Privacy Policy for LastPass Password Manager
LastPass Password Manager by LastPass
LastPass Browser Extension Privacy Notice:
Last Updated on March 1, 2024
1. Who We Are and Scope Of This Privacy Notice
LastPass is an award-winning password manager and provider of password and identity management solutions, including the LastPass Password Manager Browser Extension (“Services”) that are convenient, easy to manage and effortless to use for individuals and businesses. This Browser Add-On Privacy Notice (hereinafter “Privacy Notice”) supplements our Global Privacy Policy and is designed to provide customers and end users with important information about the types of personal data LastPass US LP and its affiliates (“LastPass,” “we,” “us,” “our”) collect from or about you and our practices for collecting, using, sharing, or processing of that data. LastPass US LP is based in the United States of America, with affiliates around the world. A complete list of LastPass entities can be found here (within the LastPass Affiliate Disclosure).
This Privacy Notice addresses data collected by LastPass where we act as the controller or business, which includes data collected when you download, access, or otherwise use our Services. For the full privacy policy with formatting intact and more information relating to our privacy practices, please visit our Global Privacy Policy: https://www.lastpass.com/legal-center/privacy-policy.
2. What Personal Data Do We Collect
At LastPass, we strive to limit the types and categories of personal data that is collected from and processed on behalf of our users to include only data which is necessary to achieve the purpose(s) for which it was collected. We do not use personal data for additional purpose(s) which are incompatible with their initial collection. In other words, we have measures and policies in place designed to ensure that we only collect and process data from our users that we believe is necessary to provide them with a world-class Service.
Data We Collect Directly From You
When you use our Services, you may provide us with the following categories of personal data:
· Customer Account Data. Your email is needed to validate, create, and use LastPass Services. However, you may also choose to provide identifiers such as first and last name or phone number to help maintain and support your account. Members of a LastPass Families Plan may also provide emails and names of other authorized users.
o A Note Regarding Your Mobile Phone Number. You may provide us with your mobile phone number if you set up two-factor authentication and/or opt-in to our SMS account recovery feature. By opting in to SMS account recovery, you consent to receiving autodialed text messages, including SMS messages, that may be sent by or on behalf of LastPass at the mobile phone number you provide us. Message and data rates may apply.
o A Note Regarding Your Master Password. Except for those LastPass Business accounts which utilize alternative authentication methods (e.g., Single Sign On or “SSO”) to access LastPass, users must create a “Master Password,” which is used to access their LastPass account and generate the encryption keys that secure the data they store within the LastPass Service (“Customer Content” as further defined below). LastPass is designed to keep your most sensitive data safe using a local-only, zero knowledge security model. This means that no one at LastPass has access to your master password or the data stored in your vault, except you. Vault data is encrypted locally at the device level before syncing to LastPass servers for safe storage – users can only decrypt their vault using their own unique decryption key derived from their master password.
· Customer Content. Usernames, passwords, secure notes, files, documents, or similar data that we maintain on your behalf, as well as any other information you may choose to upload or input (e.g., manually such as images, audio, or other information or via optional functionality such as password save and fill) to your LastPass account in connection with your use of the Services, all of which is referred to as “Customer Content” in our terms of service. This data is encrypted within your vault using our zero knowledge security model.
· Feedback. Where you elect to provide us with feedback, which may include, but is not limited to, reviews or suggestions posted online (e.g., in social channels or review sites,) on app stores, made in connection with surveys, market research, etc., we may use any applicable personal data provided with the feedback to respond to you. We may also use feedback as described in the Terms of Service.
Data Automatically Collected When Using Our Services
Where applicable, if we are permitted, we collect the following categories of personal data:
· Device and Usage Data (including Session, Location, and Usage data). When you use our Services, we receive data that you or others voluntarily enter, as well as data that is automatically logged by the Service (for example, hardware, equipment and devices used, IP addresses, location, language settings, operating system used, unique device identifiers, and other diagnostic, troubleshooting, crash, and bug reporting data). We utilize this data to provide, operate, support the use of, and improve our Services. We collect location-based data for the purpose of providing, operating, and supporting the Service and for fraud prevention, export compliance and security monitoring. (You can disable location data transmission on mobile devices at any time by disabling location services from the settings menu on your device.)
· Cookies and Similar Technologies. When providing our Services, we may use first-party cookies to facilitate your access to certain features, learn more about and improve the functionality of our Services, store login details for our Services to help make your logins easier, perform system diagnostics and administration, and to implement security features.
3. How We Use Your Data
LastPass processes personal data for the following purposes and relying on the associated legal basis:
· Provide, operate, and support our Services;
· Account management;
· Address and respond to service, security, and customer support, and technical issues;
· Improve our Services and enhance security of our users;
· Maintain security, regulatory compliance, and to prevent fraud;
· Planning and product development; and
· To comply with applicable laws and administrative requests.
LastPass may aggregate or de-identify your personal data in order to minimize the amount of personal data processed and for purposes listed. LastPass maintains such data without attempting to re-identify it.
4. Who We Share Your Personal Data With
We may share your personal data for the following reasons:
· With our affiliated companies and subsidiaries within the LastPass company group in order to operate our business and provide our services;
· With third-party service providers (such as IT and security service vendors, hosting facilities, and email distribution services), contractors, and other third-parties we use to support our business. Such third-parties operate under appropriate confidentiality and data privacy obligations (only for the purposes identified in Section 3, “How We Use Your Data”);
· At your direction, with separate, specific notice to you, or with your consent;
· In connection with a merger, divestiture, acquisition, reorganization, restructuring, financing transaction, or sale of all or substantially all of the assets pertaining to a product or business line;
· To courts or authorities or other third-parties if we believe disclosure is lawful, necessary or appropriate to detect, investigate, prevent, or take action against illegal activities, fraud, or situations regarding the safety or rights of LastPass, our employees, you, or others;
· To courts or authorities or other third-parties in order to enforce our Terms of Service or other agreements we have with you; and
· As required by law or administrative order, which includes responding to relevant government or regulatory requests (Please refer to our Government Request Policy for more information).
To learn more about how LastPass protects personal data, to review and execute appropriate data processing addendums (where relevant), or review locations where LastPass may process your Customer Content (including any personal data therein), please visit the LastPass Trust & Privacy Center.
LastPass may share or disclose aggregate or anonymized data that does not identify an individual or a household.
5. How Long Do We Process Your Personal Data
We keep your personal data no longer than is needed for the business purposes for which it was collected (as outlined in Section 3) or as necessary to comply with our own legal and regulatory obligations. Unless requested sooner or a shorter retention period is defined, the applicable Technical and Organizational Measures (“TOMs”) documentation designates when your personal data, including your account, LastPass vault (and the Customer Content therein), will be deleted in accordance with our record retention processes. We determine the appropriate retention period based on the length of time we have an ongoing relationship with you and reasonable time after which we may have a legitimate need to reference your personal data to address issues which may arise, whether there is a legal obligation to retain such records, and whether retention is allowed by applicable law.
6. Cross Border Data Transfers
As a global organization, LastPass has international affiliates and subsidiaries, utilizes third-party service providers, and maintains a global infrastructure. Data that we collect and maintain will be transferred to and processed in the United States and other countries around the world.
7. Security
LastPass has implemented a comprehensive information security program which includes appropriate technical and organizational measures designed to safeguard and protect your data. LastPass has been assessed by, and received validation from, independent third-party auditors against recognized security standards and controls, including SOC2 Type II, SOC3 Type II, ISO 27001, and BSI C5.
Additionally, LastPass uses a combination of geographically distributed hosting providers and facilities to help deliver sufficient service availability, uptime, and redundancy needed to provide our global user base with the best possible user experience.
To learn more about LastPass’ security measures and certifications, please visit the LastPass Trust & Privacy Center.
8. Children’s Privacy
LastPass’ Services are not intended for children. If you inform us or we otherwise become aware that we have unintentionally received personal data from a minor without a parent’s or guardian’s consent, we will delete this data from our records.
9. Your Rights
Certain jurisdictions impose legal requirements and afford privacy rights with respect to the processing of personal data. Depending on the applicable laws of your jurisdiction and the additional information included in the below regional supplements to the Global Privacy Policy, your rights may include the right to:
· Access to your personal data and right to know more about how we process your personal data;
· Export or transfer your personal data (for information about how to export your account and vault, please visit here);
· Rectify or correct personal data about you that is inaccurate, incomplete or out-of-date (please visit here to review resources on correction, including revision of save-and-fill credentials directly within your LastPass vault);
· Erase or delete your personal data (in order to protect the sensitive contents of your LastPass vault from inadvertent deletion, we request you initiate the deletion of your account by following the instructions here);
· Restrict or limit the processing of personal data;
· Object to the processing of your personal data;
· Opt-out of the sale or sharing of your personal data for advertising purposes;
· Not be subject to automated decision-making, including profiling, resulting in legal or similarly significant effects (please note that automated decision-making does not occur in our Services); and
· Appeal a refusal to act on any of the above-mentioned rights (please see applicable instructions included in the refusal or submit the appeal to privacy@lastpass.com with the subject “Appeal of Consumer Rights Request”).
LastPass will not discriminate against you, deny or provide you with a different quality of service, or charge you differently for exercising any of your privacy rights, as required by applicable law.
Exercising Your Rights
To exercise any of the above-mentioned rights, please submit your request to the LastPass Individual Rights Management Portal, e-mail us at privacy@lastpass.com, or contact us at https://support.lastpass.com, which allows you to make a request online or request a phone call. For security purposes, we will need to verify your identity by matching the identifying information you provide with the personal data we already maintain. At a minimum, we will ask for your name and email address. LastPass will never ask you for your Master Password. We may contact you for additional information that would allow us to reasonably verify your identity or in order to sufficiently respond to your request. The information that we ask you to provide for verification purposes will depend on your prior interactions with us (e.g. if you are a current LastPass user, we may verify your identity through our existing authentication practices) and the sensitivity of the personal data at issue.
Please note that where LastPass processes personal data on behalf of our customer, your use is subject to our customer’s policies and privacy and security practices. If our customer provides you with access to our Services, please submit your requests directly with our customer. If you submit your request to us, we will refer the request to our customer and will honor and support any instructions they provide us with respect to your personal data.
10. Changes
We may update this Privacy Notice from time to time to reflect changes to our personal data handling practices or respond to new legal requirements. If we make any material changes to this Privacy Notice that have a substantive and adverse impact on your privacy, we will provide notice on this website and additionally notify you by email (sent to the e-mail address specified in your account). We encourage you to periodically review this page for the latest information on our privacy practices.
11. Contacting LastPass
If you have any other questions about this Privacy Notice you may contact the LastPass Privacy Team or Data Protection Officer by emailing us at privacy@lastpass.com or write to us via postal mail at: Attn: Data Protection Officer, c/o LastPass Legal, LastPass, 125 High Street, Suite 220, Boston, MA 02210. To reach our Global Customer Support department, you may contact us here.
If you have any difficulties reviewing the contents of this Privacy Notice, you may also contact privacy@lastpass.com if you wish to obtain a copy of this Privacy Notice in an alternative format.