Privacy Policy

We, at Cloudinary Ltd. and its affiliates, put great efforts in making sure that we secure your personally identifiable information and use it properly.

This policy explains our privacy practices for processing your personally identifiable information as a user of our Cloudinary cloud-based image management solution, on the Cloudinary website and through other registration or contact channels (the “Service”). We process your personally identifiable information subject to the terms of this policy.

The summary of this policy will give you a quick and clear view of our practices. Please take the time to read our full policy.

A Summary of The Policy

The Cloudinary Privacy Policy

The Personally Identifiable Information That You Provide Us

We receive and store any information you enter on our website or give us in any other way.

You provide most of your information through forms you fill out to contact us, access the Cloudinary platform, and access Cloudinary assets. You also provide this information by filling out your profile on the Cloudinary platform.

If you register with the Service through our website at: www.cloudinary.com, or through a separate subscription agreement with us, then as part of such registration we will ask you to provide personally identifiable information, including your name, your company name, your email address and password.

As a paying user of the Service, we will receive your payment transaction details (for example, your name, the amount paid and the date of payment), from the payment service provider that processed your payment.

When you contact us, or when we contact you, we will receive and process any personally identifiable information that you provide us.

The Personally Identifiable Information That We Collect

Like many websites, we use “cookies” (for further information about cookies, please see our Cookies and Similar Tracking Technologies Policy), and we obtain information when your browser accesses our website.

Examples of the information we collect and analyze include the Internet Protocol (IP) address used to connect your access device to the Internet; login; e-mail address; password; access device and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform.

When you use the Service, we collect information about your Service activity, for example your log-in and log-out time, the duration of Service sessions, the content uploaded and downloaded, viewed web-pages or specific content on web-pages, activity measures and geo-location.

The Personally Identifiable Information That You Upload

The content you upload to the Service, whether from your own device or from a cloud-based hosting service, including any data, text, graphic, audio and audio-visual files, may include personally identifiable information. The content that you upload and designate as public, will be accessible to others.

Please use caution when uploading the content and avoid any involuntary disclosure of your personally identifiable information or disclosure of sensitive personally identifiable information or disclosure of others’ personally identifiable information without their consent.

What Do We Do With Personally Identifiable Information?

We use the personally identifiable information we collect and receive to provide the Service to you and to other users, to enable the Service’s tools and features, to study and analyze the functionality of the Service and users’ activities, to provide support, to measure Service activity for pricing purposes, to maintain the Service, to make it better and to continue developing the Service.

We will use your email address to contact you when necessary, to send you reminders and to provide you information and notices about the Service. We will include commercial and marketing information about our Service and related services to the Cloudinary platform.

We obey the law and expect you to do the same. If necessary, we will use your personally identifiable information to enforce our terms, policies and legal agreements, to comply with court orders and warrants, and assist law enforcement agencies, to collect debts, prevent fraud, misappropriation, infringements, identity thefts and any other misuse of the Service, and to take any action in any legal dispute and proceeding.

We commit to process personally identifiable information solely for the purposes described in this policy.

Sharing Personally Identifiable Information with Others

We do not sell, rent or lease your personally identifiable information. We will share your personally identifiable information with service providers and other third parties, if necessary to fulfill the purposes for collecting the information. Any such third party will commit to protect your privacy as required under the applicable law and this policy.

For example, we will share your payment transaction details with the payment services providers, to process and verify your payments. We will use a service provider to manage our email messages transmission.

We will also share your personally identifiable information with our affiliates. These mean companies within the Cloudinary group and include subsidiaries, sister-companies and parent companies, with the express provision that their use of your personally identifiable information will comply with this policy.

We will report any content that you upload and share user personally identifiable information, if we believe, in our sole discretion that such content is illegal or abusive or may violate any third party rights.

Additionally, a merger, acquisition or any other structural change will require us to transfer your personally identifiable information to another entity, as part of the structural change, provided that the receiving entity will comply with this policy.

We will be liable for onward transfers to third parties in violation of the Privacy Shield Principles. For further information, please see the EU-US Privacy Shield chapter of this policy below.

Disclosure of Information to Authorities

We will need to disclose personally identifiable information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Aggregated and Analytical Information

We use standard analytics tools. The privacy practices of these tools are subject to their own privacy policies and they use their own cookies to provide their service (for further information about cookies, please see the ‘Cookies’ section in this policy).

We use the standard analytics tools of Google Analytics and we will use additional or other analytics tools, from time to time, to learn about how you and other users use the Service, in support of our Service-related activities and operations.

The privacy practices of these tools are subject to their own privacy policies. See Google Analytics Privacy Policy at: http://www.google.com/analytics/learn/privacy.html.

We use anonymous, statistical or aggregated information and will share it with our partners for legitimate business purposes. It has no effect on your privacy because there is no reasonable way to extract data from the aggregated information that we or others can associate specifically to you.

We will share your personally identifiable information only subject to the terms of this policy, or subject to your prior consent.

Your Choice

At any time, you can unsubscribe from our mailing lists or newsletters, by accessing our unsubscribe page.

At any time you can stop using the Cloudinary website. Termination of your Cloudinary Service account is subject to the terms of your subscription agreement with us.

Note that if one of our customers uploaded content to our Service with your personally identifiable information, then you can contact our customer who uploaded that content and request to remove your personally identifiable information.

At any time, you can exercise your following opt-out options:

  1. object to the disclosure of your personally identifiable information to a third party, other than to third parties who act as our agents to perform tasks on our behalf and under our instructions; or,
  2. object to the use of your personally identifiable information for a purpose that is materially different from the purposes for which we originally collected such information, pursuant to this policy, or you subsequently authorized such use.

You can exercise your choice by contacting us at: privacy@cloudinary.com.

We request and collect minimal personally identifiable information that we need for the purposes that we describe in this policy. Following the termination or expiration of the Service, we will stop collecting any personally identifiable information from or about you.

However, we will store and continue using or making available your personally identifiable information in accordance with our data retention section in this policy.

Web browsers offer a “Do Not Track” (“DNT”) signal. A DNT signal is an HTTP header field indicating your preference for tracking your activities on a service or through cross-site user tracking. Our Service does not respond to DNT signals.

Specific Provisions for California Residents

This section applies solely to users of our Service who reside in the State of California.

The personal information that we collect

In the preceding twelve (12) months we have collected the following categories of personal information:

  • Identifiers and Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, email address and IP address.
  • Commercial information, such as payment details.
  • Internet or other similar network activity.
  • Geolocation data.
  • Inferences drawn from other personal information.

Please note that the above list includes the categories of personal information that we are aware of. We may have been collecting other categories of personal information which you have uploaded to our Service as further described above under the section titled The Personally Identifiable Information That You Upload.

Our business purposes for collecting your personal information

We collect your personal information for various business purposes, such as to provide you with the Service and make it better, all as described above under the section titled What Do We Do With Personally Identifiable Information.

The categories of sources from which your personal information is collected

We obtain the categories of personal information listed above from various sources, including directly from you and from your Services activities and from third party service providers, as further described above under the section titled The Personally Identifiable Information That We Collect.

The categories of third parties with whom we share your personal information

We may share your personal information with various third parties such as our service providers and our affiliates, as further described above under the section titled Sharing Personally Identifiable Information with Others.

The categories of personal information disclosed to said third parties:

In the preceding twelve (12) months we have disclosed the following categories of personal information for business purposes:

  • Identifiers and Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as name, email address and IP address.
  • Commercial information, such as payment details.
  • Internet or other similar network activity.
  • Inferences drawn from other personal information.

In the preceding twelve (12) months, we have not sold personal information.

Your Rights as a California Resident

You are entitled to the following specific rights under the California Consumer Privacy Act (‘CCPA’) in relation to your personal information:

Access to Specific Information and Data Portability Rights

You have the right to request that we will disclose certain information to you about our collection and use of your personal information over the past 12 months. After verifying your request, we will disclose to you:

  • The categories of personal information we collected about you;
  • The categories of sources for the personal information we collected about you;
  • Our business or commercial purpose for collecting that personal information;
  • The categories of third parties with whom we share that personal information;
  • The specific pieces of personal information we collected about you;
  • If we disclosed your personal information for a business purpose, we will provide you with a list which will identify the personal information categories that each category of recipient obtained.

Deletion Rights

You have the right to request that we delete your personal information. Upon confirmation of your request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception under applicable law applies.

Exercising Your Rights

To exercise the access, data portability, and deletion rights described above, please submit your request to us by sending an email to: privacy@cloudinary.com.

Only you or a person authorized to act on your behalf, may make a request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

A request for access can be made by you only twice within a 12-month period.

We cannot respond to your request or provide you with the requested personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use the personal information provided in your request to verify your identity or authority to make the request.

We will do our best to respond to your request within 45 days of its receipt.  If we require more time (up to additional 45 days), we will inform you of the reason and extension period in writing.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Any disclosures that we provide will only cover the 12-month period preceding receipt of your request.

The response we provide will also explain the reasons for our inability to comply with your request, if applicable.

We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will inform you of the reasons for such decision and provide you with a cost estimate before processing further your request.

Accessing Your Personally Identifiable Information

If you find that the information on your account is not accurate, complete or up-to-date, please provide us the necessary information to correct it.

At any time, you can contact us at: privacy@cloudinary.com and request to access the personally identifiable information that we keep about you. We will ask you to provide us certain credentials to make sure that you are who you claim to be and, to the extent required under the applicable law, will make good-faith efforts to locate your personally identifiable information that you request to access.

If you are eligible for the right of access under the applicable law, you can obtain confirmation from us of whether we are processing personally identifiable information about you, and receive a copy of that data, so that you could –

  • verify its accuracy and the lawfulness of its processing;
  • request the correction, amendment or deletion of your personally identifiable information if it is inaccurate or if you believe that the processing of your personally identifiable information is in violation of the applicable law or the Privacy Shield Principles (please see the EU-US Privacy Shield section in this policy for further information).

We will use judgement and due care to redact from the data which we will make available to you, personally identifiable information related to others.

Your EU Data Subject Rights

If EU data protection laws apply to the processing of your personal data by Cloudinary, then the following terms apply:

For the purposes of the Cloudinary media management platform service, we are a data processor and our customers are data controllers, or data processors as well. Cloudinary’s data processing addendum, which is available at: https://cloudinary.com/gdpr/dpa, applies to such processing.

Where we process your personal data as a data controller, the processing is based on the following lawful grounds:

  • All processing of your personal data which are not based on the lawful grounds indicated below, are based on your consent.
  • We process your account and payment details to perform the contract with you.
  • We will process your personal data to comply with a legal obligation and to protect your and others’ vital interests.
  • We will further rely on our legitimate interests, which we believe are not overridden by your fundamental rights and freedoms, for the following purposes:
    • Communications with you, including direct marketing where you are our client or a user of our client, or where you make contact with us through our website and other digital assets.
    • Cyber security
    • Support, customer relations, service operations
    • Enhancements and improvements to yours and other users’ experience with our services.
    • Fraud detection and misuse of the Service.

In addition to your rights under other sections in this policy, you have the following rights:

  • AT ANY TIME, CONTACT US IF YOU WANT TO WITHDRAW YOUR CONSENT TO THE PROCESSING OF YOUR PERSONAL DATA. EXERCISING THIS RIGHT WILL NOT AFFECT THE LAWFULNESS OF PROCESSING BASED ON CONSENT BEFORE ITS WITHDRAWAL.
  • Request to delete or restrict access to your personal data. We will review your request and use our judgment, pursuant to the provisions of the applicable law, to reach a decision about your request.
  • If you exercise one (or more) of the above-mentioned rights, in accordance with the provisions of applicable law, you may request to be informed that third parties that hold your personal data, in accordance with this policy, will act accordingly.
  • You may ask to transfer your personal data in accordance with your right to data portability.
  • You may object to the processing of your personal data for direct marketing purposes. Additional information about this right is available under the Choice section in this policy.
  • You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affecting you.
  • You have a right to lodge a complaint with a data protection supervisory authority of your habitual residence, place of work or of an alleged infringement of the GDPR.

A summary of, and further details about, your rights under EU data protection laws are available on the EU Commission’s website at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en.

Note that when you send us a request to exercise your rights, we will need to reasonably authenticate your identity and location. We will ask you to provide us credentials to make sure that you are who you claim to be and will further ask you questions to understand the nature and scope of your request.

If we need to delete your personal data following your request, it will take some time until we completely delete residual copies of your personal data from our active servers and from our backup systems.

If you have any concerns about the way we process your personal data, you are welcome to contact our privacy team at: privacy@cloudinary.com. We will look into your inquiry and make good-faith efforts to respond promptly.

Data Retention

We retain different types of personally identifiable information for different periods, depending on the purposes for processing the information, our legitimate business purposes as well as pursuant to legal requirements under the applicable law.

For example, we will need to keep the information about the payment transactions that you made for several years due to tax related requirements, for accounts settling, record keeping, archiving and legal issues.

We will maintain your contact details, to help us stay in contact with you. At any time before or after the termination of your account, you can contact our privacy team at: privacy@cloudinary.com and request to delete your contact details. Note that we may keep your details without using them unless necessary, and for the necessary period of time, for legal requirements and proceedings.

We will keep aggregated non-identifiable information without limitation, and to the extent reasonable we will delete or de-identify potentially identifiable information, when we no longer need to process the information.

In any case, as long as you use the Service, we will keep information about you, unless the law requires us to delete it, or if we decide to remove it at our discretion, according to the terms of this policy.

Transfer of Data Outside Your Territory

The Service is a web-based service. We store and process information within the European Union and in the United States on our cloud-based services’ sites.

From time to time, we will make operational decisions which will have an impact on the sites in which we maintain personally identifiable information. We make sure that our data hosting service providers, provide us with adequate confidentiality and security commitments.

If you are a resident in a jurisdiction where transfer of your personally identifiable information to another jurisdiction requires your consent, then you provide us your express and unambiguous consent to such transfer. You can contact our privacy team at: privacy@cloudinary.com for further information about data transfer.

EU-US Privacy Shield

We comply with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personally identifiable information from European Union member countries.

We adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

If there is any conflict between this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles will govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/. The Federal Trade Commission (FTC) has jurisdiction over our compliance with the EU-US Privacy Shield Framework.

Cookies

We use cookies and similar tracking technologies to make sure that our Service is continuously improved and meets your needs.

Please view our Cookies and Similar Tracking Technologies Policy for more information on our use of cookies.

Information Security

We and our hosting services implement systems, applications and procedures to secure your personally identifiable information, to minimize the risks of theft, damage, loss of information, or unauthorized access or use of information.

These measures provide sound industry standard security. However, although we make efforts to protect your privacy, we cannot guarantee that the Service will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.

Dispute Resolution

We do periodical assessments of our data processing and privacy practices, to make sure that we comply with this policy, to update the policy when we believe that we need to, and to verify that we display the policy properly and in an accessible manner. If you have any concerns about the way we process your personally identifiable information, you are welcome to contact our privacy team at: privacy@cloudinary.com, or write to us. Our address is published on our website at: www.cloudinary.com and, if applicable, is indicated in your subscription agreement with us.

We will look into your query and make good-faith efforts to resolve any existing or potential dispute with you.

In compliance with the EU-US Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personally identifiable information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact our privacy team at: privacy@cloudinary.com.

We have further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to the EU Data Protection Authorities. Please contact the EU Data Protection Authorities for more information and to file a complaint, at no charge. Further details, including in relation to filing a complaint, are available on the Cloudinary Privacy Shield page at: https://www.privacyshield.gov/participant?id=a2zt0000000011jAAA&status=Active.

Additionally, if you are an EU data subject, you can invoke binding arbitration in certain cases, as Annex I of the EU-U.S. Privacy Shield Agreement describes. For further information, please visit the Privacy Shield website at: www.privacyshield.gov, or contact our privacy team.

Changes to this Privacy Policy

From time to time, we will update this policy. If the updates have minor if any consequences, they will take effect 7 days after we post a notice on the Service’s website. Substantial changes will be effective 30 days after we initially posted the notice.

Until the new policy takes effect, if it materially reduces the protection of your privacy right under the then-existing policy you can choose not to accept it and terminate your use of the Service. Continuing to use the Service after the new policy takes effect means that you agree to the new policy. Note that if we need to adapt the policy to legal requirements, the new policy will become effective immediately or as required by law.

Incorporation to the Terms of Use

This policy is an integral part of the Cloudinary Terms of Use or, if applicable, of any other Service subscription agreement entered into between you (or the entity that you are acting on its behalf) and us.

Contact Us

Please contact our Privacy Compliance Team and our EU Representative (Cloudinary UK Ltd.) at: privacy@cloudinary.com for further information.

Last updated: Jan 21, 2020.