Table Of Contents:
- What Personal Data Do We Collect
- How We Use Your Data And Legal Basis
- Who We Share Your Personal Data With
- How Long Do We Process Your Data
- Cross Border Data Transfers
- Children’s Privacy
- Your Rights
- Contacting LastPass
- European Economic Area, United Kingdom, and Switzerland Supplement
- California Supplement
2. What Personal Data Do We Collect
At LastPass, we strive to limit the types and categories of personal data that is collected from and processed on behalf of our users to include only data which is necessary to achieve the purpose(s) for which it was collected. We do not use personal data for additional purpose(s) which are incompatible with their initial collection. In other words, we have measures and policies in place designed to ensure that we only collect and process data from our users that we believe is necessary to provide them with a world-class Service.
Data We Collect Directly From You
When you visit our website(s), interact with LastPass, or use our Services, you may provide us with the following categories of personal data:
- Customer Account Data. Your email is needed to validate, create, and use LastPass Services. However, you may also choose to provide identifiers such as first and last name or phone number to help maintain and support your account. Members of a LastPass Families Plan may also provide emails and names of other authorized users.
- A Note Regarding Your Mobile Phone Number. You may provide us with your mobile phone number if you set up two-factor authentication and/or opt-in to our SMS account recovery feature. By opting in to SMS account recovery, you consent to receiving autodialed text messages, including SMS messages, that may be sent by or on behalf of LastPass at the mobile phone number you provide us. Message and data rates may apply.
- A Note Regarding Your Master Password. Except for those LastPass Business accounts which utilize alternative authentication methods (e.g., Single Sign On or “SSO”) to access LastPass, users must create a “Master Password,” which is used to access their LastPass account and generate the encryption keys that secure the data they store within the LastPass Service (“Customer Content” as further defined below). LastPass is designed to keep your most sensitive data safe using a local-only, zero knowledge security model. This means that no one at LastPass has access to your master password or the data stored in your vault, except you. Vault data is encrypted locally at the device level before syncing to LastPass servers for safe storage – users can only decrypt their vault using their own unique decryption key derived from their master password.
- Billing Data. LastPass utilizes third-party payment processing providers to process payments made through our websites. Where required for regulatory, legal, tax compliance, or customer support purposes, we store partial payment information (such as the expiration date and last four digits of your credit card). Data that is maintained by our payment processors such as name, address, and phone number associated with a payment method may be accessed only by select individuals with role-based access, in a secure manner, under appropriate confidentiality obligations, and a legitimate need to know. LastPass does not maintain your complete credit card numbers, payment data or otherwise receive or store any billing data where payment is made for a LastPass subscription through the Google Play or Apple App Store.
- Customer Content. Usernames, passwords, secure notes, files, documents, or similar data that we maintain on your behalf, as well as any other information you may choose to upload or input (e.g., manually such as images, audio, or other information or via optional functionality such as password save and fill) to your LastPass account in connection with your use of the Services, all of which is referred to as “Customer Content” in our terms of service. This data is encrypted within your vault using our zero knowledge security model.
- Webinars, Trainings, Contests, and Program Data. Data you provide to us when you create an account; request support or technical assistance; or register for any of our events, contests, webinars, whitepapers and surveys. This typically includes, but is not necessarily limited to, identifiers and employer information, such as first and last name, a valid email address, company name, job title, phone number, and location.
- Support and Correspondence. Data you provide to us when you communicate with us by email, posts to social media pages, or another method. We process this data to respond to you and in the normal course of our business operations. You may also provide audio or video data when we record sales or support calls.
- Feedback. Where you elect to provide us with feedback, which may include, but is not limited to, reviews or suggestions posted online (e.g., in social channels or review sites), on app stores, made in connection with surveys, market research, etc., we may use any applicable personal data provided with the feedback to respond to you. We may also use feedback as described in the Terms of Service.
Data Automatically Collected When Using Our Websites Or Services
- Device and Usage Data (including Session, Location, and Usage data). When you visit our websites and use our Services, we receive data that you or others voluntarily enter, as well as data that is automatically logged by the website or Service (for example, hardware, equipment and devices used, IP addresses, location, language settings, operating system used, unique device identifiers, and other diagnostic, troubleshooting, crash, and bug reporting data). We utilize this data to provide, operate, support the use of, and improve our Services. We collect location-based data for the purpose of providing, operating, and supporting the Service and for fraud prevention, export compliance and security monitoring. (You can disable location data transmission on mobile devices at any time by disabling location services from the settings menu on your device.)
- Cookies and Similar Technologies. Where applicable, if we are permitted to place cookies or contact you for marketing purposes, we may also use your personal data for purposes that are consistent and compatible with the original purpose of collection under the same legal basis or where your consent has been given. Please refer to our Cookie Notice for more information. We may also contact you where we have a legitimate business purpose to do so (e.g., if you are a current subscriber to one of our Services). Note that we have made it easy for you to opt-out of receiving further marketing communications from LastPass at any time by visiting https://lp.lastpass.com/LastPass-Unsubscribe.html.
Data We Collect From Other Sources
- Social Media Integrations. Many of our websites include optional social media integrations and features, such as Facebook, Google, and Twitter “share” buttons. If you use these features, they may collect your IP address or data about which page you are visiting on our site and may set a cookie to enable the feature to function properly. If you use these services, integrations, and features to authenticate your identity or pre-populate our sign-up or feedback forms, you direct these services to provide certain personal data to us, such as your name and email address. You may be able to determine what you authorize those services to provide us via the privacy settings of that service.
- Third-Party Sources. In some circumstances, we work with third-party partners and service providers that provide us with data about you. We also collect publicly available data about you from other third-party sources. This data from third-party sources includes identity breach monitoring data (e.g., for dark web monitoring) and other information that may help us detect potential fraud, or information to identify leads and prospects for marketing purposes. This data may contain personal data such as personal identifiers, professional or employment-related information, business contact information, internet activity information, social media profiles, LinkedIn URLs, and custom profiles. We may combine this third-party sourced data with personal data provided by you to draw inferences or make assumptions.
3. How We Use Your Data and Legal Basis
LastPass processes personal data for the following purposes and relying on the associated legal basis:
| Purpose | Description | Legal Basis for Processing |
|---|---|---|
| Provide, operate, and support our Services | | Necessary for the performance of a contract or our legitimate interest to operate our Services |
| | We process your personal data to manage customer accounts, process payments, manage our relationship with you, and send you administrative and product notifications about the Services | Necessary for the performance of a contract or legitimate interest to manage customer accounts |
| Address and respond to service, security, customer support, and technical issues | We process your personal data if you contact us for support, to assist with responding to your inquiries and use of the Services, and to address technical or security issues | Necessary for the performance of a contract or legitimate interest to fulfill your requests and ensure Services meet customer expectations |
| Improve our Services and enhance security of our users | We process your personal data to identify usage trends and issues in order to optimize and improve the performance of our Services and research security threats and vulnerabilities to provide analysis and valuable insights back to our users | Necessary for the performance of a contract or our legitimate interest to provide our Services and ensure our Services meet our customer expectations |
| Maintain security, regulatory compliance, and to prevent fraud | We process your personal data to detect, prevent, or otherwise address fraud, unlawful activities, comply with applicable law, or to address security issues | Our legitimate interest to protect the integrity of the Services, LastPass, and its users |
| Planning and product development | We process your personal data to conduct research and analysis for internal reporting and business modeling to plan for future product features and forecast business goals | Our legitimate interest in the management of our business operations |

Websites and LastPass-branded sites

| Purpose | Description | Legal Basis for Processing |
|---|---|---|
| Maintain and improve our websites | We process your personal data to operate, improve, and enhance our websites and provide you with information you access and request | Our legitimate interest in providing a functioning online experience and content to our customers and prospective customers regarding our Services and related information |
| | We process your personal data to detect, prevent, or otherwise address security issues or unlawful activity on our websites | Our legitimate interest to protect the integrity of the Services, LastPass, and its users |
| Manage advertising efforts | We process personal data to understand how you use our websites and what you like and dislike to display personalized advertisements and content based upon your interests | Our legitimate interest in advertising our Services to the extent you provided your consent, where required by law. To exercise your rights, please refer to Section 9. |

Visits to our offices and webinars

| Purpose | Description | Legal Basis for Processing |
|---|---|---|
| Manage participation and attendance of webinars and contests | We process your personal data to provision you access to, or allow you to participate in, a webinar, training, whitepaper, or contest | Our legitimate interest in providing the webinar, training, contest, or other programming; necessary for performance of a contract; or consent |
| Register attendees and on-site visitors | We process your personal data to register you and, where applicable, to complete associated non-disclosure agreements for security reasons | Legitimate interest in protecting our employees, visitors, and information; necessary for performance of a contract; or consent |

Other and Communications

| Purpose | Description | Legal Basis for Processing |
|---|---|---|
| | We process your personal data, including recording calls, for training, quality assurance, and administrative purposes and to improve sales operations and customer engagement | Our legitimate interest in maintaining quality customer service and engagement, or consent |
| Identify prospects for marketing purposes | Analyze our records to identify prospects as well as their presumed or identified needs or preferences and serve ads and other communications that may be of interest to you | Our legitimate interest in identifying prospective business contacts and conducting direct marketing |
| | We process your personal data to send you communications about the Services you use as well as marketing information related to your Services, which includes announcements about the Services, product updates, news, or events | Our legitimate interest in conducting direct marketing, or when you have provided prior consent. To exercise your rights and opt-out, please refer to Section 9. |
| To comply with applicable laws and administrative requests | We process your personal data to comply with applicable laws and administrative or law enforcement requests, protect our rights and the rights of others, and to assert and defend against claims | Necessary for compliance with a legal obligation or our legitimate interests of pursuing our legal rights and protecting our interests |
LastPass may aggregate or de-identify your personal data in order to minimize the amount of personal data processed and for purposes listed. LastPass maintains such data without attempting to re-identify it.
4. Who We Share Your Personal Data With
We may share your personal data for the following reasons:
- With our affiliated companies and subsidiaries within the LastPass company group in order to operate our business and provide our services;
- With third-party service providers (such as IT and security service vendors, website hosting facilities, and email distribution services), contractors, and other third parties we use to support our business. Such third parties operate under appropriate confidentiality and data privacy obligations (only for the purposes identified in Section 3, “How We Use Your Data”);
- With specific partners that resell LastPass Services, to the extent you consent to such sharing (where required by applicable law);
- If you are provided our Services by a LastPass customer, we may share your personal data with the affiliated customer responsible for your access to the Services to the extent this is necessary for verifying accounts and activity or investigating suspicious activity;
- With third-party social media networks and advertising networks, so that LastPass can market and advertise on those platforms;
- At your direction, with separate, specific notice to you, or with your consent;
- In connection with a merger, divestiture, acquisition, reorganization, restructuring, financing transaction, or sale of all or substantially all of the assets pertaining to a product or business line;
- To courts or authorities or other third parties if we believe disclosure is lawful, necessary or appropriate to detect, investigate, prevent, or take action against illegal activities, fraud, or situations regarding the safety or rights of LastPass, our employees, you, or others;
- To courts or authorities or other third parties in order to enforce our Terms of Service or other agreements we have with you; and
- As required by law or administrative order, which includes responding to relevant government or regulatory requests (Please refer to our Government Request Policy for more information).
To learn more about how LastPass protects personal data, to review and execute appropriate data processing addendums (where relevant), or review locations where LastPass may process your Customer Content (including any personal data therein), please visit the LastPass Trust & Privacy Center.
LastPass does not sell your personal data as that term is traditionally understood. However, under some US state laws, certain activities, including the use of third-party cookies may be considered a “sale” of your data. We may also share your personal data with third parties for the purposes of cross-contextual advertising.
LastPass may share or disclose aggregate or anonymized data that does not identify an individual or a household.
5. How Long Do We Process Your Personal Data
We keep your personal data no longer than is needed for the business purposes for which it was collected (as outlined in Section 3) or as necessary to comply with our own legal and regulatory obligations. Unless requested sooner or a shorter retention period is defined, the applicable Technical and Organizational Measures (“TOMs”) documentation designates when your personal data, including your account and LastPass vault (and the Customer Content therein), will be deleted in accordance with our record retention processes. We determine the appropriate retention period based on the length of time we have an ongoing relationship with you and a reasonable time after which we may have a legitimate need to reference your personal data to address issues which may arise, whether there is a legal obligation to retain such records, and whether retention is allowed by applicable law.
6. Cross Border Data Transfers
As a global organization, LastPass has international affiliates and subsidiaries, utilizes third-party service providers, and maintains a global infrastructure. Data that we collect and maintain will be transferred to and processed in the United States and other countries around the world. In cases of a transfer to “third countries,” which may be deemed to not provide the same level of data protection required by the European Commission or your applicable jurisdiction, LastPass applies additional safeguards, in accordance with applicable legal requirements, to ensure that the recipient provides an adequate level of data protection. LastPass utilizes, as applicable and required, lawful data transfer mechanisms, such as the Data Privacy Framework (see “Data Privacy Framework Notice” below), Standard Contractual Clauses (inclusive of any variations recognized in other regions of the world), or other appropriate legal mechanisms to safeguard personal data transfers from the European Economic Area, United Kingdom, or Switzerland.
Data Privacy Framework Notice
LastPass complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. LastPass has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. LastPass has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, LastPass commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to https://feedback-form.truste.com/watchdog/request, an alternative dispute resolution provider based in the United States. The services of TRUSTe are provided at no cost to you.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF compliance not resolved by any of the other aforementioned mechanisms, you may, under certain conditions described on the DPF website, invoke binding arbitration. The Federal Trade Commission has jurisdiction over LastPass’ compliance with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
APEC Privacy Certifications
LastPass has implemented a comprehensive information security program which includes appropriate technical and organizational measures designed to safeguard and protect your data. LastPass has been assessed by, and received validation from, independent third-party auditors against recognized security standards and controls, including SOC2 Type II, SOC3 Type II, ISO 27001, and BSI C5.
Additionally, LastPass uses a combination of geographically distributed hosting providers and facilities to help deliver sufficient service availability, uptime, and redundancy needed to provide our global user base with the best possible user experience.
To learn more about LastPass’ security measures and certifications, please visit the LastPass Trust & Privacy Center.
8. Children’s Privacy
LastPass’ webpages and Services are not intended for children. If you inform us or we otherwise become aware that we have unintentionally received personal data from a minor without a parent’s or guardian’s consent, we will delete this data from our records.
9. Your Rights
- Access to your personal data and right to know more about how we process your personal data;
- Export or transfer your personal data (for information about how to export your account and vault, please visit here);
- Rectify or correct personal data about you that is inaccurate, incomplete or out-of-date (please visit here to review resources on correction, including revision of save-and-fill credentials directly within your LastPass vault);
- Erase or delete your personal data (in order to protect the sensitive contents of your LastPass vault from inadvertent deletion, we request you initiate the deletion of your account by following the instructions here);
- Restrict or limit the processing of personal data;
- Object to the processing of your personal data;
- Opt-out of the sale or sharing of your personal data for advertising purposes;
- Not be subject to automated decision-making, including profiling, resulting in legal or similarly significant effects (please note that automated decision-making does not occur on our websites or in our Services); and
- Appeal a refusal to act on any of the above-mentioned rights (please see applicable instructions included in the refusal or submit the appeal to email@example.com with the subject “Appeal of Consumer Rights Request”).
LastPass will not discriminate against you, deny or provide you with a different quality of service, or charge you differently for exercising any of your privacy rights, as required by applicable law.
Exercising Your Rights
To exercise any of the above-mentioned rights, please submit your request to the LastPass Individual Rights Management Portal, e-mail us at firstname.lastname@example.org, or contact us at https://support.lastpass.com, which allows you to make a request online or request a phone call. For security purposes, we will need to verify your identity by matching the identifying information you provide with the personal data we already maintain. At a minimum, we will ask for your name and email address. LastPass will never ask you for your Master Password. We may contact you for additional information that would allow us to reasonably verify your identity or in order to sufficiently respond to your request. The information that we ask you to provide for verification purposes will depend on your prior interactions with us (e.g. if you are a current LastPass user, we may verify your identity through our existing authentication practices) and the sensitivity of the personal data at issue.
We strive to respond to all legitimate privacy requests within one month of receipt, but in any event within the time frames required under applicable law. Depending on the complexity and number of requests we receive, it may take more than a month. If we require more time to process your request, we will let you know.
For your convenience, LastPass users may update their information, change their settings, or exercise some of their rights from within the Services. For more information about exercising your privacy rights, please visit Your Privacy Choices. If you wish to no longer receive marketing communications from us, you can opt-out of marketing emails by clicking on the unsubscribe link on any marketing email you receive or at https://lp.lastpass.com/LastPass-Unsubscribe.html.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you may also contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Please note that where LastPass processes personal data on behalf of our customer, your use is subject to our customer’s policies and privacy and security practices. If our customer provides you with access to our Services, please submit your requests directly with our customer. If you submit your request to us, we will refer the request to our customer and will honor and support any instructions they provide us with respect to your personal data.
11. Contacting LastPass
12. European Economic Area, United Kingdom, and Switzerland Supplement
LastPass Ireland Limited (Ella House, 41.2 Merrion Square, Dublin 2 D02 NP96, Ireland. Data protection officer: email@example.com) is the controller for data collected in connection with your use of the Services if you live in the EEA or Switzerland, or in connection with visits to our offices in the EEA. LastPass UK Ltd (5 New Street Square, London EC4A 3TW, United Kingdom. Data protection officer: firstname.lastname@example.org) is the controller for data collected in connection with your use of the Services if you live in the UK, or in connection with visits to our offices in the UK. For purposes of providing the Services, LastPass Ireland Limited, LastPass UK Ltd, and LastPass US LP (contact information in Section 11) are responsible as joint controllers. The parties have jointly determined the means and purposes of processing.
LastPass US LP is the controller for data collected in connection with visits to our webpages and registration for and participation in our webinars.
Legal Basis For Processing Personal Data
Your Rights As An EU, UK, or Swiss Data Subject
As a data subject in the EEA, UK, or Switzerland, you have certain rights in relation to our processing of your personal data in accordance with applicable data protection regulations:
- Right to access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction (Art. 18 GDPR), right to data portability (Art. 20 GDPR), right to withdraw previously given consent (Art. 7(3) GDPR).
- Right to object (Art. 21 GDPR). In certain circumstances (e.g., where the legal basis for processing is a legitimate interest or if we are performing direct marketing), you may object to continued processing for those purposes. If you do, we will re-evaluate our legitimate business interests and your data protection interests. We will only continue the processing activity if (i) there are compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (ii) the processing is necessary to establish, enforce or defend legal claims.
- Right to lodge a complaint. We prefer to resolve any data protection concerns directly with you. However, you have the right to submit a complaint with a competent supervisory authority in the EEA, UK, or Switzerland where you reside, work, or suspect an infringement has occurred. You may find the contact details for the appropriate data protection authority here: https://edpb.europa.eu/about-edpb/about-edpb/members.
13. California Supplement
- Commercial information;
- Internet activity information;
- Geolocation data;
- Audio and visual information;
- Professional or employment-related information; and
- Inferences drawn from the categories of information described above.
LastPass does not sell your personal information as that term is traditionally understood. However, under California law, certain activities, including the use of third-party cookies may be considered a “sale” of your data. We may also share your personal data with third parties for the purposes of cross-contextual advertising.
Your Rights As A Californian Resident
As a data subject in California, you have certain rights in relation to our processing of your personal data in accordance with the CCPA. These include the right to know and access specific pieces of personal data that we process about you, the right to request deletion of your personal data, the right to request correction of your personal data, the right to opt-out of sharing your personal data for advertising purposes, and the right to non-discrimination for the exercise of your privacy rights. If you are a California resident under the age of 18 years old and have a LastPass account, you may ask us to delete your data (please note that LastPass’ websites and Services are not intended for children).
You may designate an authorized agent to make a request on your behalf if:
- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.
If you use an authorized agent to submit a request to exercise your right to access or right to request deletion of your personal data, please have the authorized agent take the following steps in addition to those steps described above:
- Mail your written declaration authorizing the authorized agent to act on your behalf, certified by a California notary public, to Attn: LastPass Legal Department (Privacy Team), 125 High Street, Suite 220, Boston, MA 02210 with an email cc: to email@example.com; and
- Provide any information we request in our response to your email to verify your identity. The information that we ask you to provide for verification purposes will depend on your prior interactions with us and the sensitivity of the personal data at issue.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with California law.