Effective two weeks from Posting Date
Last updated posting date: November 22, 2019
Previous version (effective May 1, 2018): https://www.panopto.com/privacy-old/
Panopto as a Data Processor
Panopto primarily provides its Customers, which include both organizations and individuals, with a video hosting platform, and with tools for managing and distributing video, audio, written and other content over the Internet. Panopto has limited knowledge of Customer data within that platform, and only processes hosted data in accordance with the Customer’s instructions. Panopto is a Processor of hosted data, including Customer Content. The Customer is the Controller for that hosted data, including all their provided Content.
Customers utilize our Services to distribute, display, process, and store video, audio, written, and other Content belonging to them or their respective Authorized Users. Such content on the Customer’s account may be viewable to various sized audiences depending upon the Customer-selected configuration of our Services.
Our Customers are responsible for maintaining the privacy of Personal Data pertaining to their Authorized Users, in the Customer’s capacity as the Controller of Personal Data uploaded to our Services. Panopto processes information under the direction of its Customers and may have no direct relationship with the individuals whose Personal Data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Panopto Customer (the “Data Controller”).
Similarly, Panopto has no direct control over the data collected by its Customers. Panopto Customers choose the geographical regions for the storage of data for which they are the Controller, are directly responsible for the configuration and administration of their Panopto Services, and are responsible for adhering to legal and regulatory requirements, including the collection and maintenance of any necessary rights, permissions, and consents for the data which they collect and process as a Controller.
Panopto as a Data Controller
In some circumstances, such as during the account registration process for use of Panopto Services, during billing procedures, and through your use of Panopto Services, Panopto collects and maintains Personal Data. This data is collected and maintained solely for the offer and maintenance of Panopto Services for Customer use, and for the relevant communications and uses detailed within this policy. For these purposes, Panopto is the Controller.
The collection and processing of your Personal Data for direct use and administration of our Services is based on contractual obligation, necessary to provide you with access and use of the Services. Panopto also processes Personal Data where it has a legitimate interest to do so, where we have your consent, and where we are legally required. We have outlined the details for the types of Personal Data processing Panopto engages in below.
Collection of Personal Data
Information Collected from You Directly
Panopto requires some of your Personal Data to effectively operate, while providing you the best experiences with our Services. Some of this data comes directly from you when you perform transactions with Panopto, such as:
This data may include name, username, title, mailing and billing addresses, organization or employer, phone number, email address, and/or information automatically collected, as detailed below.
Information Collected Automatically
As is true of most websites, we also gather certain information automatically when you visit our websites, mobile application, or interact with our Services, including viewing, commenting on, or otherwise interacting with Content. This information is used to analyze aggregated trends and to administer our Services, and may include Internet protocol (IP) addresses, the type of device you use, operating system and version, device identifier, where the application was downloaded from, usage information, events that occur within the application, performance data, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), date/time stamp, and/or clickstream data. Please see the Cookies and Similar Technology section below for more details.
Similarly, if you contact our customer support team, we may automatically collect or request this information to aid in troubleshooting and error reporting.
Information Received from Third Parties
As detailed above, Panopto primarily acts as a Processor of the Personal Data provided to us by our Customers. We may also receive information about you from other sources, including publicly available databases or from third parties. This data helps us to update, expand, and analyze our records, identify new Customers, and identify Services that may be of interest to you. This may include purchased marketing data about our Customers from third parties, that is combined with information we already have about you, to create more tailored advertising and Services.
When you download and use our Services, we may automatically collect information on the type of device you use, operating system version and the device identifier (or “UDID”).
We may send you push notifications from time-to-time in order to update the services, or to notify you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off at the device level.
We use mobile analytics software to allow us to better understand the functionality of our mobile software on your mobile device. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from.
Use of Personal Data
This section describes how Panopto uses the Personal Data that we collect to operate our business and to provide you our Services, including improvements to those Services and in the personalization of your experiences. We may also use the data to communicate with you, providing account information, security updates and Service information. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers. Additionally, data is used to market our Services, to comply with applicable laws and legal processes, to enforce our terms and conditions, and to allow us to pursue available remedies or limit any damages that we may sustain.
To provide a requested service or carry out a contract with you, we use Personal Data collected from you in the following ways:
Where we have a legitimate interest, we may also use data collected from you in the following ways:
Where we rely on legitimate interest for processing your information, we carry out a ‘balancing test’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing. To better understand how to control the Personal Data collected for these types of processing, please see the Cookies and Similar Technology section below.
Where we have your consent, we may use data we collect to communicate with you in a variety of formats and to tailor those communications to you.
Automated decision making
Panopto employs automated decision making (also known as “profiling”) in the processing of your data in very limited ways, and only in accordance with the specifications of this Policy and applicable laws. For example, we may auto-assign customer support personnel to respond to your inquiries, based on your organization or affiliated Customer, and necessary details of that contract, or auto-assign a regional contact to assist you, based on your location. These actions are necessary to provide you with our Services and related support.
Similarly, some automated decision making is used, with your consent, to determine appropriate communications to you, as detailed above.
Sharing of Personal Data
This section describes how Panopto may share and disclose Personal Data. Customers determine their own policies and practices for the sharing and disclosure of data, and Panopto does not control how they choose to share or disclose Information.
Panopto, Inc. and its subsidiaries and affiliates are in different countries around the world and by accessing our Services, your information may be transferred outside of your local jurisdiction. For additional information, see the International Data Transfers section of this Policy.
Panopto may share your Personal Data with your consent, or as necessary to complete a transaction or provide a Service you or a Customer has requested or authorized. For example:
If you elect to use connected third-party applications, your Personal Data may be shared with the companies who provide those applications. In those cases, we encourage you to review and understand the terms and conditions and privacy policies of those third parties, over whom we have no control.
As an example, for Panopto Pro accounts, Panopto relies on a Partner to process associated payments. Your billing information is collected and processed by the Partner, at the direction of, and on behalf of Panopto.
Protection of Personal Data
Panopto has adopted security measures to protect Personal Data against loss, theft, unauthorized access, alteration, disclosure, or destruction. These measures include policies, procedures, employee training, physical access control, and technical elements relating to data access controls. In addition, Panopto uses industry-standard encryption to facilitate the exchange and transmission of data. Panopto only processes Personal Data in compliance with the purposes for which it has been collected, in accordance with this Policy.
If Personal Data is acquired by an unauthorized person, and applicable law requires notification, we will promptly notify the affected Data Controller and where applicable and known to Panopto, we will also notify the affected Data Subject(s). Notice will be consistent with the legitimate needs of law enforcement, and any measures necessary for Panopto or law enforcement to determine the scope of the breach and to ensure or restore the integrity of a system. Panopto may delay notification if we, or a law enforcement agency, determine that the notification will impede a criminal investigation. In such case, notification will not be provided unless and until we or the agency determines that notification will not compromise the investigation.
Panopto will only retain your Personal Data for as long as is necessary for us to use your information as described above and to comply with our legal obligations. Please be advised that this means that we may retain some of your information after you cease to use our Services. For instance, we may retain your Personal Data as necessary to meet our legal obligations, enforce an agreement, or for tax and accounting purposes.
Your Rights as a Data Subject
You have several rights when it comes to your Personal Data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
If you wish to exercise any of these rights, you must contact the appropriate Controller, which may be a Panopto Customer.
|Rights||What does this mean?|
|1. The right to object to processing||You have the right to object to certain types of processing, including processing for direct marketing.
To manage your contact data, Panopto email subscriptions, and Panopto promotional communications, visit the Profile section of your Panopto platform account.
|3. The right of access||You have the right to obtain access to your Personal Data information that Panopto controls, in order to ensure that we’re using your information in accordance with data protection laws.|
|4. The right to rectification||You are entitled to have your information corrected if it’s inaccurate or incomplete.|
|5. The right to erasure||This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your information where there’s no compelling reason for the Controller or Processor to keep using it. This is not a general and total right to erasure, and specific conditions apply.|
|6. The right to restrict processing||You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. Panopto may continue to maintain a list of individuals for which processing is restricted, to ensure the request is respected in future.|
|7. The right to data portability||You have rights to obtain and reuse your Personal Data for your own purposes across different services. If you request a copy of the Personal Data that Panopto is the Controller for, we will deliver it in .csv format or similar.|
|8. The right to lodge a complaint||You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection regulator.|
|9. The right to withdraw consent||If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Data for marketing purposes.
To manage your contact data, email subscriptions, and promotional communications, visit the Profile section of your Panopto platform account.
Panopto is a service provider and may not be the Controller of your Personal Data. If you wish to exercise any of your rights as detailed above, please first contact the appropriate Panopto Customer. You can also contact Panopto directly, using the information listed in the Contacting Panopto section of this policy. If Panopto is not the Controller responsible for responding to your request, we will forward the request to the appropriate Panopto Customer. Where Panopto is the applicable Controller, we usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. These requests do not apply to mandatory service communications that are part of certain Panopto Services, nor to Personal Data controlled by Panopto’s Customers. Generally, Panopto will respond within 30 days from when we receive your request, unless the request will take substantially longer to fulfill.
Cookies & Similar Technologies
However, if you choose to disable any of these, it may limit your use of certain features or functions on our website and Services. To manage cookies and similar technologies for your browser, see our page on How to Manage Cookies, which includes information on the types of cookies and technologies that Panopto uses.
International Data Transfers
Panopto Customers have control and responsibility for selecting the appropriate geographical region(s) in which they store and upload data, including Personal Data, and administer Panopto Services in accordance with data protection regulations governing the Customer’s data controlling activities.
Panopto is a multinational organization that is headquartered in the United States and has subsidiaries, systems and business functions around the world. We may share Personal Data within Panopto entities and transfer it to countries where we do business, including outside of the European Union and other countries pursuant to standard contractual clauses. Other countries may have privacy laws that are different from privacy laws in your country. We handle Personal Data as described within this policy, regardless of location. Through contractual requirements, Panopto strives to ensure that any employee, partner, or service provider with access to Personal Data, adheres to these same practices.
European Union Model Clauses
Panopto offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and for other international transfers of Personal Data. A copy of our standard data processing addendum, incorporating Model Clauses, is available upon request by contacting us at email@example.com.
Other Important Privacy Information
Notice to Authorized Users
If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access Panopto Services, the owner of the domain (e.g., your organization) associated with your email address may control and administer your Panopto account, and may access and process your data, including the contents of your communications and files.
Your use of Panopto Services may be subject to your organization’s policies and procedures. Panopto is not responsible for the privacy or security practices of our Customers, which may differ from those set forth in this privacy statement. Personal Data and privacy inquiries should be directed to your organization’s administrator.
Panopto’s website and services are not designed for use by children under the age of 16. Except as detailed in the paragraph below, Panopto does not voluntarily or knowingly collect information from children under 16. As such, if you are under the age of 16, please stop using this website and/or Panopto Services. If you are a parent or guardian and believe that we may have collected Personal Data from someone under the age of 16, please let us know by emailing firstname.lastname@example.org.
If a Panopto Customer uploads content containing Personal Data of a minor under the age of 16, Panopto may process that Personal Data, in order to provide the Services to the Customer. It is the responsibility of the Panopto Customer to obtain any consents required under applicable law, including under the Children’s Online Privacy Protection Act (COPPA) and relevant data protection laws, for the collection of such Personal Data.
If you are concerned about your privacy while using Panopto Services that are provided by a Customer, you should first address requests and inquiries relating to your Personal Data directly to that specific Customer. If you contact us regarding information on an account of a Customer, we may forward your requests or inquiries to the relevant Customer.
Attn: Data Protection Officer
506 2nd Avenue
Seattle, WA 98104
Our representative in the EU for the purposes of compliance with the GDPR is Panopto EMEA Limited, the UK-based subsidiary of Panopto, Inc., which may be contacted at:
Panopto EMEA Limited
53-79 Highgate Road
London, NW5 1TL
Phone: +44 (0)203 137 5955