Looking for our GDPR DPA? Find it here.
(1) Introduction
(2) Information we collect
(3) Our use of cookies and urchin tracking modules (UTMs)
(4) How we use your information
(5) Why we process your personal information/data
(6) Disclosing your personal information
(7) Your data protection rights under GDPR, Canada’s PIPEDA, and California's consumer privacy act
(8) Accessing and updating your personal information
(9) Storing, securing, and transfer of your personal data and information
(10) Data breaches
(11) Third-party links
(12) Children’s privacy
(13) About us
(14) Contact us
(15) Data Privacy Framework
(16) Changelog
(1) Introduction
Platform.sh is operated by Platform.sh SAS, a French company located at 22 rue de Palestro, Paris, 75002 France, which may include its affiliates, subsidiaries, directors, officers, employees, agents, partners, contractors, and/or licensors (together, referred to throughout this Privacy Policy as “Platform.sh”, “us”, or “we”).
Platform.sh offers different services, products, software, and offerings (the "Services"), including but not limited to, all information, tools and services (including any beta services) available from us to you (the 'User'), that are run under the brand "Platform.sh'' and on related Platform.sh websites, including but not limited to: https://platform.sh, https://docs.platform.sh, https://status.platform.sh, https://accounts.platform.sh, https://console.platform.sh/, https://blackfire.io, and Upsun.com (the 'Sites'), conditioned upon your acceptance of all terms, conditions, policies and notices stated in the Terms of Services and this Privacy Policy.
(Note: this Privacy Policy explicitly excludes customer sites. These sites are subdomains under .platform.sh and .platformsh.site).
This Privacy Policy explains how Platform.sh collects, uses, stores, and shares your personal information when you use our Services and/or visit our Sites in accordance with various privacy laws. By using the Sites and Services, Users and visitors acknowledge the processing of their personal data in accordance with this Privacy Policy which may be modified or updated from time to time. Personal data is information that alone or in combination with other information in our possession, or likely to come into our possession, can be used to identify a living individual. We strive to make this Privacy Policy as consumer-friendly as possible, but if you have a question about something, please contact us.
If you are looking for our Events Privacy Policy, please click here.
(2) Information we collect
We collect information that you give us or that we get from your use of our Sites and Services, including without limitation, the following categories:
- names;
- addresses;
- country;
- email addresses;
- telephone numbers;
- organizations;
- job title;
- financial data relating to orders;
- IP Addresses;
- log files;
- CV and and other information when applying to work with us through our Careers page; and
- We may also collect information about you, including your user interactions with our Sites and Services, from cookies and tracking devices if you have consented to their use.
Platform.sh provides tools to make your development workflow more productive, such as our command-line interface (CLI). Also, Platform.sh will occasionally provide application-specific modules or libraries, which you may opt into, for integration into your software project in order to make its configuration simpler. Such applications, libraries, or modules may report usage information to us, which we may collect. Information collected may contain the type of actions performed, log data of API activity, as well as configuration information. This information may be linked to you, and we may use this information to better provide technical support to you and to improve our Services. We do not explicitly collect any special categories of personal data or sensitive personal information through our Sites and Services. However, we may collect special categories of personal data or sensitive personal information if you have signed up to attend a conference hosted by Platform.sh and have explicitly consented to the processing of your data regarding dietary restrictions or disability accommodations.
(3) Our use of cookies and urchin tracking modules (UTMs)
Cookies are small pieces of data stored on your device (computer or mobile device). Cookies can be used to provide you with a tailored user experience and to make it easier for you to use a site upon a future visit. When used, cookies are downloaded and stored on your device. Such information, on its own, will not identify you personally. It is statistical data. You have the option to accept all cookies, accept some cookies while rejecting others, or reject them all. Rejecting functional cookies may prevent you from using certain portions or functionalities of our sites and Services. We may use such cookies to deliver and improve our Services. Some third-party services that we use to improve the Services (including usage, measuring performance, and advertising), such as Google Analytics, may also place cookies on your device. Examples of Cookies we use:
- Strictly necessary cookies. These cookies are necessary for the website to function and cannot be switched off in our systems.
- Performance & analytic cookies. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our Sites.
- Functional cookies. These cookies enable the website to provide enhanced functionality and personalization.
- Advertising cookies. These cookies deliver and measure the effectiveness of our marketing campaigns and may be set through our site by our advertising partners.
- Social media cookies. These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks.
The validity period of cookies for our sites and Services is 6 months. We will request a new prior consent after this period.
Urchin Tracking Module ("UTM") tags are distinct from cookies as defined above. UTM works as a custom Uniform Resource Locator (“URL”) parameter for marketing campaigns and reports can be viewed in platforms like Google Analytics. UTM tags are appended as part of the visible URL in marketing programs to understand the specific instance of a link. UTM tag reports are observed in Google Analytics or Marketo to better understand how our visitors are getting to our websites, and as such, who our visitors are. Such data is collected at an aggregate level, and we will not identify you personally. Customizing the URL with UTM tags allows us to better understand marketing activity, which then allows us to better serve our customers and audience.
As part of this process, non-identifying and non-profiling information (source, medium, campaign, and Click ID), will be stored in your browser in local storage. No Personally Identifiable Information (“PII”) or personal data will be stored. This information would only be used by Platform.sh if you sign up for and consent to our service. At that point in time, campaign attribution information would be made available to Platform.sh to gauge the effectiveness of the campaign. You may clear your browser cache prior to signing up for our service to opt out.
You can manage your cookies preference in our Cookies dashboard. For any questions on cookies or UTM opt-outs, or about our policy listed here, please contact us.
(4) How we use your information
We use the information we collect from you to provide, maintain, protect, and improve our Sites and Services, and to develop new ones.
In addition, we may use the information for one or more of the following purposes:
- To provide information that you request from us relating to our products or Services;
- To provide information related to products or Services provided by us;
- To inform you of any changes, offers, updates, or other announcements about our Services when you have opted-in;
- To allow you to participate in interactive features of our Services when you choose to do so;
- To provide customer support;
- To gather analysis or valuable information so that we can improve our Services;
- To monitor the usage of our Services and Sites;
- To better provide technical support to you and to improve our Services and Sites;
- To detect, prevent, and address technical issues;
- To provide you with new Services offers and relevant Services information and events unless you have opted not to receive such information. We will never send Users or visitors commercial offers unrelated to our Services; and
- To detect, prevent, and address fraud and/or abuse of our products or Services.
(5) Why we process your personal information
We may process your personal information because:
- We need to provide a requested Service and honor our contractual obligations with you;
- You have given us permission to do so;
- The processing is in our legitimate interest and it is not overridden by your rights;
- For payment processing purposes; and
- To comply with applicable law.
(6) Disclosing your personal information
We will not disclose your personal information to any other party other than in accordance with this Privacy Policy and in the circumstances detailed below:
Our affiliates and subsidiaries: To provide the Services and for any of the purposes identified above.
Third-party service providers: We use trusted third-party service providers, consultants, and other agents to help us provide, maintain, protect, and improve our Services and Sites. We may provide your personal information to such third-party service providers to perform certain tasks based on our instructions and in compliance with this Privacy Policy. Such third-party service providers may include data storage, maintenance services, database management, web analytics including user interactions, payment processing providers, and live chatbots.
When we have your consent: We may disclose personal information if we have your specific consent to do so, where you have expressly opted-in/consented to the disclosure of your personal data for a specific purpose. If you wish to withdraw this consent, please contact us. For existing customers, please file a support ticket.
Legal: We will share personal information with our regulators, law enforcement, or fraud prevention agencies, as well as legal advisers, and courts, if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
- comply with legal obligations, meet applicable laws, regulations, or legal processes, or abide by enforceable governmental requests (however, we will use reasonable efforts to provide notice to Platform.sh’s customers when we receive a request for customer personal data unless Platform.sh is explicitly prohibited from doing so by applicable laws);
- enforce applicable Terms of Service or any of our other agreements with you, including investigation of potential breaches;
- detect, prevent, or otherwise address fraud, security, or technical issues in connection with the Services;
- protect against harm to the rights, property, liability, or safety of Platform.sh, our Users, customers and our employees, or the general public, as required or permitted by law;
- prevent an emergency when a person is at risk of potential imminent death or serious physical injury, and Platform.sh may have personal data necessary to prevent such emergency;
- protect against apparent instances of child exploitation or missing children detected on Platform.sh’s services;
Succession: If we are involved in a merger, acquisition, asset sale, restructuring or reorganization with prospective buyers or sellers of such business or assets.
All information you disclose in your public profile, forum posts, blogs, comments, issue queues, or other public portions of our Services becomes public information. Please be careful about what you choose to disclose publicly.
(7) Your data protection rights under GDPR, Canada’s PIPEDA, and California's consumer privacy act
Your rights under GDPR:
If you are a resident of the European Economic Area, you have certain data protection and privacy rights. In certain circumstances, you have the following privacy rights:
- The right to access the information we have on you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right of deletion. You can request us to delete the personal information we hold about you. Please note that this is not an absolute right and we might need to retain your personal information for compliance with laws or other legitimate reasons.
- The right to object. You have the right to object to our processing of your personal information.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. In certain circumstances, You have the right to be provided with a copy of the information we have on you in a structured, machine-readable, and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time when Platform.sh relies on your consent to process your personal information, though we may have other lawful bases for processing your information for other purposes, such as those set above.
- The right not to be subject to automated decisions including profiling. You have the right not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Please note that we may ask you to verify your identity before responding to such requests.
Your rights under Canada’s PIPEDA (Privacy rights):
The Personal Information Protection and Electronic Documents Act (‘PIPEDA’) is the Canadian federal privacy law that regulates how private-sector organizations handle personal information in the course of commercial activity.
Platform.sh continuously strives to comply with PIPEDA Principles. We have procedures in place to receive and respond to any complaints and inquiries you may have. Contact us or email our Data Protection Officer at dpo@platform.sh. For existing customers, please file a support ticket. If you are a resident of Canada you have certain privacy rights:
The right to know why your personal information is being collected, how it will be used, and to whom it will be disclosed. This Privacy Policy serves this purpose. You also have the right to access, or correct, your personal information.
Your rights under California privacy laws.
The California Consumer Privacy Act (‘CCPA’) and the California Privacy Rights Act (‘CPRA’), (together ‘California Privacy Laws’), give California consumers/residents (or your authorized agent) certain privacy rights and impose corresponding, and independent, obligations on businesses processing California consumers’ personal information.
Platform.sh does NOT sell your personal information. We do NOT collect sensitive personal information as defined under California Privacy Laws. Where applicable, we have added contractual requirements instructing our service providers to not further collect, sell, share, or use the consumers’ personal information except as necessary to perform their respective business purpose. If you are a resident of California you have certain privacy rights:
- Right to know. You have the right to know about the personal information we collect about you and how it is used and shared. This Privacy Policy serves this purpose.
- Right to delete. You have the right to request us to delete your personal information and to tell our service providers to do the same. However, there are many exceptions that allow businesses to keep your personal information. Please note that this is not an absolute right and we might need to retain your personal information for compliance with laws or other legitimate reasons.
- Right to correct. You have the right to request that we correct any inaccurate personal information about you.
- Right to portability. You have the right to receive your personal information in a portable and, to the extent technically feasible, readily usable format.
- Right to opt-out of sale or sharing. Platform.sh does not sell or share your personal information within the meaning of California Privacy Laws.
- Right not to be discriminated against for exercising any of your rights. We do not use financial incentive practices that are unjust, unreasonable, coercive, or usurious, and do not retaliate against those who choose to exercise their rights.
- Right to limit use and disclosure of sensitive PI. You have the right to direct that we limit the use of sensitive PI to the use that is reasonably necessary to perform the services expected by you. We do not collect sensitive personal information as defined under the CCPA.
- Right to opt-in for children: Business Obligation Not to Sell or Share Children’s PI unless there is Affirmative Authorization. We do not sell or share personal information as defined under the CCPA nor do we (knowingly) collect children's personal information.
(8) Accessing and updating your personal information
Whenever made possible on your account settings, you can access, update, or request deletion of your personal information and data we held about you directly within your account settings section. Please also file a support ticket to confirm any account changes, or contact us to assist you. If you are unable to perform these actions yourself (e.g. you don’t have an account), please contact us using the various methods detailed below to assist you. For customers located in Australia, you may also email "dpo@platform.sh".
(9) Storing, securing, and transfer of your personal data and information
We only collect personal information that is relevant to the purposes set out in this Privacy Policy and do not collect more personal information than what is necessary for those purposes. We also ensure that the information we collect is accurate and sufficient to properly fulfill those purposes. We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal information to the extent reasonably necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We retain usage data for a reasonable period of time to pursue legitimate business interests, or for internal analysis purposes. Usage data is generally retained for up to 14 months or less, except when this data requires a longer retention period due to a compliance reason, legal obligation, security purpose, or legitimate business reason that does not outweigh the user's or visitor's interests, such as improving the Services.
We take all reasonable measures to protect your personal data and information from unauthorized access to, or unauthorized alteration, disclosure or destruction of, information we maintain. To maintain your trust, we’ve achieved several independently audited industry certifications, ensuring your data is handled with appropriate care and according to industry standards. You can find more information here. We also use physical, organizational, and technological methods and policies to protect and safeguard your personal information. For more on our security, please visit https://platform.sh/trust-center/.
We may transfer personal data outside the European Economic Area (EEA) to countries with and without an EU adequacy decision to enable customers to rapidly deploy projects in any geographical region. Customer name, email, and ssh keys may be transferred from the Platform.sh Accounts portal located in Ireland to clusters in France, Ireland, USA, Australia, Canada, the UK, and Germany using securely encrypted transfer channels (TLS) and encrypted at rest. We transfer this data to companies that are GDPR compliant. Platform.sh signs Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) with all processors, and has replaced vendors who fail security, compliance, or privacy assessments. We also conduct Supplementary Measures Assessments on vendors who store personal data in non-adequate countries.
(10) Data breaches
We will report any unlawful data breaches to any and all relevant persons and authorities within 72 hours (or sooner if it is required under applicable privacy laws) of the breach when such breach is likely to result in a high risk to the rights and freedoms of data subjects. Platform’s obligation to report or respond to a personal data breach or security incident will not be construed as an acknowledgement by Platform.sh of any fault or liability with respect to the personal data breach or security incident. Should you have any complaint about a breach, or the way in which we will handle a breach, please contact us.
(11) Third-party links
Our Services may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We do not endorse these sites, nor are we responsible for the content or accuracy of any information contained on them. We strongly advise you to review the privacy policies of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
(12) Children’s privacy
To the extent prohibited by applicable law, our Service does not address anyone under the age of 16 (“Children”). By agreeing to our Terms of Service, you represent that you are the age of majority in your state, province, or country of residence, or 16 years of age, whichever is greater. We do not knowingly collect personally identifiable information from children. If you are a parent or guardian and you are aware that your children have provided us with personal information, please contact us. If we become aware that we have collected personal information from children without verifiable verification of parental consent, we will take steps to delete that information from our databases and servers.
(13) About us
Platform.sh has a designated Data Protection Officer who is accountable for the management of your personal information, including collection, usage, disclosure, retention, and transfer of personal information to third parties for processing. All privacy issues, compliance requests, inquiries, and other requests will be handled by our French parent company, Platform.sh SAS.
(14) Contact us
If you have any questions, requests, feedback, or concerns regarding this Privacy Policy or you want to exercise any of your rights, please contact us. You can also send an email to dpo@platform.sh. Our procedures are in place to receive and respond to any complaints and inquiries you may have. For Blackfire.io-specific questions, please visit the support center. For existing Platform.sh customers, please create a support ticket through your account to allow for identity verification.
Sites visitors have the following options for correcting personal information or removing their information from our database in order to discontinue future communications from Platform.sh.
- Click on the “Unsubscribe” link on any Platform.sh email
- Contact us using our website contact form
- Send a request by mail to: Attention Legal, Platform.sh, 22 rue de Palestro , Paris, 75002, France.
Should you deem that we have not satisfactorily handled your request or you have a complaint, you have the right to contact your local Data Protection Authority (or Attorney General). Our GDPR Supervisory Authority is the Commission Nationale de l'Informatique et des Libertés. Platform.sh is also registered with the Information Commissioner's Office in the United Kingdom and the Office of the Australian Information Commissioner.
(15) Data Privacy Framework (Data Privacy Framework notice)
Platform.sh, including its wholly owned subsidiaries Platform.sh Inc. and Blackfire.io Inc., comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
Platform.sh has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Platform.sh has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
15.1 U.S. Federal trade commission enforcement:
Platform.sh commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission or the applicable United States authorized statutory body.
15.2 Your rights to access, to limit use, and to limit disclosure:
You have rights to access your stored personal data and to limit its use and disclosure. With our Data Privacy Framework certification, Platform.sh has committed to respect those rights. If you wish to request access to or to limit the use or disclosure of your personal data, please contact us by email at dpo@platform.sh or by mail to: 22 Rue de Palestro, Paris, 75002 France.
15.3 Third parties who may receive personal data:
Platform.sh may disclose personal data to its affiliates, as well as to a limited number of third-party business partners, service providers, vendors, suppliers and other contractors (collectively, “Service Providers”) for the purpose of assisting us in providing, managing, enhancing, or improving our Services. Platform.sh maintains contracts with these affiliates and Service Providers restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations. To the extent that Platform.sh receives personal data under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and transfers these personal data to a Service Provider acting on Platform.sh behalf, Platform.sh will remain responsible for any processing activities inconsistent with the Data Privacy Framework Principles (including the Swiss-U.S. DPF Principles), except where Platform.sh can demonstrate that they are not responsible for the event giving rise to the damage.
15.4 Inquiries and complaints:
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Platform.sh commits to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF {and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF} should first contact Platform.sh. You can also send an email to dpo@platform.sh. In compliance with the EU-U.S. DPF {and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF}, Platform.sh commits to cooperate and comply {respectively} with the advice of {the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF {and the Swiss-U.S. DPF}. If you have a complaint and Platfotm.sh is not able to resolve it, you may invoke binding arbitration under the EU-U.S. Data Privacy Framework policies. Platform.sh is willing to enter into binding arbitration with written notice provided that all pre-arbitration requirements are met (See Data Privacy Framework website).
(16) Changelog
We may update this Privacy Policy from time to time. We recommend that you revisit this Privacy Policy regularly. When we materially change this Privacy Policy, a prompt notice will be posted on our blog along with the updated Privacy Policy. In accordance with the Terms of Service, in some cases, we will notify you in advance, and your continued use of the Services after the changes have been made will constitute your acceptance of the changes.
This policy was last reviewed and updated: November 2023.
Version | Date | Changes |
---|---|---|
1.0 | 2016-08-16 |
|
1.1 | 2017-10-25 |
|
1.2 | 2018-01-20 |
|
2.0 | 2018-06-16 |
|
2.1 | 2018-11-05 |
|
2.2 | 2019-04-23 |
|
2.3 | 2019-06-10 |
|
3.0 | 2019-12-04 |
|
3.1 | 2019-12-05 |
|
3.2 | 2019-12-20 |
|
3.3 | 2020-01-09 |
|
3.4 | 2020-01-09 |
|
3.4.1 | 2020-01-09 |
|
3.5 | 2020-01-09 |
|
3.6 | 2021-03-29 |
|
3.7 | 2021-04-26 |
|
3.7.1 | 2021-04-28 |
|
3.8 | 2021-06-17 |
|
3.9 | 2021-09-03 |
|
4.0 | 2021-09-09 |
|
5.0 | 2021-09-24 |
|
6.0 | 2022-02-16 |
|
7.0 | 2022-03-03 |
|
7.1 | 2022-03-11 |
|
7.2 | 2022-06-28 |
|
7.3 | 2022-08-19 |
|
7.4 | 2023-03-03 |
|
7.5 | 2023-05-03 |
|
7.6 | 2023-07-06 |
|
7.7 | 2023-07-31 |
|
7.8 | 2023-11-07 |
|
7.9 | 2024-03-19 |
|
7.10 | 2024-03-20 |
|
7.11 | 2024-03-22 |
|
7.12 | 2024-03-22 |
|