Elastic Product Privacy Statement

Effective Date: January 1, 2020

This Product Privacy Statement (the "Product Privacy Statement" or "Statement") explains how Elasticsearch, Inc. and its subsidiaries and affiliates ("Elastic," "we", "us" and "our") collect, use and share information, including information relating to an identified or identifiable natural person ("Personal Data") from our customers or users ("you" and "your") when you use or demo our Elastic products such as Elastic Self-Managed Software or, Elastic Cloud Services but also including any other services maintained by Elastic for use by our users, such as support services (together "the Products").

Scope & Responsibilities
Information We Collect from the Products
How We Use Information We Collect from the Products
How We Share Information We Collect from the Products
How We Use Cookies and Automatic Data Collection Tools
Legal Basis for Processing Information We Collect from the Products
User Privacy Rights and Choices
Security
International Data Transfers
California Privacy Rights
Other Information
How to Contact Us

Scope & Responsibilities

This Statement applies only to the information we collect automatically in connection with your use of the Products and for which we determine the means and purpose of processing (i.e., as a "data controller"). This information includes Product Usage Data (defined below) and Operations Data (defined below), which are generally technical and aggregated but may include limited Personal Data such as IP/MAC address of the user's device and identifiers.

Our legal basis for processing such information in the European Economic Area (EEA) is our legitimate interest in performing, improving, maintaining, and securing our Products, providing support for users of our Products, and operating our business efficiently and appropriately. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

This Product Privacy Statement does not cover:

  • Personal Data processed according to our General Privacy Statement, such as Personal Data collected through: our websites, such as www.elastic.co, website (together the "Sites"); product feedback or surveys; the sales and provisioning process; and in connection with Elastic events, sales and marketing activities. Please see our General Privacy Statement for details on how this information is processed.

  • Personal Data processed according to our Applicant Privacy Statement when an individual applies for a role with Elastic through our Site or otherwise.

  • Customer Content. Certain Elastic Products permit customers to ingest, or upload and submit, content to the Products ("Customer Content"). This Statement does not cover Customer Content, including any Personal Data contained in Customer Content, because the Customer, rather than Elastic, controls how Customer Content is processed. Any questions about the processing of Customer Content should be addressed to the Customer directly.

  • Organizational Users. When you use the Products on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization per its own policies regarding the use and protection of Personal Data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.

Please contact privacy@elastic.co with any questions about this Statement.

Information We Collect from the Products

Elastic automatically collects "Operations Data" and "Product Usage Data" from your use of the Products. Operations Data is information we use to facilitate the delivery of the Products, manage and monitor infrastructure, and provide support. Product Usage Data is information we use for product analytics and improvement. This information is generally technical and aggregated but may include limited Personal Data such as IP/MAC addresses and identifiers (including cookies). Depending on the Product, the information may include:

  • Products and System Data: this is information about the Products you are using and about the systems and related environment from which you access the Service. Examples include Product type and version, license information, installed plug-ins, UUID, and third-party systems used in connection with the Product.
  • Cluster Data: this is information about your Elasticsearch Cluster. Examples include statistics related to uptime, node count, node types, indexes, shards, and segments.
  • Performance Data: this is information about the performance of the Products. Examples include metrics on the performance and scale of the Products and response times.
  • Feature Usage Data: this is information about how the Products are used. Examples include details about which features are used and user interface metrics.
  • Endpoint Security Data: for endpoint security Products, this is information on and from the endpoints on which endpoint security software is installed. Examples include information on sensor performance and configuration and detection events.

How We Use Information We Collect from the Products

Elastic uses the information automatically collected from the Products to support our customers and improve the Products generally; more detailed information is provided below. Elastic strives to collect only the minimum amount of information needed to achieve these purposes. As between Operations Data and Product Usage Data, the same data may be used for both purposes.

How we use Product Usage Data

Elastic uses Product Usage Data to improve our Products, support our Customers, support business to business marketing and sales, comply with legal requirements, and for other legitimate business purposes. More information on each category follows:

  • Product Improvement: Elastic may use Product Usage Data to analyze the use of the Products; prioritize testing and development of new features and functionality; improve our support responses; improve forecasting; make pricing and packaging decisions; identify, understand, and anticipate performance issues and the factors that affect them;
  • Customer Support: Elastic may use Product Usage Data to provide proactive or reactive support to our customers, such as guidance to help optimize usage; identifying product improvement opportunities; prioritize future product features; personalize your experience and suggest other Elastic Products, and increase engagement and adoption of our features (e.g., by providing in product suggestions).
  • Business to Business Marketing and Sales: Where permitted by law, Elastic may use Product Usage Data to market additional Products to our customers and to inform sales discussions.
  • Legal Requirements. Elastic may be required to access Personal Data contained in Product Usage Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of Elastic or users of the Products, protect the safety of others, to investigate fraud, or respond to government requests, including public and government authorities outside a user's country of residence, for national security or law enforcement purposes.
  • Other Legitimate Business Purposes: Elastic may use Product Usage Data when it is necessary for other legitimate purposes.

How we use Operations Data

Elastic uses Operations Data for purposes including to facilitate Product delivery, administer accounts, provide support, maintain security, detect fraud, comply with legal requirements, and for other legitimate business purposes. More information on each category follows:

  • Facilitate the delivery of the Products. Elastic may use Operations Data to facilitate the delivery of the Products.
  • Conduct account administration and similar Products related activities: Elastic may use Operations Data to provide the Products and for account management. Examples include managing product downloads, updates, and fixes, and sending other administrative or account-related communications, including release notes and billing information.
  • Provide support: Elastic processes Operations Data when users or other individuals contact Elastic via one of our support channels so that we can contact them about the relevant support request. In some cases, users may need to send us copies of any affected files, logs, or other information to enable us to assist with the support request. In such cases, we will use such information to respond to, troubleshoot, and otherwise resolve the support request.
  • Maintain the security of our infrastructure and Products: Elastic may use Operations Data to maintain the security and operational integrity of the Elastic IT infrastructure and our Products, including for security monitoring and incident management, managing the performance and stability of the Products, and addressing technical issues.
  • Administer our disaster recovery plans and policies: Elastic may use Operations Data to operate our back-up disaster recovery plans and policies.
  • Detect fraud: Elastic may use Operations Data to help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware or security risks.
  • Confirm customer compliance with contractual obligations: Elastic may use Operations Data to confirm compliance with contractual and other terms of use obligations in connection with the relevant Products.
  • Comply with legal obligations: Elastic may use any of the Operations Data to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution.
  • Other legitimate business purposes: Elastic may use Operations Data when it is necessary for other legitimate purposes.

How We Share Information We Collect from the Products

We take care to ensure that the Product Usage and Operations Data, including any Personal Data contained therein, is accessed internally only by individuals that require access to perform their tasks and duties, and externally only by service providers with a legitimate purpose for accessing it. Such service providers are required by contract to safeguard any Personal Data from us and are prohibited from reusing the Personal Data for any purpose other than to perform the services as instructed by Elastic. We will not sell your Personal Data or allow a third party to use your Personal Data for its own commercial purpose. See the Section titled How We Share the Information in our General Privacy Statement for more information.

How We Use Cookies and Automatic Data Collection Tools

Depending on the Product you use, we may use cookies or other tracking technologies in furtherance of the purposes described in this Statement. The types of technology we use may change over time. Some of these technologies are essential for the provision of the Products, such as account access and authentication; others assist with the performance and functionality of the services, such as recognizing returning users or remembering preferences; and others enable us to analyze and customize the Products. For example, we use a tool called Fullstory to provide a better user experience and diagnose user issues. It records and captures user sessions so that we can monitor user actions like mouse clicks, movements, etc. If you would like to opt-out, Fullstory provides the link below: https://www.fullstory.com/optout/

Legal Basis for Processing Information We Collect from the Products

Our legal basis for processing Personal Data contained in information we collect from the Products in the European Economic Area (EEA) is our legitimate interest in performing, improving, maintaining, and securing our Products and operating our business efficiently and appropriately. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

If you have questions about or need further information concerning the legal basis on which we collect and use Personal Data, please contact us at privacy@elastic.co.

User Privacy Rights and Choices

We only collect a limited amount of Personal Data to fulfill the purposes outlined in this Statement. To the extent provided under applicable laws, users may request to access, correct, update or delete such Personal Data, or otherwise exercise their choices with regards to such Personal Data by contacting us at privacy@elastic.co.

Residents of the European Economic Union (EEA) have the right to complain to a data protection authority about our collection and use of their Personal Data. For more information, please contact your local data protection authority.

Security

Elastic is committed to protecting the security of Personal Data. We use appropriate technical and organizational measures to protect Personal Data from unauthorized access, use, or disclosure. Despite these measures, Elastic cannot eliminate security risks associated with Personal Data and mistakes, and security breaches may happen. If there are any questions about security, please contact us at privacy@elastic.co.

International Data Transfers

Personal Data of an individual may be transferred to, and processed in, countries other than the country in which the individual resides. These countries may have data protection laws that are different from the laws of the individual's country of residence.

Specifically, if an individual resides in the EEA, such individual should note that their Personal Data may be accessed by employees or suppliers, transferred, or stored outside the EEA, to countries, including the US, which have different data protection laws than in the EEA.

For the transfer of Personal Data to Elastic entities outside of the European Union, we have agreed on respective EU Model Clauses between the Elastic entities. We have taken appropriate safeguards to ensure that such Personal Data will remain protected under this Products Privacy Statement, and we put in place adequacy mechanisms to protect your Personal Data in our agreements with our service providers.

California Privacy Rights

See our California Privacy Rights Statement for information about California Privacy Rights, and other required disclosures, if any.

Other Information

Data Retention. We retain information collected in connection with the Products for so long as necessary to fulfill the purposes outlined in this Statement or where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).

Changes to this Product Privacy Statement. This Product Privacy Statement is subject to occasional revision. If we make any substantial changes in the way we use Personal Data, we will take appropriate measures to inform our customers, consistent with the significance of the changes we make. We will provide notice of any material Product Privacy Statement changes if and where required by applicable data protection laws.

The date of the most recent update to this Product Privacy Statement can be found by checking the "effective" date displayed at the top of this Product Privacy Statement.

How to Contact Us

If you have any questions or concerns regarding this Statement, you may call us at +1.650.458.2620, or write to us by email at privacy@elastic.co or by postal mail to:

Elasticsearch, Inc.
Attn: Privacy Team
800 W. El Camino Real, Suite 350
Mountain View, CA 94040 USA

Or

Elasticsearch B.V.
Attn: Privacy Team
Keizersgracht 281
1016 ED Amsterdam
The Netherlands

Data Protection Officer. Elastic has appointed an external Data Protection Officer for German data subjects. For questions about how information is gathered, stored, shared, used, or to exercise any data subject rights, please contact our Data Protection Officers as follows: dpo@elastic.co.

If we are unable to resolve your concerns, you have the right to contact your local data privacy supervisory authority or seek a remedy through the courts if you believe your requests to exercise your rights have not been honored.