Netlify Privacy Statement
Last updated: February 13, 2024
This Privacy Statement applies to Netlify, Inc. and/or its affiliated entities (“Netlify”, “we”, or “us”) when we act as the controller of your Personal Data. Netlify’s affiliates are listed in Section 16 below. However, this Privacy Statement does not apply to data we process as a service provider or data processor on behalf of our enterprise customers. Such data processing activities are governed by our Data Processing Agreement. If you use the Netlify Services as part of your organization (for example, you are an employee), you should read your organization’s privacy statement and direct any inquiries to that organization.
Netlify takes your privacy seriously. We will not sell, lease, or exchange your personal data to, or otherwise share your personal data with, third parties in ways other than described in this Privacy Statement.
1. Applicability
This Privacy Statement applies when Netlify acts as controller of your Personal Data such as:
- when you subscribe online to the services provided by Netlify (the “Netlify Services”). If you subscribe to the Netlify Services, your subscription will be governed by the Self-Serve Subscription Agreement (“Terms of Service”), and this Privacy Statement;
- when you interact with the Netlify.com website, including the Netlify Support Forums, (the “Website”) together with our Website Terms of Use;
- When you register for, or participate, in our webinars, events, programs, either online or in-person.
2. Personal Data Netlify Collects
The categories of Personal Data that we collect depend on how you use the Netlify Services or the Website.
(i) Information You Provide Directly
- Account Information: when you register for an account with Netlify, we collect information that identifies you such as your name, username, email address, and password.
- Profile Information: we collect information that you voluntarily provide in your user profile. This may include your public avatar (which may be a photo), additional email addresses, and username of connected accounts (such as GitHub, Bitbucket, GitLab).
- Payment Information: if you purchase a paid subscription from Netlify, we will collect payment information from you that may include your name, billing address and credit card or bank information. We may also use your credit card information to verify your identity and prevent abuse. We do not directly process or store your entire credit card number, but we do direct that information to our third-party payment processors for processing.
- Marketing Contact Information: if you request Netlify to contact you, or sign up for marketing materials or events, Netlify may collect information such as name, address, email address, telephone number, company name, and size of company. This may be collected through the Website as well as through the use of the Netlify Services.
- Customer Content: as defined in our Self-Serve Subscription Agreement, this is the content we collect and store including when you use the Netlify Services, as for example: sites you create, deployments, team builds, profile metadata, activity, and usage data.
- Troubleshooting Information: if you contact Netlify’s customer support, we will collect information about you related to your account and the requests you are making.
- Call Recordings: sometimes, we record and transcribe sales or support calls hosted on various video-conferencing technologies to enable our sales and support teams to share conversational insights, create training and presentations, and improve their internal processes. You will be informed if a video-call is recorded.
- Other Content You Submit through the Website: we also collect any content that you submit to our Website. For example: comments in the Netlify Support Forums and blog posts, or when you participate in any interactive features, surveys, or events.
(ii) Information We Collect Automatically
- Identifiers: when you access and use our Services, we automatically collect information about your device, which may include: device type, your device operating system, browser type and version, IP address, hardware identifiers.
- Service Data: as defined in our Self-Serve Subscription Agreement, Service Data is data derived by or on behalf of Netlify based on your use of the Netlify Services. This data includes aggregated metrics regarding activity and feature usage that may influence our product roadmap.
- Website Usage Data: when you visit our Website, we may automatically log information about how you interact with the sites, such as the referring site, date and time of visit, and the pages you have viewed or links you have clicked. This may change depending on your choice regarding cookies.
- Cookies and Tracking Technologies: Netlify uses cookies and similar tracking technologies to provide functionality, such as storing your settings, and to recognize you as you use our Services and our Website. In addition, we use cookies to gather information to provide interest-based advertising which is tailored to you based on your online activity.
(iii) Information We Receive from Third-parties
- Vendors and Partners: we may receive information about you from third-parties such as vendors, resellers, or partners. For example, our sales and marketing teams may receive access to third-party databases containing information to enrich business contacts and other corporate data.
- Third-party Sign-in Services: Netlify allows you to sign up, and login into, our Services using third-party accounts, such as GitHub, Gitlab, Bitbucket. When you give permission for this to happen, Netlify will receive information about you from your third-party account, such as name, email address, and location.
3. Purposes for which Netlify Processes Personal Data and Legal Basis
- Purpose of Processing: Providing the Netlify Services. We process your Personal Data to perform our contract with you for the provision of the Netlify Service and to satisfy our obligations under the applicable terms of use.
- Legal Basis: Performance of a Contract
- Purpose of Processing: Providing and improving the Website. We process your Personal Data to operate and administer the Website and to provide you with the content you access and request. We also analyze overall trends to improve the user experience.
- Legal Basis: Legitimate Interest
- Purpose of Processing: Displaying personalized advertisements and content. We process your Personal Data to conduct market research, advertise to you, provide personalized information about us on and off our websites and to provide other personalized content based upon your activities and interests.
- Legal Basis: Legitimate Interest
- Purpose of Processing: Managing event registrations and attendance. We process your Personal Data to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you. This includes sending marketing communications to you for similar products and services.
- Legal Basis: Performance of a Contract; Legitimate Interest
- Purpose of Processing: Sending communications. We process your Personal Data to send you marketing information, product recommendations and other non-transactional communications about Netlify, and partners.
- Legal Basis: Legitimate Interest; Consent
- Purpose of Processing: Recording phone calls. Our Sales and Support teams may - from time to time - record video calls for training, quality assurance, and administration purposes.
- Legal Basis: Legitimate Interest; Consent
- Purpose of Processing: Developing and improving the performance of the services. We process your Personal Data to develop, maintain, improve the Netlify Services.
- Legal Basis: Performance of a Contract; Legitimate Interest
- Purpose of Processing: Managing our customer and user accounts. We process your Personal Data (including Service Data) to manage customer and user accounts, such as billing, customer correspondence and customer relationship management.
- Legal Basis: Performance of a Contract
- Purpose of Processing: Providing customer support. We process your Personal Data when you write to our customer support team and log a ticket with them.
- Legal Basis: Performance of a Contract
4. Disclosure of Personal Data
We may share your Personal Data with third parties, such as:
- Service Providers: with our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, events planning, customer support and data enrichment for the purposes and pursuant to the legal bases described above.
- Netlify Affiliates: with affiliates of Netlify, Inc. (as listed below in Section 16) and any companies that we may acquire in the future.
- Event Sponsors: if you attend an event or webinar organized by Netlify, or download or access an asset on our website, we may share your Personal Data with sponsors of the event. If required by applicable law, you may consent to such sharing via the registration form. In these circumstances, your information will be subject to the sponsors’ privacy statements. If you do not wish for your information to be shared, you can opt-out at any time in accordance with Section 8 below.
- Partners: with specific partners that offer supplementary services to those provided by Netlify, such as partners that resell the Netlify Services.
- Netlify Third-party Integrations: if - while using the Netlify Services - you choose to interact with, activate, or otherwise use third-party tools, we may share your Personal Data with such third parties.
- Professional Advisers: we may share your Personal Data with professional advisers acting as service providers, processors, or joint controllers - including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services, and to the extent we are legally obliged to share or have a legitimate interest in sharing your Personal Data.
- Public Authorities: with public and government authorities, to the extent we receive a lawful order and we are compelled to disclose Personal Data to comply with our legal obligations.
5. International Transfer of Personal Data
Your Personal Data may be collected, transferred to and stored by Netlify outside of the country of collection to and by our affiliates.
Your Personal Data may be processed outside your country or jurisdiction, including in places that are not subject to an adequacy decision by the European Commission, and that may not provide for the same level of data protection as the General Data Protection Regulation (“GDPR”). When we engage in cross-border transfers to countries that do not ensure the same level of data protection, we use a variety of legal mechanisms, including the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data. For transfers to the United States, see below Section13 “Data Privacy Framework”.
6. Children's Privacy
We do not knowingly provide the Services to, and will not knowingly collect the personal information from anyone under the age of 16. If you are a parent or guardian of a minor child and believe that a child has disclosed online personal data to us, please contact us using the details provided in Section 17. If we learn or have reason to suspect that a user is under the age of 16, we will close the account.
7. Data Retention
We may retain your Personal Data for a period of time consistent with the original purpose of collection or as long as required to fulfill our legal obligations. We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of the Personal Data being processed, the potential risk of harm from unauthorized use or disclosure of the Personal Data, whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation). After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data. For more information on data retention periods, please contact us by using the information in Section 17.
8. Your Rights
(i) Your Rights Relating to Your Personal Data
You may have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws these rights may include the right to:
- Access your Personal Data held by us;
- Know more about how we process your Personal Data;
- Rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete;
- Erase your Personal Data;
- Restrict our processing of your Personal Data;
- Transfer your Personal Data to another controller, to the extent possible;
- Object to any processing of your Personal Data;
- Opt out of certain disclosures of your Personal Data to third parties;
- If you’re under the age of 16, or such other applicable age of consent for privacy purposes in relevant individual jurisdictions, opt-in to certain disclosures of your Personal Data to third parties;
- Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making");
- Withdraw your consent at any time (to the extent we base processing on consent), without affecting the lawfulness of the processing based on such consent before its withdrawal; and
- Not be discriminated against for exercising your rights as described above.
Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection.
Please note that Automated Decision-Making currently does not take place on our websites or in the Netlify Services.
(ii) How to Exercise Your Rights
To exercise your rights, please contact us by using the information in Section 17. Your Personal Data may be processed in responding to these rights. We try to respond to all legitimate requests within one month unless otherwise required by law, and will contact you if we need additional information from you in order to honor your request or verify your identity. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive. If you are an employee of a Netlify customer, you should contact your employer’s system administrator for assistance in correcting or updating your information.
(iii) When We Act as Processor
As described above, we may also process Personal Data submitted by or for a customer to the Netlify Services. To this end we process such Personal Data as a processor on behalf of our customer (and its affiliates) who is the controller of the Personal Data. We are not responsible for and have no control over the privacy and data security practices of our customers, which may differ from those explained in this Privacy Statement. If your data has been submitted to us in our role as a processor by or on behalf of a Netlify customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with them directly. We may only access a customer’s data upon their instructions, therefore if you make your request directly to us we will refer your request to that customer (provided you identify who the customer is), and will support them as needed in responding to your request within a reasonable timeframe.
9. Marketing Communications
If we process your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from Netlify by clicking on the “unsubscribe” link located on the bottom of Netlify marketing emails. Please note that opting out of marketing communications does not opt you out of receiving important business communications related to your current relationship with Netlify, such as communications about your subscriptions or event registrations, service announcements or security information.
If you want your phone number to be added to our internal Do-Not-Call telemarketing register, please contact us by using the information in Section 17 below. Please include your first name, last name, company and the phone number you wish to add to our Do-Not-Call register.
Alternatively, you can always let us know during a telemarketing call that you do not want to be called again for marketing purposes
10. External Links
During your interactions with us, you may come across links to external sites or other online services, included in those embedded within third party advertisements. It is important to note that we do not have control over, and are not responsible for the privacy practices or the content of these third-party sites. We strongly encourage you to review the privacy policy of linked third-party sites, if you have any questions about their privacy practices, as their privacy policies and practices may vary from our own.
11. Data Security at Netlify
We will strive to prevent unauthorized access to your personal information, however, no data transmission over the Internet, by wireless device or over the air is guaranteed to be 100% secure. We will continue to enhance security procedures as new technologies and procedures become available.
We strongly recommend that you do not disclose your password to anyone. If you forget your password, we will ask you for your ID and send you an email containing a link that will allow you to reset your password.
Please remember that you control what personal information you provide while using the Netlify Services. Ultimately, you are responsible for maintaining the secrecy of your identification, passwords and/or any personal information in your possession for the use of the Netlify Services. Always be careful and responsible regarding your personal information. We are not responsible for, and cannot control, the use by others of any information which you provide to them and you should use caution in selecting the personal information you provide to others through the Netlify Services. Similarly, we cannot assume any responsibility for the content of any personal information or other information which you receive from other users through the Netlify Services, and you release us from any and all liability in connection with the contents of any personal information or other information which you may receive using the Netlify Services. We cannot guarantee, or assume any responsibility for verifying, the accuracy of the personal information or other information provided by any third party. You release us from any and all liability in connection with the use of such personal information or other information of others.
You can find more information on how we protect content provided to Netlify in using the Netlify Services, as well as any data transmitted and processed through your account on the Netlify Service, here: https://www.netlify.com/security/.
12. Changes to this Privacy Statement
We will update this Privacy Statement from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we do, we will update the “effective date” at the top. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a notice on our website or by contacting you directly, or where required under applicable law and feasible, seek your consent to these changes.
We encourage you to periodically review this Privacy Statement to stay informed about our collection, processing and sharing of your Personal Data.
13. Data Privacy Framework
Netlify, Inc. and Jamstack Innovation Fund comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Netlify, Inc. and Jamstack Innovation Fund have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Netlify, Inc. and Jamstack Innovation Fund have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data privacy framework website.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Netlify, Inc. and Jamstack Innovation Fund commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
The Federal Trade Commission has jurisdiction over Netlify, Inc. and Jamstack Innovation Fund compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I of the DPF Principles.
If we share data with third parties as detailed in in paragraph 4, Netlify has signed contracts with such third parties restricting their access, use and disclosure of personal data in compliance with our obligations under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, including the onward transfer provisions, and Netlify remains liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.
14. California Residents
If you are a California resident, you have the rights listed below, as recognized by the California Consumer Privacy Act (CCPA). However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
- Knowledge. You can request information about what personal information we have collected about you, including:
- the categories of personal information;
- the categories of sources from which the personal information is collected;
- the business or commercial purpose for collecting, selling, or sharing personal information;
- the categories of third parties to whom we disclose personal information;
- the specific pieces of personal information that we have collected about you.
- Access. You can request a copy of the Personal Information that we have collected about you.
- Deletion. You can ask us to delete the Personal Information that we have collected from you.
- Correction. You can ask us to rectify inaccurate personal information and, taking into account the purpose of processing the personal information, ensure it is complete;
- Opt-out of sales or sharing. You can ask that we do not “sell” or “share” your Personal Information as “sell” and “share” are explicitly defined under the CCPA. For more information, please refer to Section 8.
- Nondiscrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you the Services; increasing the price/rate of the Services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.
In order to submit a request to exercise your right of information, access, or deletion pursuant to the CCPA, please follow the instructions for submitting a request detailed in this Privacy Statement. Please note, we reserve the right to confirm your California residence to process your requests and may need to confirm your identity to process certain requests. For example, we take reasonable precautions to verify the identities of those California residents submitting requests to delete or access Personal Information.
Right to Opt Out of the Sale and Sharing of Your Personal Information
We do not sell your Personal Information in the conventional sense (i.e., for money). Like many companies, however, we use services that help deliver interest-based ads to you and may transfer Personal Information to business partners for their use. Making Personal Information (such as online identifiers or browsing activity) available to these companies may be considered a “sale” or “sharing” of your Personal Information under the CCPA.
In addition, some internet browsers offer the option to enable opt-out signals such as Global Privacy Control that lets you tell websites that you do not want to have your online activities tracked. We respond to these signals by processing them as a request to opt out of the “sale” or “sharing” of your Personal Information as discussed above.
Please note that you will still see some advertising, regardless of your selection. We do not impose verification protocols for processing opt out requests unless we have reason to question the authenticity of a requester’s identity, in which case we may request evidence of identity and California residency.
15. Supplemental Information for the EEA, Switzerland, and the U.K.
“Personal Data” as referenced in this Privacy Statement means “personal data” as that term is defined under the European Union (“EU”) General Data Protection Regulations (“GDPR”) and its United Kingdom (“UK”) GDPR counterpart. If you are an individual from the European Economic Area (the “EEA”), the UK or Switzerland, please note that our legal basis for collecting and using your Personal Data will depend on the Personal Data collected and the specific context in which we collect it. As detailed in Section 2, we normally will collect Personal Data from you only where: (a) we have your consent to do so, (b) where we need your Personal Data to perform a contract with you (e.g. to deliver the Netlify Services you have requested), or (c) where the processing is in our legitimate interests. Please note that in most cases, if you do not provide the requested information, Netlify will not be able to provide the requested service to you.
In some cases, we may also have a legal obligation to collect Personal Data from you, or may otherwise need the Personal Data to protect your vital interests or those of another person. Where we rely on your consent to process your Personal Data, you have the right to withdraw or decline consent at any time. Where we rely on our legitimate interests to process your Personal Data, you have the right to object by emailing us at [email protected]
16. Netlify Affiliates
Stackbit, Inc.; Gatsby, Inc.; Netlify Canada Limited; Netlify EMEA Limited; Netlify UK Limited.
17. Contact Us
If you have any questions or suggestions regarding our Privacy Statement, please contact us at [email protected], or write us at:
Netlify, Inc.
512 2nd Street, Fl 2
San Francisco, CA 94107
When you contact us, please indicate in which country and/or state you reside.
If you believe that we have not been able to assist with your complaint or concern, and you are located in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority. If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website.