panopto.com/privacy/)

The following privacy policies provide important information regarding how Panopto, Inc. and its subsidiaries and affiliates (collectively, “Panopto”, “we” or “us”) process, use, collect, disclose, utilize and protect information when you use our services, websites and/or products (the “Services”), as well as how we use, disclose, protect, and share your information. This Privacy Policy does not apply to third-party services that are not under Panopto’s control; those parties’ services are governed by their own privacy policies.

Panopto is a proud member of Internet2. For details on the Internet2 Privacy Policy and Terms of Service, please visit the following Internet2 sites:
https://www.internet2.edu/policies/privacy/
https://www.internet2.edu/policies/terms-of-use/

Definitions

  • “Authorized Users” are those individuals (such as viewers, employees, staff, faculty, student, members, or other persons) who are authorized by a Customer to access certain multimedia, audio, video or other content from their respective account.
  • “Authorized Support Contacts” means individuals identified by a Customer as authorized to request and modify Services with Panopto.
  • “Customer” means the organization(s) or Panopto Pro individual that have permission to utilize and use Panopto Services to provide services and distribute media from their account.
  • “(Data) Controller” is an agency, entity, or legal person who determines the purposes and means of processing Personal Data.
  • “(Data) Processor” is an agency, entity, or legal person with responsibility for processing Personal Data on behalf of a Controller.
  • “Licensee” – see “Customer”
  • “Partners” are trusted third parties that provide Panopto with a portion of the services that we provide to you.
  • “Personal Data” is any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified by referencing an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • “Services” means the cloud-based hosted services, on premise server deployments, plug-ins, applications, media recorders and players, custom websites, and storage for our video content management software that we provide to Customers.
  • “you” means any Authorized User that is authorized to use our Services through a Customer’s account.

Panopto as a Data Processor
Panopto primarily provides its Customers, which include both organizations and individuals, with a video hosting platform, and with tools for managing and distributing video, audio, written and other content over the Internet. Panopto has limited knowledge of Customer data within that platform, and only processes hosted data in accordance with the Customer’s instructions. Panopto is a Processor of hosted data, including Customer Content. The Customer is the Controller for that hosted data, including all their provided Content.

Customers utilize our Services to distribute, display, process, and store video, audio, written, and other Content belonging to them or their respective Authorized Users. Such content on the Customer’s account may be viewable to various sized audiences depending upon the Customer-selected configuration of our Services.

Our Customers are responsible for maintaining the privacy of Personal Data pertaining to their Authorized Users, in the Customer’s capacity as the Controller of Personal Data uploaded to our Services.  Panopto processes information under the direction of its Customers and may have no direct relationship with the individuals whose Personal Data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Panopto Customer (the “Data Controller”).

Similarly, Panopto has no direct control over the data collected by its Customers. Panopto Customers choose the geographical regions for the storage of data for which they are the Controller, are directly responsible for the configuration and administration of their Panopto Services, and are responsible for adhering to legal and regulatory requirements, including the collection and maintenance of any necessary rights, permissions, and consents for the data which they collect and process as a Controller.

Panopto as a Data Controller
In some circumstances, such as during the account registration process for use of Panopto Services, during billing procedures, and through your use of Panopto Services, Panopto collects and maintains Personal Data. This data is collected and maintained solely for the offer and maintenance of Panopto Services for Customer use, and for the relevant communications and uses detailed within this policy. For these purposes, Panopto is the Controller.

The collection and processing of your Personal Data for direct use and administration of our Services is based on contractual obligation, necessary to provide you with access and use of the Services. Panopto also processes Personal Data where it has a legitimate interest to do so, where we have your consent, and where we are legally required. We have outlined the details for the types of Personal Data processing Panopto engages in below.

Collection of Personal Data

Information Collected from You Directly
Panopto requires some of your Personal Data to effectively operate, while providing you the best experiences with our Services. Some of this data comes directly from you when you perform transactions with Panopto, such as:

  • Contact us via our websites, phone, email, or Support team,
  • Create a Panopto account, or have an Authorized User account created for you,
  • Act as, or be designated as, an Authorized Support Contact on behalf of your organization or the primary Panopto Pro account holder,
  • Administer your organization’s or your Panopto Pro dashboard access,
  • Login to or utilize the Services, including any upload/download of Content,
  • Respond to marketing promotions that we offer,
  • Inquire or apply for employment with Panopto.

This data may include name, username, title, mailing and billing addresses, organization or employer, phone number, email address, and/or information automatically collected, as detailed below.

Information Collected Automatically
As is true of most websites, we also gather certain information automatically when you visit our websites, mobile application, or interact with our Services, including viewing, commenting on, or otherwise interacting with Content. This information is used to analyze aggregated trends and to administer our Services, and may include Internet protocol (IP) addresses, the type of device you use, operating system and version, device identifier, where the application was downloaded from, usage information, events that occur within the application, performance data, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), date/time stamp, and/or clickstream data. Please see the Cookies and Similar Technology section below for more details.

Similarly, if you contact our customer support team, we may automatically collect or request this information to aid in troubleshooting and error reporting.

Information Received from Third Parties
As detailed above, Panopto primarily acts as a Processor of the Personal Data provided to us by our Customers. We may also receive information about you from other sources, including publicly available databases or from third parties. This data helps us to update, expand, and analyze our records, identify new Customers, and identify Services that may be of interest to you. This may include purchased marketing data about our Customers from third parties, that is combined with information we already have about you, to create more tailored advertising and Services.

Mobile App

When you download and use our Services, we may automatically collect information on the type of device you use, operating system version and the device identifier (or “UDID”).

We may send you push notifications from time-to-time in order to update the services, or to notify you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level.

We use mobile analytics software to allow us to better understand the functionality of our mobile software on your mobile device. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from.

Use of Personal Data

This section describes how Panopto uses the Personal Data that we collect to operate our business and to provide you our Services, including improvements to those Services and in the personalization of your experiences. We may also use the data to communicate with you, providing account information, security updates and Service information. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers. Additionally, data is used to market our Services, to comply with applicable laws and legal processes, to enforce our terms and conditions, and to allow us to pursue available remedies or limit any damages that we may sustain.

To provide a requested service or carry out a contract with you, we use Personal Data collected from you in the following ways:

  • Customer Support: to diagnose and repair technical issues and provide other customer care and support services.
  • Account Notifications: to communicate Service and account notifications to you. For example, we may contact you by phone, email, or other means to inform you of account status, usage, and billing details, and to notify you when security updates are available.
  • Security, Safety, and Dispute Resolution: to protect the security and safety of our Services and our Customers, to detect and prevent fraud, to resolve disputes, and to enforce our agreements.
  • Providing the Services: to carry out transactions requested by you or the respective Customer, and to provide our Services, such as the account administration, viewing, and analytical tools provided within our platform.

Where we have a legitimate interest, we may also use data collected from you in the following ways:

  • Service Personalization: to include personalized features and recommendations that enhance your productivity and user experience enjoyment, and automatically tailor your Service experiences based on the data we have about your activities, interests, and locations.
  • Business Operations: to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions about, and report on the performance of our business.
  • Service Improvement: to continually improve our Services, including adding new features or capabilities. For example, we use error reports to improve performance features of our Services, and usage data to determine new features or Services to prioritize.

Where we rely on legitimate interest for processing your information, we carry out a ‘balancing test’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing. To better understand how to control the Personal Data collected for these types of processing, please see the Cookies and Similar Technology section below.

Where we have your consent, we may use data we collect to communicate with you in a variety of formats and to tailor those communications to you.

Examples include:

  • inviting you to participate in surveys,
  • email subscriptions,
  • promotional communications from Panopto by email, SMS, physical mail, or telephone,
  • recruitment, employment and education verification, background checks and human resource matters.

Automated decision making
Panopto employs automated decision making (also known as “profiling”) in the processing of your data in very limited ways, and only in accordance with the specifications of this Policy and applicable laws. For example, we may auto-assign customer support personnel to respond to your inquiries, based on your organization or affiliated Customer, and necessary details of that contract, or auto-assign a regional contact to assist you, based on your location. These actions are necessary to provide you with our Services and related support.

Similarly, some automated decision making is used, with your consent, to determine appropriate communications to you, as detailed above.

Sharing of Personal Data

This section describes how Panopto may share and disclose Personal Data. Customers determine their own policies and practices for the sharing and disclosure of data, and Panopto does not control how they choose to share or disclose Information.

Panopto, Inc. and its subsidiaries and affiliates are in different countries around the world and by accessing our Services, your information may be transferred outside of your local jurisdiction. For additional information, see the International Data Transfers section of this Policy.

Panopto may share your Personal Data with your consent, or as necessary to complete a transaction or provide a Service you or a Customer has requested or authorized. For example:

  • We may disclose generic, aggregated (pseudonymized) demographic information, not linked to any specific Data Subject, regarding Panopto visitors and users with a Customer owning the content you have interacted with, and to our business partners, trusted affiliates, and suppliers or agents working on our behalf.
  • We may use third-party service providers to help us operate or administer the Services. For example, companies we’ve hired to provide customer service support or to assist in protecting and securing our services and systems may need access to Personal Data to complete those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
  • We may disclose Personal Data to a third-party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
  • As we believe to be necessary or appropriate, we may disclose Personal Data: (a) under applicable laws, including laws outside your country of residence; (b) to comply with a subpoena or other legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

If you elect to use connected third-party applications, your Personal Data may be shared with the companies who provide those applications. In those cases, we encourage you to review and understand the terms and conditions and privacy policies of those third parties, over whom we have no control.

As an example, for Panopto Pro accounts, Panopto relies on a Partner to process associated payments. Your billing information is collected and processed by the Partner, at the direction of, and on behalf of Panopto.

Protection of Personal Data

Panopto has adopted security measures to protect Personal Data against loss, theft, unauthorized access, alteration, disclosure, or destruction.  These measures include policies, procedures, employee training, physical access control, and technical elements relating to data access controls.  In addition, Panopto uses industry-standard encryption to facilitate the exchange and transmission of data.  Panopto only processes Personal Data in compliance with the purposes for which it has been collected, in accordance with this Policy.

If Personal Data is acquired by an unauthorized person, and applicable law requires notification, we will promptly notify the affected Data Controller and where applicable and known to Panopto, we will also notify the affected Data Subject(s).  Notice will be consistent with the legitimate needs of law enforcement, and any measures necessary for Panopto or law enforcement to determine the scope of the breach and to ensure or restore the integrity of a system.  Panopto may delay notification if we, or a law enforcement agency, determine that the notification will impede a criminal investigation. In such case, notification will not be provided unless and until we or the agency determines that notification will not compromise the investigation.

Data Retention

Panopto will only retain your Personal Data for as long as is necessary for us to use your information as described above and to comply with our legal obligations. Please be advised that this means that we may retain some of your information after you cease to use our Services. For instance, we may retain your Personal Data as necessary to meet our legal obligations, enforce an agreement, or for tax and accounting purposes.

Your Rights as a Data Subject

You have several rights when it comes to your Personal Data. Further information and advice about your rights can be obtained from the data protection regulator in your country.

If you wish to exercise any of these rights, you must contact the appropriate Controller, which may be a Panopto Customer.

Rights: What does this mean?
1. The right to object to processing: You have the right to object to certain types of processing, including processing for direct marketing. To manage your contact data, Panopto email subscriptions, and Panopto promotional communications, visit the Profile section of your Panopto platform account.
2. The right to be informed: You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. We are providing you with this information through this Privacy Policy.
3. The right of access: You have the right to obtain access to your Personal Data information that Panopto controls, in order to ensure that we’re using your information in accordance with data protection laws.
4. The right to rectification: You are entitled to have your information corrected if it’s inaccurate or incomplete.
5. The right to erasure: This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your information where there’s no compelling reason for the Controller or Processor to keep using it. This is not a general and total right to erasure, and specific conditions apply.
6. The right to restrict processing: You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. Panopto may continue to maintain a list of individuals for which processing is restricted, to ensure the request is respected in future.
7. The right to data portability: You have rights to obtain and reuse your Personal Data for your own purposes across different services. If you request a copy of the Personal Data that Panopto is the Controller for, we will deliver it in .csv format or similar.
8. The right to lodge a complaint: You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection regulator.
9. The right to withdraw consent: If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Data for marketing purposes. To manage your contact data, email subscriptions, and promotional communications, visit the Profile section of your Panopto platform account.

Panopto is a service provider and may not be the Controller of your Personal Data.  If you wish to exercise any of your rights as detailed above, please first contact the appropriate Panopto Customer. You can also contact Panopto directly, using the information listed in the Contacting Panopto section of this policy. If Panopto is not the Controller responsible for responding to your request, we will forward the request to the appropriate Panopto Customer. Where Panopto is the applicable Controller, we usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:

  • baseless or excessive/repeated requests, or
  • further copies of the same information.

Alternatively, we may be entitled to refuse to act on the request.

Please consider your request responsibly before submitting it. These requests do not apply to mandatory service communications that are part of certain Panopto Services, nor to Personal Data controlled by Panopto’s Customers. Generally, Panopto will respond within 30 days from when we receive your request, unless the request will take substantially longer to fulfill.

Cookies & Similar Technologies

Panopto and our partners may use cookies or similar technologies to analyze trends, administer the Services, track users’ movements around, and interactions with, the platform and website, and to gather demographic information about our user base as a whole.  You can control the use of cookies and similar technologies at the individual browser level.

However, if you choose to disable any of these, it may limit your use of certain features or functions on our website and Services. To manage cookies and similar technologies for your browser, see our page on How to Manage Cookies, which includes information on the types of cookies and technologies that Panopto uses.

International Data Transfers

Panopto Customers have control and responsibility for selecting the appropriate geographical region(s) in which they store and upload data, including Personal Data, and administer Panopto Services in accordance with data protection regulations governing the Customer’s data controlling activities.

Panopto is a multinational organization that is headquartered in the United States and has subsidiaries, systems and business functions around the world. We may share Personal Data within Panopto entities and transfer it to countries where we do business, including outside of the European Union and other countries pursuant to standard contractual clauses. Other countries may have privacy laws that are different from privacy laws in your country. We handle Personal Data as described within this policy, regardless of location. Through contractual requirements, Panopto strives to ensure that any employee, partner, or service provider with access to Personal Data, adheres to these same practices.

European Union Model Clauses
Panopto offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and for other international transfers of Personal Data. A copy of our standard data processing addendum, incorporating Model Clauses, is available upon request by contacting us at [email protected].

Other Important Privacy Information

Notice to Authorized Users
If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access Panopto Services, the owner of the domain (e.g., your organization) associated with your email address may control and administer your Panopto account, and may access and process your data, including the contents of your communications and files.

Your use of Panopto Services may be subject to your organization’s policies and procedures. Panopto is not responsible for the privacy or security practices of our Customers, which may differ from those set forth in this privacy statement. Personal Data and privacy inquiries should be directed to your organization’s administrator.

Children
Panopto’s website and services are not designed for use by children under the age of 16.  Except as detailed in the paragraph below, Panopto does not voluntarily or knowingly collect information from children under 16.  As such, if you are under the age of 16, please stop using this website and/or Panopto Services.  If you are a parent or guardian and believe that we may have collected Personal Data from someone under the age of 16, please let us know by emailing [email protected].

If a Panopto Customer uploads content containing Personal Data of a minor under the age of 16, Panopto may process that Personal Data, in order to provide the Services to the Customer. It is the responsibility of the Panopto Customer to obtain any consents required under applicable law, including under the Children’s Online Privacy Protection Act (COPPA) and relevant data protection laws, for the collection of such Personal Data.

Changes to this Privacy Policy
Panopto may change, modify, or update this Privacy Policy at any time. When we do, we will revise the date at the top of this page and provide a link to the archived previous version. We encourage you to check this page for any changes and to stay informed about how we protect the Personal Data we collect. If you continue to use the Services, you acknowledge and agree that it is your responsibility to review this Privacy Policy periodically and become aware of any modifications.

Contacting Panopto
If you are concerned about your privacy while using Panopto Services that are provided by a Customer, you should first address requests and inquiries relating to your Personal Data directly to that specific Customer. If you contact us regarding information on an account of a Customer, we may forward your requests or inquiries to the relevant Customer.

If you have any questions about this Privacy Policy, the Personal Data practices of Panopto, or our Services, please contact us at  [email protected] or via mail (worldwide) at:

Panopto, Inc.

Attn: Data Protection Officer

506 2nd Avenue
Suite 1600
Seattle, WA 98104

Our representative in the EU for the purposes of compliance with the GDPR is Panopto EMEA Limited, the UK-based subsidiary of Panopto, Inc., which may be contacted at:

Panopto EMEA Limited
White Collar Factory
1 Old Street Yard
London EC1Y 8AF
Attn: GDPR
Phone: +44 (0)203 137 5955