Privacy Statement

Effective Date: March 1, 2024

Welcome! We are Palo Alto Networks, Inc. (“Palo Alto Networks”, “Company”, “we”, “us” or “our”). Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We view privacy as an integral part of delivering on that mission.

This Privacy Statement explains how Palo Alto Networks (including our family of brands, subsidiaries, and related entities when they specifically reference this Privacy Statement) collects, uses, discloses, and otherwise processes personal information (as defined below) in connection with our websites (the “Sites”) and other websites we own and operate that link to this Privacy Statement, and any other related content, platform, services, products, and functionality offered on or through our services (collectively, the “Services”).

This Privacy Statement applies to personal information collected and/or used by Palo Alto Networks while acting in the capacity of a data controller, as that term is defined in the European Union’s (EU) General Data Protection Regulation 2016/679, the “EU GDPR” or, where applicable, the “United Kingdom (UK) GDPR” (as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018), as amended and supplemented from time to time (together, herein referred to as the “GDPR”), for the purposes and legal bases set out in further detail below. For example, when individuals create accounts within our Customer Service Portal and provide certain personal information (such as name and email address) that is used for authentication purposes, we act as a data controller. When we provide other aspects of our Customer support services (such as reviewing files for troubleshooting), we act as a data processor, or service provider.

This Privacy Statement does not apply to situations where we act as a “processor” or “service provider” in relation to the data our customers submit, manage, use, or process through or as part of our Services (“Customer Data”). For additional information about our data processing activities in our role as a processor or service provider, please see our DPA and our Trust Center. When acting as data controllers, our customers are responsible for making their own disclosures concerning the rights of individuals (e.g., “data subjects” under the GDPR) with respect to personal information and other information regarding data collection and use, in accordance with applicable law.

What is Personal Information?

When we use the term “personal information” in this Privacy Statement, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. The term does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual and does not apply to other information that is excluded from privacy protections under applicable law.

If you are located in the European Economic Area (EEA), the term “personal Information” used in this Privacy Statement includes all “personal data”, as defined under the EU GDPR, and any applicable national implementing laws, as amended from time to time.

Our Collection of Personal Information

At times, we collect personal information automatically when an individual interacts with our Services, directly from an individual, or about an individual from other sources and third parties.

Personal Information Collected from You

We may collect the following personal information submitted to us by individuals through the Services:

• Contact Information, including first and last name, business email address, business postal address, employer, job title, your area of responsibility, company name, phone number, your country or region, and communication preferences.
• Inquiry and Communications Information, including information provided in custom messages sent through the forms, in chat messages, to our email addresses, or via phone. This also includes information provided in order to subscribe to any of our newsletters (such as email address) or contact information provided on our Services.
• Account Information, including first and last name, company name, employer, job title, business email address, customer ID, user ID (or equivalent unique identifier) and password, profile information, affiliations, account balances, payment, customer support, return, replacement, subscription, and history of product and services obtained, purchased, and considered, and any other information you provide to us. Please note we use a third-party provider to process payments on our behalf and do not accept payments directly through our Services.
• Audio or Visual Information, including recordings of customer service or support calls for quality assurance and internal training purposes, and photographs of yourself that you voluntarily consent to provide in connection with reviews of and contests, sweepstakes, surveys, webcasts, and events involving our Services.
• LIVEcommunity and Blog Information, including public profile information, username, comments and posts, topics you follow, interactions you have with other users, comments you post, and any other information you choose to provide. If you choose to post comments on the Palo Alto Networks Blog, accessible at http://researchcenter.paloaltonetworks.com (the “Blog”), please be aware that other users of the blog will see your name, website, and the content of your comments, and may interact with you in response to your comments.
• Contest, Sweepstakes, and Survey Information, including information provided when you enter a contest or sweepstakes, or information included in any questions submitted through surveys or content of any testimonials.
• Event and Webcast Information, including registration information, call-in details, attendee badge information, and business and/or personal contact information, such as email, physical address, mobile or telephone number, job title, and company name.

Personal Information Automatically Collected

We, and our third-party partners, automatically collect information you provide to us and information about how you access and use the Services when you visit our services, read our emails, or otherwise engage with us. We typically collect this information through a variety of tracking technologies, including (i) cookies or small data files that are stored on an individual’s computer and (ii) other, related technologies, such as web beacons, pixels, embedded scripts, mobile SDKs, location-identifying technologies and logging technologies (collectively, “tracking technologies”) and we may use third-party partners or technologies to collect this information. Information we collect automatically about you may be combined with other personal information we collect directly from you or receive from other sources.

We, and our third-party partners, use tracking technologies to automatically collect usage and device information, such as:

• Information about the computer, tablet, smartphone or other device you use, such as your IP address, browser type, Internet service provider, device type/model/manufacturer, operating system, date and time stamp, and a unique ID that allows us to uniquely identify your browser, mobile device, or your account (including, for example, a persistent device identifier or an Ad ID), and other such information. We may also work with third-party partners to employ technologies, including the application of statistical modeling tools, which permit us to recognize and contact you across multiple devices.
• Information about the way you access and use our services, for example, the site from which you came and the site to which you are going when you leave our services, how frequently you access the Services, whether you open emails or click the links contained in emails, whether you access the services from multiple devices, and other browsing behavior and actions you take on the Sites. We may also record information you enter when you interact with our Services or engage in chat features through our Services.
• Information about how you use the Services, such as the pages you visit, the links you click, the ads you view and click on, videos you watch, and other similar actions. We may also use third-party tools to collect information you provide to us or information about how you use the Services and may record your mouse movements, scrolling, clicks and keystroke activity on the Services and other browsing, search or purchasing behavior. These tools may also record information you enter when you interact with our Services or engage in chat features through our Services.
• Information about your location, such as general geographic location that we or our third-party providers may derive from your IP address.
• Analytics information. We may collect analytics data or use third-party analytics tools such as Google Analytics to help us measure traffic and usage trends for the services and to understand more about the demographics of our users. You can learn more about Google’s practices at http://www.google.com/policies/privacy/partners and view its opt-out options at https://tools.google.com/dlpage/gaoptout.

All of the information collected automatically through these tools allows us to improve your customer experience. For example, we may use this information to enhance and personalize your user experience, to monitor and improve our Sites and Services, and to improve the effectiveness of our Services, offers, advertising, communications, features such as live and automated chat and customer service. We may also use this data collected through tracking technologies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the site; (b) provide custom, personalized content and information, including targeted content and advertising; (c) identify you across multiple devices; (d) provide and monitor the effectiveness of our services; (e) monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website; (f) diagnose or fix technology problems; and (g) otherwise to plan for and enhance our services.

If you would prefer not to accept cookies, most browsers will allow you to: (i) change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies; however, doing so may negatively impact your experience using the services, as some features and services may not work properly. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.

We and our third-party partners may also use cookies and tracking technologies for advertising purposes.

For more information about these practices and your choices regarding cookies, please see our Cookie Notice. To opt-out of targeted advertising cookies, click on the link to “Do Not Sell or Share My Personal Information” in the website footer to adjust your targeting cookie preferences.

Personal Information from Third Parties

We obtain personal information from third parties, which we may combine with personal information we collect automatically or directly from an individual.

We may receive the same categories of personal information as described above from the following third parties:

• Our Customers, and Other Users or Individuals who Interact with our Services: We may receive your information from our customers, such as Customer Data, and other users or other individuals who interact with our Services. This includes any information collected by Palo Alto Networks when you or your organization contact us for support related to your organization’s use of our products, services, or events. In such instances, we will also collect information about the reason for the inquiry and any other information provided to us.
• Your Employer / Company: If you interact with our Services through your employer or company, we may receive your information from your employer or company, including another representative of your employer or company.
• Business Partners: We may receive your information from our business partners.
• Social Media: When an individual interacts with our Services through various social media networks, such as when someone “Likes” us on Facebook or follows us or shares our content on Google, Facebook, Twitter, or other social networks, we may receive some information about individuals that they permit the social network to share with third parties. The data we receive is dependent upon an individual’s privacy settings with the social network, and including, but not limited to, your profile information, profile picture, gender, username, user ID associated with your social media account, age range, language, country, and any other information you permit the social network to share with third parties. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media networks and services before sharing information and/or linking or connecting them to other services.
• Service Providers: Our service providers that perform services on our behalf, such as survey and marketing providers and payment processors, collect personal information and often share some or all of this information with us.
• Information Providers: We may from time to time obtain information from third-party information providers to correct or supplement personal information we collect. For example, we may obtain updated contact information from third-party information providers to reconnect with an individual.
• Other Sources: We may also collect Personal Information about individuals that we do not otherwise have from, for example, publicly available sources, third-party data providers, brand partnerships, or through transactions such as mergers and acquisitions.

Our Use of Personal Information

We may use personal information we collect to:

• Provide, deliver, and analyze the Services you have requested, provide you with information related to the Services or that you have otherwise requested, and process transactions, including providing you with a white paper or an online product demonstration you have requested;
• Manage our organization and its day-to-day business operations;
• Verify your identity and authorization to use our Services, when you contact us or access our Services;
• Create and manage user accounts;
• Allow you to activate and access apps on our Cloud Services Portal;
• Register you for and provide you access to events and webcasts;
• Communicate with individuals, including via email, social media, our online live chat or automated chat, and/or telephone calls;
• Request individuals to complete surveys about our organization, organizations we partner with, and the Services;
• For marketing and advertising purposes, including to offer you through email, direct mail, or phone information and updates on products or services we think that you may be interested in (where applicable, we may send you marketing messages if we have your consent);
• Administer, improve and personalize our Services, including by confirming their relevant customer or user information when they return to our Services;
• Accept, record, and adjust your payments for our Services, including through our third party processors;
• Facilitate customer relationships through benefits and services, including customer support for our customers and our customers’ end users;
• Identify and analyze how individuals use our Services;
• Conduct research and analytics on our customer and user base and our Services;
• Improve and customize our Services to address the needs and interests of our user base and other individuals we interact with;
• Test, enhance, update and monitor the Services, or diagnose or fix problems related to our Services;
• Help maintain the safety, security and integrity of our property and Services, technology assets, and business;
• To enforce our Terms of Use, to resolve disputes, to carry out our obligations and enforce our rights, and to protect our business interests and the interests and rights of third parties;
• Prevent, investigate, or provide notice of fraud or unlawful or criminal activity;
• Comply with contractual and legal obligations and requirements;
• To fulfill any other purpose for which you provide personal information; and
• For any other lawful purpose, or other purpose to which you consent.

Where you choose to contact us, we may need additional information to fulfill the request or respond to inquiries. We may provide you with additional privacy-related information where the scope of the inquiry/request and/or personal information we require fall outside the scope of this Privacy Statement. In that case, the additional privacy notice will govern how we may process the information provided at that time.

Our Disclosure of Personal Information

We may share, transmit, disclose, grant access to, make available, and provide personal information with and to third parties, as follows:

• Palo Alto Networks Companies: We may share personal information with other companies owned or controlled by Palo Alto Networks, and other companies owned by or under common ownership as Palo Alto Networks, which also includes our subsidiaries (i.e., any organization we own or control) or our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns, particularly when we collaborate in providing the Services.
• Customers: As mentioned above, when our customers use our Services, we may share Customer Data with our customers which may include your information.
• Other LIVEcommunity and Blog Users: If you participate in any of our online communities or purchase goods or services via our Services, we may disclose your public profile information to other online community members, as well as any other information you choose to provide or make public.
• Contests, Sweepstakes, and Survey Providers: We share personal information with third parties who assist us in delivering our contests, sweepstakes, or survey offerings and processing the responses.
• Marketing Providers: We coordinate and share personal information with our marketing providers in order to communicate with individuals about the Services we make available.
• Customer Service and Communication Providers: We share personal information with third parties who assist us in providing our customer services and facilitating our communications with individuals that submit inquiries.
• Other Service Providers: In addition to the third parties identified above, we engage other third-party service providers that perform business or operational services for us or on our behalf, such as website hosting, infrastructure provisioning, IT services, analytics services, chat functionality services, employment application-related services, payment processing services, and administrative services.
• Ad Networks and Advertising Partners: We work with third-party ad networks and advertising partners to deliver advertising and personalized content on our Services, on other websites and services, and across other devices. These parties may collect information directly from a browser or device when an individual visits our Services through cookies or other data collection technologies. This information is used to provide and inform targeted advertising, as well as to provide advertising-related services such as reporting, attribution, analytics, and market research. Please see our Cookie Notice for more information.
• Business Partners: We enter into certain select marketing relationships with advertisers and other companies that provide products or services that we believe may be of interest to users of the Services. We will share personal information, or any information collected through the Services with those marketing partners in order to help them send you information that we believe will be of interest to you.
• Your Employer / Company: If you interact with our Services through your employer or company, we may disclose your information to your employer or company, including another representative of your employer or company.
• Business Transaction or Reorganization: We may take part in or be involved with a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets. We may disclose personal information to a third party during negotiation of, in connection with or as an asset in such a corporate business transaction. Personal information may also be disclosed in the event of insolvency, bankruptcy, or receivership.
• Legal Obligations and Rights: We may disclose personal information to third parties, such as legal advisors and law enforcement:
  • in connection with the establishment, exercise, or defense of legal claims;
  • to comply with laws or to respond to lawful requests and legal process;
  • to protect our rights and property and the rights and property of others, including to enforce our agreements and policies;
  • to detect, suppress, or prevent fraud;
  • to protect the health and safety of us and others; or
  • as otherwise required by applicable law.
• With Your Consent: We may disclose personal information about an individual to certain other third parties or publicly with their consent or direction. For example, with an individual’s consent or direction, we may post their testimonial on our Sites or service-related publications.

Legal Bases for Processing

Under the GDPR, we process your personal information as follows:

• When it is necessary for the performance of a contract to which you are party, or to take steps at your request prior to agreeing a contract: This applies to any processing where you sign a contract with us, for example when you become our customer, participate in our affiliate or premium partner program, or deliver services to us as a vendor or contractor. This may also include our Terms of Use.
• We have a legitimate interest where such interest is not overridden by your interests or fundamental rights and freedoms. This includes, but is not limited to, the following processing activities:
  • When we communicate: To respond to your inquiries and, on some occasions, keep records in case of complaints or legal claims.
  • When you use our Services: When you access and use our Services (for example, LIVEcommunity), we process technical and analytics data to see if and how our Services can be improved, so that we can offer you a better user experience in the future.
  • Global Suppression List: To avoid contacting you again if you have withdrawn your consent to our marketing-related activities.
  • Marketing to existing customers (apart from scenarios where you have consented to marketing): To find, customize, and offer products and services we hope you find useful and relevant, i.e., provide you with excellent customer service.
  • Sharing personal information with other parties: To run our business efficiently and securely.
• Your consent: Wherever you consent to the processing, for example when you sign up for our newsletters or events, request a demo, free trial or a download, or submit a survey. Here, your consent is implied, meaning that you consent by submitting a particular form to us. We also rely on your consent for using cookies and other technologies on our website when you explicitly agree to these. Note that your default setting depends on your location (country), as the rules for using such technologies vary across jurisdictions.
• We are subject to a legal obligation: For any processing where we need to comply with laws and regulations related to bookkeeping, accounting, taxation, employment, and other business activities (e.g., a legal requirement to maintain certain business records for a set amount of time).

Control Over Your Information

You may control your information in the following ways:

• Access to Your Device Information. Your device may have controls that determine what information we and other websites collect, usually via a “Settings” menu on your device. For instance, you can withdraw permission for Services to access your network devices and geolocation and to integrate with your other applications.
• Email Communications Preferences. You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications. You may not opt-out of Services-related communications (e.g., account verification, transactional communications, changes/updates to features of the Services, technical and security notices).
• Push Notifications. You can stop receiving push notifications from us by changing your preferences via your device’s Settings menu.
• Modifying or Deleting Your Information. If you have any questions about reviewing, modifying, or deleting your information, you can contact us directly at privacy@paloaltonetworks.com. We may not be able to modify or delete your information in all circumstances.

Region-Specific Disclosures

We may choose or be required by law to provide different or additional information relating to the processing of personal information (as defined below) about residents of certain countries, regions, or states. Please refer below for additional information that may be applicable to you:

• California, Colorado, Connecticut, Utah, and Virginia: If you are a resident of California, Colorado, Connecticut, Utah, or Virginia in the U.S., please see our Additional U.S. State Privacy Disclosures below for additional privacy information.
• Nevada: If you are a resident of the State of Nevada, Chapter 603A of the Nevada Revised Statutes permits a Nevada resident to opt out of future sales of certain covered information that a website operator has collected or will collect about the resident. Although we do not currently sell covered information, please contact us at privacy@paloaltonetworks.com with the subject line “Nevada Opt Out Request” to submit such a request.

Your Rights in Respect of Your Personal Information

In accordance with applicable privacy law, you may have the following rights in respect of your personal information:

• Right of access. You have the right to obtain:
  • confirmation of whether, and where, we are processing your personal information;
  • information about the categories of personal information we are processing, the purposes for which we process your personal information, and information as to how we determine applicable retention periods;
  • information about the categories of recipients with whom we may share your personal information; and
  • a copy of the personal information we hold about you.
• Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal information to another person.
• Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.
• Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not justified.
• Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
• Right to withdraw consent. If you have provided consent for the processing of your personal information, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information before your withdrawal.

Under the GDPR, you also have the right to object to any processing based on our legitimate interests where there are grounds relating to your particular situation. There may be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.

You also have the right to lodge a complaint with your local data protection authority. Information about how to contact your local data protection authority is available here. If you are based in the UK or Switzerland, your local data protection authorities are the UK Information Commissioner's Office (https://ico.org.uk/global/contact-us/) and the Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html), respectively.

If you wish to exercise any of these rights, please visit via our Individual Rights Form or contact us using one of the methods listed here. Due to the confidential nature of data processing, we reserve the right to verify your identity when exercising any of the above rights.

Data Retention

We store the personal information we collect about you for no longer than necessary for the purposes set out in this Privacy Statement, and in accordance with our legal obligations and legitimate business interests. If your personal information is subject to the EU GDPR or UK GDPR, the criteria used to determine the period for which personal data about you will be retained varies depending on the legal basis under which we process the personal data:

• Contract. Where we are processing personal data based on contract, we generally will retain your personal data for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from our contractual relationship.
• Legitimate Interests. Where we are processing personal data based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account your fundamental interests and your rights and freedoms.
• Consent. Where we are processing personal data based on your consent, we generally will retain your personal data until you withdraw your consent, or otherwise for the period of time necessary to fulfill the underlying agreement with you or provide you with the applicable service for which we process that personal data.
• Legal Obligation. Where we are processing personal data based on a legal obligation, we generally will retain your personal data for the period of time necessary to fulfill the legal obligation.
• Legal Claim. We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim or intent to establish a claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

We also consider the volume, nature, and sensitivity of your personal data, as well as any potential risk of harm from unauthorized use or disclosure of that personal data.

Storing and Transferring Your Personal Information

Security. We implement appropriate technical and organizational measures to protect your personal information against accidental or unlawful access, destruction, loss, change, or damage. We will never contact you requesting your account ID, password, credit or debit card information or national identification numbers. Please note that email sent over the Internet may not be secure and should not be used to communicate confidential and/or sensitive personal information to us. Therefore, we cannot guarantee the confidentiality or security of any information you send to us over the Internet when using email.

International Transfers of Your Personal Information. The personal information we collect may be transferred to and stored in countries outside of the jurisdiction you are in to locations where we and our third-party service providers have operations, including in the United States of America. For example, if you are accessing our Services from the EEA, UK or Switzerland, your personal information may be processed outside of the EEA, the UK and Switzerland, respectively.

In the event of such a transfer, we ensure that: (i) the personal information is transferred to countries recognised as offering an adequate level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as standard contractual clauses adopted by the European Commission. If you wish to inquire further about these safeguards used, please contact us or visit our Trust Center.

DATA PRIVACY FRAMEWORK STATEMENT

Palo Alto Networks, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), (collectively the “Data Privacy Framework” or “DPF”), as set forth by the U.S. Department of Commerce, regarding the transfers of non-HR personal data from the European Union, the United Kingdom (and Gibraltar), and Switzerland, in accordance with the transfer requirements under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”). Palo Alto Networks has certified to the U.S. Department of Commerce that it adheres to the DPF Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability with respect to all personal data received from the EU, UK, or Switzerland in reliance on the DPF.

If there is any conflict between the terms in this statement and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view Palo Alto Networks’ certification, please visit https://www.dataprivacyframework.gov/. The U.S. subsidiaries of Palo Alto Networks that adhere to the DPF Principles are listed in our self-certification listing. Palo Alto Networks is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with regard to its compliance with the DPF Program.

Purposes of Data Processing

Palo Alto Networks may act as a data processor or a data controller when processing non-HR personal data transferred from the European Economic Area to the United States of America, depending on the product(s) or service(s) being provided. The types of non-HR data Palo Alto Networks collect and process varies depending on the business relationship, the product or service being provided, customers’ preferences, contractual requirements with customers, and the legitimate interests, including marketing, security, billing, transaction processing, product support, and relationship management, as set forth in the Privacy Statement, Privacy & Product Datasheets, and Customer Data Processing Agreement (DPA).

Notice. At the time of data collection, or as soon as practicable thereafter, including via our Customer Data Processing Agreement (DPA), Palo Alto Networks notifies data subjects about its data practices regarding personal data, including the types of personal data it collects about them, the purposes for which it collects and uses such personal data, the types of third parties to which it discloses such personal data and the purposes for which it does so, the rights of data subjects to access their personal data, and the choices and means that Palo Alto Networks offers for limiting its use and disclosure of such personal data.

Choice. Palo Alto Networks offers individuals the opportunity to opt-out of personal data, or opt-in for sensitive data being: (i) disclosed to a third party (other than to Palo Alto Networks service providers under contract or pursuant to lawful request as set forth below), or (ii) used for a purpose materially different from the purpose for which it was originally collected or subsequently authorized by you if such circumstances arise. Where personal data is processed on behalf of a Customer, we will work with that Customer to comply with any individual’s choices for limiting use or disclosure of personal data, in accordance with the Customer’s instructions.

Access. Individuals whose personal data may be processed by Palo Alto Networks are entitled to obtain confirmation of whether such personal data is being processed, access the information held, and ask us to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the laws. Where Palo Alto Network processes personal data on behalf of a Customer and receives individual requests regarding the personal data use or disclosure relating to the Customer, Palo Alto Networks will work with the Customer to comply with such requests in accordance with applicable law and our obligations under the DPF. If requested to remove data, we will respond within a reasonable timeframe.

Accountability for Onward Transfers (Transfer to Third Parties). Palo Alto Networks may transfer personal data to certain third parties (including as described in our Customer Data Processing Agreement (DPA) and Subprocessors List). Where we transfer personal data to a third party, we take reasonable and appropriate steps to ensure the third party processes personal data for limited and specified purposes and in a manner consistent with our DPF obligations. Where the transfer is to a third-party agent acting on our behalf, we may be liable if such third parties fail to meet those obligations.

Security. Palo Alto Networks takes reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We take into account the risks involved in the processing and the nature of the personal data when we implement appropriate technical and organizational procedures to help safeguard and secure personal data from such risks.

Data Integrity and Purpose Limitation. Palo Alto Networks will retain personal data for a reasonable period of time necessary to comply with applicable law, in accordance with our document retention practice, and in a manner that is compatible with and relevant to the purposes for which it was collected or authorized by individuals. To the extent necessary for those purposes, we will take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.

Lawful Requests. We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Palo Alto Networks will only disclose such personal data in accordance with our government and law enforcement agency request handling process.

Enforcement and Dispute Resolution. Palo Alto Networks has established internal mechanisms to verify our ongoing adherence to the Principles and is committed to resolving complaints about our collection or use of your personal data. If you have a question or complaint related to Palo Alto Networks’ participation in the DPF, we encourage you to first contact us via our DSAR form or at the Privacy Team at privacy@paloaltonetworks.com. Please note, to pursue your rights under the DPF, your complaint must concern personal data received from the EU, UK, or Switzerland in reliance on the DPF, which excludes any personal data transferred under the Standard Contractual Clauses (SCCs), any approved derogation from the EU Directive, or other non-DPF data transfer mechanisms.

Palo Alto Networks has further committed to refer unresolved privacy complaints under the DPF Principles to a U.S.- based, independent dispute resolution mechanism, the Data Privacy Framework Services Program operated by the Better Business Bureau (BBB) National Programs. If you do not receive timely or satisfactory acknowledgment of your complaint, please visit https://bbbprograms.org/dpf-complaints for more information about how to file a complaint. This service is provided at no cost to you.

If neither Palo Alto Networks nor its dispute resolution provider is able to resolve your DPF complaint, you may be entitled, under certain conditions, to invoke binding arbitration through the Data Privacy Framework Panel.

Federal Trade Commission (FTC). Palo Alto Networks is subject to the investigatory and enforcement powers of the Federal Trade Commission. In certain situations, Palo Alto Networks may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have a question or complaint regarding personal data processed under the DPF, please contact Palo Alto Networks at:

Attention: Chief Privacy Officer
3000 Tannery Way
Santa Clara California 95054
United States Of America
Email: privacy@paloaltonetworks.com
Telephone: (408) 753-4000

DPF-certified organizations must respond within 45 days of receiving a complaint.

Children’s Personal Information

Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If an individual is under the age of 16, they should not use our Services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 16, we will promptly delete that personal information.

Links to Third-Party Websites or Services

Our Services may include links to third-party websites, plug-ins, and applications. Except where we post, link to or expressly adopt or refer to this Privacy Statement, this Privacy Statement does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy notices.

Updates to This Privacy Statement

We will update this Privacy Statement from time to time. When we make changes to this Privacy Statement, we will change the date at the beginning of this Privacy Statement. If we make material changes to this Privacy Statement, we will notify individuals by email to their registered email address, by prominent posting on our Services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.

Contact Us

If you have any questions or requests in connection with this Privacy Statement or other privacy-related matters, please send an email to privacy@paloaltonetworks.com.

Alternatively, inquiries sent by mail may be addressed to:

Attention: Privacy
Palo Alto Networks, Inc.
3000 Tannery Way
Santa Clara, CA 95054

ADDITIONAL U.S. STATE PRIVACY DISCLOSURES

SCOPE OF NOTICE

For residents of the States of California, Colorado, Connecticut, Utah, and Virginia: These Additional U.S. State Privacy Disclosures (“U.S. Disclosures”) supplement the information contained in our Privacy Statement by providing additional information about our personal information processing practices relating to individual residents of these States. For a detailed description of how we collect, use, disclose, and otherwise process personal information in connection with our services, please visit our Privacy Statement. Unless otherwise expressly stated, all terms defined in our Privacy Statement retain the same meaning in these U.S. Disclosures.

For the purposes of these U.S. Disclosures, personal information does not include publicly available information or deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to you.

When we use the term “personal information” in these U.S. Disclosures, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

COLLECTION AND USE OF PERSONAL INFORMATION

We collect personal information from and about consumers for a variety of purposes. To learn more about the types of personal information we collect, the sources from which we collect or receive personal information, and the purposes for which we use this information, please refer to the “Our Collection of Personal Information” and “Our Use of Personal Information” sections of our Privacy Statement.

In the last 12 months, we have collected the following categories of personal information:

• Identifiers, such as your username and email address;
• California Customer Records (Cal. Civ. Code § 1798.80(e)), such as your log-in credentials and phone number;
• Commercial Information, such as products and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
• Internet/Network Information, such as device information, logs and analytics data;
• Geolocation Data, such as your approximate location based upon your IP address;
• Sensory Information, such as recordings of any phone or video calls between you and Palo Alto Networks;
• Professional/Employment Information, such as job title and company;
• Other Personal Information, including information you submit into the feedback forms and any communications between you and Palo Alto Networks, including the content of any messages in our live or automated online chat functionality, as well as information we receive from social networking sites; and
• Inferences, such as information generated from your use of the Services reflecting user or customer predictions about your interests and preferences, characteristics, predispositions, behaviors, and attitudes.

We collect this information from a variety of sources, including: directly from you, from your employer or organization, from our customers and other users, from our business partners and affiliates, from your browser or device when you use our Services, or from third parties that you permit to share information with us. Please see the Our Collection of Personal Information section of the Privacy Statement for more information about the sources of personal information we collect.

DISCLOSURE OF PERSONAL INFORMATION

We share personal information with third parties for business purposes. While we generally do not engage in the sale of personal information for monetary or other valuable consideration that we obtain from you via our Sites, there may be limited circumstances where we “share” personal information with third parties in a way that may be considered a “sale” under the CCPA or other similar laws (e.g., for cross-context behavioral advertising purposes where no money is exchanged). As explained in the “Do Not Sell or Share my Personal Information” section of this CA Notice, you may opt out of such disclosures of your personal information.

The categories of third parties to whom we sell or disclose your personal information for a business purpose may include: (i) other brands and affiliates in our family of companies; (ii) our service providers and advisors; (iii) marketing and strategic partners; (iv) analytics providers; and (v) social networks.

In the previous 12 months, we have disclosed or sold all of the categories of personal information we collect, as explained in the “Collection and Use of Personal Information” section of these U.S. Disclosures, to third parties for a business purpose.

SENSITIVE INFORMATION

In the last 12 months, we have collected the following categories of sensitive personal information:

• Account log-in or credentials in combination with any required security or access code, password, or credentials allowing access to your Palo Alto Networks account.
  Palo Alto Networks uses or discloses sensitive personal information for the following purposes, where such use or disclosure is necessary and proportionate for those purposes: for performing services you have requested, operation of our website, for detecting security incidents, fraud and other illegal actions, to perform services on behalf of the business (where the sensitive information is reasonably necessary and proportionate for this purpose).

YOUR PRIVACY RIGHTS

As a resident of certain states, you may be able to exercise the following rights in relation to the personal information that we have collected about you (subject to certain limitations at law):

Depending on your state of residency, you may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

Please note, we do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

HOW TO EXERCISE YOUR CONSUMER RIGHTS

To Exercise Your Right to Access, Right to Know, Right to Deletion, or Right to Correction of Your Personal Information

To exercise your Right to Access, Right to Know, your Right to Deletion, or your Right to Opt-out of the Sale of Your Personal Information, please submit a request by either:

• Completing our Individual Rights Form, or
• Emailing us at dsar@paloaltonetworks.com with the subject line, “Consumer Rights Request”

Before processing your request, we will need to verify your identity and confirm you are a resident of California, Colorado, Connecticut, Utah, or Virginia. In order to verify your identity, we will generally either require the successful authentication of your account, or the matching of sufficient information you provide us to the information we maintain about you in our systems. This process may require us to request additional personal information from you, including, but not limited to, your first name, last name, email address, phone number, state/province of residence, and/or country. During verification, we will only request the minimum personal information necessary to correctly identify you for the purpose of fulfilling your request.

In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with your request.

You also may exercise your right to opt-out the sale of your personal information to third parties, or your right to opt-out of “sharing” your personal information with third parties for cross-context behavioral advertising, now or in the future. You do not need to create an account with us to exercise your Right to Opt-Out. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your opt-out request. We will only use personal information provided in an opt-out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems. Learn more about your rights regarding sharing of your personal information via cookies and automated technologies, below under the DO NOT SELL OR SHARE MY PERSONAL INFORMATION section below and in our Cookie Notice.

To Exercise Your “Shine the Light” Rights

The California Shine the Light Law permits you the right to opt out of the disclosure of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year.

To opt out of having your information shared under Shine the Light, you may submit a request by visiting the “Unsubscribe” tab at https://start.paloaltonetworks.com/preference-center-subscribe.html or email us at unsubscribe@paloaltonetworks.com to be added to our suppression list.

CCPA Requests Report

We are committed to helping our users exercise their rights under the CCPA. In accordance with the CPRA requirements, we have published the following metrics. For the previous calendar year (2023), Palo Alto Networks received and responded to California consumer requests as set forth in the table below. For more information regarding our privacy practices, review this Privacy Statement, and to exercise your privacy choices and rights, visit our Individual Rights Form, as further explained below.

• Requests to know
  • Requests Received: 3
  • Responses to Requests (reflects our attempts to process requests, even if ultimately denied): 3
  • Compiled (In whole or in part) (to extent we hold any non-exempt data): 0
  • Denied* (which means we have no data to report): 3
  • Mean Number of Days Substantively Responded To: 7


• Requests to delete
  • Requests Received: 0
  • Responses to Requests (reflects our attempts to process requests, even if ultimately denied): 0
  • Compiled (In whole or in part) (to extent we hold any non-exempt data): 0
  • Denied* (which means we have no data to report): 0
  • Mean Number of Days Substantively Responded To: N/A
  
  
• Requests to opt-out
  • Requests Received: 0
  • Responses to Requests (reflects our attempts to process requests, even if ultimately denied): 0
  • Compiled (In whole or in part) (to extent we hold any non-exempt data): 0
  • Denied* (which means we have no data to report): 0
  • Mean Number of Days Substantively Responded To: N/A

DO NOT SELL OR SHARE MY PERSONAL INFORMATION

We respect your right to opt out of the sale of your personal information to third parties. While we generally do not engage in the sale of personal information that we obtain from you via our Sites, there may be limited circumstances where we “share” personal information with third parties with third parties for cross-context behavioral advertising. This may be considered a “sale” under the CCPA or other similar laws. Specifically, this sharing occurs when we permit certain third party advertising networks, social media companies, and similar businesses to collect and process your personal information (including preferences, commercial information and internet, network, and device information) directly from your browser or device through cookies or tracking technologies in use when you visit or interact with our Sites. As further discussed in our Cookie Notice, these third parties then process your personal information to provide you with relevant ads on our behalf, measure and analyze our ad campaigns, detect and report fraud to promote the security of our Services, and perform similar processing purposes, subject to the third parties’ privacy policies.

To opt out of cookies and tracking technologies on our Sites, please visit our homepage’s cookie banner and open the “Manage My Cookies” link to visit the “Privacy Preference Center” where you can select your preferences and opt out of our use of cookie and tracking information.

To learn more about online advertising and other tracking technologies and what choices you have regarding their use, you may opt out of certain interest-based advertising, across our Sites and other websites on the Internet, by using the following resources:

(i) You may opt-out of tracking and receiving tailored advertisements on your mobile device by some mobile advertising companies and other similar entities by downloading the App Choices app at www.aboutads.info/appchoices or use the DAA’s CCPA App-based Opt-Out Tool.

(ii) You may opt-out of receiving permissible targeted advertisements by using the NAI Opt-out tool available at optout.networkadvertising.org or visiting About Ads.

Please note that we do not maintain or control any third party opt-out mechanisms and are not responsible for their operation.

Authorized Agents

In certain circumstances, you are permitted to use an authorized agent (as that term is defined by the CCPA) to submit requests on your behalf through the designated methods set forth in these U.S. Disclosures where we can verify the authorized agent’s authority to act on your behalf.

For requests to know or delete personal information, we require the following for verification purposes:

1. a valid power of attorney; or
2. sufficient evidence to show that you have:
   1. provided the authorized agent signed permission to act on your behalf; and
   2. verified your own identity directly with us pursuant to the instructions set forth in these U.S. Disclosures; or directly confirmed with us that you provided the authorized agent permission to submit the request on your behalf.

For requests to opt-out of personal information “sales”, we require a signed permission demonstrating your authorized agent has been authorized by you to act on your behalf.

Minors Under 16

We do not sell the personal information and do not have actual knowledge that we sell the personal information of minors under 16 years of age. Please contact us at privacy@paloaltonetworks.com to inform us if you, or your minor child, are under the age of 16.

If you wish to submit a privacy request on behalf of your minor child in accordance with applicable jurisdictional laws, you must provide sufficient information to allow us to reasonably verify your child is the person about whom we collected personal information and you are authorized to submit the request on your child’s behalf (i.e., you are the child’s legal guardian or authorized representative).

Appealing Privacy Rights Decisions

Depending on your state of residency, you may be able to appeal a decision we have made in connection with your privacy rights request. All appeal requests should be submitted at dsar@paloaltonetworks.com.

COOKIE NOTICE

Unless otherwise expressly stated, terms in this notice have the same meaning as defined in the Privacy Statement.

SCOPE OF NOTICE

This Cookie Notice supplements the information contained in the Privacy Statement and explains how we and our business partners and service providers use cookies and related technologies in the course of managing and providing our online services and our electronic communication to you. It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases, we may use cookies and related technologies described in this Cookie Notice to collect personal information, or to collect information that becomes personal information if we combine it with other information. For more details about how we process your personal information, please review the Privacy Statement.

WHAT ARE COOKIES AND RELATED TECHNOLOGIES

As is common practice among websites, our Services use cookies, which are tiny files downloaded to your device that allow us and our third-party partners to collect certain information about your interactions with our email communications, websites and other online services, and that improve your experience. We and our third-party partners and providers may also use other, related technologies to collect this information, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”).

WHAT WE COLLECT WHEN USING COOKIES

We and our third-party partners and providers may use cookies to automatically collect certain types of usage information when you visit or interact with our email communications and Services. For example, we may collect log data about your device and its software, such as your IP address, operating system, browser type, date/time of your visit, and other similar information. Our emails may also contain tracking pixels that identify if and when you have opened an email that we have sent you, how many times you have read it and whether you have clicked on any links in that email. With the exclusion of some EU countries, we may also collect analytics data or use third-party analytics tools such as Google Analytics to help us measure usage and activity trends for our online services and better understand our customer base. We also may collect location data, including general geographic location based on IP address or more precise location data when a user accesses our online services through a mobile device.

We use the following types of cookies:

1. Strictly necessary cookies. These cookies enable core functionality such as security, network management and accessibility. You may disable these by changing your browser settings, but this may affect how the Services function. The legal basis for our use of strictly necessary cookies is our legitimate interests, namely being able to provide and maintain our Services. Please see the website Cookies Chart (below) for more information.
2. Functional cookies. These enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. The legal basis for our use of functionality cookies is our legitimate interests, namely being able to provide and maintain our Services. Please see the Cookies Chart for more information.
3. Analytical/performance cookies. These cookies allow us to recognize and count the number of visitors to our Services, and to see how visitors move around our Services when they are using them. This helps us to improve the way our Services work, for example, by ensuring that users are finding what they are looking for easily. If you are accessing our Services with a European IP address, you have been asked to consent to the use of these cookies. You are free to deny your consent. Please see the Cookies Chart for more information.
4. Targeting cookies. These cookies record your visit to our Services, the pages you have visited and the links you have followed. They are used to track visitors across our Services. If you are accessing our Services with a European IP address, you have been asked to consent to the use of these cookies. You are free to deny your consent. Please see the Cookies Chart for more information.

HOW WE USE INFORMATION COLLECTED VIA COOKIES

We use cookies for a variety of reasons outlined below:

• If you create an account with us, we will use cookies for the management of the signup process and general administration. These cookies will usually be deleted when you log out; however, in some cases, they may remain in order to remember your site preferences when logged out.
• We use cookies when you are logged in so that we can remember you. These cookies are typically removed or cleared when you log out to ensure you can only access restricted features and areas when logged in.
• The Services offer newsletter or email subscription services and cookies may be used to remember if you are already registered and whether to show certain notifications which might only be valid to subscribed/unsubscribed users.
• When you submit data through a form, such as those found on the contact pages or comment forms, cookies may be set to remember your user details for future correspondence.
• In order to provide you with a great experience on the Services, we provide the functionality to set your preferences for how the Services run when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a website page.
• We use cookies to provide and monitor the effectiveness of our Services, monitor online usage and activities of our Services, and facilitate the purposes identified in the Our Use of Personal Information section of our Privacy Statement.
• We may also use the information we collect through cookies to understand your browsing activities, including across unaffiliated third-party sites, so that we can deliver information about products and services that may be of interest to you.
• Tracking technology used in emails helps us measure the effectiveness of our marketing email campaigns, make the emails we send to you more relevant to your interests and help us understand if you have opened and how you interacted with our email.

Please note that we link some of the personal information we collect through cookies with the other personal information that we collect about you and for the purposes described in our Privacy Statement.

YOUR CHOICES ABOUT COOKIES

If you would prefer not to accept cookies, most browsers will allow you to change the setting of cookies by adjusting the settings on your browser to: (i) notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Be aware that disabling cookies may negatively affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionalities and features of the Services.

Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.

If you are located in the EEA, UK, or Switzerland, you may take advantage of Your Online Choices. This service allows you to select tracking preferences for most of the advertising tools. As such, it is recommended that you make use of this resource in addition to the information provided in this document.

COOKIES CHART

Strictly Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Functional

Functional cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

Analytics / Performance

We use analytics cookies to make aggregated reports on visitor interactions with our website. The reports include information regarding the time spent on the websites and the geographic area from which the user is connected. We use such information to optimize our website and offer the best user experience. We set such analytics features to anonymize your IP address. In that case, we don’t process personal information. In fact, the full IP address is never written nor memorized by a system. For instance, if your IP is 12.428.58.394, the technology promptly erases the last three numbers. In such way, we are not able to link an IP like 12.428.58.0 to an individual. Where such analytics technologies are based on the processing of your entire Internet Protocol (IP)address, we ask for your consent to process such information.

Targeting

Targeting cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.