JFrog Privacy Notice
Last updated: July 24, 2024
- Personal Data We Collect
- Purposes and Legal Bases
- Disclosure of Personal Data
- International Data Transfers and Data Privacy Framework
- Data Retention
- Data Security
- Cookies and Other Technologies
- Your Privacy Rights
- Updates to this Privacy Notice
- Children’s Privacy
- Contact Us
Welcome! We provide this notice to explain our information practices and the choices you can make about the way your personal data is collected and used. This Privacy Notice (“Notice” or “Privacy Policy”) relates to personal data collected by JFrog and its affiliates (referred to in this Privacy Notice as “JFrog“, “us”, “our” or “we”) through the use of our websites and portals (collectively the “Sites”), JFrog services (“Services”), and other interactions (e.g. customer service inquiries, webinars, marketing, social media, etc.) you may have with JFrog. If you do not agree with this Notice, then do not access or use the Services, Sites, or any other aspect of JFrog’s business.
This Notice does not apply to any third-party applications or software that integrates with the Services or any other third-party products, services, or businesses who provide their services under their own terms of service and privacy notice. The organization (e.g. your employer or another entity or person) that entered into the Subscription Agreement (JFrog’s “Customer”) controls its instance of the Services, including artifacts, containers, images and configuration files uploaded into the Services (“Customer Data”). If you have received an invitation to join a Customer instance but have not yet created an account, you should request assistance from the Customer that sent the invitation.
1. Personal Data We Collect
As used in this Notice, “personal data” means any information that relates to, describes, or could be used to identify an individual, directly or indirectly. This does not include anonymous or aggregated data. We collect personal data about you when you input it into our services, Sites, or otherwise provide it to us. The types of personal data we may process depend on the business context and the purposes for which it was collected. It may include:
Identifiers: such as name, email, address, phone number, unique personal identifier, online identifier, device ID, IP address, badge information, advertising identifiers, and other similar identifiers.
Account and Commercial Information: such as, information JFrog maintains in association with your account, username/user ID, password, billing and payment information, purchase records, trial/demo records, information about your use of the service and features, webinars or other events, surveys, feedback and testimonials, your preferred language and other preferences, and support requests.
Internet or Other Electronic Network Activity: such as, browsing and search history, device information, error data, log data, metadata, operating system, IP address, integrations, system configuration information, date and time stamps of usage, information on your interaction with our Sites and advertisements, and other passive or active engagement regarding your interactions with our Sites, services and us.
Geolocation Information: such as, information about your approximate location, such as if you provide your postal address or based on your IP address or time zone. You may be able to control collection of this data through the settings on your device.
Inferences: such as, information drawn from the personal data collected, such as what topics you may be interested in based on purchase records.
Cookies and Other Technologies: Website cookies and similar technologies to distinguish you from other visitors and compile information about interactions. See Cookies and Other Technologies section below for more details on how we use these technologies and your opt-out controls and other options.
Sensory Data: such as, interactions with our sales and customer support teams may be recorded for quality assurance, training and analysis purposes (subject to your consent if required under applicable law), photos or recordings of your attendance at our events (subject to your consent if required under applicable law), and CCTV recordings of our offices.
Information Collected from Other Sources: We receive information about you from other users of our services, third-party services, social media, public sources, and from channel and consulting partners and resellers. We may combine this information with information we collect through other means described in this Notice. This helps us to identify new customers, create more personalized experiences, and suggest services that may be of interest to you.
Additional Information Provided to JFrog: We also receive other information when submitted to our Sites or in other ways, such as responses or opinions you provide if you participate in a focus group, promotion or contest, activity or event, feedback, testimonials you provide about our Services, enroll in a certification program, interact with our social media account, or otherwise communicate with JFrog.
2. Purposes and Legal Bases
We may use your personal data for the following purposes, in reliance on the following lawful bases noted, as appropriate. JFrog is a processor of Customer Data and the Customer is the controller. For example, our Customer may use the Services to grant and remove access to the Services, assign roles and configure settings, access, export, share, and remove Customer Data.
- To fulfill or meet the reason you provided the information. To process your requests, transactions and payment, respond to your inquiries, and personalize your experience;
- Legal Bases: Performance of contract; Legal obligations; Legitimate interests
- To facilitate, operate, authenticate, enhance, secure, provide, monitor usage, trends, and other activities, and customize our services and Sites. To register and update accounts, provide customer support, service improvement, inform you of additional features or other services offered by JFrog, and provide updates;
- Legal Bases: Performance of contract; Legitimate interests; Legal obligations
- To market our services or those of third parties, including to solicit or publish surveys, feedback, testimonials, marketing and promotional communications about our services via phone, email, or other online or offline methods, promote and drive engagement with our services, facilitate your participation in an event, promotion or contest, assess ad impressions, and advertising. You may select unsubscribe at the bottom of each marketing email. To review or set your preference regarding the information that we collect about you online on our Sites, select “Cookies Settings” in the footer;
- Legal Bases: Consent where required by law; Legitimate interests
- To detect, prevent, and respond to potential or actual security incidents and against malicious, deceptive, fraudulent activity, illegal or prohibited activity and maintain the safety, security and integrity of our Sites, services, offices, databases and other technology assets and business;
- Legal Bases: Performance of contract; Legitimate interests; Legal obligation; Public interest
- To comply with our legal obligations and requirements and maintain our compliance with applicable laws, regulations and standards, including to respond to law enforcement requests as required by applicable law, court order, or governmental regulations;
- Legal Bases: Legitimate interests; Legal obligation
- To protect and enforce our legitimate business interests and legal rights, such as where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, such as in connection with audits, legal claims or disputes, investigate potential policy or terms violations, and to evaluate or conduct a merger, acquisition, restructure, reorganization, divestiture, bankruptcy or other corporate event, sale or transfer of some or all of JFrog’s assets; and
- Legal Bases: Legitimate interests; Legal obligation
- As described to you when collecting your personal data
- Legal Bases: Consent where required by law
3. Disclosure of Personal Data
We may disclose your personal data to certain third parties as described below. JFrog does not control how our Customer or any third party chooses to disclose your personal data.
- Service Providers: We engage service providers in order to support our business operations, including billing and payment processing, hosting, maintenance, security, backup, storage, marketing, advertising, analytics, call recording and transcription services, and other services. Information about the Sub-processors we use to support delivery of our Services can be found at: https://jfrog.com/trust/privacy/sub-processors/
- Business and Channel Partners: We engage selected business and channel partners, resellers, distributors, and providers of professional services related to our Services to provide consulting, sales, support, and technical services. If you directly engage with any of our partners, any aspect of that engagement which is not directly related to the Services and directed by JFrog is beyond the scope of this Notice and will be governed by the partner’s terms and privacy notice.
- Help Center and Community: Some of our support mechanisms allow you to create and publicly publish content (“User Submissions”). If you elect to publish your personal data in any User Submissions, you may receive unsolicited messages from the public. We urge you to exercise discretion when submitting such content.
- Customer and Other Users: If you are using our Services on behalf of a JFrog Customer or if you provide us with an email address or other details which belong to a Customer, your personal data may be disclosed to the Customer. Customers with whom you are affiliated and the applicable partner responsible for your account. JFrog may disclose personal data in accordance with Customer instructions, including any terms in the Agreement with the Customer. Administrators and other Customer representatives may be able to access, modify, or restrict access, including your employers’ using features of the Services to access or modify your profile details or export logs of your activity.
- Service Integrations, Social Media, Third Party Websites: You or your JFrog Customer admin may elect to integrate or interact with third-parties through the Services (provided that such integration is supported by our Services) or through a link in the Services or on our Sites (for example, you can share posts and comments on or through your social media account). The provider of such integrated third-party service, feature or link may receive certain data about or from your account, such as IP address and usage details, and may provide cookies. You should always check the privacy settings and notices of third-party services to understand how these third-parties may use your information. If you submit information to any third party, your information is governed by their privacy policies, not this one. We are not responsible for the privacy practices of any third party sites or companies. We do not endorse any of these third parties or any content contained on their sites.
- Events: If you attend an event, webinar, or download or access an asset on our Sites (such as information about our products, news, or events), we may share your personal data with sponsors and presenters of the event. If required by law, you may consent to such disclosure on the registration form or by allowing your attendee badge to be scanned at a sponsor booth. In these circumstances, your personal data will be subject to the sponsor/presenter privacy notice. If you do not wish for your personal data to be disclosed, you may choose not to opt in via event/webinar registration, elect not to have your badge scanned, or you can opt out in accordance with section 9 below.
- Business Transfers: Internally within our group of affiliates, including our parent company. In connection with any business transaction involving all or part of JFrog, such as a merger, acquisition, purchase of substantially all or part of its assets, consolidation, divestiture, or financing.
- Professional advisors: With professional advisers such as lawyers, bankers, auditors, and insurers.
- Legal compliance: To comply with legal process or government request; to respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person; to protect the security or integrity of our products, services, and offices; enforce our agreements, terms, and policies; protect the rights, property, and safety of our business, employees, Customers, or others; and comply with applicable laws and regulations. For more information on how we respond to government requests, see our Government Access Policy.
- We may disclose your personal data in additional manners, pursuant to your consent or on an aggregated basis.
4. International Data Transfers and Data Privacy Framework
As a global company, JFrog may need to transfer your personal data to JFrog affiliates, contractors, service providers, and to third parties in various countries and jurisdictions around the world. Your personal data may be processed outside your country and such country may not have equivalent privacy and data protection laws.
JFrog Ltd. (JFrog parent company) is headquartered in Israel, a jurisdiction which is considered by the European Commission, the UK Secretary of State and the Swiss Federal Data Protection and Information Commissioner, to be offering an adequate level of protection for personal data of individuals residing in EU Member States, the UK and Switzerland, respectively, on the basis of which data transfers are permissible. In the event that these adequacy decisions become ineffective, we shall utilize a valid data transfer mechanism, such as European Commission approved Standard Contractual Clauses, the UK Addendum, or other appropriate legal mechanism to safeguard the transfer.
For the purposes of the GDPR and UK GDPR, JFrog Ltd. is the controller of your personal data. The registered address is 3, Hamachshev Street, Netanya, 4250465, Israel and we can be contacted using the details provided below in the “Contact Us” Section 11. Please see Section 2 for the legal basis on which we rely for the collection, processing, and use of personal data. You may exercise certain rights regarding your personal data, as provided in Section 8.
JFrog Inc., our US subsidiary, complies with the EU-U.S. Data Privacy Framework (the “DPF”), the UK Extension to the DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. JFrog Inc. has certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“Principles”) with regard to the processing of personal data received from the European Union in reliance on the DPF, and from the UK (and Gibraltar) in reliance on the UK Extension to the DPF and Swiss-U.S. DPF with regard to processing of personal data received from Switzerland. If there is any conflict between the terms in this Privacy Notice and the Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/ and search for “JFrog Inc.” in the Data Privacy Framework List. JFrog Inc. is responsible for the processing of Personal Data it receives under the DPF and subsequently may transfer it to third parties acting as agents on our behalf.
In compliance with the Principles, JFrog Inc. commits to resolve unresolved complaints concerning our handling of your personal data received in reliance on the Principles. EU, EEA, UK (and Gibraltar), and Swiss individuals with DPF inquiries or complaints should first contact JFrog Inc. by submitting a Privacy Request online or by emailing [email protected]. If you do not receive timely acknowledgement of your Principles-related complaint from JFrog Inc., or if we have not addressed your Principles-related complaint to your satisfaction, please contact our U.S.-based third-party dispute resolution provider (free of charge) for more information or to file a complaint. If your DPF complaint cannot be resolved through the above channels, under certain circumstances, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms as detailed in the Principles, available here. JFrog Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
5. Data Retention
We may retain your personal data for as long as it is reasonably necessary to fulfill the purposes it was collected for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the existence of an ongoing relationship with you, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
6. Data Security
We use industry standard technologies and internal procedures to secure the information we store, taking into account the sensitivity of the information we collect, process, and store, and the current state of technology. For more information, please visit the JFrog Trust Center. Please note, no method of storage or transmission is completely secure. We cannot guarantee that our Services or Sites will be immune from any wrongdoing, malfunctions, unlawful interceptions or access, or other kinds or abuse and misuse. You are solely responsible for protecting your account, password(s), limiting access, and signing out after your sessions.
7. Cookies and Other Technologies
JFrog and our third parties, such as advertising and analytics providers, through our Sites, Services, emails, marketing/advertising communications, use automatic data collection tools, such as cookies, embedded web links, pixels, tags, web beacons, JavaScript, alone or in conjunction with other other technology (collectively “cookies”) to provide functionality, recognize you across different devices, provide personalized service, analyze performance, understand usage and interests, provide customization, marketing/advertising, and to help us to improve our interactions with you. When you visit our Sites, a cookie may be placed on your device that collects information, including personal data (such as IP address, MAC address), about your online activities over time and across different sites. These tools help to make your visit to our Sites and Services easier, more efficient, and personalized. We also use the information to improve our Sites and Services, provide greater service, better understand your potential interest in our Sites and Services, and provide you with more relevant ads and other content. To update your cookie preferences, click the “Cookie Settings” link at the bottom of our Site. Additionally, you may be able to use other tools to control cookies and similar technologies (i.e. you may have controls in your internet browser to limit how the websites you visit are able to use cookies and other technologies). You can also opt out of Google Analytics by downloading, installing, and enabling the Google Analytics Opt-out Browser Add-on, which can be found at: https://tools.google.com/dlpage/gaoptout/. For more information, see our Cookie Notice. Choosing to disable cookies may limit your use of certain features or functions on our Sites.
Global Privacy Control (“GPC”) is a browser-based option that you can use to signal your privacy preference. Certain browsers and extensions will allow you to enable GPC. If you enable GPC, our cookie tool will automatically turn off all targeting cookies on our Sites in response to your signal. You can learn more at: https://globalprivacycontrol.org/
8. Your Privacy Rights
Where applicable under applicable law, you may have certain rights regarding the personal data we collect and maintain about you.
- The right to request information about our use of your personal data
- The right to review and access your personal data
- The right to rectify (correct, update or modify) the personal data we hold about you
- The right to erase (delete), de-identify, or anonymize your personal data
- The right to restrict our use of your personal data
- The right to object to our use of, or certain types of disclosures of, your personal data
- The right to receive personal data you have provided to us in a structured, machine-readable format that allows you to transmit the data to another controller.
- The right to withdraw any consent you have given us (which will not affect the lawfulness of processing based on consent before the withdrawal).
- The right to lodge a complaint with a supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website. If you are a resident of the United Kingdom you may contact the UK supervisory authority, the Information Commissioner’s Office.
- The right to not be subject to automated decision-making, GDPR Article 22(1) and (4) do not take place in connection with your personal data.
If you would like to exercise any of these rights, please submit a request through the Privacy Request Form. If you are in the U.S., you may also call us toll-free at +1-408-329-1540. When JFrog is acting as a “data processor,” you will need to contact the data controller (the JFrog Customer) under the applicable data protection laws (usually this is the JFrog Customer). Only you, or someone legally authorized to act on your behalf (including an authorized agent) may make a verifiable request related to your personal data using the method described above. We may refuse to act on requests in certain cases, such as if the request impacts our legal obligations or might infringe on someone else’s privacy rights.
Before responding to a request for information about your personal data, we may need to verify your identity. The information we ask to verify may depend on your relationship with us. Please note we may be permitted by applicable laws to retain some of your personal data to satisfy our business needs.
We do not sell personal data to third parties in exchange for money. However, we engage in routine practices with cookies (as described in the above Cookies and Tracking Technologies section) involving third parties that could be considered a “sale” or “share” under certain U.S. state laws. You may opt out of cookies by: (1) Submitting an opt out webform at: https://preferences.jfrog.com/ and (2) clicking on the “Do Not Sell My Personal Information” link in the cookie banner or “Cookie Settings” link in our footer, move the toggle switch to disabled, then click the “Confirm My Choices” button. You need to complete this step on each of our Sites from each browser and on each device that you use. These steps are necessary to place a first party cookie signaling that you have opted out on each browser and each device you use. If you block cookies, we will not be able to comply with your Do Not Sell or Share My Personal Information request for device data that we automatically collect and disclose to third parties using cookies. If you clear cookies in your browser, you will need to follow step 2 above again. We will not discriminate against you, in any manner prohibited by applicable law, for exercising these rights.
You may opt out of receiving direct marketing communications from us by using the unsubscribe link within the email, updating your preferences in the JFrog Subscription Center, or by contacting us as provided in the Contact Us section below. You may not be able to opt out of receiving certain communications that are integral to the operation and use of our Services.
9. Updates to this Privacy Notice
JFrog may change this Privacy Notice from time to time by posting an updated version on our Sites with a date indicating when it was last updated. We recommend checking back periodically for updates. When required under applicable law, we will post a notice on our Site. If you continue to use our Sites and Services after a revision takes effect, we consider that you have read and understand the Privacy Notice updates.
10. Children’s Privacy
Our Sites and Services are not directed to children under the age of 16 and we do not knowingly collect online personal data directly from children. We do not knowingly sell or share any personal data of minors under the age of 16. If you are a parent or guardian of a child and believe that the child has disclosed online personal data to us, please contact us at [email protected].
11. Contact Us
If you have any comments, complaints or questions regarding our data practices or this Notice, please contact our Privacy Office and DPO by email at [email protected]. When you contact us, please indicate the country and/or state you reside.
JFrog, Attn: Privacy Office/DPO – Legal, 270 E. Caribbean Drive, Sunnyvale, CA 94089 or
JFrog Ltd., Attn: Privacy Office/DPO – Legal, P.O. Box 8187, 3 Hamachshev Street, Netanya, 4250465 Israel
For convenience, non-English translations of this Notice may be provided, this English language version will control.