Effective Date: March 5, 2024

Acronis, Inc., registered at 1 Van de Graaff Drive, Suite 301 Burlington, MA 01803 and its affiliates (together, Acronis or we) provides this U.S. State Privacy Rights Notice (Notice) as a supplement to the Acronis Privacy Statement and any other Acronis privacy notice or statement in which this Notice is linked or referenced.

THIS NOTICE ALSO SERVES AS THE ACRONIS NOTICE AT COLLECTION FOR PURPOSES OF THE CALIFORNIA CONSUMER PRIVACY ACT.

DEFINITIONS

Throughout this Notice, we use the following terms with the following meanings:

• Acronis Services has the meaning given in the Acronis Privacy Statement.
• Business Purposes means performing the Acronis Services; managing and processing interactions and transactions with Consumers; securing and debugging the Acronis Services; advertising and marketing; quality assurance; research and development; and other business purposes as may be defined in CCPA from time to time.
• CCPA means the California Consumer Privacy Act of 2018 (Cal Civ Code 1798.100 - 1798.199.100).
• Consumer (or you) means an individual acting in a personal or household context and individuals who are California residents acting in a business-to-business context who uses the Acronis Services, including a “data subject” as defined in U.S. Privacy Laws. Some Consumers are also Customers.
• Controller means the person or entity that determines the purpose and means of processing of Personal Information, including a “business” under CCPA.
• Customer means managed service providers, distributors and other business customers or other legal or natural persons that or who subscribe to or order the Acronis Services
• personal information means information that identifies or can be used to identify a Consumer, including personal data as defined in U.S. Privacy Laws.
• processing (and its cognates, such as “process”) means any operation (or set of operations) performed on personal information, such as collecting, combining and storing.
• processor means a person or entity that processes personal information on behalf of Acronis pursuant to a written contract which meets the requirements of U.S. Privacy Laws, including a “service provider” under CCPA.
• U.S. Privacy Laws means the state privacy laws in effect in the U.S., including CCPA; Colorado Privacy Act; Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring; Utah Consumer Privacy Act; Virginia Consumer Data Protection Act; and all similar U.S. state general consumer privacy laws when in effect (e.g., in Delaware, Indiana, Iowa, Montana, New Jersey, Oregon and Tennessee), each as amended, repealed, consolidated or replaced from time to time.
• Vendors means Processors that Process Personal information on behalf of Acronis and contractors and other organizations with which Acronis shares personal information pursuant to a written agreement for Business Purposes.

Other capitalized terms used but not defined in the Acronis Privacy Statement or this Notice have the meanings given to them in U.S. Privacy Laws.

This Notice applies to you as a Consumer when you are asked to acknowledge it and when Acronis is the Controller of your personal information.

This Notice does not apply to Acronis’ current and former employees, independent contractors and job applicants. Please contact privacy.careers@acronis.com for Acronis’ California Personnel Privacy Notice.

This Notice covers the twelve (12) months prior to the “Last Updated” date above. This Notice is reviewed at least once per year and updated as needed. If Acronis’ processing materially changes between updates to this Notice, Acronis will provide a supplemental notice when or before the changes apply.

Acronis (as Controller) collects personal information from or about you as follows:

• directly from you (e.g., when you register for an account on Acronis.com)
• from Customers
• from your computer and mobile devices when you use the Acronis Services, including personal information generated by or derived from your use of the Acronis Services
• from our affiliates
• from Vendors
• from public sources of data
• from other businesses or individuals

Generally, Acronis processes personal information to provide the Acronis Services and as otherwise related to the operation of our business, including for Business Purposes. (See also Section V below.)

Acronis discloses personal information: to our Vendors; to you or to other third parties at your direction or through your actions; for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process or protect or enforce legal rights or obligations or prevent harm; and as part of an acquisition, merger, asset sale or other transaction in which a third party assumes control over all or part of Acronis’ business. These disclosures to our Vendors are not a “sale” or “share” (as described in Section VI below).

Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors also may use your personal information for Business Purposes and other approved purposes and may engage their own vendors to help perform services for us.

Acronis, when acting as a Controller, may collect or receive (and may have collected or received during the 12-month period prior to the “Last Updated” date above) the categories of personal information listed below. (These categories track the categories in CCPA, which is required by CCPA.)

Not all categories are collected or received for every Consumer. Some personal information included in one category may overlap with other categories. All of this personal information is collected for the purposes of providing, improving and promoting the Acronis Services.

• Personal Characteristics or Traits – In some circumstances, Acronis may receive personal information that receives special protections under U.S. law, such as age, gender and nationality. Acronis only receives this category of personal information when you choose to provide that information to Acronis, which Acronis will use only for Business Purposes.
• Commercial Information – Acronis collects purchase and transaction information, such as records of Acronis products or services purchased, participation in promotional offers and product reviews or testimonials available on the Acronis Services or offline. Acronis also collects personal information from internet-connected devices used in connection with the Acronis Services.
• Internet Usage Information – Acronis collects Internet or other electronic network activity information when you subscribe to or otherwise interact with the Acronis Services, including:
  
  • network addresses, Internet connections and operating statistics
  • type, operating system and other identifying information about computers and mobile devices (device information) connected to Acronis Services, including the date and time the Acronis Services are accessed, search requests and results, mouse clicks and movements.
  • Internet service provider name and Internet protocol (IP) address, Internet speeds and outages.
  • log information from connected computers and mobile devices and their software and hardware versions and connection time.
  • identifiers for computers and mobile devices currently connected to Acronis Services and how long a specific computer or mobile device is connected.
  • how often the Acronis Services are used and in which circumstances and similar performance metrics.
  • date/time stamps associated with installations, updates and integrations of the Acronis Services.
  • features used and the results of their operations and disabled features, such as specific webpages accessed and links clicked on Acronis.com
  • names of potentially-malicious files together with their hashes and full paths and blocked website URLs collected to provide antivirus and URL filtering functionality offered through certain of the Acronis Services.
  • email contents but only if Acronis identifies the email as malicious or reasonably believes it contains malware or other compromises the security of Acronis’ systems.
  • information about errors and the activity that preceded or caused the errors.
  • systems and user’s activity logs (date and content) about your use of the Acronis Services for protecting the security and integrity of the Acronis Services, such as endpoint detection and response and data loss prevention functionality.
  • information required to establish connection with the third-party integrations for the Acronis Services that you (or the Acronis Customer through which you have access to the Acronis Services) chose to use and the information necessary to connect to and operate the integrations.
  • data obtained from locally-installed software or endpoints.
  • activity and audit logs, such as search queries and IP address, browser type and language, time zones, date and time of request and referral URL and certain necessary cookies that may identify a browser or account when you log onto the Acronis Services.
  • information collected through cookies, pixel, web beacons and other similar technologies, such as device or browser identifiers, traffic and usage measurements that monitor the traffic patterns from one webpage to another that enable Acronis to understand whether you visit the Acronis Services after seeing an online advertisement displayed on a third-party website; data about the third-party sites or services accessed before interacting with the Acronis Services, which is used to make advertising more relevant; and interactions with our marketing communications, such as whether and when an Acronis email is opened to help Acronis measure the success of our email marketing campaign.
  • metadata related to identifying devices and IP addresses.
  • network state information, such as source and destination traffic headers, IP addresses and domain name system (DNS) details.
  
  
  • Sensory Data (audio, visual and similar information) – Acronis collects audio or visual information from interactions with Acronis’ customer service and Sales teams or as part of online or offline events.
  • Professional or Employment-Related Information – Acronis collects professional or employment related information about Consumers who are users associated with a business Customer and are personnel of Vendors and business partners, as well as other Consumers who choose to provide this category of information to Acronis.
  • Inferences from Personal Information – Acronis collects inferences drawn from personal information to create a profile reflecting preferences, characteristics and behavior of Consumers who interact with Acronis.

  For purposes of this Notice, Acronis does not knowingly collect or process the following categories of personal information from you. Acronis may process one of these categories of personal information data if provided by our Customers that are using the Acronis Services (e.g., as part of their data backup and storage) when Acronis is acting as a Processor.

• Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card or passport number).
• Non-public Education Records as defined in Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99), which are education records directly maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, schedules, identification codes, financial information or disciplinary records.
• Precise Geolocation which means personal information that is derived from a device and that is used or intended to be used to locate a Consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet).
• Genetic Data used for the purpose of uniquely identifying a Consumer.
• Biometric Information used for the purpose of uniquely identifying a Consumer.
• Health Information, which means personal information collected and analyzed concerning a Consumer’s health, medical history, mental or physical health, diagnosis/condition and medical treatment.
• Sex Life / Sexual Orientation, which means personal information collected and analyzed concerning a Consumer’s sex life or sexual orientation.
• Children’s Data which means personal information collected from a Consumer under age 16.

Acronis may collect other information that meets the definition of personal information under U.S. Privacy Laws but is not reflected by a category above. When this occurs, we treat the information as personal information as required by U.S. Privacy Laws but will not include it when we describe our practices in this Notice.

As permitted by applicable law, we do not treat personal information that is deidentified (also known as anonymized) as personal information. We reserve the right to convert (or permit others to convert) personal information to deidentified data and may elect not to treat publicly available information as personal information. We will not attempt to reidentify data that we maintain as deidentified data.

As required by California law, the table above includes Acronis’ general retention rules by personal information category. Actual retention periods may, however, vary because each category has several types of personal information and uses. We retain specific pieces of personal information for as long as we have a legitimate purpose for doing so.

Business Purposes: Acronis uses and discloses personal information for Business Purposes which are:

1. Performing services:

1. Privacy Rights

Subject to our verification requirements, Acronis provides Consumers with the privacy rights described in this Section VI. For residents of states without privacy rights, Acronis will consider requests but will determine in its sole discretion how to process those requests.

(a) Right to Access/Know

Residents of California, Virginia and Colorado are entitled to access personal information up to twice per 12-month period. Residents of Connecticut and Utah are entitled once every 12-month period to access personal information maintained by Acronis. Acronis may choose to provide you with access to personal information more frequently but a service fee may apply to these additional requests.

(1) Categories of Personal Information

California residents have a right to submit a request for any of the following for the 12-month period prior to the request date:

• The categories of personal information we collect from or about you or otherwise process.
• The categories of sources from which your personal information was collected.
• Acronis’ business purposes or commercial purposes for collecting and (if applicable) selling or sharing your personal information.
• The categories of third parties to which Acronis disclosed your personal information.
• A list of the categories of personal information disclosed for a Business Purpose and, for each, the categories of recipients or that no disclosure occurred.
• A list of the categories of personal information Sold or Shared (each as defined below) about you and, for each, the categories of recipients or that no Sale or Share occurred.

(2) Specific Pieces of Personal Information (for California Consumers)

You may request to confirm if we are processing your personal information and, if we are, to obtain a transportable copy (subject to applicable request limits) of your personal information that we have collected and are maintaining. Acronis will apply the heightened verification standards described below. To comply with access requests, Acronis is not required to re-identify information or to keep personal information longer than we need it or are required to by applicable law.

(b) Right to Delete

You may request that Acronis delete your personal information unless Acronis has a basis for retaining it under applicable law. Depending on where you reside (e.g., California or Utah), Acronis may not have the obligation to delete your personal information that we did not collect directly from you.

(c) Right to Correct Personal Information

You have the right to request that we correct inaccuracies that you find in the personal information about you maintained by us. You also can make certain changes to your online account (e.g., name and password) in the account settings section of the account. Changing your account settings will not, however, change your personal information that exists in other places.

(d) Do Not Sell / Share / Target

U.S. Privacy Laws have broad and differing concepts of Selling personal information for which an opt-out is required. California also has an opt-out from Sharing for Cross-Context Behavioral Advertising (i.e., use of personal information from different businesses or services to target advertisements). Other states have an opt-out of Targeted Advertising (defined differently but also addressing tracking, profiling and targeting of advertisements). Acronis may Sell or Share your personal information and/or use your personal information for Targeted Advertising, as these terms apply under U.S. Privacy Laws. Third-party digital businesses may associate cookies and other tracking technologies that collect personal information about you on the Acronis Services or otherwise collect and process personal information that we make available about you, including digital activity information. We understand that giving access to personal information on the Acronis Services or otherwise to a third-party digital business may be deemed a Sale and/or Share under some U.S. Privacy Laws. Acronis will treat that personal information (e.g., cookie ID, IP address and other online IDs and internet or other electronic activity information) collected by a third-party digital business not limited to acting as our Service Provider or Contractor (as defined in CCPA) or as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your personal information, Share your personal information for Cross-Context Behavioral Advertising or process your personal information for Targeted Advertising once you make a Do Not Sell/Share/Target opt-out request.

Opt-out for non-cookie-related personal information: If you want to limit our processing of your non-cookie personal information (e.g., your email address) for Targeted Advertising or opt-out of the Sale/Sharing of such personal information, please make an opt-out request as described below in the “How to Exercise Privacy Rights” section below. To stop receiving promotional emails from Acronis, please click the “Unsubscribe” link at the bottom of the email. After you opt out, Acronis may send you non-promotional communications, such as receipts for purchases or administrative information about your account. To stop receiving promotional text messages (SMS or MMS), please send a text message back to Acronis indicating that you wish to stop receiving promotional text messages from us. Opt-out for cookie-related personal information: If you want to limit our Processing of your cookie-related personal information for Targeted Advertising or opt-out of the Sale/Sharing of that personal information, you need to exercise a separate opt-out request on by using our Privacy Preference Center. This is because we use different technologies to apply preferences for opting out of cookie personal information vs. non-cookie personal information. Our Privacy Preference Center enables you to exercise an opt-out request and enable certain cookie preferences on your browser / device. You must exercise your preferences on the Acronis Services that you use and from each browser you use and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences are no longer effective and you must enable them again by clicking on the "Your Privacy Choices" link in the footer of www.acronis.com (if loaded from California) or using https://www.acronis.com/en-us/legal/#cookies Please also refer to our Cookie Policy for other ways to exercise preferences regarding cookies. If you use ad blocking software, our cookie banner may not appear when you visit the Acronis Services and you may need to use the link above to access the Privacy Preference Center.

Acronis honors the Global Privacy Control (GPC) and similar technology (sometimes called Universal Opt-Out Mechanisms), as specified by the U.S. Privacy Laws.

Acronis relies on third-party providers for obtaining geo-IP location information, including when enabling or disabling cookies and honoring GPC signals.

If at any time you believe that Acronis has not adhered to its specific privacy obligations, please contact us at data-protection-office@acronis.com. We will use good faith efforts to determine and correct the problem. We do not knowingly Sell or Share the personal information of Consumers under age 16, unless we receive affirmative (opt-in) authorization from either the Consumer who is between age 13 and 16 or the parent or guardian of a Consumer who is less than age 13. If you think Acronis may have unknowingly collected personal information of a Consumer under age 16, please contact us using the information in How to Contact Acronis. Acronis may disclose your personal information for the following purposes (which are not a Sale or Share): (i) if you direct Acronis to disclose personal information; (ii) to comply with any Consumer rights request you submit to Acronis; (iii) disclosures among the entities that constitute Acronis or as part of a corporate transaction; and (iv) as otherwise required or permitted by applicable law.

(e) Right to Limit Sensitive Personal Information Processing (if/when applicable)

Acronis does not require that you provide sensitive personal information (as defined in U.S. Privacy Laws) to use the Acronis Services. If you provide us with sensitive personal information, you have consented to Acronis’ processing of the sensitive personal information for the purpose for which you provided it. You also may have certain privacy rights related to your sensitive personal information. Please contact us at data-protection-office@acronis.com.

(f) Automated Decision Making/Profiling (if/when applicable)

If Acronis engages in processing that may constitute Automated Decision Making or Profiling under U.S. Privacy Laws, you have the right to opt-out of certain types of Automated Decision Making or Profiling processing.

2. How to Exercise Privacy Rights

To submit a request to exercise your Consumer privacy rights or to submit a request as an authorized agent, submit a form at https://support.acronis.com/submit-ticket, as described in our dedicated Knowledge Base article: https://kb.acronis.com/authorized_agent, email us at data-protection-office@acronis.com or call us at TOLL-FREE NUMBER: +18885687931 . Please check for and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax). More information on how you can exercise your consumer privacy rights under U.S. Privacy Laws, including CCPA is available here.

3. Verification of Privacy Rights Requests

We may ask you to provide verifying information, such as your name, email, telephone number and/or account information, before we act on your request. We will review the information provided and may request additional information. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected personal information. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive personal information requests unless we suspect fraud. We verify each request as follows:

• Right to Access/Know (Categories): We verify your Request to Access/Know categories of personal information to a reasonable degree of certainty. If we cannot do so, we will refer you to this Notice for a general description of our privacy practices.
• Right to Access/Know: We verify your Request to Access/Know specific pieces of personal information to a reasonably high degree of certainty. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.
• Do Not Sell/Share/Target: No specific verification required unless we suspect fraud.
• Right to Delete: We verify your Request to Delete to a reasonable degree of certainty or to a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target request.
• Correction: We verify your Request to Correct Personal Information to a reasonable degree of certainty depending on the sensitivity of the personal information and the risk of harm for unauthorized correction.

To protect Consumers, if we are unable to verify a privacy rights request, we are unable to honor the request. We will use personal information provided in a verified privacy rights request only to verify identity or authority to make the privacy rights request and to track and document responses unless Acronis also received the personal information for another purpose.

4. Agent Requests

You may use an authorized agent to make a privacy rights request for you. Before you can authorize an agent, Acronis requires that you complete and submit a form at https://support.acronis.com/submit-ticket, as described in our dedicated Knowledge Base article: https://kb.acronis.com/authorized_agent, email us at data-protection-office@acronis.com or call us at +18885687931 (toll-free). We also may require you to directly confirm that you authorized the agent to submit the request. Once confirmed, your Authorized Agent may exercise privacy rights on your behalf, subject to the requirements of applicable law.

5. Appeals

You may appeal Acronis’ decision regarding a request by email at data-protection-office@acronis.com. Please use the same email address that you used to submit the initial privacy rights request to submit your Request to Appeal and please add “Request to Appeal” in the subject line of the email. If you do not use the same email address, Acronis cannot link your Request to Appeal to your initial privacy rights request.

6. Acronis’ Responses

Some personal information that we maintain is insufficiently specific for us to be able to associate it with a verified Consumer (e.g., data tied only to a pseudonymous browser ID). We do not include that personal information in response to those requests. If we deny a request, in whole or in part, Acronis will explain the reasons in our response.

Acronis will make commercially reasonable efforts to identify personal information that we process to respond to a privacy rights request. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your personal information and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive personal information yourself. We will typically do not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

1. Non-Discrimination / Non-Retaliation

Acronis will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable personal information.

2. Notice of Financial Incentive Programs

Acronis does not currently offer discounts or other rewards to Consumers in exchange for personal information. If we do in the future offer these types of incentives, we will provide notice and obtain consent as required by applicable law.

3. Our Rights and the Rights of Others

Acronis may collect, use and disclose your personal information as required or permitted by applicable law, which may override your rights under U.S. Privacy Laws. Acronis is not required to honor requests if doing so would infringe Acronis’ or another party’s rights or conflict with applicable law.

4. California Shine the Light Law

Acronis does not share “personal information,” as defined by California’s “Shine the Light” law, with third parties for those third parties own direct marketing purposes, unless we have consent for this sharing. California residents may opt-out of this sharing by contacting us at data-protection-office@acronis.com or Burlington, MA 1, Van de Graaff Drive, Suite 301, Burlington, MA, 01803 (Attn: Privacy).

Please add the statement “Shine the Light Request” in the subject line and in the body of your correspondence. Please also attest to the fact that you are a California resident and provide a current California address for your response. This right is available in addition to CCPA rights and requires a separate request. The Do Not Sell/Share/Target opt-out is broader and will limit our sharing with third parties for their own direct marketing purposes without the need for making a separate Shine the Light request.

Acronis will not accept Shine the Light Requests by telephone or by fax and is not responsible for Shine the Light Requests not properly labeled or sent or that are incomplete.