Introduction

This Privacy Notice (“Notice”) describes the types of information Pure Storage Inc. and its subsidiaries and affiliates, (collectively, “Pure,” “we,” “our,” or “us”) collect through our websites, including the website at purestorage.com (our “sites”) or any website that uses this notice, how we use and disclose such information, the steps we take to protect it, and how you can exercise your data protection rights.

We will only process your personal data in accordance with this Notice and any applicable law to which we are subject when offering you a localized website in your language and country, in particular any United States federal and state legislation, and for users located in the EEA and the UK subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and all other national data protection laws globally (altogether “Data Protection Legislation").

If you are unable to access this notice due to a disability or any other impairment, please contact us using the contact details provided below and we will arrange to supply you with the information you need in an alternative format that you can access.

Data Privacy Framework

1. Compliance. Pure Storage, Inc. and its U.S. subsidiaries, Pure Storage, LLC, Pure Storage Holdings, Inc., Pure Storage International, Inc., and Portworx Inc., comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Pure Storage, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Pure has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

2. Complaints. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pure Storage, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Pure Storage, Inc. at privacy@purestorage.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Pure Storage, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

3. Arbitration. If your DPF complaint cannot be resolved through the above channel, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

4. Onward Transfers. Transfers of Personal Information to a third party acting as a data processor are covered by the provisions of this Notice. Pure Storage, Inc. holds contracts with the third-party Data Processor that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify Pure Storage, Inc. immediately if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third party Data Processor ceases processing or takes other reasonable and appropriate steps to remediate. When transferring Personal Information to a third party acting as a Data Processor, Pure Storage, Inc. : (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the Data Processor is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the Data Processor effectively processes the Personal Information transferred in a manner consistent with the Pure Storage, Inc.’s obligations under the Principles; (iv) requires the Data Processor to notify Pure Storage, Inc. if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), Pure Storage, Inc. will take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that Data Processor to the Department of Commerce upon request.

5. Liability. Pure Storage, Inc. is potentially liable in cases of onward transfer to third parties of data of EU, the United Kingdom, or Swiss individuals received pursuant to the Data Privacy Framework.

6. Enforcement. Pure Storage, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Data Collected, Purpose and Legal Basis

Pure Storage, Inc. collects personal information in a variety of contexts, each of which is defined below. The categories of information, types of information, sources of information and our purposes for collecting, processing, using, and sharing such information is determined based on this context. “Personal Data” is information relating to, directly or indirectly, an identified or identifiable natural person or household.

When visiting our Sites

Pure collects Personal Data through our sites. This includes things like your name, postal address, telephone number, and email address, as well as less obvious information, e.g., browser and device data, and internet or network activity information, such as activity on our sites, data collected through cookies, pixel tags and other technologies, and other information that is generated through your use of the internet to access our websites.

Personal Data is collected from you directly or through your web browser when accessing our sites. The purpose of our processing is to optimize the user experience and the site's functionality including creating statistics, developing new as well as enhancing, improving, or modifying our products and services; and identifying usage trends, for example, understanding which parts of our sites are the most interesting to any visitor.

This processing of Personal Data is necessary for us to pursue our legitimate interest in operating and improving these Sites (Article 6(1) (f) GDPR).

When signing up for our Communications

If you sign up for communications, we will collect your name, e-mail address, your IP address, and the language in which you wish to receive such communications.

The purpose for collecting your Personal Data is to contact you for marketing and sales purposes, including notifications related to product enhancements, warranties, and renewals, that are related specifically to customer needs and interests.

The sending of marketing materials and the necessary processing of respective Personal Data is based on the consent of the recipient to receive the newsletters (Article 6(1) (a) GDPR).

However, where local laws require a separate legal basis for the processing than consent (e.g. Denmark), Personal Data is processed to pursue our legitimate interest in marketing our services and engaging with our customers and prospects (Article 6(1) (f) GDPR).

When engaging with us through Social Media

Pure’s sites may use social media features, such as the Facebook “like” button etc.. These features may collect your IP address and which page you are visiting on our site, and may set a cookie, pixel, beacon or other similar technologies to enable the feature to function properly.

You may be given the option by such a feature to post information about your activities on our products and services to a profile page of yours that is provided by a third-party social media network in order to share with others within your network. These features are either hosted by a third-party or hosted directly on sites. Information collected in the context of the feature is subject to the relevant social media platforms’ own data collection, use, and disclosure policies.

Sharing of Your Data

Except as described in this Notice, we will not disclose information about you that we collect on or through our sites to third-parties without your consent, unless legally required or permitted to do so. We may disclose information to third-parties if you consent to us doing so, as well as in the following circumstances:

Any information that You voluntarily choose to include in a publicly accessible area of the Sites will be available to anyone who has access to that content, including other users.

We may share your information with our partners in connection with, selling or distributing our products and services, or engaging in joint marketing activities, in accordance with your expressed marketing preferences.

We may share information with our corporate affiliates (e.g., parent and sister companies, subsidiaries, joint ventures or other companies under common control). If another company acquires, or plans to acquire, our company, business, or assets, we will also share information with that company, including at the negotiations stage.

We may disclose your information if required to do so by any competent law enforcement body, regulatory, government agency, court or other third-party where we believe disclosure is necessary to comply with applicable law or regulation, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.

We also reserve the right to disclose your information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of our products and services and any facilities or equipment used to make our products and services available, or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.

We may make certain aggregated, automatically-collected, or otherwise non-personal information available to third-parties for various purposes, including (i) compliance with various reporting obligations; (ii) for business or marketing purposes; or (iii) to assist such parties in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, advertisements, promotions, and/or functionality available through our Offerings.

We may share your information with service providers. Among other things, service providers may help us to administer our website, conduct surveys, provide technical support, process payments, and assist in fulfillment of services. We contract with these service providers to ensure they only use your information to fulfill their obligations to provide services to us.

We may use artificial intelligence (AI)/machine learning (ML) through third parties to help improve and develop Pure Storage products and services. For example, this may be used to enhance customer service interactions, customer support and marketing purposes. When we do use AI/ML, those applications do not use Pure Storage or your data to train their algorithms.

Cross-border transfer

Your Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, and by browsing our Sites You understand that your information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your Personal Information.

When we transfer Personal Data out of the European Union (“EU”), European Economic Area (“EEA”), the United Kingdom (“U.K.”), and Switzerland to countries that do not benefit from an adequacy decision, we may rely on Standard Contractual Clauses or other legal transfer mechanisms with appropriate safeguards in place to protect Personal Data. As previously noted, Pure Storage, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) for transfers of Personal Data from the EU, EEA, U.K. (and Gibraltar), and Switzerland to the U.S.

Data retention

We retain Personal Data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymize it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.

Data Security

We have put in place appropriate security measures to prevent your Personal Data from being lost, used, or accessed in an unauthorised way, altered or disclosed. In addition, only employees and contractors who have a relevant and reasonably required need to access your Personal Data to perform their work have access to your Personal Data.

Cookies & Similar Technologies

Like many websites, Pure uses automatic data collection tools, such as cookies, embedded web links, and web beacons. These tools collect certain standard information that your browser sends to our Sites such as your browser type and the address of the website from which you arrived at our Sites. They may also collect information about: 

• Your Internet Protocol (IP) address. This is a number automatically assigned to your computer or device whenever you are connecting to the Internet. It allows web servers to locate and identify your device, this is a unique address assigned to your device by your Internet service provider or information systems department on a TCP/IP network.
• Clickstream behavior, which helps us better understand your visit to our Sites and may, in turn, provide you with a more customized experience when you return. This data is aggregated into anonymized analytics in order to measure overall trends and is not tied to a specific individual or their individualized behavior.

When we use Cookies we do this on the basis of our legitimate interest in providing you with a great user experience (e.g., making the sites available to you in your local language and remembering your language choices, etc.). We have classified the Cookies we use in different categories, such as functional, performance and other categories. You can find a description of these categories, the Cookies and how to opt-in or opt-out of either a category or a specific Cookie when you go to our Cookie Consent Manager which usually comes up when you visit our site for the first time. Please note that we do not have a persistence mechanism that captures your preference choices from one web browser to another and/or from one device to another. Therefore you may need to make your preference choices the first time you use a new browser or device to access our sites.

Linked websites

We may provide links to other websites and services that are outside our control and not covered by this Privacy Notice. We encourage you to review the privacy notices posted on those websites (and all websites) you visit.

Forums and Chat Rooms

If you participate in a discussion forum, local communities, or chat room on a Pure website, you should be aware that the information you provide there (i.e. your public profile) may be made broadly available to others, and could be used to contact you, send you unsolicited messages, or for purposes neither Pure, nor you, have control over. Also, please recognize that individual forums and chat rooms may have additional rules and conditions. Pure is not responsible for the personal information or any other information you choose to submit in these forums. To request removal of your personal information from our blog or community forum, please submit a request via the Data Subject Access Request (“DSAR”) form. In certain circumstances, we may not be able to remove your personal information.

Your Rights

EU, EEA, U.K., and Switzerland

If you are a visitor/customer located in the EU, EEA U.K. or Switzerland, Pure is the data controller of your Personal Data. Our legal basis for collecting and using the Personal Data as described above will depend on the Personal Data concerned and the specific context in which we collect it. However, we will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to perform a contract with You, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Data from you.

You have the following rights:

Access: You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it (Article 15 GDPR).

Correction: You have the right to request correction of your personal data that we hold about you. This enables you to have any incomplete or inaccurate information We hold about You corrected (Article 16 GDPR).

Erasure: You may have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for Us continuing to process it. To the extent that continued processing of your personal data is necessary, for example in order for Us to comply with our legal obligations or for legal requirements to be established, enforced or defended, we are not required to delete your personal data (Article 17 GDPR).

Objection: You have the right to object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes You want to object to processing on this ground (Article 21 GDPR).

Restriction: You may have the right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it (Article 18 GDPR).

Portability: You have the right to receive the registered personal data in a structured, commonly used and machine-readable format and, in certain cases, to have it transferred from one data controller to another without hindrance (Article 20 GDPR).

If the processing of your personal data is based on your consent, you are entitled to revoke such consent at any time. Revocation of your consent will not affect the lawfulness of the processing carried out prior to your revocation of consent. You are entitled to withdraw your consent at any time (Article 7 (3) GDPR). If you wish to withdraw your consent please use our Data Subject Access Request (DSAR) form.

Only for France: If you are subject to the French Data Protection Act, you are at any time entitled to issue directives relating to the fate of your Personal Data after your death.

If you are dissatisfied with the way we process your personal data, you can lodge a complaint with the data protection authorities in the country you are located or where you consider a breach of data protection law has occurred (Article 77 GDPR).

California Rights

• Shine the Light Customer Rights

Residents of California have the right to request a disclosure describing what types of personal information we have shared with third-parties for their direct marketing purposes, and with whom we have shared it, during the preceding calendar year. You may request a copy of that disclosure by contacting us.

• California Consumer Rights Under The CCPA / CPRA

The following disclosures apply only to California residents covered under the California Consumer Privacy Act  and/or the California Privacy Rights Act ("CCPA" and/or the “CPRA”):

Personal information collected for a business purpose and for a commercial purpose

The purposes for which we collect your personal information are described under the heading "Data Collected, Purpose and Legal Basis" above. This section describes the business purposes and commercial purposes for which we collect personal information.

Personal information disclosed for a business purpose

This Privacy Notice describes the categories of personal information that we have, disclosed for a business purpose +. Please refer to the sections headed "Data Collected, Purpose and Legal Basis" and "Sharing of your Data" for more information.

Personal information sold or shared

When you use Pure Storage websites, Pure Storage's authorized business partners may collect cookies and similar technologies and use this data for their own purposes. This may qualify as a “sale” or "sharing" under the CCPA. You can make choices to allow or prevent such uses. Depending on your choices, during the past twelve months, our authorized business partners may have collected information within the following categories defined by the CCPA:

● Identifiers like IP address and cookies

● Internet activity information relating to your interactions with Pure Storage websites

● Inferences about your consumer preferences

Right to know and right to delete

You have the right to request that we disclose the personal information we collect, use, disclose and sell. To exercise this right, please follow the instructions described in our Data Subject Access Request (DSAR) form. We do not discriminate against individuals that exercise state-conferred rights.

Note that, as required by law, we will require you to prove your identity.  We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name or email address. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf.  We will require verification that you provided the authorized agent permission to make a request on your behalf.  You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us.  If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

1. A statement indicating that you have authorization to act on the consumer’s behalf sent to privacy@purestorage.com.
2. If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.

Children's Privacy

Protecting the privacy of young children is especially important to Pure. Our sites are general audience websites not directed to children under the age of 18, and we do not knowingly collect personal information from children under the age of 18 without obtaining parental consent. If you believe we have collected information belonging to an individual under the age of 18, please let us know by contacting us.

Changes and Updates

Please revisit this page periodically to stay aware of any changes to this Privacy Notice, which we may update from time to time. If we modify this Privacy Notice. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify You of the change and obtain your consent where legally required. For example, we may send a message to your email address, if we have one on file, or generate a pop-up or similar notification when You access one of our offerings for the first time after such material changes are made.

Contact Information

If you have any questions or comments about this Notice, your Information, our use, and disclosure practices, or your consent choices, please contact Us via our Data Subject Access Request (DSAR) form, by email to privacy@purestorage.com, or by postal mail or toll-free telephone number as listed below:

Pure Storage, Inc.
2555 Augustine Dr.
Santa Clara, CA 95054
Toll-free: +1 - 800-379-7873