Privacy Policy

Last updated: January 8, 2024

Synack, Inc. (“Synack”, “we”, “our”, “us”), a Delaware corporation with offices at 303 Twin Dolphin Drive, 6th Floor, Redwood City, California 94065, United States of America, is committed to protecting and respecting your privacy. This Synack Privacy Policy (our “Privacy Policy”) explains how we collect, use, process and disclose personal information in connection with your use of Synack’s website at synack.com (https://www.synack.com) and/or one of our applications, platforms, and other online services (collectively, our “Sites”). Please take a moment to read our Privacy Policy carefully. If you have any questions about our Privacy Policy, please contact us at [email protected].

Please note our Sites can contain links to third-party websites, applications, and services. Information collected by third parties is governed by their privacy practices. We do not take any responsibility for those third-party websites, applications, and services, nor how information shared through them is used, and we expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third parties. We encourage you to learn about the privacy practices of those third parties.

ACKNOWLEDGMENT OF PRIVACY POLICY

By using our Sites you are acknowledging the terms of our Privacy Policy and accepting our Terms of Use, and acknowledge our collection, use, disclosure, and retention of your personal information as described in our Privacy Policy. If you do not agree with our Privacy Policy or our Terms of Use, you should not access our Sites.

INFORMATION WE COLLECT

When you access or use our Sites we collect certain categories of information about you from a variety of sources. Some features of our Sites may require you to directly enter certain information about yourself. You provide us with information in the following circumstances:

  • When you contact us. You provide personal information when contacting us through our Sites. For example, we will collect your first and last name, user name, company name, job title, email address, postal address, and phone number when you ask to download content (such as white papers), register for a webcast or other event, or subscribe to email lists.
  • When you create a customer account on our platform. When you create a customer account on our platform you will be required to provide us with your first and last name and email address. Customer account holders can provide us with additional information while using our platform’s messaging system.
  • Social media platforms. Our Sites also include social media features that may collect your IP address, which webpage you are visiting on our Sites, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy policy of the company providing it.
  • When you participate in a focus group, activity, or other events sponsored by us or other third parties we will collect from you your first and last name, company name, job title, email address and phone number.

We also automatically collect certain information when you visit our Sites from your computer, mobile phone or other access device. This information includes your location, computer operating system, Internet Protocol (IP) address, access times, browsing history and web log information, browser type and language, and “click stream” data, such as domain names and page views.

Finally, we obtain information about you from third parties. Such information may include:

  • Information we collect by going directly to third parties, such as advertising publishers, and marketing or analytics companies. We use this information to better understand our audience base, and customize our advertising and marketing.
  • Your first and last name, company name, job title, email address and phone number from event sponsors, including from industry tradeshows and conferences.

HOW WE USE COOKIES

We use cookies to collect information about your browsing activities on our Sites over time. Cookies allow us to recognize and count the number of users and to see how users move around our Sites. This helps us to improve the services we provide to you and the way our Sites work. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy.

Your browser settings may allow you to transmit a “do not track” signal, “opt-out preference” signal, or other mechanism for exercising your choice regarding the collection of your personal information when you visit various websites. We respond to such signals and requests in accordance with our legal obligations and the practices described in this Privacy Policy. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

HOW WE USE INFORMATION WE COLLECT

In order to fulfil our contract with you, we process your personal information to administer your account and provide the services described in our Terms of Use.

Additionally, in order to be responsive to you, to provide effective services to you, and to maintain our business relationship, as a matter of our legitimate interests we will use the information we collect from you to:

  • personalize our Sites to ensure our content from our Sites is presented in the most effective manner for you and your device;
  • monitor and analyze trends, usage and activity in connection with our Sites and services to improve our Sites;
  • measure and understand the effectiveness of the content we serve to you and others;
  • communicate with you;
  • keep our Sites safe and secure, which includes enforcing our Terms of Use;
  • communicate with you about products, services, promotions, events and other news and information we think will be of interest to you; or
  • provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information).

We obtain your consent to process your personal information for the following reasons:

  • Sign you up for our newsletter or alerts;
  • Personalize our services for you; and
  • If you opted into marketing, to communicate with you about products, services, marketing, promotions, events and other news and information we think will be of interest to you.

In addition, we will use some or all of the above personal information to comply with any applicable legal obligations and to protect or defend our rights, the rights of our users, or others.

HOW WE DISCLOSE YOUR INFORMATION

We do not disclose your personal information with third parties other than as described above and as follows:

  • We disclose your personal information with service providers who help with parts of our business operation, such as cloud storage providers, IT service providers, and analytics and search engine providers that assist us in the improvement and optimization of our Sites.
  • We may disclose your personal information with advertising publishers, marketing and analytics companies.
  • We may disclose your personal information with third parties in order to (a) comply with laws and respond to lawful requests and legal process, (b) enforce our Terms of Use, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Synack, its users or the public as required or permitted by law.
  • We may disclose or transfer your personal information to a third party if we sell, transfer, divest, or disclose all or a portion of our business or assets to another company in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction, or proceeding.
  • We will otherwise disclose your information as directed by you or subject to your consent.
  • With respect to those users who have a username (and personal photo or avatar, if any, provided by you and associated with your user name), such information will be displayed on our Sites.

Information you provide through your participation in research projects, community discussions, chats, and any correspondence through our Sites, will be disclosed to other users, our customers or otherwise displayed on our Sites.

CALIFORNIA RESIDENTS

This section applies only to California residents.

Processing of Personal Information

In the preceding 12 months, we collected and disclosed for a business purpose the following categories of personal information about residents:

Categories of Personal Information | Categories of Recipients
Identifiers, such as your first and last name, user name, Internet Protocol (IP) address and email address | Cloud storage providers, IT service providers, analytics and search engine providers
Personal information categories listed in the California Customer Records statute, such as your postal address and phone number | Cloud storage providers, IT service providers, analytics and search engine providers
Internet or other similar network activity, such as your computer operating system, access times, browsing history and web log information, browser type and language, and “click stream” data, such as domain names and page views | Cloud storage providers, IT service providers, analytics and search engine providers
Geolocation data, such as information about your location | Cloud storage providers, IT service providers, analytics and search engine providers
Professional or employment-related information, such as your company name and job title | Cloud storage providers, IT service providers, analytics and search engine providers
Other information, such as any information customer account holders provide us with in the course of their use of our platform’s messaging system | Cloud storage providers, IT service providers, analytics and search engine providers

We do not collect, use, or disclose personal information for purposes other than those specified in this Privacy Policy. The purposes for which we collect your personal information are described in the section above, How We Use Your Information, and the categories of sources from which we collect your personal information are described in the section above, Information We Collect. We disclosed personal information over the preceding 12 months for the business purposes described in the section above, How We Disclose Your Information. Finally, the criteria we use to determine how long to retain personal information are described in the section below, Security and Retention of Your Information.

Selling or Sharing Personal Information / Opting-Out of Targeted Advertising

Synack does not “sell” (as “sell” is traditionally defined) personal information about our consumers. We do not make available or provide consumers’ names, phone numbers, addresses, email addresses, or other personal information to third parties in exchange for money. Like many companies, however, we have shared (as that term is defined in the CCPA) personal information in the preceding 12 months with third parties to provide you with personalized advertising about our Services when you visit other websites, to better understand our audience base, and to customize our advertising and marketing campaigns. This is considered (1) a “sale” or (2) a “share” of personal information to target advertisements to a consumer under the CCPA, which is subject to a right of opt-out in some jurisdictions.

If you wish to opt-out of such sharing and targeted advertising, you can do so by opting-out of being tracked by these technologies through our Cookie Settings Tool. Please note, some transfers of personal information may not be subject to this opt-out, and your selection does not affect other sharing of personal information about you as outlined in our Privacy Policy. For questions, please email [email protected].

WHERE WE STORE YOUR PERSONAL INFORMATION

Our Sites and the servers upon which our Sites are hosted are located in the United States. The personal information that we collect from you will be transferred to the United States. The personal information held by us will be stored in the United States. We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with our Privacy Policy.

In case of transfers of personal information out of Europe, see the “EU–U.S. Data Transfers” section of our Privacy Policy.

SECURITY AND RETENTION OF YOUR INFORMATION

We follow generally accepted industry standards to protect personal information submitted to us from unauthorized access, both during transmission and once we receive it. However, no data transmission over the Internet or other network can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through Sites, we cannot and do not guarantee the security of any information you transmit on or through our Sites, and you do so at your own risk.

We retain the Personal Information we process for as long as needed to provide services to our users or as necessary to fulfil the purpose(s) for which it was collected. We will retain and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

AGE LIMITATIONS

We do not knowingly collect personal information from children under 16. If we learn that we have collected the personal information of a child under 16, we will take steps to delete the information as soon as possible.

YOUR DATA PRIVACY RIGHTS

You may have rights under relevant data privacy laws, including the CCPA, the General Data Protection Regulation (EU) 2016/679 (the GDPR), the UK GDPR and other applicable laws and regulations.

Depending on where you are based, those rights can include the right to:

  • Access/Know: request access or copies of your personal information Synack processes and details of how we use it, and who we share it with;
  • Correction: rectify incorrect personal information;
  • Erasure: in certain circumstances you have the right to request that we delete your personal information;
  • Restriction: restrict the processing of your personal information other than for storage purposes, in certain circumstances;
  • Portability: request a commonly structured, machine-readable copy of your personal information and that such information is transferred to another data controller in certain circumstances and with certain exceptions;
  • Right to Opt out of Sale or Sharing: direct us not to “sell” or “share” your personal information (as those terms are defined under the CCPA). To exercise this right, please click here;
  • Objection: object to our processing of your personal information;
  • Complain: lodge complaints with the competent data protection supervisory authority in the EEA country in which you live or work or where you think we have infringed data protection laws or with the UK Information Commissioner’s Office, as applicable to you, though we would encourage you to contact us in the first instance to relay any concerns; and/or
  • Non-discrimination: not to be discriminated against for exercising any of these rights.

Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, these rights may be limited where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain your personal information.

To exercise these rights, or to ask questions or relay concerns, please contact us via email at [email protected], phone at +1 (855) 796-2251 or by mail at: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, 6th Floor, Redwood City, California 94063, United States of America.

To respond to some rights, we may need to verify your request either by asking you to log in and authenticate your account or otherwise verify your identity by providing information about yourself or your account. Authorized agents can make a request on your behalf if you have given them legal power of attorney or we are provided proof of signed permission, verification of your identity, and, in some cases, confirmation that you provided the agent permission to submit the request.

WITHDRAWAL OF CONSENT

Where you have provided your consent to us processing your personal information, you can withdraw your consent at any time by contacting us at [email protected].

OBJECTION TO MARKETING

You have the right to opt-out of receiving promotional emails from Synack by following the instructions in those emails. If you opt-out, we could still send you non-promotional emails, such as emails about your Synack account or our ongoing business relations. You can also send requests about your contact preferences or changes to your information, including requests to opt-out of disclosing your personal information with third parties, to our contact information below.

If you have an account, you can choose to either temporarily set your account offline or permanently delete it. In the event you choose to set your account offline, you will not be able to use our Sites until you decide to reactivate your account and your information will remain with Synack. In the event you delete your account, we will delete all personal information.

EU – U.S. DATA TRANSFERS

European Union Model Contract Clauses

Synack offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Economic Area, UK or Switzerland. A copy of our standard data processing addendum incorporating the Standard Contractual Clauses is available here. To the extent that Synack receives from a Customer any personal information of individuals located in the European Economic Area, UK or Switzerland, the parties will be deemed to have entered into the applicable Standard Contractual Clauses in respect of such transfer, whereby Synack is the “data importer” and the Customer is the “data exporter,” unless otherwise agreed.

EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

Synack complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Synack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Synack has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Synack is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.

Synack is responsible for the processing of personal information it receives and subsequently transfers to a third party acting as an agent on its behalf.

Synack commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commission (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

In certain situations, Synack could be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

PRIVACY DISPUTE RESOLUTION

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Synack commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact Synack via email at [email protected], by phone at +1 (855) 796-2251 or by mail at: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, Floor 6, Redwood City, California 94065, United States of America.

Synack has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

CHANGES TO THIS PRIVACY POLICY

We update our Privacy Policy from time to time when our privacy practices change. When we update our Privacy Policy, we will revise the “Last updated” date above and post the new Privacy Policy to our Sites.

CONTACTING SYNACK

For questions about accessing, changing, or deleting your personal information, please visit http://www.synack.com/ or contact us at +1 (855) 796-2251 or via email at [email protected].